10-26-2010 09:30 AM - edited 07-03-2021 07:20 PM
I am trying to have a management user authenticate via radius and have full admin privileges.
For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius? Thanks.
10-27-2010 01:07 AM
Hi,
Regarding the WLC using RADIUS for admin or lobby ambassador login, you only need the Service-Type RADIUS attribute, so if you have a RADIUS server that can send this RADIUS attribute in the RADIUS Access-Accept, it is transparent for the WLC.
For lobby-admin -> IETF RADIUS Service-Type attribute set to Callback Administrative.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-23-2010 02:04 PM
My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL. When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console. The last time this happened I had to reset the WLC and start over. I don't want to do that again, so I need some way to get into the WLC.
Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work. My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS. I have set the RADIUS (MS IAS) to return two attributes:
1. Vendor-Specific -Vendor Code 14179, Value=management
2. Service-Type - Value=Login
When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user. But the login prompt for the GUI comes back as if it has failed. Same with the CLI login. Now I can't get logged into the WLC. How can I get into the box to manage it again?
Thanks
12-23-2010 11:26 PM
Hi,
In order to authenticate a user via a RADIUS server, for controller login and management, you must add the user to the RADIUS database with the IETF RADIUS attributes Service-Type attribute set to the appropriate value according to the user's privileges.
In order to set read-write privileges for the user, set the Service-Type Attribute to Administrative.
In order to set read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
For Lobby Ambassador you have to return IETF RADIUS Service-Type attribute set to Callback Administrative.
Please find config example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-27-2010 10:38 AM
That solved my problem. I have a RADIUS (MS IAS) defined, but the RADIUS is using LDAP as the database for authentication. We manage the users by Windows Groups, and in the RADIUS policy conditions check for a certain Windows group in the user profile. If it passes, they can login. If it fails they can't unless they use the administrator profile.
08-06-2012 08:03 AM
How did you end up fixing it? I am having the same issue. I am using Windows 2008 Server. I have tried to set the RADIUS attribute Service-Type as Administrative as well as Login; it didn't work. Also, what goes under Vendor Specific?
Note: I am trying to use this just so I can log into the WLC.
09-05-2014 06:49 AM
Hi, any response to mali1977us would also assist me. I can see my management user authenticate fine with AD, but I'm still prompted with the login page.
10-29-2015 09:30 AM
You will need to set:
Service-Type: Administrator
Cisco-AV-Pair: shell:priv-lvl=15
--------
Khalid
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
02-14-2016 02:54 PM
The solution in my case was not checking the "Access-Request messages must contain the Message-Authenticator Attribute" option within Radius Client Settings