Radius webauth attributes

Radius
When webauth authentication is used, the WLC first checks the username/password locally (Security > Local Net Users on the WLC) and, if the user is not found in the local database, sends the request to RADIUS (if a RADIUS server is defined globally). The attributes sent are listed below. A sufficiently capable RADIUS server can allow or refuse the request based on these attributes in addition to the username/password. RADIUS attribute traffic can be seen with 'debug aaa all enable'.
Assuming the WLC local database works, define the RADIUS server under Security > RADIUS Authentication for remote authentication. The RADIUS server also needs to know about the WLC, and the shared keys must match on both devices. If a RADIUS accounting server is configured under Security, the user's username is sent in the accounting records.
Radius attributes sent for authentication
- User-Name (attribute 1)
- User-Password (attribute 2, encrypted)
- Service-Type (attribute 6 = 1, Login)
- NAS-IP-Address (attribute 4 = WLC IP address as 4 raw bytes)
- NAS-Identifier (attribute 32 = name of the WLC)
- NAS-Port-Type (attribute 61 = 0x13 = 19, Wireless-802.11)
- Vendor-Specific (attribute 26 = the Airespace-WLAN-Id from the WLC, i.e. the WLAN number)
- Calling-Station-ID (attribute 31 = client NIC IP address in dotted-decimal)
- Called-Station-ID (attribute 30 = WLC IP address in dotted-decimal)
Radius attributes honored in access-accept
Service-Type (attribute 6) may be returned as 1 (Login) or left out entirely, but must not be 6 (Administrative).
An access-list name (ACL-Name) and a QoS level (QoS-Level) can also be passed down to the WLC as vendor-specific attributes.
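The Access-Request above and the Access-Accept rule, worked through as an added example that is not part of this page or of Cisco's code: it encodes the listed attributes in RFC 2865 TLV form, parses them back, and applies the two policy checks (allow only a wireless Login on a permitted WLAN id; reject an Accept carrying Service-Type Administrative). The Airespace vendor id 14179 and the Airespace-WLAN-Id sub-type 1 are assumed from the FreeRADIUS dictionary; User-Password is left out because its encoding needs the shared secret and request authenticator.

```python
import struct

# Attribute numbers and values from the page; Airespace vendor id/sub-type assumed from the FreeRADIUS dictionary.
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 4, 6, 26
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 30, 31, 32, 61
SERVICE_TYPE_LOGIN, NAS_PORT_WIRELESS_80211 = 1, 19
AIRESPACE_VENDOR_ID, AIRESPACE_WLAN_ID = 14179, 1
U32 = struct.Struct("!I")  # RADIUS "integer" attribute values are 4-byte big-endian

def avp(attr_type, value):  # RFC 2865 TLV: Type (1 byte), Length including header (1 byte), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_webauth_request(user, wlc_ip, wlc_name, wlan_id, client_ip):
    """Attribute list of the WLC webauth Access-Request described above (User-Password left out)."""
    vsa = U32.pack(AIRESPACE_VENDOR_ID) + avp(AIRESPACE_WLAN_ID, U32.pack(wlan_id))
    return b"".join([
        avp(USER_NAME, user.encode()),
        avp(SERVICE_TYPE, U32.pack(SERVICE_TYPE_LOGIN)),
        avp(NAS_IP_ADDRESS, bytes(int(o) for o in wlc_ip.split("."))),  # 4 raw bytes
        avp(NAS_IDENTIFIER, wlc_name.encode()),
        avp(NAS_PORT_TYPE, U32.pack(NAS_PORT_WIRELESS_80211)),
        avp(VENDOR_SPECIFIC, vsa),
        avp(CALLING_STATION_ID, client_ip.encode()),  # dotted-decimal text, unlike attribute 4
        avp(CALLED_STATION_ID, wlc_ip.encode()),
    ])

def parse_attributes(data):
    """Walk a TLV list into [(type, value)], rejecting truncated or zero-length encodings."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def airespace_wlan_id(attrs):
    """Airespace-WLAN-Id carried inside attribute 26, or None when the request has none."""
    vsas = [v[4:] for t, v in attrs if t == VENDOR_SPECIFIC and v[:4] == U32.pack(AIRESPACE_VENDOR_ID)]
    sub = dict(parse_attributes(b"".join(vsas))).get(AIRESPACE_WLAN_ID)
    return U32.unpack(sub)[0] if sub is not None and len(sub) == 4 else None
def request_allowed(attrs, allowed_wlans):
    """Server-side policy the page asks for: a wireless Login request on a permitted WLAN id."""
    a = dict(attrs)
    return (a.get(SERVICE_TYPE) == U32.pack(SERVICE_TYPE_LOGIN)
            and a.get(NAS_PORT_TYPE) == U32.pack(NAS_PORT_WIRELESS_80211)
            and airespace_wlan_id(attrs) in allowed_wlans)
def accept_ok(accept_attrs):
    """Access-Accept rule from the page: Service-Type is Login (1) or absent, never Administrative (6)."""
    return dict(accept_attrs).get(SERVICE_TYPE) in (None, U32.pack(SERVICE_TYPE_LOGIN))
```

The sample values (user "alice", WLC 10.0.0.5, client 10.0.1.20, WLAN id 3) used when calling these functions are constructed for illustration.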
Radius attributes sent in webauth accounting
Start:
- User-Name (attribute 1: the username, or for passthrough the MAC address or e-mail address entered)
- NAS-Port (attribute 5 = 0x1d = 29 when LAG is used)
- NAS-IP-Address (attribute 4 = WLC IP address in dotted-decimal)
- Framed-IP-Address (attribute 8 = client NIC IP address in dotted-decimal)
- Class (attribute 25, if one was sent by the RADIUS server)
- NAS-Identifier (attribute 32 = WLC name)
- Vendor-Specific (attribute 26 = the Airespace-WLAN-Id from the WLC, i.e. the WLAN number)
- Acct-Session-Id (attribute 44)
- Acct-Authentic (attribute 45)
- Acct-Status-Type (attribute 40)
- Tunnel-Type (attribute 64)
- Tunnel-Medium-Type (attribute 65)
- Tunnel-Private-Group-Id (attribute 81)
- Calling-Station-ID (attribute 31 = client NIC IP address in dotted-decimal)
- Called-Station-ID (attribute 30 = WLC IP address in dotted-decimal)
The Called-Station-ID format defaults to the WLC IP address, but depending on the setting on the WLC Security main screen it may instead be the WLC or AP MAC address, such as 00-11-22-33-44-55-66.
Interim:
- User-Name (attribute 1: the username, or for passthrough the MAC address or e-mail address entered)
- NAS-Port (attribute 5 = 0x1d = 29 when LAG is used)
- NAS-IP-Address (attribute 4 = WLC IP address in dotted-decimal)
- Framed-IP-Address (attribute 8 = client NIC IP address in dotted-decimal)
- Class (attribute 25, if one was sent by the RADIUS server)
- NAS-Identifier (attribute 32 = WLC name)
- Vendor-Specific (attribute 26 = the Airespace-WLAN-Id from the WLC, i.e. the WLAN number)
- Acct-Session-Id (attribute 44)
- Acct-Authentic (attribute 45)
- Tunnel-Type (attribute 64)
- Tunnel-Medium-Type (attribute 65)
- Tunnel-Private-Group-Id (attribute 81)
- Acct-Status-Type (attribute 40)
- Acct-Input-Octets (attribute 42)
- Acct-Output-Octets (attribute 43)
- Acct-Input-Packets (attribute 47)
- Acct-Output-Packets (attribute 48)
- Acct-Session-Time (attribute 46)
- Acct-Delay-Time (attribute 41)
- Calling-Station-ID (attribute 31 = client NIC IP address in dotted-decimal)
- Called-Station-ID (attribute 30 = WLC IP address in dotted-decimal)
The Called-Station-ID format defaults to the WLC IP address, but depending on the setting on the WLC Security main screen it may instead be the WLC or AP MAC address, such as 00-11-22-33-44-55-66.
Stop:
- User-Name (attribute 1: the username, or for passthrough the MAC address or e-mail address entered)
- NAS-Port (attribute 5 = 0x1d = 29 when LAG is used)
- NAS-IP-Address (attribute 4 = WLC IP address in dotted-decimal)
- NAS-Identifier (attribute 32 = WLC name)
- Vendor-Specific (attribute 26 = the Airespace-WLAN-Id from the WLC, i.e. the WLAN number)
- Acct-Session-Id (attribute 44)
- Acct-Authentic (attribute 45)
- Acct-Status-Type (attribute 40)
- Acct-Input-Octets (attribute 42)
- Acct-Output-Octets (attribute 43)
- Acct-Input-Packets (attribute 47)
- Acct-Output-Packets (attribute 48)
- Acct-Terminate-Cause (attribute 49)
- Acct-Session-Time (attribute 46)
- Calling-Station-ID (attribute 31 = client NIC IP address in dotted-decimal)
- Called-Station-ID (attribute 30 = WLC IP address in dotted-decimal)
The Called-Station-ID format defaults to the WLC IP address, but depending on the setting on the WLC Security main screen it may instead be the WLC or AP MAC address, such as 00-11-22-33-44-55-66.
Troubleshooting
show commands
WLC
show interface summary
show interface virtual
show client detailed <mac>
show custom-web
show wlan <wlan-id>
show acl summary
show acl detail <name>
show sysinfo
show run-config
show radius auth statistics
PC
nslookup <destination> (run *without* webauth)
ipconfig /all
debug commands
WLC debugs:
debug client <##:##:##:##:##:##>
debug aaa all enable
debug pem state enable
debug pem events enable
debug dhcp message enable
debug dhcp packet enable
debug pm ssh-appgw enable
debug pm ssh-tcp enable
