
Authentication of Wireless LAN Controller's Lobby Administrator via RADIUS Server

Document ID: 97073



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Background Information
Configure
      Configurations
      WLC Configuration
      RADIUS Server Configuration
Verify
Troubleshoot
Related Information

Introduction

This document explains the configuration steps involved to authenticate a lobby administrator of the wireless LAN controller (WLC) with a RADIUS server.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Knowledge of how to configure basic parameters on WLCs

  • Knowledge of how to configure a RADIUS server, such as the Cisco Secure ACS

  • Knowledge of guest users in the WLC

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2006 Wireless LAN Controller that runs version 4.0.217.0

  • A Cisco Secure ACS that runs software version 3.2 and is used as a RADIUS server in this configuration.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

A lobby administrator, also known as a lobby ambassador of a WLC, can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts. The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

Refer to Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller for more information on guest users.

In order to create a guest user account on the WLC, you need to log in to the controller as a lobby administrator. This document explains how a user is authenticated to the WLC as a lobby administrator based on the attributes returned by the RADIUS server.

Note: Lobby administrator authentication can also be performed based on a lobby administrator account configured locally on the WLC. Refer to Creating a Lobby Ambassador Account for information on how to create a lobby administrator account locally on a controller. Refer to RADIUS Server Authentication of Management Users on the Controller Configuration Example for more information on how to authenticate a fully privileged WLC management user, other than a lobby administrator, with the RADIUS server.

Configure

In this section, you are presented with the information on how to configure the WLC and the ACS for the purpose described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to find more information on the commands used in this document.

Configurations

This document uses these configurations:

  • The Management interface IP address of WLC is 10.77.244.212/27.

  • The IP address of the RADIUS server is 10.77.244.197/27.

  • The shared secret configured on the WLC and on the RADIUS server is cisco123. The secret is shared between the controller and the RADIUS server; the access points are not involved in this exchange.

  • The username and password of the lobby administrator configured in the RADIUS server are both lobbyadmin.

In the configuration example in this document, any user logging into the controller with username and password as lobbyadmin is assigned the role of a lobby administrator.

WLC Configuration

Before you start the WLC configuration, ensure that your controller runs version 4.0.206.0 or later. Earlier releases are affected by Cisco bug ID CSCsg89868 (registered customers only), in which the controller web interface presents a LobbyAdmin user whose account is stored in a RADIUS database with the ReadOnly pages instead of the LobbyAdmin pages.

This bug is resolved in WLC version 4.0.206.0. Refer to Wireless LAN Controller (WLC) Software Upgrade to Versions 3.2, 4.0, and 4.1 for instructions on how to upgrade your controller to the appropriate version.

In order to perform controller management authentication with the RADIUS server, ensure that the Admin-auth-via-RADIUS flag is enabled on the controller. This can be verified from the show radius summary command output.

This output provides an example:

(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility.................Disabled
Credentials Caching..............................Disabled
Call Station Id Type.............................IP Address
Administrative Authentication via RADIUS.........Disabled
Aggressive Failover..............................Enabled
Keywrap..........................................Disabled

The Administrative Authentication via RADIUS line in the show radius summary output shows that administrative authentication with RADIUS is currently disabled. In order to enable it, issue the config radius admin-authentication enable command from the WLC CLI. With this flag enabled, the controller can pass management logins to the RADIUS server.

The next step is to configure RADIUS server information on the controller and establish Layer 3 reachability between the controller and RADIUS server.

Configure RADIUS Server Information on the Controller

Complete these steps in order to configure the WLC with details about the ACS:

  1. From the WLC GUI, choose the Security tab and configure the IP address and shared secret of the ACS server.

    This shared secret needs to be the same on the ACS in order for the WLC to communicate with the ACS.

    Note:  The ACS shared secret is case sensitive. Therefore, make sure to enter the shared secret information correctly.

    This figure shows an example:

    auth-lobbyadmin-radius1.gif

  2. Check the Management check box so that this RADIUS server is used to authenticate WLC management users, as shown in the figure in step 1. Then, click Apply.

    Note: The controller first looks for the username and password in its locally defined management users before it tries to authenticate the management user through the RADIUS server, so a local account with the same username takes precedence over the RADIUS entry.

  3. Verify the Layer 3 reachability between the controller and the configured RADIUS server with the help of the ping command. This ping option is also available on the configured RADIUS server page in the WLC GUI in the Security>RADIUS Authentication tab.

    This diagram shows a successful ping reply from the RADIUS server. Therefore, Layer 3 reachability is available between the controller and RADIUS server.

    /image/gif/paws/97073/auth-lobbyadmin-radius2.gif

RADIUS Server Configuration

Complete the steps in these sections in order to configure the RADIUS server:

  1. Add the WLC as an AAA Client to the RADIUS Server

  2. Configure the Appropriate RADIUS IETF Service-Type Attribute for a Lobby Administrator

Add the WLC as an AAA Client to the RADIUS Server

As mentioned earlier, this document uses the ACS as the RADIUS server; any RADIUS server that can return the IETF Service-Type attribute works for this configuration. Complete these steps in order to add the WLC as an AAA client in the ACS:

  1. From the ACS GUI, choose the Network Configuration tab.

  2. Under AAA Clients, click Add Entry.

  3. In the Add AAA Client window, enter the WLC host name, the IP address of the WLC, and a shared secret key. See the example diagram under step 5.

  4. From the Authenticate Using drop-down menu, choose RADIUS (Cisco Aironet).

  5. Click Submit + Restart in order to save the configuration.

    /image/gif/paws/97073/auth-lobbyadmin-radius3.gif

Configure the Appropriate RADIUS IETF Service-Type Attribute for a Lobby Administrator

In order to authenticate a management user of a controller as a lobby administrator via the RADIUS server, you must add the user to the RADIUS database with the IETF RADIUS Service-Type attribute set to Callback Administrative (value 11). The controller reads this attribute from the Access-Accept and assigns the user the lobby administrator role. By contrast, Service-Type Administrative (6) makes the user a full read-write management user and NAS-Prompt (7) a read-only user, so the value must be chosen deliberately.

This document shows the example user lobbyadmin as a lobby administrator. In order to configure this user, complete these steps on the ACS:

  1. From the ACS GUI, choose the User Setup tab.

  2. Enter the username to be added to the ACS as this example window shows:

    /image/gif/paws/97073/auth-lobbyadmin-radius4.gif

  3. Click Add/Edit in order to go to the User Edit page.

  4. On the User Edit page, provide the Real Name, Description and Password details of this user.

    In this example, the username and password used are both lobbyadmin.

    /image/gif/paws/97073/auth-lobbyadmin-radius5.gif

  5. Scroll down to the IETF RADIUS Attributes setting and check the Service-Type Attribute check box.

  6. Choose Callback Administrative from the Service-Type pull-down menu and click Submit.

    This is the attribute that assigns this user the role of a lobby administrator.

    /image/gif/paws/97073/auth-lobbyadmin-radius6.gif

    Sometimes, this Service-Type attribute is not visible under the user settings. In such cases, complete these steps in order to make it visible:

    1. From the ACS GUI, choose Interface Configuration > RADIUS (IETF) in order to enable IETF attributes in the User Configuration window.

      This brings you to the RADIUS (IETF) Settings page.

    2. From the RADIUS (IETF) Settings page, you can enable the IETF attribute that needs to be visible under user or group settings. For this configuration, check Service-Type for the User column and click Submit.

      This window shows an example:

      auth-lobbyadmin-radius7.gif

      Note: This example specifies authentication on a per-user basis. You can also perform authentication based on the group to which a particular user belongs. In such cases, check the Group check box so that this attribute is visible under Group settings. For this example, it is not necessary to check the Group check box.

      Note: Also, if the authentication is on a group basis, you need to assign users to a particular group and configure the group setting IETF attributes to provide access privileges to users of that group. Refer to User Group Management for detailed information on how to configure and manage groups.

Verify

Use this section in order to confirm that your configuration works properly.

In order to verify that your configuration works properly, access the WLC through the GUI (HTTP/HTTPS) mode.

Note: A lobby ambassador cannot access the controller CLI interface and therefore can create guest user accounts only from the controller GUI.

When the login prompt appears, enter the username and password as configured on the ACS. If you have the configurations correct, you are authenticated successfully into the WLC as lobby administrator. This example shows how the GUI of a lobby administrator looks after successful authentication:

/image/gif/paws/97073/auth-lobbyadmin-radius8.gif

Note: You can see that a lobby administrator has no other option apart from guest user management.

In order to verify it from the CLI, Telnet or SSH into the controller as a read-write administrator and issue the debug aaa all enable command. A login attempt by lobbyadmin then produces output like this:

(Cisco Controller) >debug aaa all enable
AuthenticationRequest: 0xac83f40
	Callback.....................................0x8265bc8
	protocolType.................................0x00020001
	proxyState...................................18:00:00:00:00:00-00:00
	Packet contains 5 AVPs (not shown)
18:00:00:00:00:00 Successful transmission of Authentication Packet (id 2) 
 to 10.77.244.197:1812, proxy state 18:00:00:00:00:00-00:00
00000000: 01 02 00 44 00 00 00 00  00 00 00 00 00 00 00 00  ...D............
00000010: 00 00 00 00 01 0c 6c 6f  62 62 79 61 64 6d 69 6e  ......lobbyadmin
00000020: 02 12 e3 2e 50 aa 62 e9  00 55 78 d2 9a 5d 59 ed  ....P.b..Ux..]Y.
00000030: ca 23 06 06 00 00 00 07  04 06 0a 4d f4 d4 20 06  .#.........M....
00000040: 57 4c 43 32                                       WLC2
00000000: 02 02 00 41 80 cb 97 48  b0 52 d5 64 b1 58 6e 5a  ...A...H.R.d.XnZ
00000010: c4 5f 5d f1 06 06 00 00  00 0b 19 27 43 49 53 43  ._]........'CISC
00000020: 4f 41 43 53 3a 30 30 31  33 30 31 37 34 2f 30 61  OACS:00130174/0a
00000030: 34 64 66 34 64 34 2f 6c  6f 62 62 79 61 64 6d 69  4df4d4/lobbyadmi
00000040: 6e                                                n
****Enter processIncomingMessages: response code=2
****Enter processRadiusResponse: response code=2
18:00:00:00:00:00 Access-Accept received from RADIUS server 10.77.244.197 
 for mobile 18:00:00:00:00:00 receiveId = 0
AuthorizationResponse: 0x9845500
	structureSize................................101
	resultCode...................................0
	protocolUsed.................................0x00000001
	proxyState...................................18:00:00:00:00:00-00:00
	Packet contains 2 AVPs:
   AVP[01] Service-Type.............................0x0000000b (11) (4 bytes)
   AVP[02] Class....................................CISCOACS:00130174/0a4df4d4/
                                                    lobbyadmin (37 bytes)
Unable to find requested user entry for lobbyadmin
AuthenticationRequest: 0xac84064
	Callback.....................................0x8265bc8
	protocolType.................................0x00020001
	proxyState...................................19:00:00:00:00:00-00:00
	Packet contains 5 AVPs (not shown)
19:00:00:00:00:00 Successful transmission of Authentication Packet (id 3) 
 to 10.77.244.197:1812, proxy state 19:00:00:00:00:00-00:00
00000000: 01 03 00 44 00 00 00 00  00 00 00 00 00 00 00 00  ...D............
00000010: 00 00 00 00 01 0c 6c 6f  62 62 79 61 64 6d 69 6e  ......lobbyadmin
00000020: 02 12 e3 2e 50 aa 62 e9  00 55 78 d2 9a 5d 59 ed  ....P.b..Ux..]Y.
00000030: ca 23 06 06 00 00 00 07  04 06 0a 4d f4 d4 20 06  .#.........M....
00000040: 57 4c 43 32                                       WLC2
00000000: 02 03 00 41 7e 73 f3 a2  dd 68 c0 9f f4 94 90 df  ...A~s...h......
00000010: d0 38 0c 3a 06 06 00 00  00 0b 19 27 43 49 53 43  .8.:.......'CISC
00000020: 4f 41 43 53 3a 30 30 31  33 30 31 37 35 2f 30 61  OACS:00130175/0a
00000030: 34 64 66 34 64 34 2f 6c  6f 62 62 79 61 64 6d 69  4df4d4/lobbyadmi
00000040: 6e                                                n
****Enter processIncomingMessages: response code=2
****Enter processRadiusResponse: response code=2
19:00:00:00:00:00 Access-Accept received from RADIUS server 10.77.244.197 
 for mobile 19:00:00:00:00:00 receiveId = 0
AuthorizationResponse: 0x9845500
	structureSize................................101
	resultCode...................................0
	protocolUsed.................................0x00000001
	proxyState...................................19:00:00:00:00:00-00:00
	Packet contains 2 AVPs:
   AVP[01] Service-Type.............................0x0000000b (11) (4 bytes)
   AVP[02] Class....................................CISCOACS:00130175/0a4df4d4/
                                                    lobbyadmin (37 bytes)

In the AuthorizationResponse section of this output, AVP[01] shows that the Service-Type attribute with value 11 (Callback Administrative) is returned to the controller in the Access-Accept from the ACS, and the user is logged in as a lobby administrator. Note that the Access-Request the controller sends carries its own Service-Type of 7 (NAS-Prompt), visible in the request hex dump as 06 06 00 00 00 07; that is the controller's hint about the kind of login, not the role that is granted.
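The exchange in the debug output above, worked through in Python as an added example (this is not Cisco code and is not part of the original document): the two captured packets (Access-Request id 2 and its Access-Accept) are transcribed from the hex dump, the shared secret is the page's cisco123, and the parser maps the returned Service-Type to the controller role described in the RADIUS Server Configuration section (11 Callback Administrative = lobby administrator). The packet builders, the fixed 16-byte authenticator used for the round trip, the "unmapped" and "rejected" return values, and the Class value CISCOACS:test are this example's own constructions. The dump prints the Request Authenticator as 16 zero bytes; the page does not say whether that is the value sent on the wire, so the example does not attempt to decode the captured User-Password or to verify the captured Response Authenticator, and instead demonstrates both operations on a packet it builds itself with the same attribute layout the WLC used.

```python
# Added example (not Cisco code): the RADIUS exchange behind the lobby-admin login.
# The two packets are transcribed from the hex dump in the debug output above and
# the shared secret is the page's cisco123; builders and the test authenticator
# are this example's own constructions.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST_CODE, ACCESS_ACCEPT_CODE = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, CLASS, NAS_IDENTIFIER = 1, 2, 4, 6, 25, 32
SERVICE_TYPE_NAS_PROMPT = 7  # the WLC puts this in its own Access-Request
WLC_ROLE_BY_SERVICE_TYPE = {  # Service-Type in the Access-Accept -> WLC management role
    6: "read-write administrator",  # Administrative
    7: "read-only user",            # NAS-Prompt
    11: "lobby administrator",      # Callback-Administrative
}
SHARED_SECRET = b"cisco123"

# Access-Request id 2 from WLC2 and the ACS reply, copied from the debug dump
CAPTURED_REQUEST = bytes.fromhex(
    "01020044000000000000000000000000" "00000000010c6c6f62627961646d696e"
    "0212e32e50aa62e9005578d29a5d59ed" "ca2306060000000704060a4df4d42006" "574c4332")
CAPTURED_ACCEPT = bytes.fromhex(
    "0202004180cb9748b052d564b1586e5a" "c45f5df106060000000b192743495343"
    "4f4143533a30303133303137342f3061" "3464663464342f6c6f62627961646d69" "6e")

def parse_packet(raw):
    """Split a RADIUS packet into header fields and a list of (type, value) AVPs."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    avps, pos = [], 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        avps.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": raw[4:20], "avps": avps}

def attribute(pkt, atype):
    return next((v for t, v in pkt["avps"] if t == atype), None)

def wlc_role(accept_raw):
    """Role the controller derives from the Service-Type in an Access-Accept."""
    pkt = parse_packet(accept_raw)
    value = attribute(pkt, SERVICE_TYPE)
    if pkt["code"] != ACCESS_ACCEPT_CODE:
        return "rejected"
    if value is None or len(value) != 4:
        return "unmapped"  # the page does not document a missing Service-Type
    return WLC_ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", value)[0], "unmapped")

def _avp(atype, value):
    return bytes([atype, len(value) + 2]) + value

def hide_password(password, request_auth, secret):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, request_auth, secret):
    """Inverse of hide_password: what the RADIUS server does with the shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, request_auth, username, password, nas_ip, nas_id, secret):
    """Same attribute layout the WLC used: User-Name, User-Password, Service-Type
    NAS-Prompt, NAS-IP-Address, NAS-Identifier."""
    body = (_avp(USER_NAME, username)
            + _avp(USER_PASSWORD, hide_password(password, request_auth, secret))
            + _avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_NAS_PROMPT))
            + _avp(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
            + _avp(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST_CODE, ident, 20 + len(body)) + request_auth + body

def build_access_accept(request, service_type, class_value, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _avp(SERVICE_TYPE, struct.pack("!I", service_type)) + _avp(CLASS, class_value)
    header = struct.pack("!BBH", ACCESS_ACCEPT_CODE, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """The check a NAS must make before it trusts the Service-Type in a reply."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)

if __name__ == "__main__":
    req = parse_packet(CAPTURED_REQUEST)
    print(attribute(req, NAS_IDENTIFIER), IPv4Address(attribute(req, NAS_IP_ADDRESS)),
          "asked about", attribute(req, USER_NAME), "-> role:", wlc_role(CAPTURED_ACCEPT))
```

Run the file directly to see the request fields and the role derived from the captured reply. The point of verify_response is that the Service-Type in an Access-Accept is only trustworthy because the Response Authenticator binds it to the shared secret and to the request: a reply whose Service-Type has been changed from 11 to 6 would parse to a read-write administrator, but fails the authenticator check, and a sender who does not know the secret cannot produce a valid one. That check is only as strong as the secret, which is one reason to use a long, per-client secret rather than a dictionary word like the cisco123 used in this lab.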

These commands might be of additional help:

  • debug aaa details enable

  • debug aaa events enable

  • debug aaa packets enable

Note: Refer to Important Information on Debug Commands before you use debug commands.

Troubleshoot

When you log in to a controller with lobby ambassador privileges, you cannot create a guest user account with a lifetime value of 0, which would be an account that never expires. Instead, you receive the Lifetime value cannot be 0 error message.

This is due to Cisco bug ID CSCsf32392 (registered customers only), which is found mainly with WLC version 4.0. This bug has been resolved in WLC version 4.1.


Related Information



Updated: Feb 19, 2008. Document ID: 97073