Settings needed to get Cisco’s WebAuth authenticating with Microsoft’s IAS Radius.

Ever had a problem you could not figure out? Well this little sucker gave me a headache.

This little chestnut ended up being pretty simple compared to when we looked back on everything we did try.

A funny quote that comes to mind (Eureka):

Henry: Do you remember Occam’s Razor?
Carter: uh…”Simple things are true”?
Henry: Close enough.

I guess you had to see the episode

Basically to start if you are running a Cisco controller with WPA-PSK, turn it off on all SSID’s. We were told this much later by an Australian TAC technician if you are using WLC 4400 series up to IOS 5.2 (February 2009 release) you cannot run WebAuth via Radius even if you have 8021.x working fine; it is a know problem.

Okay lets begin…..

I will be writing this as if you have everything installed, there isn’t a need for me to reinvent the wheel so these pointed links should suffice.

Also I am not giving technical advise, the steps below are to give you an insight to how it worked for me; please make sure you have backups before you start.

Okay below is a very basic step by step, to get more info use the links. These settings are used on our setup and may not necessary suit your needs however there is enough info to get you started.

Skill level: 7 – (1 Novice – 5 intermediate – 10 Expert)

Preferred Ingredients:

Windows 2003 Enterprise Service Pack 2
Microsoft IAS (Radius) Server ver 5x +
Cisco wireless controller with IOS 4.2.176.0 minimum
DHCP server with scope options set

The Links provided have a generic approach to get you going, what you will find here is specifics to get it working using the ingredients listed.

Tip #1: A good idea on how to start is read the links and the steps below will fall into place even easier.

Setup your IAS to recieve requests from your Cisco controller:
Microsoft IAS RADIUS for wireless authentication

Create a new “Radius Client” – This is the IP of your Cisco Controller, I’ve used vendor ‘Cisco’ instead of ‘Radius Standard’; remember your password you will need it later.

Create a new “Access Policy” – Just start simple IMO add a “Windows-Group” such as ‘Domain Users’ & “NAS-IP-Address” which is your controllers IP.

Tip #2: If you get an error, the less complicated the policy the easier the troubleshooting.

Tip #3: If you want to test your Radius server is working I recommend using NTRadPing 1.5 RADIUS Utility for testing.

To allow application to talk to your radius server create another “Radius Client” but this time use the workstation IP you have NTRadPing installed on; use radius standard and remember the password you set.

————————————

Setup your Cisco controller for WebAuth – This site explains using Cisco’s ACS Radius Server but up to Figure 7 should get most of your settings ready for use.
Wireless LAN Controller Web Authentication

Log into your Cisco Controller.

We need to create a connection to our IAS Radius Server.

Go to ‘Security’ Tab >

On the side menu ‘RADIUS’ + ‘Authentication’

Enter your IAS (Radius) details, IP, password and make sure ‘Server Status’ is enabled; everything else as default i.e. as port ’1812′.

Rinse, Repeat with ‘Accounting’ under ‘RADIUS’ menu.

Create a new ‘Interface’ under ‘CONTROLLER’ > ‘Interfaces’ and call it “GuestWIFI” (add all the relevant information needed such as GW, DHCP, VLAN ID etc.)

Note.

Whilst you are in ‘Interfaces’ check to make sure your ‘virtual’ interface has an IP, sometimes if not setup right the address will be “0.0.0.0″.

This will stop your WebAuth page from working. If no address is there give it something like “1.1.1.1″ and that should get you cooking.

Go to ‘WLAN’ in Tab menu and make a new SSID, call it “GUEST”

Edit SSID “GUEST” and under ‘GENERAL TAB’ make sure ‘Status’ = enabled, ‘Radio Policy’ = ‘All’, ‘Interface’ = “GuestWIFI” , ‘Broadcast SSID’ is ticked (ON).

Go to ‘SECURITY TAB’ > ‘LAYER 2 TAB’ then make sure ‘Layer 2 Security’ = None and ‘MAC filtering” is unticked (OFF).

Next go to tab ‘LAYER 3′ and make sure ‘Layer 3 Security’ = None, ‘Web Policy’ is ticked (ON), ‘Authentication’ radio box is selected and everything else is default.

Next go to ‘AAA SERVERS’ and make sure ‘Authentication Servers’ & ‘Accounting Servers’ = Enabled and ‘Server 1′ drop boxes have servers you created for selection.

For the rest everything else should be okay on Default.

The last thing is what authentication method we are using.

Go to ‘CONTROLLER’ Tab main page.

There is a setting called “Web Radius Authentication”

Make sure you set the Authentication to what you want your Cisco controller to send to IAS Radius server – PAP, CHAP or MD5-CHAP are your options.

Hope this small how to gives you a better idea

Cheers,

Phil