A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Friday, December 2, 2011

WLAN controller Local EAP profile vs external RADIUS server

You probably know that the local EAP profile you can configure on a controller is a backup: it is used only if no external RADIUS server is defined for user authentication on the controller, or if the defined RADIUS servers cannot be reached. In other words, when you define a Local EAP profile on a controller that also has RADIUS servers, the order is as follows:
1. Try to use the RADIUS server defined in the WLAN
2. Try to use any RADIUS server defined in Security > AAA > RADIUS > Authentication.
3. If all this fails, try to use the local EAP profile.

Let's play with this idea:



With this WLAN configuration, am I going to use the 10.100.1.30 RADIUS server or the local EAP profile?
Did you answer the 10.100.1.30 RADIUS server? Well, almost right... but I first need to check that server:


Oops, Network User is NOT checked for 10.100.1.30. This would seem to mean that I cannot use this RADIUS server for wireless client authentication (only for management user authentication)... but I called that server directly from the WLAN, so this global "Network User unchecked" setting does not matter (thanks Stoef and Anonymous for this comment): because the RADIUS server is called from the WLAN, the WLAN is going to try to use it anyway. However, because Network User is unchecked globally, any other WLAN that relies on the global RADIUS server list (i.e. does not call the RADIUS server directly from the WLAN) is going to skip that one server.
Things would be different if the RADIUS was disabled:

In this case (regardless of whether Network User is checked), I may be calling 10.100.1.30 from the WLAN, but the RADIUS server is disabled: it cannot be used and will be ignored.
Okay, so my controller is going to revert to plan 2 and try to use any RADIUS server configured for Network User authentication in Security > AAA > RADIUS > Authentication.
Cool, there is one there (172.29.129.156) matching my criteria: Network User is checked and the RADIUS server is enabled.
So, my controller is going to use it... or is it? If I look into Management > SNMP > Trap Logs:


Ooh, this is not my lucky day: 172.29.129.156 is not responding, so the controller removed it from the active server list (172.29.129.156 still shows the "enabled" status in the RADIUS > Authentication page; that "enabled" status just means that you, the admin, intend to use this RADIUS server, not that the controller can actually talk to it successfully).
Ok, then the controller is going to use the local EAP profile. I can see that by running the debug aaa local-auth db enable command:
*aaaQueueReader: Dec 02 16:21:49.385: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Dec 02 16:21:49.386: LOCAL_AUTH: Creating new context
*aaaQueueReader: Dec 02 16:21:49.386: LOCAL_AUTH: Created new context eap session handle 94000011
*aaaQueueReader: Dec 02 16:21:49.386: LOCAL_AUTH: (EAP:18) Sending the Rxd EAP packet (id 1) to EAP subsys
*EAP Framework: Dec 02 16:21:49.386: LOCAL_AUTH: Found matching context for id - 18
*EAP Framework: Dec 02 16:21:49.386: LOCAL_AUTH: (EAP) Sending user credential request username 'cisco' to FILE
*aaaQueueReader: Dec 02 16:21:49.386: User cisco information retrieved
*aaaQueueReader: Dec 02 16:21:49.386: AuthorizationResponse: 0x2c190b9c


A lot of "LOCAL_AUTH" activity is happening here: I am definitely using the controller's local EAP.
Would this have happened anyway, even with a RADIUS server?
Nope; as soon as I re-enable my RADIUS server:


The authentication occurs on the RADIUS server, and I can see the result on my ACS server (if authentication were local to the controller, I would not see any hit on the ACS). You can try this at home: the best way is to create one user on the controller and another on the ACS, and see which one works depending on your configuration changes:




So, in summary, do not get caught by appearances. Your controller will always ("always", that is, on code 7.0.x) prefer an external RADIUS server to the internal local EAP profile, whatever your WLAN configuration looks like.
The WLC will revert to the local EAP profile ONLY if no external RADIUS server can be used (the external RADIUS servers are not configured for network user authentication, or no external RADIUS server answers). Always verify "the rest" (RADIUS server configuration and reachability) before trusting the WLAN configuration nicely displayed before your candid eyes... :-D
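The selection order walked through above, as an added Python model of the decision (not the controller's code): the `reachable` flag is my assumed stand-in for "still in the controller's active server list", and the SSID and local EAP profile name are made up; the addresses and flag states are the ones from the post.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RadiusServer:
    ip: str
    enabled: bool = True       # the "Enabled" status under Security > AAA > RADIUS > Authentication
    network_user: bool = True  # the "Network User" checkbox on the same page
    reachable: bool = True     # assumed stand-in for "still in the controller's active server list"

@dataclass
class Wlan:
    ssid: str
    wlan_servers: List[RadiusServer] = field(default_factory=list)  # servers called from the WLAN

def pick_auth_source(wlan: Wlan, global_servers: List[RadiusServer], local_eap: Optional[str]) -> str:
    """Return what will authenticate a client on this WLAN, in the order the post describes."""
    # 1. Servers called directly from the WLAN: the global Network User flag is ignored,
    #    but a server that is disabled or out of the active list is skipped.
    for srv in wlan.wlan_servers:
        if srv.enabled and srv.reachable:
            return f"RADIUS {srv.ip} (called from WLAN)"
    # 2. Global list: needs Enabled, Network User checked, and a server that still answers.
    for srv in global_servers:
        if srv.enabled and srv.network_user and srv.reachable:
            return f"RADIUS {srv.ip} (global list)"
    # 3. Only now does the local EAP profile come into play.
    if local_eap:
        return f"local EAP profile {local_eap}"
    return "no usable authentication source"

def walkthrough() -> dict:
    """Replay the three states from the post (addresses from the post, flags as described)."""
    wlan_srv = RadiusServer("10.100.1.30", enabled=True, network_user=False)
    global_srv = RadiusServer("172.29.129.156", enabled=True, network_user=True, reachable=False)
    wlan = Wlan("lab-wlan", wlan_servers=[wlan_srv])  # "lab-wlan" is a made-up SSID
    results = {}
    # Network User unchecked, but called from the WLAN: the server is used anyway.
    results["network_user_unchecked"] = pick_auth_source(wlan, [global_srv], "local-eap")
    # Disable it globally: the WLAN cannot use it; the global server is in the trap logs
    # as not responding, so the controller falls back to local EAP.
    wlan_srv.enabled = False
    results["radius_disabled"] = pick_auth_source(wlan, [global_srv], "local-eap")
    # Re-enable it: authentication goes back to the RADIUS server (hits on the ACS again).
    wlan_srv.enabled = True
    results["radius_reenabled"] = pick_auth_source(wlan, [global_srv], "local-eap")
    return results
```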

30 comments:

  1. "Oops, Network User is NOT checked for 10.100.1.30. This means that I cannot use this RADIUS server for wireless client authentication"

    This is wrong, I think... and I'm pretty sure about it. If you define the radius-server in the WLAN-config to override the default-servers (like you did in your example), "Network User" checkbox is not necessary. Otherwise my 1500 concurrent-user WLAN would not work, because it is configured that way.

    It makes sense also, because that way the servers are not "default" and cannot be used on every WLAN, but only on the ones I set them to.

    This is based on 7.0 code, but also worked that way back to 5.2. (and probably even sooner, but I started EAP with 5.2)

  2. Only unselecting "network user" did not force auth to use local EAP; you must configure the RADIUS status to disabled to force local EAP.

  3. Thanks a lot Stoef and Anonymous, you are perfectly right!
    Calling the RADIUS from the WLAN overrides the unchecked Network User at global level, but of course disabling the RADIUS globally means that the WLAN cannot use it anymore.
    Post was updated to reflect this point. Thanks again!
