Hi All,
I am trying to set up a simple network of few Cisco 1131 APs and WLC 4402. I have set up a IAS radius server on the domain controller. On the WLC / APs, I have three SSIDs, One for Guest with Web Login having local user/password set up on WLC itself, no encryption in this case, second SSID is for older laptops / devices that only suppprt WEP 128, it has to be authenticated by IAS via AD, then third SSID for WPA/TKIP, users of this ssid (say engineering) again to be autheticated by IAS via AD on engineering windows group. Then I have a fourth SSID for WPAv2/AES and users (say finance) of this SSID belong to finance windows group, part of the overall universal windows group.
All of these SSIDs belong to separate WLAN-ID / VLAN on the WLC and thus each one after authentication will be allocated an IP address from the scope on the subnet of the VLAN interface set up on the WLC. This DHCP server is on a different machine than IAS / AD.
All APs are connected to the same VLAN as the WLC. APs are able to discover and register with the controller and all transmit all four SSIDs fine.
I have added WLC IP address as radius client and have radius shared key matched between IAS client set up and the WLC and WLC has correct IAS IP address as radius server. Vendor type under IAS radius client set up is cisco.
I have tested Guest account and it works fine as it has only local account and hence no IAS / AD involvement. I have also verified WEP SSID by disabling authentication requirement.
I am not very clear as to how to set up IAS for remote access policy.
I am trying to match the conditions in remote access policy, to be client-ip-address as IP address of WLC (radius client), and then using the default universal windows user group. So as per this any user credential coming to IAS thru WLC, and which IAS finds thru AD, to be part of the universal windows group, should pass and remote access policy should trigger.
I have set up EAP to be PEAP, MSCHAPv2 for authentication, encryption tab has all encryption / no encryption checked. The attributes are set up for service-type =login. Anything else I need to set up, so that the users can be authenticated.
Thanks
I am trying to set up a simple network of few Cisco 1131 APs and WLC 4402. I have set up a IAS radius server on the domain controller. On the WLC / APs, I have three SSIDs, One for Guest with Web Login having local user/password set up on WLC itself, no encryption in this case, second SSID is for older laptops / devices that only suppprt WEP 128, it has to be authenticated by IAS via AD, then third SSID for WPA/TKIP, users of this ssid (say engineering) again to be autheticated by IAS via AD on engineering windows group. Then I have a fourth SSID for WPAv2/AES and users (say finance) of this SSID belong to finance windows group, part of the overall universal windows group.
All of these SSIDs belong to separate WLAN-ID / VLAN on the WLC and thus each one after authentication will be allocated an IP address from the scope on the subnet of the VLAN interface set up on the WLC. This DHCP server is on a different machine than IAS / AD.
All APs are connected to the same VLAN as the WLC. APs are able to discover and register with the controller and all transmit all four SSIDs fine.
I have added WLC IP address as radius client and have radius shared key matched between IAS client set up and the WLC and WLC has correct IAS IP address as radius server. Vendor type under IAS radius client set up is cisco.
I have tested Guest account and it works fine as it has only local account and hence no IAS / AD involvement. I have also verified WEP SSID by disabling authentication requirement.
I am not very clear as to how to set up IAS for remote access policy.
I am trying to match the conditions in remote access policy, to be client-ip-address as IP address of WLC (radius client), and then using the default universal windows user group. So as per this any user credential coming to IAS thru WLC, and which IAS finds thru AD, to be part of the universal windows group, should pass and remote access policy should trigger.
I have set up EAP to be PEAP, MSCHAPv2 for authentication, encryption tab has all encryption / no encryption checked. The attributes are set up for service-type =login. Anything else I need to set up, so that the users can be authenticated.
Thanks
