I'm using WING VX controller version 18.104.22.168-018R.
I try to configure a wifi network SSID Testcorp that uses the local radius server with the local user database Testcorp-User-Pool. LDAP authentication with local radius is configured and working for SSIDs Wifi01 and Wifi02.
A guest network with captive portal is also configured and working as expected.
I added the radius user pool policy and the authentication parameter local in the radius server policy for SSID Testcorp.
When I connect to the Testcorp wifi, I get a certificate warning (self-signed certificate of controller) but LDAP authentication is used (found out by trial and error) and not the local user database.
I read this post/how-to's using both LDAP and local radius server, How to configure 802.1x authentication with internal RADIUS on a WiNG controller and How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP but I can't figure out why LDAP and not the local user database is used on SSID Testcorp.
Excerpt of running config
authentication server 1 onboard controller
authentication server 1 onboard self
use wlan-qos-policy Testcorp
use aaa-policy Testcorp_local_radius
use wlan-qos-policy Guest
use captive-portal Guest
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
policy vlan 201
policy ssid Testcorp
policy vlan 200
policy ssid Guest-Wifi
user john-test password 0 testpassword group Testcorp-Users
use radius-user-pool-policy Guest
use radius-user-pool-policy Testcorp-User-Pool
authentication data-source ldap ssid Wifi01 precedence 1
authentication data-source ldap ssid Wifi02 precedence 2
authentication data-source local ssid Guest-Wifi precedence 3
authentication data-source local ssid Testcorp precedence 4
authentication data-source ldap fallback
authentication eap-auth-type peap-mschapv2
ldap-server primary host $IP port 389 login $LDAP_PARAMETERS net-timeout 3
ldap-agent primary domain-name $DOMAIN domain-admin-user $DOMAIN_USER domain-admin-password 0 $PASSWORD
use radius-group GROUP1
use radius-group GROUP2
Anybody has a similar setup working or an idea why it is not working as expected?
Thanks in advance
Best answer by Daren Ellis
Its not supported to have same radius service mapped to both AP and controller (you might have issue).
But we do support local radius with LDAP on either AP or controller.
Something my be wrong with the config somewhere.
I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.