Local radius with LDAP and local users

Ned
New Contributor
Hello Community,

I'm using WING VX controller version 5.9.3.0-018R.

I'm trying to configure a wifi network SSID Testcorp that uses the local radius server with the local user database Testcorp-User-Pool. LDAP authentication with local radius is configured and working for SSIDs Wifi01 and Wifi02.
A guest network with captive portal is also configured and working as expected.

I added the radius user pool policy and the authentication parameter local in the radius server policy for SSID Testcorp.

When I connect to the Testcorp wifi, I get a certificate warning (self-signed certificate of the controller), but LDAP authentication is used (found out by trial and error) and not the local user database.


I read these posts/how-tos on using both LDAP and the local radius server, How to configure 802.1x authentication with internal RADIUS on a WiNG controller and How to configure a WiNG controller for 802.1x authentication with internal RADIUS, using LDAP, but I can't figure out why LDAP and not the local user database is used on SSID Testcorp.

Excerpt of running config
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller

aaa-policy CaptivePortal
authentication server 1 onboard self
wlan Testcorp
description Testcorp
ssid Testcorp
vlan 201
bridging-mode local
encryption-type ccmp
authentication-type eap
no answer-broadcast-probes
use wlan-qos-policy Testcorp
use aaa-policy Testcorp_local_radius

wlan Guest
ssid Guest-Wifi
vlan 200
bridging-mode local
encryption-type none
authentication-type none
no answer-broadcast-probes
no client-client-communication
use wlan-qos-policy Guest
use captive-portal Guest
captive-portal-enforcement
use ip-access-list out BROADCAST-MULTICAST-CONTROL
use mac-access-list out PERMIT-ARP-AND-IPv4
radius-group Testcorp-Users
policy vlan 201
policy ssid Testcorp

radius-group Guest
guest
policy vlan 200
policy ssid Guest-Wifi
radius-user-pool-policy Testcorp-User-Pool
user john-test password 0 testpassword group Testcorp-Users

radius-user-pool-policy Guest
$GUEST_USERS
radius-server-policy RADIUS-Policy
use radius-user-pool-policy Guest
use radius-user-pool-policy Testcorp-User-Pool
authentication data-source ldap ssid Wifi01 precedence 1
authentication data-source ldap ssid Wifi02 precedence 2
authentication data-source local ssid Guest-Wifi precedence 3
authentication data-source local ssid Testcorp precedence 4
authentication data-source ldap fallback
authentication eap-auth-type peap-mschapv2
ldap-server primary host $IP port 389 login $LDAP_PARAMETERS net-timeout 3
ldap-agent primary domain-name $DOMAIN domain-admin-user $DOMAIN_USER domain-admin-password 0 $PASSWORD
use radius-group GROUP1
use radius-group GROUP2
Does anybody have a similar setup working, or an idea why it is not working as expected?

Thanks in advance
Ned
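The rule walk the post is asking about, as an added example in Python (not code from the post, from Extreme, or from WiNG): it parses the `radius-server-policy` and `wlan` lines of the excerpt and reports which data source each SSID would get under a "lowest precedence number first, first SSID match wins, otherwise the `fallback` source" model. That model, the matching of a rule's `ssid` against the wlan's `ssid` value rather than the wlan name, and the lint checks are assumptions for illustration, not documented WiNG behaviour; confirm on the controller with a test client. The `SAMPLE_CONFIG` string is constructed from the post, with the `ldap-server`/`ldap-agent` lines left out because the rule walk does not need them.

```python
"""Walk the `authentication data-source` rules of a WiNG radius-server-policy
per SSID. Added example, not from the post or from WiNG. The evaluation
model (precedence order, first match wins, fallback otherwise) is an
assumption about the config syntax, not verified WiNG behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the wlan and radius-server-policy lines from the post,
# without the ldap-server / ldap-agent lines. SSIDs with spaces are not handled.
SAMPLE_CONFIG = """\
wlan Testcorp
 ssid Testcorp
 vlan 201
 use aaa-policy Testcorp_local_radius
wlan Guest
 ssid Guest-Wifi
 vlan 200
 use captive-portal Guest
radius-server-policy RADIUS-Policy
 use radius-user-pool-policy Guest
 use radius-user-pool-policy Testcorp-User-Pool
 authentication data-source ldap ssid Wifi01 precedence 1
 authentication data-source ldap ssid Wifi02 precedence 2
 authentication data-source local ssid Guest-Wifi precedence 3
 authentication data-source local ssid Testcorp precedence 4
 authentication data-source ldap fallback
 authentication eap-auth-type peap-mschapv2
"""

RULE_RE = re.compile(
    r"^\s*authentication data-source (?P<src>ldap|local) ssid (?P<ssid>\S+) precedence (?P<prec>\d+)\s*$"
)
FALLBACK_RE = re.compile(r"^\s*authentication data-source (?P<src>ldap|local) fallback\s*$")
WLAN_RE = re.compile(r"^wlan (?P<name>\S+)\s*$")
SSID_RE = re.compile(r"^\s+ssid (?P<ssid>\S+)\s*$")


@dataclass(frozen=True)
class Rule:
    precedence: int
    ssid: str
    source: str


@dataclass
class Policy:
    rules: list[Rule] = field(default_factory=list)          # kept sorted by precedence
    fallback: str | None = None
    wlan_ssids: dict[str, str] = field(default_factory=dict)  # wlan name -> broadcast SSID


def parse_config(text: str) -> Policy:
    """Collect wlan SSIDs, data-source rules and the fallback from config text."""
    policy = Policy()
    current_wlan = None
    for line in text.splitlines():
        if m := WLAN_RE.match(line):
            current_wlan = m["name"]
        elif current_wlan and (m := SSID_RE.match(line)):
            policy.wlan_ssids[current_wlan] = m["ssid"]
        elif m := RULE_RE.match(line):
            policy.rules.append(Rule(int(m["prec"]), m["ssid"], m["src"]))
        elif m := FALLBACK_RE.match(line):
            policy.fallback = m["src"]
        elif not line.startswith(" "):
            current_wlan = None  # a new top-level block ends the wlan block
    policy.rules.sort(key=lambda r: r.precedence)
    return policy


def resolve(policy: Policy, ssid: str) -> tuple[str | None, str]:
    """Source the model picks for `ssid`, plus which rule decided it (assumed semantics)."""
    for r in policy.rules:
        if r.ssid == ssid:
            return r.source, f"precedence {r.precedence}"
    if policy.fallback:
        return policy.fallback, "fallback"
    return None, "no matching rule and no fallback"


def lint(policy: Policy) -> list[str]:
    """Checks worth running before blaming rule order for a wrong data source."""
    findings: list[str] = []
    seen_prec: dict[int, str] = {}
    seen_ssid: dict[str, str] = {}
    for r in policy.rules:
        if r.precedence in seen_prec:
            findings.append(f"precedence {r.precedence} used twice: {seen_prec[r.precedence]} and {r.ssid}")
        seen_prec[r.precedence] = r.ssid
        if r.ssid in seen_ssid and seen_ssid[r.ssid] != r.source:
            findings.append(f"ssid {r.ssid} has conflicting rules; model keeps the first ({seen_ssid[r.ssid]})")
        seen_ssid.setdefault(r.ssid, r.source)
    broadcast = set(policy.wlan_ssids.values())
    for r in policy.rules:
        if r.ssid not in broadcast:
            findings.append(f"rule for ssid {r.ssid} matches no wlan in this config excerpt")
    for name, ssid in policy.wlan_ssids.items():
        src, why = resolve(policy, ssid)
        if src is None or why == "fallback":
            findings.append(f"wlan {name} (ssid {ssid}) has no explicit rule: {why}")
    if policy.fallback is None:
        findings.append("no fallback data source; unmatched SSIDs get no source in this model")
    return findings


def summarize(text: str) -> dict[str, tuple[str | None, str]]:
    """Map each wlan's broadcast SSID to (source, reason) under the model."""
    policy = parse_config(text)
    return {ssid: resolve(policy, ssid) for ssid in policy.wlan_ssids.values()}


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    for ssid, (src, why) in summarize(SAMPLE_CONFIG).items():
        print(f"{ssid:12s} -> {src} ({why})")
    for finding in lint(policy):
        print("check:", finding)
```

Under this model the posted policy already sends Testcorp to `local` (precedence 4) and only SSIDs with no rule of their own, such as an Employee SSID, fall through to `ldap`. If the controller still consults LDAP for Testcorp, the rule order is not the explanation, and the next thing to check is which RADIUS instance (AP `onboard self` or controller `onboard controller`) is actually answering the request, which is the point the accepted answer raises.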
1 ACCEPTED SOLUTION

Daren_Ellis
Extreme Employee
Hi Ned,

It's not supported to have the same radius service mapped to both AP and controller (you might have issues).
But we do support local radius with LDAP on either AP or controller.
Something may be wrong with the config somewhere.

I would suggest opening a case with GTAC so we can review the tech-support from the AP and the controller.


Chen
New Contributor
Hi Ned ,

I'm using WING VX9000 version 5.9.4.0-020R, and have a similar setup working as yours.

The client wants front-end authentication using both LDAP and an external radius server.
Authentication with eap-auth-type peap-mschapv2.
And later on in the project, to add captive-portal Guest.
Before on-site testing I created, in a test environment, a local radius server with the local user database.


code:
aaa-policy MedTech_local_radius
authentication server 1 onboard controller
authentication protocol mschapv2

radius-server-policy RADIUS-Policy
use radius-user-pool-policy Med-User-Pool
authentication eap-auth-type peap-mschapv2
authentication data-source ldap ssid Wifi87 precedence 1


Is the correct DEFAULT SOURCE for authentication local or LDAP?
Do I need an LDAP agent?

Would you be able to share the config you have created and working?

Thank you for your advice,
Chen

Ned
New Contributor
Hello Daren,

I think I have this issue:
It's not supported to have the same radius service mapped to both AP and controller.

I'll leave the Guest Wifi auth on the APs and authenticate the Testcorp Wifi with LDAP on the controller.

Thank you very much for your help.

Ned
New Contributor
Hello Daren,

I agree with you that the radius server on the controller is a better solution. But when I change the aaa policy settings from AP based

code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard self

back to controller based
code:
aaa-policy Testcorp_local_radius
authentication server 1 onboard controller


I'm back to the point where I started. The radius server runs on the controller but does LDAP auth instead of local authentication.

If you could confirm this problem is related to having LDAP auth with local radius (Wifi01 and Wifi02) and local authentication on the controller (Testcorp), I could authenticate Wifi01 and Wifi02 on an external radius server (like the SSID Employee) and use the local radius on the controller exclusively for SSID Testcorp.

Is it a supported setup to have local authentication on AP (onboard self) and local auth on controller (onboard controller) at the same time for different SSIDs?