My blog; no-one else's

Month: May 2021

Cisco WLC, MAC authentication and Passthrough WebAuth

Cisco WLCs do not support Passthrough WebAuth as the fallback when MAC authentication fails (the "On MAC Filter failure" option only works with web authentication), but it is easy to work around this by making a web-authentication page behave like a passthrough page, as follows.

The first step is to create a dummy account that the web form will silently submit when the user clicks accept. Create it wherever your authentication happens (on the RADIUS server or in the WLC's local user database). Because its credentials are embedded in the login page served to every client, give the account no access beyond this WLAN and do not reuse the password anywhere else.

The second step is to modify the passthrough HTML file (login.html, for example) to include a hidden <div> that contains the dummy user’s login details:

<!-- Hidden from the user, but inputs inside a display:none element are still submitted with the form -->
<div id="hiddenForm" style="display: none;">
<h4 align=center><font color="#000000">Username<input type="TEXT" name="username" SIZE="25" MAXLENGTH="63" VALUE="webauthdummy"></font></h4>
<h4 align=center><font color="#000000">Password<input type="Password" name="password" SIZE="25" MAXLENGTH="63" VALUE="webauthdummy"></font></h4>
</div>

Just make sure the above is within the <form> block, otherwise the hidden fields are not sent when the form is submitted. The above can be simplified; I got lazy and just modified Cisco’s webauth examples.

<h4 align=center><font size="5" color="#000000"><input type="button" name="Submit" value="ACCEPT" class="button" onclick="submitAction();"></h4></font><p></p>

As above, I also modified the submit button slightly to say “ACCEPT” as the passthrough form does.

And that’s it. You can now enable “On MAC Filter failure” under the WLAN's Layer 3 Web Policy security setting: clients that fail MAC authentication are shown the modified page, and pressing ACCEPT logs them in with the dummy account while the page looks and behaves like a passthrough page.

FreeRADIUS, MySQL and Cisco WLC AAA Override

Here’s how to get AAA Override (dynamic VLAN assignment) working on a Cisco WLC using FreeRADIUS backed by MySQL:

  • Enable AAA Override on the WLAN on the WLC
  • Create a Dynamic Interface on the WLC with the target VLAN ID and an IP address
  • Add the following rows to the radreply MySQL table (one set of three per username):

  id | username | attribute               | op | value
  n  | username | Tunnel-Type             | =  | VLAN
  n  | username | Tunnel-Medium-Type      | =  | IEEE-802
  n  | username | Tunnel-Private-Group-Id | =  | vlanId

radreply table

When user username authenticates, the WLC (the NAS) receives these three attributes in the RADIUS Access-Accept and places the client on the dynamic interface whose VLAN ID matches Tunnel-Private-Group-Id. All three attributes must be returned together; the VLAN ID alone is not acted on.
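As an added example (not from the original post), here are the MySQL statements that produce the radreply rows above against FreeRADIUS's stock mysql schema, together with the radcheck row that makes the user authenticate in the first place. The dummy WebAuth account from the first post is created the same way, needing only the radcheck row. The username alice, the password changeme, the VLAN ID 20 and the assumption that the WLC has a Dynamic Interface configured for VLAN 20 are all placeholders chosen for this example.

```sql
-- Added example, not the post's own code. Assumes the default radcheck and
-- radreply tables from FreeRADIUS's mysql schema and a WLC Dynamic Interface
-- with VLAN ID 20. 'alice', 'changeme' and '20' are placeholders.

-- 1. The credential check (radcheck). Cleartext-Password uses the ':=' (set)
--    operator; FreeRADIUS also accepts hashed forms such as Crypt-Password.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Cleartext-Password', ':=', 'changeme');

-- 2. The reply attributes (radreply) the WLC acts on for AAA Override.
--    The WLC needs all three; Tunnel-Private-Group-Id on its own is ignored.
--    FreeRADIUS resolves the names: VLAN = 13, IEEE-802 = 6.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('alice', 'Tunnel-Type',             '=', 'VLAN'),
  ('alice', 'Tunnel-Medium-Type',      '=', 'IEEE-802'),
  ('alice', 'Tunnel-Private-Group-Id', '=', '20');   -- VLAN ID, sent as a string

-- 3. Check what will be returned for the user, in the order FreeRADIUS
--    reads the rows (by id).
SELECT id, username, attribute, op, value
  FROM radreply
 WHERE username = 'alice'
 ORDER BY id;
```

Confirm the result end to end rather than trusting the rows: run radtest for the user against the FreeRADIUS server and check that the Access-Accept carries the three Tunnel-* attributes, then on the WLC use `show client detail <client MAC>` after the client connects and check that the reported VLAN is 20. If the client lands on the WLAN's default interface instead, the usual causes are AAA Override not enabled on the WLAN, no Dynamic Interface with a matching VLAN ID, or one of the three attributes missing from the reply.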

© 2024 Scott's Blog
