Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WLC] Example Configuration - Mac (Local) and Dot1x (Radius) authentication

0

0

Article ID: KB31170 KB Last Updated: 28 Nov 2017Version: 1.0
Summary:

 This article provides an example configuration for Mac (Local) and Dot1x (Radius) authentication on WLC controller.

Solution:
  1. Create a service-profile for your access, and configure the auth-fallthru as none for the authentication mode.
    Note: By default, auth-fallthru will be set to “none”.

    WLC# set service-profile <service-profile name> ssid-name <ssid-name>
    WLC# set service-profile <service-profile name> auth-fallthru <none>
    WLC# set service-profile <service-profile name> rsn-ie cipher-ccmp enable
    WLC# set service-profile <service-profile name> rsn-ie enable
    WLC# set service-profile <service-profile name> attr vlan-name <vlan-name>

  2. Create a radio-profile, then associate service-profile to radio-profile. Associate the radio-profile to radios of the AP’s.

  3. Configure external RADIUS server on WLC by using the following command:

    WLC# set radius server <radius server name> address <IP-address> key <shared secret key> deadtime <0> timeout <5>
  4. Configure AAA profile for Mac (Local) + Dot1x (Radius)

    WLC# set aaa-profile <aaa-profile name>
    WLC# set aaa-profile <aaa-profile name> mac local
    WLC# set aaa-profile <aaa-profile name> dot1x pass-through <Radius Server Group Name>


    Note: You can configure dot1x as pass-through or peap-mschapv2
  5. Configure an authentication rule for the SSID against the aaa-profile:

    WLC# Set authentication profile ssid <ssid-name> <aaa-profile name>
  6. Configure Mac-User Group and map the individual mac users to the Mac-User Group as follows:

    WLC# Set mac-usergroup <mac-usergroup name> attr vlan-name <VLAN-Name>
    WLC# Set mac-usergroup <mac-usergroup name> attr ssid-name <ssid-name>
    WLC# Set mac-user <mac-address> group <mac-usergroup name>
    WLC# Set mac-user <mac-address> attr vlan-name <VLAN-Name>


    Note: Please mention the existing dot1x ssid name in the above highlighted <ssid-name>.
  7. Now connect to a device whose mac-address got mapped to mac-usergroup on WLC controller.

Verification

Connect a client which is allowed in the Mac user group. Please find the “show sessions” output.

WLC# show sessions
1 sessions total
User Name SessID Type Address VLAN AP/Rdo
--------- ------ ---- ------- ---- -------
test 44 * prof 10.9.221.231,V6 default 1/1
 

Note: The above user “test” is created in the Windows 2008 Radius server. You can also create the user locally on the Controller.

For Dot1x users, create Local Configuration on the controller:

set user <user-name> password <password>
set user <user-name> attr ssid <ssid-name>
set user <user-name> attr vlan <vlan-name>

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search