ACS5.2 with Radius to RSA token server

Similar Messages

• ACS 4.0 and RSA Token Server problem

  Hi,
  We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
  Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
  I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
  When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
  After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
  Any help or advice appreciated.
  Thanks

  Hi,
  The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
  Following link talks about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
  Regards,
  ~JG

• AAA Authorization with RADIUS and RSA SecurID Authentication Manager

  Hi there.
  I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS
  I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
  #aaa new-model
  #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
  #aaa authentication login default group radius enable
  #aaa authorization exec default group radius local
  I have also tried
  #aaa authorization exec default group radius if-authenticated local
  I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID

  I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
  I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
  The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

• 802.1x ACS RSA Secure ID/Safeword Token server

  Hello, We are trying to impliment wireless scurity in our network. We want to issue badges with attached tokens so clients can come into our office and login to our wireless network, They would then be prompted for their login and password which would be their Badge ID an their token credentials.
  We are using an airespace wireless security device, We specify ACS as the 802.1x radius server. Airespace is sending the requests to ACS just fine but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the airespace wireless security device. The log below reflects this.
  We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA servers as our Radius Token Server, Set the unknown user DB to that Server and test auth, We are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XPSP1, as we would hate to have to install software on every clients laptop.
  A wireless client of ours DID work when we specified EAP-GTC on the client side, But it will never work when we specify PEAP on the client side, We never seem to see communications from ACS to our Safeword token server regardless of what we do(including the successful EAP-GTC login). Our radius strings are correct etc. Safeword is listening on 1812, But also has protols EASSP-1/2 listening on ports we have set manually(are these relevant to our needs?)
  The failed attempts log show "External DB Auth Failed"
  Here is a snip of the CSRadius/RDS.log when we try to auth, when we sniff traffic we see the eap request and the radius reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way please do. Thank you all in advance.
  Cisco RDS log attached.

  The problem could be with your Secure ID RSA server.

• Router login with RSA token

  Is there any way to secure the logining process of a router using RSA token?
  And how to do that.
  Thank you!
  Regards.

  You can set the router to authenticate with TACACS or with Radius and then set up the authentication server to use RSA server as the authentication processor (an external authentication to the TACACS or Radius server).
  So the configuration of the router is pretty straightforward:
  aaa authentication login default group tacacs+ line
  aaa authentication enable default group tacacs+ enable
  The more unusual part is the configuration of the TACACS server to send authentication requests to RSA.
  HTH
  Rick

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• ISE Admin Access Authentication to RADIUS Token Server

  Hi all!
  I want to use an External  RADIUS Token Server for ISE Admin Access Authentication and Authorization.
  Authentication works, but how do I map the users  to Admin Groups? Is there a way  to map a returned RADIUS Attribute  (IETF "Class" or Cisco-AVPair "CiscoSecure-Group-Id") to an Admin Group?
  Thanks in advance,
  Michael Langerreiter

  ISE 1.3 does have an bug: Authentication failed due to zero RBAC Groups.
  Cisco Bug: CSCur76447 - External Admin access fails with shadow user & Radius token
  Last Modified
  Nov 25, 2014
  Product
  Cisco Identity Services Engine (ISE) 3300 Series Appliances
  Known Affected Releases
  1.3(0.876)
  Description (partial)
  Symptom:
  ISE 1.3 RBAC fails with shadow user & Radius token
  Operations > Reports > Deployment Status > Administrator Logins report shows
  Authentication failed due to zero RBAC Groups
  Conditions:
  RBAC with shadow user & Radius token
  View Bug Details in Bug Search Tool
  Why Is Login Required?
  Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.
  Bug Details Include
  Full Description (including symptoms, conditions and workarounds)
  Status
  Severity
  Known Fixed Releases
  Related Community Discussions
  Number of Related Support Cases
  Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.

• SSLVPN with RSA TOKEN

  Hi
  Does the firewall support ssl vpn with RSA token concept with below mentioned license
  Current remote acesss vpn is configured .If yes what are the changed reguired?
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled
  VPN-3DES-AES                   : Enabled
  Security Contexts              : 2
  GTP/GPRS                       : Disabled
  SSL VPN Peers                  : 2
  Total VPN Peers                : 750
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled
  AnyConnect for Cisco VPN Phone : Disabled
  AnyConnect Essentials          : Disabled
  Advanced Endpoint Assessment   : Disabled
  UC Phone Proxy Sessions        : 2
  Total UC Proxy Sessions        : 2
  Botnet Traffic Filter          : Disabled

  according to me, you will need a AAA server to communicate with the RSA key server. like below:
  Cisco ASA ---> ACS ---> RSA Server
  the license is fine.
  this is the guide for setup   http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf

• ACS 4.2 RDBMS Action 105/108 - How to set to something other than default "RADIUS Token Server"

  I'm trying to create an import script for RDBMS to import users, but cannot figure out how to set the "PASS_TYPE_RADIUS_TOKEN" to something other than the default of "RADIUS Token Server".  We have multiple RADIUS Token Server definitions.
  I can create a user with what I need, except external db password is set to "RADIUS Token Server".  How do I set it to (for example) something like "RADIUS Token Server - xxxx"
  We have more than 1 RADIUS Token Server definition called "RADIUS Token Server - xxxx", "RADIUS Token Server - yyyy". 
  Thanks!

  As per my knowledge you have to update 4.2 ACS to
  5.1, because when you go for RDBMS synchronization it wont allow you, I have faced problem in past while primary ACS was 4.1 and secondary I have 4.2, I have updated primary ACS to 4.2 and everything is working fine.

• RSA token with Pix

  I have a Pix 525 running 7.02 OS using the 5.0 VPN client. I'm trying to configure this to use RSA tokens to authenticate. I added the following lines to my Pix config:
  aaa-server <group name> protocol sdi
  reactivation-mode timed
  aaa-server <group name> host 172.16.180.X
  retry-interval 3
  timeout 13
  aaa-server <group name> protocol sdi
  reactivation-mode timed
  aaa-server <group name> host 172.16.180.105
  retry-interval 3
  timeout 13
  Where do I put in the shared secret that the RSA server uses? I know we put one in there, it's actually a version of RADIUS but I don't know where to put it for the Pix.
  Thanks

  If you're doing it via SDI the two devices will negotiate the shared secret. Only if you're doing Radius do you need to create one manually, based on RSA documents.

• Unsucessful ACS to RADIUS token server exchange

  Hello team:
  We are getting a hard time in trying to make our ACS 4.2 talk to an external FreeRadius token server.
  When our ACS sends the Access-Request message, our FreeRadius token server answers with an Access-Accept message with zero atributes on the message. This answer, according to ACS documentation, should be perfectly accepted by ACS when it works as a RADIUS client. However, our ACS considers this answer as an error and so the transaction fails.
  In order to compare with another platform working of radius server of our , we replaced our FreeRadius token server by another CS ACS. With this scenario, everything works! So we sniffed the ACS to ACS transaction and found that two RADIUS attributes are sent with the Access-Accept message:
  (1) Framed-IP = 255.255.255.255
  (2) Class = 0x434143533a302f356662622f37663030303030312f31383133
  We got back to our FreeRadius as the external RADIUS server of our ACS, and managed it to generate and return exactly the previous kind of message to the ACS working as radius client, however when our ACS receives the RADIUS Access-Accept with these attributes, it still rejects the answer and fails.
  So we are missing something.
  ¿Did anyone manage to make ACS query an external RADIUS server with success? We would appreciate any hints!!
  thank you very much in advance
  Rogelio Alvez
  Argentina

  Thanks for the interest Tarik!
  Here you have the debug from both sides ACS 4.2 and Freeradius in the same authentication event:
  ACS Debug from a terminal monitor
  2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='(undef)')
  2w1d: AAA/AUTHEN (4096347873): status = GETUSER
  2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
  2w1d: AAA/AUTHEN (4096347873): status = GETPASS
  2w1d: AAA/AUTHEN/CONT (4096347873): continue_login (user='camara/829113')
  2w1d: AAA/AUTHEN (4096347873): status = GETPASS
  2w1d: AAA/AUTHEN (4096347873): Method=radius (radius)
  2w1d: RADIUS: ustruct sharecount=1
  2w1d: RADIUS: Initial Transmit tty7 id 175 192.168.0.3:1645, Access-Request, len 86
  2w1d:         Attribute 4 6 C0A800CB
  2w1d:         Attribute 5 6 00000007
  2w1d:         Attribute 61 6 00000005
  2w1d:         Attribute 1 15 63616D61
  2w1d:         Attribute 31 15 3139322E
  2w1d:         Attribute 2 18 893A4B64
  2w1d: RADIUS: Received from id 175 192.168.0.3:1645, Access-Reject, len 32
  2w1d:         Attribute 18 12 52656A65
  2w1d: RADIUS: saved authorization data for user 80E8A88C at 0
  2w1d: AAA/AUTHEN (4096347873): status = FAIL
  2w1d: AAA/AUTHEN/ABORT: (4096347873) because Invalid password.
  2w1d: AAA/MEMORY: free_user (0x80E8A88C) user='camara/829113' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
  2w1d: AAA: parse name=tty7 idb type=-1 tty=-1
  2w1d: AAA: name=tty7 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=7 channel=0
  2w1d: AAA/MEMORY: create_user (0x80E8B920) user='' ruser='' port='tty7' rem_addr='192.168.0.202' authen_type=ASCII service=LOGIN priv=1
  2w1d: AAA/AUTHEN/START (2072451976): port='tty7' list='pepe' action=LOGIN service=LOGIN
  2w1d: AAA/AUTHEN/START (2072451976): found list pepe
  2w1d: AAA/AUTHEN/START (2072451976): Method=radius (radius)
  2w1d: AAA/AUTHEN (2072451976): status = GETUSER
  Freeradius Debug
  rad_recv: Access-Request packet from host 192.168.0.3 port 3912, id=23, length=94
      User-Name = "camara/829113"
      NAS-IP-Address = 192.168.0.3
      NAS-Port = 6372
      NAS-Identifier = "CiscoSecure ACS v4.2(0.124)"
      User-Password = "\277\241\340t\312/\2303^;\216\233\3618\2179"
  # Executing section authorize from file /etc/freeradius/sites-enabled/vuserver
  +- entering group authorize {...}
  ++[preprocess] returns ok
  [auth_log]     expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
  [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.3/auth-detail-20120714
  [auth_log]     expand: %t -> Sat Jul 14 18:42:32 2012
  ++[auth_log] returns ok
  [IPASS] Looking up realm "camara" for User-Name = "camara/829113"
  [IPASS] Found realm "DEFAULT"
  [IPASS] Adding Stripped-User-Name = "829113"
  [IPASS] Adding Realm = "DEFAULT"
  [IPASS] Authentication realm is LOCAL.
  ++[IPASS] returns ok
  [suffix] Request already proxied.  Ignoring.
  ++[suffix] returns ok
  ++[files] returns noop
  ++[control] returns noop
  rlm_perl: Response: 201: Succeeded
  rlm_perl: Added pair User-Name = camara/829113
  rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
  rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
  rlm_perl: Added pair Realm = DEFAULT
  rlm_perl: Added pair Stripped-User-Name = 829113
  rlm_perl: Added pair NAS-Port = 6372
  rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
  rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
  rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
  rlm_perl: Added pair Auth-Type = Perl
  ++[perl] returns ok
  ++[expiration] returns noop
  ++[logintime] returns noop
  Found Auth-Type = Perl
  # Executing group from file /etc/freeradius/sites-enabled/vuserver
  +- entering group Perl {...}
  rlm_perl: Added pair User-Name = camara/829113
  rlm_perl: Added pair NAS-Identifier = CiscoSecure ACS v4.2(0.124)
  rlm_perl: Added pair User-Password = \277\241\340t\312/\2303^;\216\233\3618\2179
  rlm_perl: Added pair Realm = DEFAULT
  rlm_perl: Added pair NAS-IP-Address = 192.168.0.3
  rlm_perl: Added pair NAS-Port = 6372
  rlm_perl: Added pair Stripped-User-Name = 829113
  rlm_perl: Added pair Framed-IP-Address = 255.255.255.255
  rlm_perl: Added pair Class = 0x434143533a302f3265662f37663030303030312f31383133
  rlm_perl: Added pair Auth-Type = Perl
  ++[perl] returns ok
    WARNING: Empty post-auth section.  Using default return values.
  # Executing section post-auth from file /etc/freeradius/sites-enabled/vuserver
  Sending Access-Accept of id 23 to 192.168.0.3 port 3912
      Framed-IP-Address = 255.255.255.255
      Class = 0x434143533a302f3265662f37663030303030312f31383133
  Finished request 3.
  Going to the next request
  Waking up in 4.9 seconds.
  Cleaning up request 3 ID 23 with timestamp +575
  Ready to process requests.
  Inside the file archive.zip you`ll find
  cap_freeradius.cap (communication sniffed between the ACS and the Freeradius)
  captura2acsOK.pcapng (communication sniffed between the ACS 1 and the ACS 2 where everything its ok)
  If you need more information or output please let me know.
  Rogelio

• How to configure AD and Token server (over radius) authentication

  Dear forum,
  I have a scenario where users should be allowed network access after their have given their AD credentials and a token (Blackshield Token server).
  The token server speaks over radius to the cisco ACS appliance. I have managed to get users authenticated by means of their AD credentials. I am how ever not able to use both means in order to have a successfull authentication.
  Does anyone have a configuration example for this scenario? Any help would be greatly appreciated.
  Thanks!!!

  Hi,
  I have had two deployments using this form of authentication.
  Just so we are on the same page, the token servers that I have integrated connect to an Active Directory server running NPS (MS radius), then the user will have to send their password+token and the token software will check the account password, and then the token to see if the users succeeds.
  Let me know if that is the design of your software. If it is, then all you need to do is configure the token software to run on radius and then set the policies up from there. From the network device standpoint it just needs to point to the radius server.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco PI 1.3 - Internal Server Error with RADIUS-authentication

  Hi,
  I have a problem with a Cisco Prime Infrastructure 1.3 (Appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS-server.
  From the RADIUS-server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
  I'm not the one managing the RADIUS-server but I got the following debug sent from them:
  Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
  *** Received from 10.36.0.132 port 17235 ....
  Code:       Access-Request
  Identifier: 102
  Authentic:  REMOVED
  Attributes:
          User-Name = "test-user"
          User-Password = REMOVED
          NAS-IP-Address = 10.36.0.132
          Message-Authenticator = REMOVED
  Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
  Wed Oct 30 08:52:06 2013: DEBUG:  Deleting session for test-user, 10.36.0.132,
  Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
  Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
  Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
  Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
  Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
  *** Sending to 10.36.0.132 port 17235 ....
  Code:       Access-Accept
  Identifier: 102
  Authentic:  REMOVED
  Attributes:
          cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
          cisco-avpair = "NCS:role0=Admin"
          cisco-avpair = "NCS:task0=View Alerts and Events"
          cisco-avpair = "NCS:task1=Device Reports"
  ..the rest of the AV-pairs removed
  Does anyone have any idea on what the the problem is, or some tips on how to troubleshoot? (rebooting and ncs stop/start has no impact on the issue)
  //Charlie

  I ran into a similar issue this morning in my lab.  After I issued ncs status - the database service came back as not running.  I stop/started the Prime services and it came up.  Once all the services were running my WLC imported with no issues.  I also deployed another server for another lab and it had issues with the clocking being out of sync. 

• NAC guest server with RADIUS authentication for guests issue.

  Hi all,
  We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
  The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
  https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
  -----START QUOTE-----
  Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
  •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
  •Self Service—This option allows guest self service. After selection proceed to Step 8.
  •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
  ----- END QUOTE-----
  Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
  Regards
  Kevin Woodhouse

  Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
  Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

• 3850 switch configure with radius server

  wifi useres authenticate with radius server configure required
  Posted by WebUser Raja Sekhar from Cisco Support Community App

  Kindly check the following links for configuring 802.1x
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_0101.html
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html