802.1X Configuration of Cisco Wireless Equipment

Wireless LAN Controller 440x

I do not recall any significant changes from previous versions of the software (4.x is all I have used) from an 802.1X or RADIUS perspective, so you can consider these generic instructions, but you should be aware that I have written them based on version 4.2.61.0. If something does not seem to work and you are running an alternative version, I might have missed something :)

There is no MAC-based authentication approach available via the wireless controller, and to be honest I would recommend against it even if there was a possibility.

Really the only quirk is that the RADIUS accounting packets do not contain the VLAN name, so you have to build it manually for logging purposes. This means you have to slip the following into your FreeRADIUS 'hints' file:

# pesky WLC does not set the NAS-Port-Type :-/
DEFAULT NAS-IP-Address == w.x.y.z, Called-Station-Id =~ "^(.+):(.+)$"
        NAS-Port-Type = Wireless-802.11,
        Called-Station-Id := "%{1}",
        NAS-Port-Id = "%{2}"
# the goddamn WLC does not include the SSID in the Accounting packets but it
# does for the Authentication so we do the following to tidy up
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id == 1
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "NAME1"
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id == 2
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "NAME2"
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id == 7
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "NAME7"
DEFAULT NAS-IP-Address == w.x.y.z, Acct-Status-Type =* ANY, Airespace-Wlan-Id =* ANY
        NAS-Port-Type = Wireless-802.11,
        NAS-Port-Id = "UNKNOWN SSID ID: %{Airespace-Wlan-Id}"

In the above example, 'w.x.y.z' is the IP address of your controller, and NAME1, NAME2 and NAME7 are the names associated with the WLAN IDs you have configured on your controller.
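
To see what these entries do to each packet type before relying on them for logging, the following added example (not part of the original page and not FreeRADIUS code) models the hints logic in Python. It assumes the usual users-file operator meanings ('=' adds only if the attribute is absent, ':=' overwrites) and first-match-wins ordering; the controller address 192.0.2.10 and the sample packets are constructed.

```python
import re

CONTROLLER = "192.0.2.10"           # constructed stand-in for w.x.y.z
WLAN_NAMES = {1: "NAME1", 2: "NAME2", 7: "NAME7"}   # WLAN ID -> SSID, as on the page
SPLIT = re.compile(r"^(.+):(.+)$")  # same pattern as the first hints entry


def set_if_absent(pkt, attr, value):
    """Model of the '=' operator: only add the attribute if it is missing."""
    pkt.setdefault(attr, value)


def apply_hints(request):
    """Return a copy of `request` normalised the way the hints entries would.

    The first matching entry wins (no Fall-Through), mirroring the file order.
    """
    pkt = dict(request)
    if pkt.get("NAS-IP-Address") != CONTROLLER:
        return pkt                          # not from the controller: untouched

    m = SPLIT.match(pkt.get("Called-Station-Id", ""))
    if m:                                   # entry 1: "<AP MAC>:<SSID>"
        set_if_absent(pkt, "NAS-Port-Type", "Wireless-802.11")
        pkt["Called-Station-Id"] = m.group(1)       # ':=' overwrites
        set_if_absent(pkt, "NAS-Port-Id", m.group(2))
        return pkt

    if "Acct-Status-Type" in pkt and "Airespace-Wlan-Id" in pkt:
        wlan_id = pkt["Airespace-Wlan-Id"]  # remaining entries: accounting packets
        name = WLAN_NAMES.get(wlan_id, f"UNKNOWN SSID ID: {wlan_id}")
        set_if_absent(pkt, "NAS-Port-Type", "Wireless-802.11")
        set_if_absent(pkt, "NAS-Port-Id", name)
    return pkt


# Constructed sample packets (attribute values are illustrative only).
AUTH = {"NAS-IP-Address": CONTROLLER,
        "Called-Station-Id": "00-11-22-aa-bb-cc:NAME1"}
ACCT = {"NAS-IP-Address": CONTROLLER, "Acct-Status-Type": "Start",
        "Called-Station-Id": "00-11-22-aa-bb-cc", "Airespace-Wlan-Id": 7}
ACCT_NEW = dict(ACCT, **{"Airespace-Wlan-Id": 9})   # WLAN not yet in the mapping

if __name__ == "__main__":
    for sample in (AUTH, ACCT, ACCT_NEW):
        print(apply_hints(sample))
```

A NAS-Port-Id starting with "UNKNOWN SSID ID:" in the accounting log means the controller has a WLAN that the hints file does not yet map.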