topic Re: WLC Called-Station-ID (Radius Authentication and Accounting Config) in Network Access Control

WLC Called-Station-ID (Radius Authentication and Accounting Config)

Tymofii Dmytrenko — Wed, 08 Aug 2018 13:37:20 GMT

Hello

I am currently trying to understand the effect of Called-Station-ID configuration on Cisco ISE infrastructure. I have noticed that some of our anchor WLCs are configured with IP Address as Called-Station-ID for both Authentication and Accounting and this forces Cisco ISE to display Endpoints using IP addresses, rather than MAC addresses (even though in my understanding Called-Station-ID should only affect NAD, while Calling-Station-ID refers to endpoint?).

Before I'll change it, I'd like to understand what is current RECOMMENDED way to configure Authentication and Accounting with regards to Called-Station-Id. I have noticed that default setting is AP MAC:SSID for Authentication, but System MAC for Accounting. Can anyone explain why is this inconsistency? Doesn't this affect accounting or Radius session if different?

Also, there are loads of options, such as

IP Address
AP MAC
AP MAC:SSID
AP Name:SSID
AP Name
AP Group
Flex Group
AP Location
Vlan ID
AP Eth MAC
AP Eth MAC:SSID
AP Label Address
AP Label Address:SSID

What is practical use for all these different configuration options?

Has anyone had to use something other than default 'AP MAC:SSID'?

When and Why please (what have you tried to achieve)?

Many thanks!

Re: Called-Station-ID Radius Authentication and Accounting on Foreign and Anchor WLCs

paul — Wed, 08 Aug 2018 12:33:28 GMT

I wouldn't think called station ID shouldn't affect how ISE displays the information for the MAC address in Context Visibility. The only modification I make to the called station ID is for authentication and I have my customers change it to AP Name:SSID. Then I can use Called Station ID in two ways:

Use the "Ends With" condition to grab the SSID name and use it as the admission criteria to my policy sets for wireless. That allows me to have unique policy sets for each SSID.
Use string matches on the AP name to know what site the user is connecting at to allow a SSID to behave different at one location vs. another.

Re: Called-Station-ID Radius Authentication and Accounting on Foreign and Anchor WLCs

Tymofii Dmytrenko — Wed, 08 Aug 2018 12:55:25 GMT

Thanks for this one! Does it mean you have a long list of AuthZ rules in your environment to support different behavior in different locations? Also, does it mean your hostnames (at least APs) have distinct location string encoded?

In our environment we rely on SSID ID instead (Airespace:Airespace-Wlan-Id). All our SSIDs are configured in a consistent fashion across the board. But, yeah... I would agree that matching SSID by name is more flexible.

Re: Called-Station-ID Radius Authentication and Accounting on Foreign and Anchor WLCs

paul — Wed, 08 Aug 2018 14:02:23 GMT

If you want to treat clients differently at different location based on the AP name your APs would have to have a consistent naming convention with a location code embedded in the name. I have really only used this on one customer case. They wanted their guest wireless users to be treated differently at their remote sites vs. the main office. You would have different Authz rules based on AP name in that case. I have used WLAN ID in the past, but as you pointed out that requires you to have consistent WLAN IDs across all your controllers. The SSID name is consistent by default.

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Tymofii Dmytrenko — Wed, 08 Aug 2018 22:25:44 GMT

Can anyone from Cisco to comment? In particular, why by default Authentication is set to AP MAC:SSID, but Accounting is using System MAC? Shouldn't these two be configured identically? What's the impact on logging/accounting or session handling if these two things are configured differently / separately?

Regards

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Nidhi — Fri, 10 Aug 2018 09:08:37 GMT

By default Authentication is set to AP MAC:SSID, But you can change it to use any other attribute . It depends on how the customer would want to authenticate the endpoint.

In ISE, MAC-Address is the unique identifier for the endpoint. Hence session handling or accounting is on MAC address / session id . There is no impact on the logs

Thanks,

Nidhi

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Tymofii Dmytrenko — Fri, 10 Aug 2018 12:33:58 GMT

Thanks @Nidhi. Could you please explain why Accounting's default value is System MAC (which is WLC's MAC address), rather than AP MAC:SSID (Authentication's config). Wouldn't it be better to have both set to identical config? Any ipmpact at all? Does it only affects Accounting logging and nothing else?

Thanks

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

paul — Fri, 10 Aug 2018 12:58:18 GMT

The fields you are asking about have no impact on ISE. If you want to use the field then use them, but ISE doesn't use them for critical operations. If you want to know the logic why Authentication is different than Accounting engage the Cisco Wireless team and find out their logic. The settings you are seeing are the default setting on the WLC. Like I said I usually change authentication to AP Name:SSID because I want to use that data in that field in my rules.

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Jason Kunst — Fri, 10 Aug 2018 13:06:19 GMT

Correct

Also recommend looking at

https://community.cisco.com/t5/security-documents/top-six-important-cisco-wlc-settings-for-ise-integration/ta-p/3643795

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Tymofii Dmytrenko — Fri, 10 Aug 2018 13:16:23 GMT

@Jason Kunst thanks for these! I will have a read now.

@paul thanks a lot!

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Tymofii Dmytrenko — Fri, 10 Aug 2018 13:24:46 GMT

@Jason Kunst

One more question if you don't mind. As I mentioned in my original post. When Radius Authentication on WLC is set to IP Address it also affects Calling-Station-ID which is displayed as IP address and not MAC of endpoint on anchor WLC.

Is it by design or bug behavior? I didn't expect Called Station ID to affect Calling Station ID behavior.

Regards

Re: WLC Called-Station-ID (Radius Authentication and Accounting Config)

Jason Kunst — Fri, 10 Aug 2018 13:35:19 GMT

As Paul mentioned you would have to reach out to the wireless team to get specific answers on that product line