topic Re: Multiple Radius Requests in Network Access Control

Multiple Radius Requests

tombstone1 — Mon, 22 Jul 2024 19:14:10 GMT

Hey everyone,

I am setting up a Radius (NPS) server, using MAC address authentication on my WLC 5508. The problem I am having is it is not allowing access. I get the following two events on my NPS.

Event 1:

Network Policy Server granted access to a user.
User:
Security ID: Domain\60452e38fb8a
Account Name: 60452e38fb8a
Account Domain: Domain
Fully Qualified Account Name: Domain\60452e38fb8a
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10f3119946a0
Calling Station Identifier: 60452e38fb8a
NAS:
NAS IPv4 Address: 10.x.x.12
NAS IPv6 Address: -
NAS Identifier: 2504
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: WLC
Client IP Address: 10.x.x.12
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Mac Bypass
Authentication Provider: Windows
Authentication Server: SERVER2.Tombstone.k12.az.us
Authentication Type: PAP
EAP Type: -
Account Session Identifier: 36363936383065662F36303A34353A32653A33383A66623A38612F32373134
Logging Results: Accounting information was written to the local log file.

Event 2:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/LP-14279
Account Domain: Domain
Fully Qualified Account Name: Domain\host/LP-14279
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10f3119946a0
Calling Station Identifier: 60452e38fb8a
NAS:
NAS IPv4 Address: 10.x.x.12
NAS IPv6 Address: -
NAS Identifier: 2504
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: WLC
Client IP Address: 10.x.x.12
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: SERVER2.Tombstone.k12.az.us
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 36363936383065662F36303A34353A32653A33383A66623A38612F32373134
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.

The first event authenticates and grants access, and then seconds later the 2nd event denies access. I want the 1st event not the 2nd. It seems the "AP" is sending two requests. One with the MAC, like I want, and the second with the hostname. How can I stop this from happening?

Re: Multiple Radius Requests

Arne Bier — Mon, 22 Jul 2024 20:22:25 GMT

Looks like your WLAN SSID is an Enterprise one, and has the NPS as the RADIUS server. The client in this case, appears to be configured with an 802.1X supplicant and you must disable that to prevent the client from sending those EAP frames to the network.

What does your WLAN config look like for that SSID?

What type of client is connecting and what does its config look like?

Re: Multiple Radius Requests

tombstone1 — Mon, 22 Jul 2024 20:36:25 GMT

Arne,

Yes, it is an Enterprise WLAN ID, the NPS is the RADIUS configured on the WLAN. The Device is a laptop which is the Supplicant. It is connecting through the WLC to the RADIUS.

I followed this thread Solved: switch startup mode - Cisco Community to setup my WLAN.

WLAN Identifier.................................. 6 Profile Name..................................... TEST-Mac-Filter Network Name (SSID).............................. Test Status........................................... Enabled MAC Filtering.................................... Enabled Broadcast SSID................................... Enabled AAA Policy Override.............................. Disabled Network Admission Control Client Profiling Status Radius Profiling ............................ Enabled DHCP ....................................... Enabled HTTP ....................................... Enabled Local Profiling ............................. Disabled DHCP ....................................... Disabled HTTP ....................................... Disabled Radius-NAC State............................... Disabled SNMP-NAC State................................. Disabled Quarantine VLAN................................ 0 Maximum Clients Allowed.......................... Unlimited Maximum number of Clients per AP Radio........... 200 --More-- or (q)uit ATF Policy....................................... 0 Number of Active Clients......................... 0 Exclusionlist Timeout............................ 60 seconds Session Timeout.................................. 1800 seconds User Idle Timeout................................ Disabled Sleep Client..................................... disable Sleep Client Timeout............................. 720 minutes User Idle Threshold.............................. 0 Bytes NAS-identifier................................... 2504 CHD per WLAN..................................... Enabled Webauth DHCP exclusion........................... Disabled Interface........................................ management Multicast Interface.............................. Not Configured WLAN IPv4 ACL.................................... unconfigured WLAN IPv6 ACL.................................... unconfigured WLAN Layer2 ACL.................................. unconfigured WLAN URL ACL..................................... unconfigured mDNS Status...................................... Enabled mDNS Profile Name................................ default-mdns-profile DHCP Server...................................... Default DHCP Address Assignment Required................. Disabled Static IP client tunneling....................... Disabled Tunnel Profile................................... Unconfigured --More-- or (q)uit PMIPv6 Mobility Type............................. none PMIPv6 MAG Profile........................... Unconfigured PMIPv6 Default Realm......................... Unconfigured PMIPv6 NAI Type.............................. Hexadecimal PMIPv6 MAG location.......................... WLC Quality of Service............................... Silver Per-SSID Rate Limits............................. Upstream Downstream Average Data Rate................................ 0 0 Average Realtime Data Rate....................... 0 0 Burst Data Rate.................................. 0 0 Burst Realtime Data Rate......................... 0 0 Per-Client Rate Limits........................... Upstream Downstream Average Data Rate................................ 0 0 Average Realtime Data Rate....................... 0 0 Burst Data Rate.................................. 0 0 Burst Realtime Data Rate......................... 0 0 Scan Defer Priority.............................. 4,5,6 Scan Defer Time.................................. 100 milliseconds WMM.............................................. Allowed WMM UAPSD Compliant Client Support............... Disabled Media Stream Multicast-direct.................... Disabled CCX - AironetIe Support.......................... Enabled CCX - Gratuitous ProbeResponse (GPR)............. Disabled --More-- or (q)uit CCX - Diagnostics Channel Capability............. Disabled Dot11-Phone Mode (7920).......................... Disabled Wired Protocol................................... 802.1P (Tag=0) Passive Client Feature........................... Disabled Peer-to-Peer Blocking Action..................... Disabled Radio Policy..................................... All DTIM period for 802.11a radio.................... 1 DTIM period for 802.11b radio.................... 1 Radius Servers Authentication................................ 10.4.0.2 1812 * Accounting.................................... Global Servers Interim Update............................. Disabled Interim Update Interval.................... 0 Framed IPv6 Acct AVP ...................... Prefix Dynamic Interface............................. Disabled Dynamic Interface Priority.................... wlan Local EAP Authentication......................... Disabled Radius NAI-Realm................................. Disabled Mu-Mimo.......................................... Enabled Security 802.11 Authentication:........................ Open System FT Support.................................... Disabled --More-- or (q)uit Static WEP Keys............................... Disabled 802.1X........................................ Disabled Wi-Fi Protected Access (WPA/WPA2)............. Enabled WPA (SSN IE)............................... Enabled TKIP Cipher............................. Disabled AES Cipher.............................. Enabled WPA2 (RSN IE).............................. Enabled TKIP Cipher............................. Disabled AES Cipher.............................. Enabled CCMP256 Cipher.......................... Disabled GCMP128 Cipher.......................... Disabled GCMP256 Cipher.......................... Disabled OSEN IE.................................... Disabled Auth Key Management 802.1x.................................. Enabled PSK..................................... Disabled CCKM.................................... Disabled FT-1X(802.11r).......................... Disabled FT-PSK(802.11r)......................... Disabled PMF-1X(802.11w)......................... Disabled PMF-PSK(802.11w)........................ Disabled OSEN-1X................................. Disabled SUITEB-1X............................... Disabled --More-- or (q)uit SUITEB192-1X............................ Disabled FT Reassociation Timeout................... 20 FT Over-The-DS mode........................ Disabled GTK Randomization.......................... Disabled SKC Cache Support.......................... Disabled CCKM TSF Tolerance......................... 1000 Wi-Fi Direct policy configured................ Disabled EAP-Passthrough............................... Disabled CKIP ......................................... Disabled Web Based Authentication...................... Disabled Web Authentication Timeout.................... 300 Web-Passthrough............................... Disabled Mac-auth-server............................... 0.0.0.0 Web-portal-server............................. 0.0.0.0 Conditional Web Redirect...................... Disabled Splash-Page Web Redirect...................... Disabled Auto Anchor................................... Disabled FlexConnect Local Switching................... Disabled FlexConnect Central Association............... Disabled flexconnect Central Dhcp Flag................. Disabled flexconnect nat-pat Flag...................... Disabled flexconnect Dns Override Flag................. Disabled flexconnect PPPoE pass-through................ Disabled --More-- or (q)uit flexconnect local-switching IP-source-guar.... Disabled FlexConnect Vlan based Central Switching ..... Disabled FlexConnect Local Authentication.............. Disabled FlexConnect Learn IP Address.................. Enabled Client MFP.................................... Optional PMF........................................... Disabled PMF Association Comeback Time................. 1 PMF SA Query RetryTimeout..................... 200 Tkip MIC Countermeasure Hold-down Timer....... 60 Eap-params.................................... Disabled AVC Visibilty.................................... Disabled AVC Profile Name................................. None Flow Monitor Name................................ None Split Tunnel Configuration Split Tunnel................................. Disabled Call Snooping.................................... Disabled Roamed Call Re-Anchor Policy..................... Disabled SIP CAC Fail Send-486-Busy Policy................ Enabled SIP CAC Fail Send Dis-Association Policy......... Disabled KTS based CAC Policy............................. Disabled Assisted Roaming Prediction Optimization......... Disabled 802.11k Neighbor List............................ Enabled 802.11k Neighbor List Dual Band.................. Disabled --More-- or (q)uit 802.11v Directed Multicast Service............... Enabled 802.11v BSS Max Idle Service..................... Enabled 802.11v BSS Transition Service................... Enabled 802.11v BSS Transition Disassoc Imminent......... Disabled 802.11v BSS Transition Disassoc Timer............ 200 802.11v BSS Transition OpRoam Disassoc Timer..... 40 DMS DB is empty Band Select...................................... Disabled Load Balancing................................... Disabled Multicast Buffer................................. Disabled Universal Ap Admin............................... Disabled Broadcast Tagging................................ Disabled Mobility Anchor List WLAN ID IP Address Status Priority ------- --------------- ------ -------- 802.11u........................................ Disabled MSAP Services.................................. Disabled Local Policy ---------------- --More-- or (q)uit Priority Policy Name -------- --------------- Lync State ...................................... Disabled Audio QoS Policy................................. Silver Video QoS Policy................................. Silver App-Share QoS Policy............................. Silver File Transfer QoS Policy......................... Silver QoS Fastlane Status.............................. Disable Selective Reanchoring Status..................... Disable

The client is a standard Windows Laptop trying to connect to Wi-fi. No special config.

Re: Multiple Radius Requests

Arne Bier — Mon, 22 Jul 2024 21:25:47 GMT

In your initial posting you say that Event 1 is good (PAP .. i.e. the MAB event) but you don't want Event 2 (EAP) - well that's expected behaviour of an 802.1X supplicant to sent EAPOL Identify frame when it initialises. If you don't want to see EAP, then you must disable the client supplicant.

What is your use case and what are you hoping to achieve?

Is it iPSK? In that case, you don't use an Enterprise SSID. You use an PSK SSID with MAC Filtering (MAB) configured. That means the clients must be configured with a PSK, and the WLC will also send the MAC address to the RADIUS server - RADIUS server can decide whether or not to accept the client, and also which PSK to use (using a Cisco AVPair).

Re: Multiple Radius Requests

tombstone1 — Tue, 23 Jul 2024 13:26:07 GMT

What I am trying to do is get the device to connect to wifi only if the MAC address is in the windows user group. Using the MAC as the username and password. I don't want the user to have to input these. I know this takes a lot more work but that is the goal. We are trying to resolve unwanted devices on our network, that are hogging up bandwidth. I want it to go through windows because I need to use this on three different WLCs.

Re: Multiple Radius Requests

tombstone1 — Tue, 23 Jul 2024 19:22:03 GMT

Arne,

I get what you are saying now. I set the SSID to PSK instead of 802.1x, and now it seems to be connecting great on the one client I have registered, and not connecting on anyother device. Thank you for clarifying that for me.

Re: Multiple Radius Requests

Arne Bier — Tue, 23 Jul 2024 20:27:38 GMT

Glad that resolved it. You can mark the question as resolved if this answered your question.

Cheers