topic Re: Problems with C9120 VLAN Radius assignment when using iPSK in Wireless

Problems with C9120 VLAN Radius assignment when using iPSK

bredell — Mon, 09 Aug 2021 14:10:06 GMT

I'm having problems getting the Radius server to assign VLAN for clients while at the same time doing iPSK. iPSK works but the AP seems to ignore the VLAN assignment.

Hardware is C9120AXI-E using version 17.6.1.0.250 (controller) and 17.6.1.13 (AP). I'm using FreeRADIUS 3.0.13. The AP is connected using a trunk with VLANs 10 and 500, and native VLAN 5. The SSID is configured to use VLAN 500 but I try to change it to VLAN 10 using Radius.

Radius conf for the user:

'<client MAC>' Cleartext-password := '<client MAC>'
 User-Name = "Foo Bar",
 Tunnel-Type = 13,
 Tunnel-Medium-Type = 6,
 Tunnel-Private-Group-Id = 10,
 Cisco-AVPair = "psk-mode=ascii",
 Cisco-AVPair += "psk=HelloWorld"
# Cisco-AVPair += "vlan-id=10",
# Cisco-AVPair += "role=vlan10"

Radius debug looks like this:

(43) Received Access-Request Id 144 from 10.0.5.50:56397 to 10.0.5.5:1812 length 406
(43)   User-Name = "<client MAC>"
(43)   User-Password = "<client MAC>"
(43)   Service-Type = Call-Check
(43)   Cisco-AVPair = "service-type=Call Check"
(43)   Framed-MTU = 1485
(43)   Message-Authenticator = <authenticator>
(43)   Cisco-AVPair = "audit-session-id=<session ID>"
(43)   Cisco-AVPair = "method=mab"
(43)   Cisco-AVPair = "client-iif-id=3187675497"
(43)   Cisco-AVPair = "vlan-id=500"
(43)   NAS-IP-Address = 10.0.5.50
(43)   NAS-Port-Id = "capwap_90000004"
(43)   NAS-Port-Type = Wireless-802.11
(43)   NAS-Port = 5
(43)   Cisco-AVPair = "cisco-wlan-ssid=Mybeta test"
(43)   Cisco-AVPair = "wlan-profile-name=wlan-mybeta"
(43)   Called-Station-Id = "<Radio MAC>:Mybeta test"
(43)   Calling-Station-Id = "<Client MAC>"
(43)   Airespace-Wlan-Id = 2
(43)   NAS-Identifier = "ap"
(43) # Executing section authorize from file /etc/raddb/radiusd.conf
(43)   authorize {
(43) files: users: Matched entry (client MAC) at line 1
(43)     [files] = ok
(43)     [pap] = updated
(43)   } # authorize = updated
(43) Found Auth-Type = PAP
(43) # Executing group from file /etc/raddb/radiusd.conf
(43)   Auth-Type PAP {
(43) pap: Login attempt with password
(43) pap: Comparing with "known good" Cleartext-Password
(43) pap: User authenticated successfully
(43)     [pap] = ok
(43)   } # Auth-Type PAP = ok
(43) Sent Access-Accept Id 144 from 10.0.5.5:1812 to 10.0.5.50:56397 length 0
(43)   User-Name = "Foo Bar"
(43)   Tunnel-Type = VLAN
(43)   Tunnel-Medium-Type = IEEE-802
(43)   Tunnel-Private-Group-Id = "10"
(43)   Cisco-AVPair = "psk-mode=ascii"
(43)   Cisco-AVPair = "psk=HelloWorld"
(43) Finished request

iPSK works fine, the client needs to login using the password set in Radius. But the client gets connected to VLAN 500, not VLAN 10 as specified by Radius.

Checking the status of the client in the CLI gives:

ap#show wireless client mac-address <client MAC> detail   

Client MAC Address : <client MAC>
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 10.5.0.237
Client IPv6 Addresses : fe80::8f6:b7d3:d328:9437
Client Username : Foo Bar
AP MAC Address : <AP MAC>
AP Name: ap1
AP slot : 1
Client State : Associated
Policy Profile : policy-profile-mybeta
Ipsk Tag : <tag hex>
Flex Profile : default-flex-profile
Wireless LAN Id: 2
WLAN Profile Name: wlan-mybeta
Wireless LAN Network Name (SSID): Mybeta test
BSSID : <BSSID>
Connected For : 357 seconds 
Protocol : 802.11ac
Channel : 100
Client IIF-ID : 0x90000005
Association Id : 1
Authentication Algorithm : Open System
Idle state timeout : N/A
Session Timeout : 1800 sec (Remaining time: 1444 sec)
Session Warning Time : Timer not running
Input Policy Name  : None
Input Policy State : None
Input Policy Source : None
Output Policy Name  : None
Output Policy State : None
Output Policy Source : None
WMM Support : Enabled
U-APSD Support : Disabled
Fastlane Support : Enabled
Client Active State : Active
Power Save : ON
Current Rate : m9 ss2
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
AAA QoS Rate Limit Parameters:
  QoS Average Data Rate Upstream             : 0 (kbps)
  QoS Realtime Average Data Rate Upstream    : 0 (kbps)
  QoS Burst Data Rate Upstream               : 0 (kbps)
  QoS Realtime Burst Data Rate Upstream      : 0 (kbps)
  QoS Average Data Rate Downstream           : 0 (kbps)
  QoS Realtime Average Data Rate Downstream  : 0 (kbps)
  QoS Burst Data Rate Downstream             : 0 (kbps)
  QoS Realtime Burst Data Rate Downstream    : 0 (kbps)
Mobility:
  Move Count                  : 0
  Mobility Role               : Local
  Mobility Roam Type          : None
  Mobility Complete Timestamp : 08/09/2021 13:15:51 UTC
Client Join Time:
  Join Time Of Client : 08/09/2021 13:15:51 UTC
Client State Servers : None
Client ACLs : None
Policy Manager State: Run
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 357 seconds 
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : PSK
AAA override passphrase : Yes
User Defined (Private) Network : Disabled
User Defined (Private) Network Drop Unicast : Disabled
Encrypted Traffic Analytics : No
Protected Management Frame - 802.11w : No
EAP Type : Not Applicable
VLAN Override after Webauth : No
VLAN : 500
Multicast VLAN : 0
WiFi Direct Capabilities:
  WiFi Direct Capable           : No
Central NAT : DISABLED
Session Manager:
  Point of Attachment : capwap_90000004
  IIF ID             : 0x90000004
  Authorized         : TRUE
  Session timeout    : 1800
  Common Session ID: 3205000A000000412B0E22E4
  Acct Session ID  : 0x00000030
  Last Tried Aaa Server Details:
        Server IP : 10.0.5.5
  Auth Method Status List
        Method : MAB
                SM State        : TERMINATE
                Authen Status   : Success
  Local Policies:
        Service Template : wlan_svc_policy-profile-mybeta (priority 254)
                Absolute-Timer   : 1800
  Server Policies:
                VLAN             : 10
  Resultant Policies:
                VLAN             : 10
                Absolute-Timer   : 1800
DNS Snooped IPv4 Addresses : None
DNS Snooped IPv6 Addresses : None
Client Capabilities
  CF Pollable : Not implemented
  CF Poll Request : Not implemented
  Short Preamble : Not implemented
  PBCC : Not implemented
  Channel Agility : Not implemented
  Listen Interval : 0
Fast BSS Transition Details :
  Reassociation Timeout : 20
11v BSS Transition : Implemented
11v DMS Capable : Yes
11v DMS ID Mask   : 0x0
QoS Map Capable : No
FlexConnect Data Switching : Local
FlexConnect Dhcp Status : Local
FlexConnect Authentication : Central
Client Statistics:
  Number of Bytes Received from Client : 33810
  Number of Bytes Sent to Client : 31889
  Number of Packets Received from Client : 194
  Number of Packets Sent to Client : 128
  Number of Policy Errors : 0
  Radio Signal Strength Indicator : -40 dBm
  Signal to Noise Ratio : 54 dB
Fabric status : Disabled
Radio Measurement Enabled Capabilities
  Capabilities: Passive Beacon Measurement, Active Beacon Measurement, Statistics Measurement, AP Channel Report
Client Scan Report Time : Timer not running
Client Scan Reports 
Assisted Roaming Neighbor List 
Nearby AP Statistics:
EoGRE : Pending Classification
Device Classification Information:
  Device Type      : Apple-Device
  Device Name      : APPLE, INC.
  Protocol Map     : 0x000001  (OUI)
Max Client Protocol Capability: 802.11ac Wave 2
WiFi to Cellular Steering : Not implemented
Cellular Capability : N/A
Advanced Scheduling Requests Details:
  Apple Specific Requests(ASR) Capabilities/Statistics:
    Regular ASR support: DISABLED

ap#

If I try connecting without assigning a VLAN on the Radius server, the Session Manager section above changes to this:

  Local Policies:
        Service Template : wlan_svc_policy-profile-mybeta (priority 254)
                VLAN             : 500
                Absolute-Timer   : 1800
  Server Policies:
  Resultant Policies:
                VLAN             : 500
                Absolute-Timer   : 1800

No mention of VLAN 10 this time. So it seems that the AP is picking up the VLAN info from Radius but it doesn't change the VLAN of the client.

If I assign the SSID to VLAN 10, the client gets connected to VLAN 10.

If I assign the SSID to VLAN 500, the client gets connected to VLAN 500.

If I assign the SSID to VLAN 500 and let Radius assign the client to VLAN 10, the client still gets connected to VLAN 500. The VLAN assignment from Radius doesn't work.

I've also tried letting Radius assign a role to the client, and include VLAN 10 in the definition of the role. This produces the same result, I can see in the details that the client has been assigned the role but it's still connected to VLAN 500.

Why is this not working? What have I missed?

Re: Problems with C9120 VLAN Radius assignment when using iPSK

Rich R — Tue, 10 Aug 2021 23:41:34 GMT

I'd say you need to open a TAC case at this point.

My best guess would be that the 2 features (iPSK and radius VLAN) are mutually incompatible.

Have you checked the config guide/command reference and release notes?

Have you tried it without iPSK?

Re: Problems with C9120 VLAN Radius assignment when using iPSK

bredell — Wed, 11 Aug 2021 14:27:11 GMT

I've checked the release notes and guides. But I haven't tried using only VLAN assignment, I've implemented iPSK first and then tried adding VLAN assignment, maybe I should try it the other way around.

I've checked this article (Configure Catalyst 9800 WLC iPSK with Cisco ISE) at:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130-configure-catalyst-9800-wlc-ipsk-with-ci.html

Near the end of the article it says:

"On top of returning the encryption key, since this authorization happens at the 802.11 association phase, it is entirely possible to return other AAA attriburtes from ISE such as ACL or VLAN id."

This indicates that iPSK and VLAN assignment are compatible and I believe this should also apply to my setup.

I will do some more testing and if I'm not successful I'll open a TAC case, I've never done that before.

Re: Problems with C9120 VLAN Radius assignment when using iPSK

laurensvandervleuten — Thu, 10 Feb 2022 10:55:59 GMT

I managed to get this working with the 9120, although I use ISE instead of freeradius.
RADIUS attributes you use seem ok to me.

What I noticed in your user conf:

 User-Name = "Foo Bar",
 Tunnel-Type = 13,
 Tunnel-Medium-Type = 6,
 Tunnel-Private-Group-Id = 10,
 Cisco-AVPair = "psk-mode=ascii",
 Cisco-AVPair += "psk=HelloWorld"

Is the += correct for that config (don't know freeradius, but I noticed that being different)

Also do you have the "Allow AAA Override" setting enabled in the WLAN on the WLC ?
And does the VLAN 10 exist on the WLC trunk ?

Re: Problems with C9120 VLAN Radius assignment when using iPSK

bredell — Sat, 26 Feb 2022 14:19:29 GMT

Great that you managed to get it working!

I still have problems. I've updated to the latest software but my access point still won't assign a proper VLAN.

The "+=" syntax in the configuration file is correct, it's used by FreeRADIUS to add another copy of the same attribute. If I used an ordinary "=" the second copy of the Cisco-AVPair attribute would overwrite the first one.

I have enabled "Allow AAA Override" in the policy profile and the VLAN is present in the trunk. I'm sure there's a very simple setting somewhere that is wrong but I can't find it.

It's good that you managed to solve it, that means it can be done. Do you have any suggestions on where to look?

Also, since your setup is working, would it be possible to get a copy of your configuration? After you've masked the sensitive stuff, of course. Then I could compare it to mine and hopefully find what's missing in my configuration.

I was hoping to finally get good control over all wireless devices I have at home, but it requires iPSK and VLAN assignment.

Re: Problems with C9120 VLAN Radius assignment when using iPSK

Scott Fella — Sat, 26 Feb 2022 18:13:28 GMT

Keep in ming that if you do't see free radius anywhere in the guide, that means Cisco doesn't validate it will work with any other radius server. Now what you should do is create a test 802.1x with vlan override and see if that works. Make sure you have vlan 500 defined on the controller and also make sure aaa override is enabled. If you can't get 802.1x to work with vlan override, you will not get ipsk working.

Re: Problems with C9120 VLAN Radius assignment when using iPSK

Rich R — Sun, 27 Feb 2022 08:37:37 GMT

I can confirm that free radius definitely works - it's all we use. Cisco only formally test/validate ISE for obvious reasons - it's the Cisco product and they'd like you to use it. But radius is a standard so as long as you send everything it expects it just works.

You might be missing some of the required AVPs in your radius reply for the WLC to accept the response.

Do you have a pcap showing which AVPs the radius is sending?