topic Re: Computer connecting to Wi-Fi - 802.1x - MAC auth. in Wireless

Computer connecting to Wi-Fi - 802.1x - MAC auth.

kenneth.gregersen — Wed, 11 Jan 2023 12:43:04 GMT

Discovered something strange, and unexpected today.

We have multiple SSIDs. Regular company computers connect to a 802.1x enabled WLAN.

Then we have different SSID/network using PSK and MAC auth.

What I see is that if a computer is added to the list of devices that is allowed to connec to the PSK/MAC auth. network, it will no longer connect to the 802.1x network.
The same computer can connect to other SSIDs/networks that only use PSK, while still being on the "allowed-list" for the PSK/MAC auth network.
So, this seems only to be a problem when connecting to the 802.1x based network.

Is this expected behaviour?

We're running Cisco 9800-CL 17.3.5b.

/Kenneth

Re: Computer connecting to Wi-Fi - 802.1x - MAC auth.

Mark Elsen — Wed, 11 Jan 2023 13:17:44 GMT

- This page will give you a number of tools and commands for client debugging : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , note that client RA Traces , can be analyzed with : https://cway.cisco.com/wireless-debug-analyzer/
Besides that it's good practice to have a checkup of the current controller configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories! All items red-flagged should be corrected. For future use : WirelessAnalyzer can also make you aware of the RF environment such as coverage holes , APs under heavy load , APs undergoing frequent channel changes and so on. It is advised to use WirelessAnalyzer on a regular basis afterwards (even when current issues get resolved)

Re: Computer connecting to Wi-Fi - 802.1x - MAC auth.

JPavonM — Wed, 11 Jan 2023 15:03:38 GMT

Check whether your config looks like this:

aaa authorization network <YOUR_LIST_HERE> local
aaa attribute list <YOUR_LIST_HERE>
attribute type ssid "<YOUR_SSID_HERE> "
!
username <DEVICE_MAC> mac aaa attribute list <YOUR_LIST_HERE> description WHATEVER
wlan <YOUR_WLAN_PROF_HERE> 16 <YOUR_SSID_HERE>
mac-filtering <YOUR_LIST_HERE>

Re: Computer connecting to Wi-Fi - 802.1x - MAC auth.

kenneth.gregersen — Wed, 11 Jan 2023 17:35:53 GMT

It looks like this, and it seems to be OK.

aaa authorization network MY-MAC-PSK-NETWORK local
aaa attribute list MY-MAC-PSK-NETWORK_FILTER
attribute type ssid "MY-MAC-PSK-NETWORK-SSID"
!
!
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
!
!
wlan MY-MAC-PSK-NETWORK-NAME 205 MY-MAC-PSK-NETWORK-SSID
assisted-roaming dual-list
assisted-roaming prediction
no chd
mac-filtering MY-MAC-PSK-NETWORK_FILTER
peer-blocking drop
no security ft adaptive
security wpa psk set-key ascii 0 ********
no security wpa akm dot1x
security wpa akm psk
no shutdown

Keep in mind that both the PSK/MAC auth. WLAN and the 802.1x WLANs are working as expected.

The problem is that when I add a computer to the PSK/MAC auth. list, it's no longer able to connect to the 802.1x based WLAN

Re: Computer connecting to Wi-Fi - 802.1x - MAC auth.

balaji.bandi — Wed, 11 Jan 2023 20:58:07 GMT

i believe that is a Local auth Limitation, you need to have an External Radius to handle this kind of condition (like ISE)

depends on the code running check the documentation :

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html