Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
25787
Views
25
Helpful
11
Replies

WLC Called-Station-ID (Radius Authentication and Accounting Config)

Go to solution
Tymofii Dmytrenko
Level 1
Level 1

‎08-08-2018 05:22 AM - edited ‎08-08-2018 06:37 AM

Hello

 

I am currently trying to understand the effect of Called-Station-ID configuration on Cisco ISE infrastructure. I have noticed that some of our anchor WLCs are configured with IP Address as Called-Station-ID for both Authentication and Accounting and this forces Cisco ISE to display Endpoints using IP addresses, rather than MAC addresses (even though in my understanding Called-Station-ID should only affect NAD, while Calling-Station-ID refers to endpoint?).

 

Before I'll change it, I'd like to understand what is current RECOMMENDED way to configure Authentication and Accounting with regards to Called-Station-Id. I have noticed that default setting is AP MAC:SSID for Authentication, but System MAC for Accounting. Can anyone explain why is this inconsistency? Doesn't this affect accounting or Radius session if different?

 

Also, there are loads of options, such as

  • IP Address
  • AP MAC
  • AP MAC:SSID
  • AP Name:SSID
  • AP Name
  • AP Group
  • Flex Group
  • AP Location
  • Vlan ID
  • AP Eth MAC
  • AP Eth MAC:SSID
  • AP Label Address
  • AP Label Address:SSID

What is practical use for all these different configuration options?

Has anyone had to use something other than default 'AP MAC:SSID'?

When and Why please (what have you tried to achieve)?

 

Many thanks!

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
paul
Level 10
Level 10
In response to Tymofii Dmytrenko

‎08-10-2018 05:58 AM

The fields you are asking about have no impact on ISE.  If you want to use the field then use them, but ISE doesn't use them for critical operations.  If you want to know the logic why Authentication is different than Accounting engage the Cisco Wireless team and find out their logic.  The settings you are seeing are the default setting on the WLC.  Like I said I usually change authentication to AP Name:SSID because I want to use that data in that field in my rules.

View solution in original post

11 Replies 11

Go to solution
paul
Level 10
Level 10

‎08-08-2018 05:33 AM

I wouldn't think called station ID shouldn't affect how ISE displays the information for the MAC address in Context Visibility.  The only modification I make to the called station ID is for authentication and I have my customers change it to AP Name:SSID.  Then I can use Called Station ID in two ways:

 

  1. Use the "Ends With" condition to grab the SSID name and use it as the admission criteria to my policy sets for wireless.  That allows me to have unique policy sets for each SSID.
  2. Use string matches on the AP name to know what site the user is connecting at to allow a SSID to behave different at one location vs. another.

 

Go to solution
Tymofii Dmytrenko
Level 1
Level 1
In response to paul

‎08-08-2018 05:55 AM

Thanks for this one! Does it mean you have a long list of AuthZ rules in your environment to support different behavior in different locations? Also, does it mean your hostnames (at least APs) have distinct location string encoded?

In our environment we rely on SSID ID instead (Airespace:Airespace-Wlan-Id). All our SSIDs are configured in a consistent fashion across the board. But, yeah... I would agree that matching SSID by name is more flexible.
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Tymofii Dmytrenko

‎08-08-2018 07:02 AM

If you want to treat clients differently at different location based on the AP name your APs would have to have a consistent naming convention with a location code embedded in the name. I have really only used this on one customer case. They wanted their guest wireless users to be treated differently at their remote sites vs. the main office. You would have different Authz rules based on AP name in that case. I have used WLAN ID in the past, but as you pointed out that requires you to have consistent WLAN IDs across all your controllers. The SSID name is consistent by default.


0 Helpful

Go to solution
Tymofii Dmytrenko
Level 1
Level 1

‎08-08-2018 03:25 PM

Can anyone from Cisco to comment? In particular, why by default Authentication is set to AP MAC:SSID, but Accounting is using System MAC? Shouldn't these two be configured identically? What's the impact on logging/accounting or session handling if these two things are configured differently / separately?

 

Regards

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to Tymofii Dmytrenko

‎08-10-2018 02:08 AM

By default Authentication is set to AP MAC:SSID, But you can change it to use any other attribute . It depends on how the customer would want to authenticate the endpoint.

In ISE, MAC-Address is the unique identifier for the endpoint. Hence session handling or accounting is on MAC address / session id  . There is no impact on the logs

 

Thanks,

Nidhi

0 Helpful

Go to solution
Tymofii Dmytrenko
Level 1
Level 1
In response to Nidhi

‎08-10-2018 05:33 AM

Thanks @Nidhi. Could you please explain why Accounting's default value is System MAC (which is WLC's MAC address), rather than AP MAC:SSID (Authentication's config). Wouldn't it be better to have both set to identical config? Any ipmpact at all? Does it only affects Accounting logging and nothing else?

 

Thanks

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Tymofii Dmytrenko

‎08-10-2018 05:58 AM

The fields you are asking about have no impact on ISE.  If you want to use the field then use them, but ISE doesn't use them for critical operations.  If you want to know the logic why Authentication is different than Accounting engage the Cisco Wireless team and find out their logic.  The settings you are seeing are the default setting on the WLC.  Like I said I usually change authentication to AP Name:SSID because I want to use that data in that field in my rules.

Go to solution
Tymofii Dmytrenko
Level 1
Level 1
In response to Jason Kunst

‎08-10-2018 06:16 AM

@Jason Kunst thanks for these! I will have a read now.

@paul thanks a lot!

0 Helpful

Go to solution
Tymofii Dmytrenko
Level 1
Level 1
In response to Jason Kunst

‎08-10-2018 06:24 AM

@Jason Kunst

One more question if you don't mind. As I mentioned in my original post. When Radius Authentication on WLC is set to IP Address it also affects Calling-Station-ID which is displayed as IP address and not MAC of endpoint on anchor WLC.

 

Is it by design or bug behavior? I didn't expect Called Station ID to affect Calling Station ID behavior.

 

Regards

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Tymofii Dmytrenko

‎08-10-2018 06:35 AM

As Paul mentioned you would have to reach out to the wireless team to get specific answers on that product line
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents