Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
101
Views
0
Helpful
3
Replies

Multiple Radius Requests

tombstone1
Level 1
Level 1

‎07-22-2024 12:14 PM

Hey everyone,

I am setting up a Radius (NPS) server, using MAC address authentication on my WLC 5508. The problem I am having is it is not allowing access. I get the following two events on my NPS.

Event 1:

Network Policy Server granted access to a user.
User:
Security ID: Domain\60452e38fb8a
Account Name: 60452e38fb8a
Account Domain: Domain
Fully Qualified Account Name: Domain\60452e38fb8a
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10f3119946a0
Calling Station Identifier: 60452e38fb8a
NAS:
NAS IPv4 Address: 10.x.x.12
NAS IPv6 Address: -
NAS Identifier: 2504
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: WLC
Client IP Address: 10.x.x.12
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Mac Bypass
Authentication Provider: Windows
Authentication Server: SERVER2.Tombstone.k12.az.us
Authentication Type: PAP
EAP Type: -
Account Session Identifier: 36363936383065662F36303A34353A32653A33383A66623A38612F32373134
Logging Results: Accounting information was written to the local log file.


Event 2:

Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/LP-14279
Account Domain: Domain
Fully Qualified Account Name: Domain\host/LP-14279
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: 10f3119946a0
Calling Station Identifier: 60452e38fb8a
NAS:
NAS IPv4 Address: 10.x.x.12
NAS IPv6 Address: -
NAS Identifier: 2504
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 1
RADIUS Client:
Client Friendly Name: WLC
Client IP Address: 10.x.x.12
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: SERVER2.Tombstone.k12.az.us
Authentication Type: EAP
EAP Type: -
Account Session Identifier: 36363936383065662F36303A34353A32653A33383A66623A38612F32373134
Logging Results: Accounting information was written to the local log file.
Reason Code: 8
Reason: The specified user account does not exist.

The first event authenticates and grants access, and then seconds later the 2nd event denies access. I want the 1st event not the 2nd. It seems the "AP" is sending two requests. One with the MAC, like I want, and the second with the hostname. How can I stop this from happening?

Labels:
0 Helpful
3 Replies 3

Arne Bier
VIP
VIP

‎07-22-2024 01:22 PM

Looks like your WLAN SSID is an Enterprise one, and has the NPS as the RADIUS server. The client in this case, appears to be configured with an 802.1X supplicant and you must disable that to prevent the client from sending those EAP frames to the network.

What does your WLAN config look like for that SSID?

What type of client is connecting and what does its config look like?

0 Helpful

tombstone1
Level 1
Level 1
In response to Arne Bier

‎07-22-2024 01:32 PM - edited ‎07-22-2024 01:36 PM

Arne,

Yes, it is an Enterprise WLAN ID, the NPS is the RADIUS configured on the WLAN. The Device is a laptop which is the Supplicant. It is connecting through the WLC to the RADIUS.

I followed this thread Solved: switch startup mode - Cisco Community to setup my WLAN.

 

WLAN Identifier.................................. 6
Profile Name..................................... TEST-Mac-Filter
Network Name (SSID).............................. Test
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Enabled
     DHCP ....................................... Enabled
     HTTP ....................................... Enabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... 2504
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured

--More-- or (q)uit
PMIPv6 Mobility Type............................. none
    PMIPv6 MAG Profile........................... Unconfigured
    PMIPv6 Default Realm......................... Unconfigured
    PMIPv6 NAI Type.............................. Hexadecimal
    PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled

--More-- or (q)uit
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.4.0.2 1812 *
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
      Interim Update Interval.................... 0
      Framed IPv6 Acct AVP ...................... Prefix
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled

--More-- or (q)uit
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
         CCMP256 Cipher.......................... Disabled
         GCMP128 Cipher.......................... Disabled
         GCMP256 Cipher.......................... Disabled
      OSEN IE.................................... Disabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
         OSEN-1X................................. Disabled
         SUITEB-1X............................... Disabled

--More-- or (q)uit
         SUITEB192-1X............................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Disabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled

--More-- or (q)uit
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
    Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled

--More-- or (q)uit
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status                             Priority
 -------     ---------------       ------                             --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------

--More-- or (q)uit
Priority  Policy Name
--------  ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

The client is a standard Windows Laptop trying to connect to Wi-fi. No special config.

 

0 Helpful

Arne Bier
VIP
VIP

‎07-22-2024 02:25 PM

In your initial posting you say that Event 1 is good (PAP .. i.e. the MAB event) but you don't want Event 2 (EAP) - well that's expected behaviour of an 802.1X supplicant to sent EAPOL Identify frame when it initialises. If you don't want to see EAP, then you must disable the client supplicant.

What is your use case and what are you hoping to achieve?

Is it iPSK?  In that case, you don't use an Enterprise SSID. You use an PSK SSID with MAC Filtering (MAB) configured. That means the clients must be configured with a PSK, and the WLC will also send the MAC address to the RADIUS server - RADIUS server can decide whether or not to accept the client, and also which PSK to use (using a Cisco AVPair).

0 Helpful
Customers Also Viewed These Support Documents