08-02-2012 03:41 PM - edited 07-03-2021 10:29 PM
Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
(mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
Client MAC Address............................... 60:c5:47:07:b6:5a
Client Username ................................. N/A
AP MAC Address................................... 00:1e:13:42:16:a0
AP Name.......................................... mcm-208dorm-wap1
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1
BSSID............................................ 00:1e:13:42:16:a0
Connected For ................................... 599 secs
Channel.......................................... 11
Clients in this state are usually Apple products. From initial investigation it looks like they do authenticate with the ACS.
Any ideas for debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
Thanks
Kyle Morrison
08-02-2012 04:08 PM
So for sure the SSID those clients are connecting on is using 802.1x? Does the username show up in the ACS passed attempt logs?
Sent from Cisco Technical Support iPhone App
08-02-2012 08:06 PM
Yes the clients are using 802.1x. The username shows up in ACS passed authentication log.
08-02-2012 06:16 PM
Kyle:
I suppose you are using PEAP or some EAP that utilizes TLS tunnel.
The username that appears is what is called the "outer identity" username. This is sent to the AAA server outside the TLS channel and need not be the correct username, although it can be the same. So I think with MacBooks the outer identity is empty. But I don't remember if it appears on the WLC as unknown.
For iPad I can see my username explicitly appearing on my WLC, which means the outer identity is the same as the correct username.
What Mac devices do you use?
You need no debugs. Wireless packet capture while the client is trying to authenticate should be enough to show what outer identity is used.
HTH
Amjad
P.S.: With Windows it depends on the supplicant software whether an outer identity can be configured or not.
Sent from Cisco Technical Support iPad App
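The outer identity discussed in the reply above travels in the clear in the EAP-Response/Identity frame, so it can be read straight out of a capture. An added example (not part of the original thread) that extracts it from raw EAPOL bytes using the RFC 3748 and IEEE 802.1X header layouts; the function names and the sample frames are constructed for illustration.

```python
import struct

EAPOL_TYPE_EAP = 0      # IEEE 802.1X: EAPOL packet type 0 carries an EAP packet
EAP_CODE_RESPONSE = 2   # RFC 3748
EAP_TYPE_IDENTITY = 1   # RFC 3748

def outer_identity(eapol: bytes):
    """Return the outer identity from an EAP-Response/Identity, else None.
    `eapol` starts at the 802.1X header (right after EtherType 0x888e)."""
    if len(eapol) < 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_EAP:
        return None                      # EAPOL-Start, EAPOL-Key, ...
    eap = eapol[4:4 + body_len]          # drops any Ethernet padding
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len < 5 or eap_len > len(eap):
        return None                      # truncated or malformed frame
    return eap[5:eap_len].decode("utf-8", errors="replace")

def classify(identity):
    """Label what the AAA server sees before the TLS tunnel is built."""
    if identity is None:
        return "not an identity response"
    if identity == "":
        return "empty"
    user = identity.split("@", 1)[0].lower()
    return "anonymous" if user in ("", "anonymous") else "named"

def build_sample(identity: str, eap_id: int = 1) -> bytes:
    """Construct a sample EAPOL frame body (test data, not a real capture)."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id,
                      5 + len(ident), EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP, len(eap)) + eap

if __name__ == "__main__":
    for name in ("jdoe", "", "anonymous@example.edu"):   # constructed values
        ident = outer_identity(build_sample(name))
        print(repr(ident), "->", classify(ident))
```

Only the outer identity is visible this way; the inner username is sent inside the TLS tunnel and shows up in the AAA server's logs, not in the capture.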
08-03-2012 11:47 AM
I just tested this out and I can see the username in both the ACS 5.2 logs and in the WLC using an iPhone 4 and an iPad. Maybe look at upgrading to the latest 7.0.x code, as I'm running 7.2.x.
08-07-2012 05:33 PM
Thanks for that. I'm at a government institution and upgrading is never an option. I'm going to look a little more into the outside identity thing with the macs.
08-08-2012 04:32 AM
Kyle,
You can always open a TAC case and see if there is something with the code you are running. I have tested many different codes, and I don't remember not seeing a username when using 802.1x on the WLC with your version of code.
01-25-2013 10:09 AM
When the client fails auth then you will see the outer ID. When it passes auth it gets updated with the real ID.
This is how I recall seeing this.
Scott can you test this?
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
01-25-2013 10:15 AM
George is funny. But yes I can and have :) My iDevices show up as long as it's associated and connected using PEAP 802.1x. If it doesn't pass authentication it doesn't show anything. The ACS or RADIUS logs will show the username that fails though.
Sent from Cisco Technical Support iPhone App
01-25-2013 10:21 AM
OK, so my thinking is correct then. I see this with my phones from time to time with unknown or anonymous. This is a good blog post ..
01-25-2013 10:23 AM
Haha... You blog about it George:)
Sent from Cisco Technical Support iPhone App
01-25-2013 10:16 AM
But now I'm on 7.4:) I don't like to download all the time as it messes up my lab:)
Sent from Cisco Technical Support iPhone App