Apple wireless clients authenticated but show no username in WLC

Kyle Morrison
Level 1

Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)

(mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a

Client MAC Address............................... 60:c5:47:07:b6:5a

Client Username ................................. N/A

AP MAC Address................................... 00:1e:13:42:16:a0

AP Name.......................................... mcm-208dorm-wap1

Client State..................................... Associated

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 1

BSSID............................................ 00:1e:13:42:16:a0

Connected For ................................... 599 secs

Channel.......................................... 11

Clients in this state are usually Apple products. From initial investigation it looks like they do authenticate with the ACS.

Any ideas for debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?

Thanks

Kyle Morrison

11 Replies

Scott Fella
Hall of Fame

So for sure the SSID those clients are connecting on is using 802.1x? Does the username show up in the ACS passed attempt logs?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yes the clients are using 802.1x. The username shows up in ACS passed authentication log.

Amjad Abdullah
VIP Alumni

Kyle:

I suppose you are using PEAP or some EAP that utilizes TLS tunnel.

The username that appears is what is called the "outer identity" username. This is sent to the AAA server outside the TLS channel and need not be the correct username, although it can be the same. So I think with MacBooks the outer identity is empty. But I don't remember if it appears on the WLC as unknown.

For iPad I can see my username explicitly appearing on my WLC, which means the outer identity is the same as the correct username.

What Mac devices do you use?

You need no debugs. Wireless packet capture while the client is trying to authenticate should be enough to show what outer identity is used.

HTH

Amjad

P.S.: With Windows it depends on the supplicant software whether an outer identity can be configured or not.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
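
The outer identity discussed in the reply above is the payload of the EAP-Response/Identity message, which is sent in clear text before the PEAP TLS tunnel exists. As an added example (not code from any poster in this thread), the Python parser below extracts it from an EAPOL frame body such as one exported from a wireless capture; the sample frames and the names `jdoe` and `example.edu` are constructed.

```python
import struct

EAPOL_EAP_PACKET = 0   # 802.1X packet type that carries an EAP message
EAP_RESPONSE = 2       # EAP code for Response (RFC 3748)
EAP_TYPE_IDENTITY = 1  # EAP type for Identity

def outer_identity(eapol: bytes):
    """Return the outer identity from an EAPOL frame body, or None if the
    frame is not a well-formed EAP-Response/Identity. Input starts at the
    802.1X header, i.e. right after EtherType 0x888E."""
    if len(eapol) < 4:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    body = eapol[4:4 + body_len]
    if pkt_type != EAPOL_EAP_PACKET or len(body) < 5:
        return None
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    if eap_len < 5 or eap_len > len(body):
        return None  # truncated frame or bad EAP length field
    return body[5:eap_len].decode("utf-8", errors="replace")

def classify(identity):
    """Label what an authenticator could show from the outer identity alone."""
    if identity is None:
        return "not-identity"
    user = identity.split("@", 1)[0]  # drop an optional @realm suffix
    if user == "":
        return "empty"
    if user.lower() == "anonymous":
        return "anonymous"
    return "named"

def build_identity_response(ident: int, identity: str) -> bytes:
    """Construct a sample EAPOL frame body holding EAP-Response/Identity."""
    data = identity.encode("utf-8")
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data),
                      EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

# Constructed sample frames, not taken from the network in this thread.
SAMPLES = [build_identity_response(i, s)
           for i, s in enumerate(("jdoe", "anonymous@example.edu", ""))]

if __name__ == "__main__":
    for frame in SAMPLES:
        ident = outer_identity(frame)
        print(repr(ident), classify(ident))
```
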

I just tested this out and I can see the username in both the ACS 5.2 logs and in the WLC using an iPhone 4 and an iPad.  Maybe look at upgrading to the latest 7.0.x code, as I'm running 7.2.x.

-Scott
*** Please rate helpful posts ***

Thanks for that. I'm at a government institution and upgrading is never an option. I'm going to look a little more into the outside identity thing with the macs.

Kyle,

You can always open a TAC case and see if there is something with the code you are running.  I have tested many different codes, and I don't remember not seeing a username when using 802.1x on the WLC with your version of code.

-Scott
*** Please rate helpful posts ***

When the client fails auth then you will see the outer ID. When it passes auth it gets updated with the real ID..

This is how I recall seeing this ..

Scott can you test this?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Scott Fella
Hall of Fame
Hall of Fame

George is funny. But yes I can and have :) My iDevices show up as long as it's associated and connected using PEAP 802.1x; if it doesn't pass authentication it doesn't show anything. The ACS or RADIUS logs will show the username that fails though.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Ok so my thinking is correct then .. I see this with my phones from time to time with unknown or anonymous .. this is a good blog post ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Haha... You blog about it George:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame
Hall of Fame

But now I'm on 7.4:) I don't like to download all the time as it messes up my lab:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***