MAC authentication with W2K8R2 NPS (radius) & Cisco 4400

Chris Samuels
Level 1

On a Cisco 4400 I have a WLAN set up for only MAC filtering through RADIUS using MS NPS.

I have created an AD user account with the MAC address as username and password. On NPS I created a connection policy and a network policy, with the latter shown below.

[Image: netpol.png]

On the client (Win7 Pro), I connect to the SSID and it makes the connection as intended, and the access entry is logged in the RADIUS log.

The problem is that when I shut the machine down or manually disconnect from the SSID, I am able to reconnect to it when the machine comes back up or when I reconnect to the SSID. The policy is not executed and no RADIUS entry is logged on the reconnect. What's more, if I disable the network policy so that no connection can be made, the connection is still made regardless of the policy status. The ONLY way to reinitiate the whole process the proper way, i.e. connection via policy, RADIUS logging, etc., is to disable and re-enable the WLAN on the controller. After this is completed the machine is properly denied access when the NPS network policy is disabled.

In a nutshell, once the machine is authorized to connect it seems to stay connected no matter what the policy status is, until the connection to the WLAN is disabled. My guess is that the computer is somehow caching the credentials. However, I am hoping it is something I can change on the controller, because the devices connecting to this WLAN are only trusted via DHCP (MAC) reservations; they can be any type of machine with a MAC address.

Any help appreciated.

Thank you

Accepted Solution

Nicolas Darchis
Cisco Employee

Hi,

A WLC will not re-authenticate a client if it disconnected all of a sudden (i.e. the client didn't tell the WLC it was disconnecting) and only a short amount of time has passed.

By default, this means that the client has to go unseen for 5 minutes before its entry is deleted on the controller. That's the "user idle timeout" on the WLC, and it can be configured to be shorter.

To make sure this is your problem, disconnect your client and check under "Monitor -> Clients" whether you still see the client MAC there.

If you don't, then the WLC should ask for authentication again, and the problem would be on the Microsoft side.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful
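A small model of the controller behaviour Nicolas describes, added here as an illustration and not code from Cisco or from anyone in the thread: the class and function names are made up, the 300-second default comes from the answer, and the NPS policy is stood in for by a callback. It shows why a reconnect inside the idle timeout never reaches RADIUS and why a shorter timeout narrows that window.

```python
# Added illustration (not Cisco code): a cached client entry survives an abrupt disconnect
# until the user idle timeout (300 s default per the thread), so no new RADIUS request reaches NPS before then.
from dataclasses import dataclass, field
from typing import Callable

DEFAULT_USER_IDLE_TIMEOUT = 300  # seconds; WLC default quoted in the answer


@dataclass
class WlcClientTable:
    """Toy model of the controller's client table (hypothetical names)."""
    radius_allows: Callable[[str], bool]          # stands in for the NPS network policy
    idle_timeout: int = DEFAULT_USER_IDLE_TIMEOUT
    clients: dict = field(default_factory=dict)    # mac -> last time the client was seen
    radius_requests: list = field(default_factory=list)  # what the RADIUS log would show

    def expire_idle(self, now: int) -> None:
        """Remove entries idle for longer than the timeout."""
        for mac, last_seen in list(self.clients.items()):
            if now - last_seen > self.idle_timeout:
                del self.clients[mac]

    def associate(self, mac: str, now: int) -> bool:
        """Client joins the SSID; returns whether it gets onto the network."""
        self.expire_idle(now)
        if mac in self.clients:
            # Entry still cached: no RADIUS round trip, so a policy change is not seen.
            self.clients[mac] = now
            return True
        allowed = self.radius_allows(mac)
        self.radius_requests.append((now, mac, allowed))
        if allowed:
            self.clients[mac] = now
        return allowed

    def graceful_disconnect(self, mac: str) -> None:
        """Client sent a deauth: entry goes away at once. An abrupt power-off sends
        nothing, so the entry just stops being refreshed and waits for expire_idle()."""
        self.clients.pop(mac, None)


def reconnect_after_policy_disabled(idle_timeout: int, gap_seconds: int):
    """Connect once, disable the NPS policy, drop off abruptly, reconnect after a gap.
    Returns (allowed_on_reconnect, number_of_radius_requests_seen)."""
    policy = {"enabled": True}
    wlc = WlcClientTable(radius_allows=lambda mac: policy["enabled"], idle_timeout=idle_timeout)
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    wlc.associate(mac, now=0)            # first join: RADIUS consulted and allowed
    policy["enabled"] = False            # admin disables the network policy
    allowed = wlc.associate(mac, now=gap_seconds)   # no deauth was ever sent
    return allowed, len(wlc.radius_requests)
```

With the default timeout a reconnect 60 seconds later is admitted with a single RADIUS request in the log; once the gap exceeds the timeout (or the timeout is shortened below the gap) the controller asks RADIUS again and the disabled policy denies the client.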

2 Replies

Thanks for pointing this out. It was right there in front of my face.

Thanks again.