9800 | PSK+mac-filter SSID | roaming behaviour external AAA AuthZ

wombocombo
Level 1

Dear Cisco Community,

I'd like to know the exact/normal behaviour of the 9800 WLC on a client roaming between two APs when the SSID is set up as:

  • central switched (local mode)
  • WPA2 PSK + mac-filtering enabled
  • mac-filter authorization is external (ISE)
  • no Fast-Roaming features enabled

From my understanding:

  1. On initial connection (association) of the client, the WLC is going to query the AAA server (ISE) for authorization of the client's mac-address and the client goes through the WPA 4-way handshake (PMK = PSK).
  2. When the client roams to another AP, same SSID and managed by the same WLC, it sends a reassociation request. The WLC should NOT trigger another authorization request to ISE as it already has an established and authorized session for this client. The WPA 4-way handshake between client and new AP still has to be made though.

At least that's my understanding of how it (should) work. And I've found the following paper describing this:
"When the client roams or sends association request to the same AP or different AP and is still connected to WLAN, the client is not authenticated again to AAA server."
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/wlan_security.html

I know this is AireOS, but I couldn't find any article describing the behaviour for IOS-XE.

Why am I asking:

We see a lot of authentication/authorization logs on ISE in a very short period of time from clients connected to an SSID which is configured as described. A test revealed that the WLC seems to send an AAA request to ISE on every client roam, which is in my opinion not how it should behave.

- We are running 17.3.5b

Can someone agree on my assumption or provide me a document which proves me wrong?  

Thank you very much in advance!

KR
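An added check for the observation in the post above (not code from the original thread, from Cisco or from ISE): it groups passed MAB authorizations per client MAC and counts the ones that arrive from a different AP within a short window, which is the per-roam AAA request pattern described. The log lines and the key=value field names are constructed to resemble ISE passed-authentication syslog and are an assumption, not real ISE output.

```python
"""Count per-client MAB authorizations that repeat within a short window from a
different AP. On a PSK + MAC-filter SSID a high count means the WLC re-queries
the AAA server on roams instead of reusing the existing authorized session.
Added example; log format is a constructed, simplified ISE-like syslog."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: client ...:01 associates, roams twice within minutes,
# then reconnects much later; client ...:02 associates once.
SAMPLE_LOG = """\
2023-05-10 08:00:01 ISE Passed-Authentication Calling-Station-ID=aa:bb:cc:dd:ee:01 Called-Station-ID=AP-FLOOR1-01 RadiusFlowType=WirelessMAB
2023-05-10 08:00:45 ISE Passed-Authentication Calling-Station-ID=aa:bb:cc:dd:ee:01 Called-Station-ID=AP-FLOOR1-02 RadiusFlowType=WirelessMAB
2023-05-10 08:01:20 ISE Passed-Authentication Calling-Station-ID=aa:bb:cc:dd:ee:01 Called-Station-ID=AP-FLOOR1-03 RadiusFlowType=WirelessMAB
2023-05-10 08:02:00 ISE Passed-Authentication Calling-Station-ID=aa:bb:cc:dd:ee:02 Called-Station-ID=AP-FLOOR1-01 RadiusFlowType=WirelessMAB
2023-05-10 09:30:00 ISE Passed-Authentication Calling-Station-ID=aa:bb:cc:dd:ee:01 Called-Station-ID=AP-FLOOR1-01 RadiusFlowType=WirelessMAB
"""

LINE_RE = re.compile(r"^(\S+ \S+) .*?Calling-Station-ID=(\S+) .*?Called-Station-ID=(\S+)")


def parse(log):
    """Yield (timestamp, client_mac, ap) for each passed wireless MAB authorization."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and "WirelessMAB" in line:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def roam_reauths(log, window=timedelta(minutes=5)):
    """Per client MAC, count authorizations that follow the previous one within
    `window` and come from a different AP (roam-shaped re-authorizations).
    Initial associations and re-auths outside the window are not counted."""
    last = {}                      # mac -> (timestamp, ap) of the previous auth
    counts = defaultdict(int)
    for ts, mac, ap in sorted(parse(log)):
        prev = last.get(mac)
        if prev and ts - prev[0] <= window and ap != prev[1]:
            counts[mac] += 1
        last[mac] = (ts, ap)
    return dict(counts)


if __name__ == "__main__":
    for mac, n in roam_reauths(SAMPLE_LOG).items():
        print(f"{mac}: {n} roam-triggered AAA request(s)")
```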


1 Reply

marce1000
VIP


  - A good place to start is reviewing the current 9800 configuration with the CLI command: show tech wireless, and having the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer. Check out all advisories and/or configuration items related to the issue(s) that you posted.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '