
Computer connecting to Wi-Fi - 802.1x - MAC auth.

Hi

Discovered something strange, and unexpected today.

We have multiple SSIDs. Regular company computers connect to an 802.1x enabled WLAN.

Then we have a different SSID/network using PSK and MAC auth.

What I see is that if a computer is added to the list of devices that is allowed to connect to the PSK/MAC auth. network, it will no longer connect to the 802.1x network.
The same computer can connect to other SSIDs/networks that only use PSK, while still being on the "allowed-list" for the PSK/MAC auth network.
So, this seems only to be a problem when connecting to the 802.1x based network.

Is this expected behaviour?

We're running Cisco 9800-CL 17.3.5b.

/Kenneth


marce1000
VIP


 - This page will give you a number of tools and commands for client debugging: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity ; note that client RA traces can be analyzed with: https://cway.cisco.com/wireless-debug-analyzer/

   Besides that, it's good practice to have a checkup of the current controller configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ ; please note: do not use the classical show tech-support (short version), use the command denoted in green for Wireless Analyzer. Check out all advisories! All items red-flagged should be corrected. For future use: WirelessAnalyzer can also make you aware of the RF environment, such as coverage holes, APs under heavy load, APs undergoing frequent channel changes and so on. It is advised to use WirelessAnalyzer on a regular basis afterwards (even when current issues get resolved).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

JPavonM
VIP

Check whether your config looks like this:

aaa authorization network <YOUR_LIST_HERE> local
aaa attribute list <YOUR_LIST_HERE>
  attribute type ssid "<YOUR_SSID_HERE> "
!
username <DEVICE_MAC> mac aaa attribute list <YOUR_LIST_HERE>  description WHATEVER
wlan <YOUR_WLAN_PROF_HERE> 16 <YOUR_SSID_HERE>
  mac-filtering <YOUR_LIST_HERE>

 

Hi

It looks like this, and it seems to be OK.

aaa authorization network MY-MAC-PSK-NETWORK local
aaa attribute list MY-MAC-PSK-NETWORK_FILTER
  attribute type ssid "MY-MAC-PSK-NETWORK-SSID"
!
!
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
username [MAC_ADDRESS] mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER wlan-profile-name MY-MAC-PSK-NETWORK-SSID description "SOME DESCRIPTION"
!
!
wlan MY-MAC-PSK-NETWORK-NAME 205 MY-MAC-PSK-NETWORK-SSID
  assisted-roaming dual-list
  assisted-roaming prediction
  no chd
  mac-filtering MY-MAC-PSK-NETWORK_FILTER
  peer-blocking drop
  no security ft adaptive
  security wpa psk set-key ascii 0 ********
  no security wpa akm dot1x
  security wpa akm psk
  no shutdown

Keep in mind that both the PSK/MAC auth. WLAN and the 802.1x WLANs are working as expected.

The problem is that when I add a computer to the PSK/MAC auth. list, it's no longer able to connect to the 802.1x based WLAN.
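One way to run the check suggested earlier in this thread ("Check whether your config looks like this") against a saved running-config, as an added example that is not code from any poster or from Cisco. It assumes, following that template, that the WLAN's `mac-filtering` name is the same name used in `aaa authorization network ... local`; `SAMPLE` is constructed from the configuration shown above with a made-up MAC address, and `parse` and `lint` are hypothetical helper names.

```python
import re
# Constructed sample modelled on the config posted above (MAC is made up).
SAMPLE = """\
aaa authorization network MY-MAC-PSK-NETWORK local
aaa attribute list MY-MAC-PSK-NETWORK_FILTER
 attribute type ssid "MY-MAC-PSK-NETWORK-SSID"
username aabbccddeeff mac aaa attribute list MY-MAC-PSK-NETWORK_FILTER
wlan MY-MAC-PSK-NETWORK-NAME 205 MY-MAC-PSK-NETWORK-SSID
 mac-filtering MY-MAC-PSK-NETWORK_FILTER
"""

def parse(config):
    """Collect the objects the template ties together (indentation ignored)."""
    cfg = {"authz": set(), "attr_ssid": {}, "users": [], "wlans": {}}
    attr = wlan = None  # most recent 'aaa attribute list' / 'wlan' block
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"aaa authorization network (\S+) local", line):
            cfg["authz"].add(m[1])
        elif m := re.match(r"aaa attribute list (\S+)$", line):
            attr = m[1]
        elif (m := re.match(r'attribute type ssid "(.*)"', line)) and attr:
            cfg["attr_ssid"][attr] = m[1].strip()
        elif m := re.match(r"username (\S+) mac aaa attribute list (\S+)", line):
            cfg["users"].append((m[1], m[2]))
        elif m := re.match(r"wlan (\S+) (\d+) (\S+)", line):
            wlan = m[1]
            cfg["wlans"][wlan] = {"ssid": m[3], "filter": None}
        elif (m := re.match(r"mac-filtering (\S+)", line)) and wlan:
            cfg["wlans"][wlan]["filter"] = m[1]
    return cfg

def lint(config):
    """Return textual deviations from the template (assumed naming rule)."""
    cfg, out = parse(config), []
    for name, w in cfg["wlans"].items():
        if w["filter"] and w["filter"] not in cfg["authz"]:
            out.append(f"wlan {name}: mac-filtering {w['filter']} is not an "
                       "'aaa authorization network <list> local' name")
    filtered = {w["ssid"] for w in cfg["wlans"].values() if w["filter"]}
    for attr, ssid in cfg["attr_ssid"].items():
        if ssid not in filtered:
            out.append(f"attribute list {attr}: ssid '{ssid}' has no MAC-filtered wlan")
    for mac, attr in cfg["users"]:
        if attr not in cfg["attr_ssid"]:
            out.append(f"username {mac}: attribute list {attr} defines no ssid")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "matches template")
```

The script reports only textual differences from the template; the thread does not establish whether such a difference is related to the 802.1x behaviour described.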

I believe that is a local auth limitation; you need to have an external RADIUS to handle this kind of condition (like ISE).

Depends on the code running; check the documentation:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html

BB
