Radius option 8

Gioacchino
Level 1

Hi community,

in our WLC we have the following

radius-server attribute 8 include-in-access-req

As far as I understand, this instructs the WLC to send the IP address (Framed-IP-Address) proposed by the DHCP client in the Access-Request.
In the logs we see that many clients propose values that are not within the scope of our IP address plan; the DHCP is external, neither within ISE nor within the WLC.

I would say that the fact that we see such requests is normal, because DHCP clients get IP addresses from other wireless networks, like home wireless (many are in the range 192.168.0.0/24), and hence try to use the last remembered one.

Am I correct? Is there a way to fix that, maybe on the WLC? I don't think so because I should instruct the WLC about the "right" ranges, but I'm not aware of such way.

Any hints/clues?

TIA, Gio

7 Replies

balaji.bandi
Hall of Fame
In the logs we see that many clients propose values that are not within the scope of our IP address plan, the DHCP is external, neither within ISE nor within the WLC.

Can you post some example logs to look at here?

Also provide the environment information: what WLC controller and code are you running?

What end devices? Phone or laptop or anything else?

You can enable debug to see where the requests are coming from.

BB

Hi @balaji.bandi ,

I will try to post a sanitized log.
It's a 9800-40 with Cisco IOS XE Software, Version 17.09.03
End devices might be anything, even laptops.

@Gioacchino 

Not sure if I pictured your scenario correctly, but in the documentation related to attribute 8 we can read:

"Prerequisites for RADIUS Attribute 8 Framed-IP-Address in Access Requests

Sending RADIUS attribute 8 in the RADIUS access requests assumes that the login host has been configured to request its IP address from the NAS server. It also assumes that the login host has been configured to accept an IP address from the NAS.

The NAS must be configured with a pool of network addresses on the interface supporting the login hosts."

If I understood it right, this is not the case for your scenario, right?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/xe-3s/sec-usr-radatt-xe-3s-book/sec-rad-att-8-accss-req.html

Hi Flavio,

well, I'd say we fall into this scenario. I've read the doc you provided me the link for. The logs in WLC, normalized by Splunk, relate (I think) to Accounting packets (more when I'll be able to sanitize the log).

I have just realized that we announce the same SSID in many many buildings of the campus, but wireless clients get the IP address from different ranges (I'm not responsible for the design). And you know people move around, may close the lid of the laptops that triggers the sleep (or hibernation) mode.

The DHCP server role is held neither by the WLC nor by the ISE, but by the ISC version. It's centralized and the GWs relay requests to it.

I'll try to come back asap with a sample log, it will help IMO.

Thanks,

Gioacchino

Gioacchino
Level 1

@balaji.bandi, @Flavio Miranda 

Here below is a sanitized log; all the pieces of info have been camouflaged, except the Framed-IP-Address. For that SSID, COMPANY-GUESTS, we use ranges within 10.0.0.0/8.

In it, I read "RADIUS Accounting watchdog update"; I'm a bit puzzled:

Does it really mean that for the Framed-IP-Address we reached the phase of accounting (post authentication and authorization)?

OR

Is it about a message where the WLC just informs the ISE that there is a device willing to use that IP address?

This is important to understand if the device indeed uses that IP address after associating onto the SSID.

Here is the logged message:

Oct 22 14:58:11 WLC_IP_addr CISE_RADIUS_Accounting 0000320541 1 0 2024-10-22 14:58:11.588 +02:00 0005372900 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update
ConfigVersionId=96
Device IP Address=<WLC_IP_addr>
UserName=AA-08-FA-73-BE-33
NetworkDeviceName=WLC9800
User-Name=AA-08-FA-73-BE-33
NAS-IP-Address=<WLC_IP_addr>
NAS-Port=50315
Framed-IP-Address=192.168.0.207 <<<<<<<<< Value in question, we speak of this!
Class=CACS:3C57930A000444ACB44E5961:a-shs-ise1/518391323/271123
Called-Station-ID=AP_U1.10:COMPANY-GUEST
Calling-Station-ID=AA-08-FA-73-BE-33
NAS-Identifier=COMPANY-GUEST:54-8a-ba-e0-6d-11
Acct-Status-Type=Interim-Update
Acct-Delay-Time=5
Acct-Input-Octets=0
Acct-Output-Octets=0
Acct-Session-Id=0002bcdc
Acct-Authentic=Remote
Acct-Input-Packets=0
Acct-Output-Packets=0
Acct-Input-Gigawords=0
Acct-Output-Gigawords=0
Event-Timestamp=1729601886
NAS-Port-Type=Wireless - IEEE 802.11
Framed-IPv6-Address=fe80::18bf:*:*:*
cisco-av-pair=dc-profile-name=Un-Classified Device
cisco-av-pair=dc-device-name=Unknown Device
cisco-av-pair=dc-device-class-tag=Un-Classified Device
cisco-av-pair=dc-certainty-metric=0
cisco-av-pair=64:63:2d:6f:70:61:71:75:65:3d:04:00:00:00:00:00:00:00:00:00:00:00
cisco-av-pair=dc-protocol-map=1
cisco-av-pair=audit-session-id=3C57930A000444ACB44E5961
cisco-av-pair=vlan-id=2201
cisco-av-pair=method=mab
cisco-av-pair=cisco-wlan-ssid=COMPANY-GUEST
cisco-av-pair=wlan-profile-name=Guest
Airespace-Wlan-Id=2
AcsSessionID=a-shs-ise1/518391323/271141
SelectedAccessService=Default Network Access
RequestLatency=2
Step=11004
Step=11017
Step=15049
Step=15008
Step=22094
Step=11005
NetworkDeviceGroups=Device Type#All Device Types#Wireless controller
NetworkDeviceGroups=IPSEC#Is IPSEC Device#No
NetworkDeviceGroups=Location#All Locations
CPMSessionID=3C57930A000444ACB44E5961
TotalAuthenLatency=2
ClientLatency=0
Network Device Profile=Cisco
Location=Location#All Locations
Device Type=Device Type#All Device Types#Wireless controller
IPSEC=IPSEC#Is IPSEC Device#No

The SSID in question uses the ISE captive portal.

What makes me wonder is this type of message, "Oct 22 14:58:11 WLC_IP_addr CISE_RADIUS_Accounting 0000320541 1 0 2024-10-22 14:58:11.588 +02:00 0005372900 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update", that speaks of Accounting.
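As an added example (not from this thread, from Cisco or from ISE), here is a small Python check that parses an accounting record in the format pasted above and flags a Framed-IP-Address that falls outside the address plan stated for the SSID; the 10.0.0.0/8 prefix is taken from the post and the trimmed sample record is constructed.

```python
import ipaddress

# Assumption: the SSID's address plan (the post states 10.0.0.0/8 for COMPANY-GUEST).
EXPECTED_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in the ISE accounting syslog format shown in the thread (trimmed).
SAMPLE_RECORD = """\
Oct 22 14:58:11 WLC_IP_addr CISE_RADIUS_Accounting 0000320541 1 0 2024-10-22 14:58:11.588 +02:00 0005372900 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update
NAS-IP-Address=<WLC_IP_addr>
Framed-IP-Address=192.168.0.207
Called-Station-ID=AP_U1.10:COMPANY-GUEST
Calling-Station-ID=AA-08-FA-73-BE-33
Acct-Status-Type=Interim-Update
cisco-av-pair=method=mab
cisco-av-pair=cisco-wlan-ssid=COMPANY-GUEST
"""

MULTI_KEYS = ("cisco-av-pair", "Step")  # keys ISE repeats in one record


def parse_record(text):
    """Parse one record (syslog header line + key=value lines) into a dict.
    Repeated keys are collected into lists; the header's message text is kept."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    rec = {"message": lines[0].rsplit("Radius-Accounting: ", 1)[-1],
           "cisco-av-pair": [], "Step": []}
    for line in lines[1:]:
        key, sep, value = line.partition("=")  # av-pairs keep their inner '='
        if not sep:
            continue
        if key in MULTI_KEYS:
            rec[key].append(value)
        else:
            rec[key] = value
    return rec


def check_framed_ip(rec, prefixes=EXPECTED_PREFIXES):
    """Return a finding when Framed-IP-Address is unparsable or outside every
    expected prefix; return None when it fits the plan or is absent."""
    raw = rec.get("Framed-IP-Address")
    if raw is None:
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return {"mac": rec.get("Calling-Station-ID"), "ip": raw, "reason": "unparsable"}
    if any(addr in p for p in prefixes):
        return None
    return {"mac": rec.get("Calling-Station-ID"), "ip": raw,
            "status": rec.get("Acct-Status-Type"), "reason": "outside address plan"}
```

Running check_framed_ip(parse_record(SAMPLE_RECORD)) reports the 192.168.0.207 address seen in the Interim-Update above as outside the plan.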

Rich R
VIP

Since your radius server (ISE) is not providing the IP allocation I think you should not be using "radius-server attribute 8 include-in-access-req".

To ensure that your clients always use the correct IP address from the correct subnet, your wireless profile policy should be configured with "ipv4 dhcp required".

The client framed IP will always be sent in the radius accounting anyway by default.
