10-19-2020 12:51 AM - edited 07-05-2021 12:39 PM
Hi,
We have a WLC 9800-40 (16.12.4a). Sometimes, after a user successfully authenticates against RADIUS in an 802.1X-enabled WLAN, the User Name remains 'Unknown' in the controller monitor, despite the client having been associated a long time ago. Because of that, our PRIME management station doesn't register the User Name either (it registers it as 'Unknown').
Any suggestion?
10-19-2020 03:58 AM
- What's in the logs of the RADIUS server for the particular authentication?
M.
10-19-2020 06:31 AM
Hi M,
RADIUS logs show 'Login OK' for the user, but 'User Name' in the controller remains 'Unknown'.
Do you need anything more specific about the RADIUS log?
Thanks!
10-19-2020 08:44 AM
- Is the username detectable in the RADIUS logs (if needed, use debugging powers, if available)?
M.
10-19-2020 08:51 AM
Yes, in RADIUS logs, the username is ok.
10-20-2020 12:51 AM
10-20-2020 02:29 AM
We use FREERADIUS. We see the username in the RADIUS server logs when the device authenticates initially, but sometimes, not always, the username in the WLC 9800 remains 'Unknown' ...
10-20-2020 08:12 AM
10-21-2020 02:21 AM
Sorry if I didn't explain well. The RADIUS SERVER always knows the username, but the controller doesn't. In the RADIUS logs the login is OK and the username is known, but in the controller the username remains 'Unknown'.
10-21-2020 08:03 AM
11-04-2020 04:26 AM
Hi,
We have done some more digging in this subject and found the following issue:
When a user authenticated on an EAP-enabled SSID wifi network roams from one AP to another with a different Policy Profile, we obtain the following trace from the controller for the client:
2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (ERR): Policy Profile Mismatch, Local:APL-LabRobotica_WLANID_1, Remote:APL_WLANID_1
2020/10/26 07:54:37.259 {wncd_x_R0-1}{1}: [client-orch-sm] [22478]: (note): MAC: 149f.3c58.a6b3 Mobility discovery triggered. Client mode: Local
2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (ERR): MAC: 149f.3c58.a6b3 Handoff Deny: Profile Mismatch
2020/10/26 07:54:37.259 {wncd_x_R0-1}{1}: [client-orch-state] [22478]: (note): MAC: 149f.3c58.a6b3 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [ewlc-infra-evq] [23099]: (ERR): <149f.3c58.a6b3 >:handoff:MM_HANDOFF_FAILURE
2020/10/26 07:54:37.260 {wncd_x_R0-1}{1}: [ewlc-infra-evq] [22478]: (ERR):<149f.3c58.a6b3>:handoff:MM_HANDOFF_REJECTED_BY_PEER
2020/10/26 07:54:37.260 {wncd_x_R0-4}{1}: [ewlc-infra-evq] [23099]: (ERR): 149f.3c58.a6b3 CLIENT_MOBILITY_CLEANUP Reason = MMIF_MM_MSG_DECODE_FAILURE WLAN profile = Eduroam, Policy profile = APL-LabRobotica_WLANID_1, AP name = XXXXAP2
2020/10/26 07:54:37.260 {wncd_x_R0-1}{1}: [mm-client] [22478]: (note): MAC: 149f.3c58.a6b3 Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_NONE, Previous BSSID MAC: 0000.0000.0000 Client IFID: 0xa000148c, Client Role: Local PoA: 0x90400350 PoP: 0x0
2020/10/26 07:54:37.260 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (note): MAC: 149f.3c58.a6b3 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_MOBILITY_FAILURE, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|17|18|25|30|3f|40|42|43|48|55|57|67|80|
Accounting to the RADIUS SERVER reports that the session stops for this user:
Mon Oct 26 08:45:47 2020
Cisco-AVPair = "dc-profile-name=Linux-Workstation"
Cisco-AVPair = "dc-device-name=android-dhcp-9"
Cisco-AVPair = "dc-device-class-tag=Workstation:Linux-Workstation"
Cisco-AVPair = "dc-certainty-metric=10"
Cisco-AVPair = "dc-opaque=\002\000\000\000\001\000\000\000\000\000\000"
Cisco-AVPair = "dc-protocol-map=41"
Cisco-AVPair = "http-tlv=\000\001\000hMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36"
Cisco-AVPair = "dhcp-option=\000\014\000\tGalaxy-J5"
Cisco-AVPair = "dhcp-option=\000<\000\016android-dhcp-9"
Cisco-AVPair = "dhcp-option=\0007\000\n\001\003\006\017\032\0343:;+"
Framed-IP-Address = x.x.8.26
Framed-IPv6-Address = fe80::169f:3cff:fe58:a6b3
User-Name = "jose"
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Cisco-AVPair = "vlan-id=xxx"
Cisco-AVPair = "method=dot1x"
Called-Station-Id = "00-38-df-2d-22-60"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
NAS-IP-Address = x.x.x.x
NAS-Port-Id = "capwap_90400350"
NAS-Port-Type = Wireless-802.11
NAS-Port = 6216
Airespace-Wlan-Id = 1
Cisco-AVPair = "cisco-wlan-ssid=eduroam"
NAS-Identifier = "WiFi-01"
Acct-Session-Id = "000063a6"
Acct-Input-Octets = 6124411
Acct-Input-Gigawords = 0
Acct-Output-Octets = 1751560
Acct-Output-Gigawords = 0
Acct-Input-Packets = 7991
Acct-Output-Packets = 8758
Acct-Authentic = Remote
Acct-Terminate-Cause = Reauthentication-Failure
Acct-Status-Type = Stop
Event-Timestamp = "Oct 26 2020 08:45:47 CET"
Acct-Session-Time = 382
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "e8cb8fb848d21c71"
Stripped-User-Name = "jose"
Realm = "NULL"
Timestamp = 1603698347
After roaming, WLC Controller reports another session starts:
Mon Oct 26 08:45:47 2020
Cisco-AVPair = "dc-profile-name=Un-Classified Device"
Cisco-AVPair = "dc-device-name=SAMSUNG ELECTRONICS CO.,LTD"
Cisco-AVPair = "dc-device-class-tag=Un-Classified Device"
Cisco-AVPair = "dc-certainty-metric=0"
Cisco-AVPair = "dc-opaque=\004\000\000\000\000\000\000\000\000\000\000"
Cisco-AVPair = "dc-protocol-map=1"
Framed-IP-Address = x.x.8.26
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Cisco-AVPair = "vlan-id=xxx"
Cisco-AVPair = "method=dot1x"
Called-Station-Id = "5c-e1-76-d3-03-80"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
NAS-IP-Address = x.x.x.x
NAS-Port-Id = "capwap_90c00033"
NAS-Port-Type = Wireless-802.11
NAS-Port = 6216
Airespace-Wlan-Id = 1
Cisco-AVPair = "cisco-wlan-ssid=eduroam"
NAS-Identifier = "WiFi-01"
Acct-Session-Id = "00004162"
Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Authentic = Remote
Acct-Status-Type = Start
Event-Timestamp = "Oct 26 2020 08:45:47 CET"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "aab5126e2f575117"
Timestamp = 1603698347
but no full authentication has been done in RADIUS SERVER again, and Username is not reported by the WLC.
Device is still associated to EAP SSID through the new AP, WLC reporting Mobility History Roam Type “802.11i Fast”.
But Username remains unknown for the controller, because client was deleted, I guess.
So, it seems WLC didn’t force full authentication against RADIUS SERVER, allowing Fast Roaming instead, and keeping incomplete user information.
Best regards.
- Jose J.
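Added example (not part of the original post, and not Cisco or FreeRADIUS code): a check over FreeRADIUS accounting "detail" records that flags a Start record arriving without User-Name, as in the roam above, and recovers the identity from an earlier record carrying the same audit-session-id. The function names are hypothetical and the sample is constructed from the two records in the post; it assumes blank-line-separated records and that audit-session-id survives the roam, as it does in the records shown.

```python
import re

# Constructed sample in FreeRADIUS "detail" layout, trimmed from the two records in the post.
SAMPLE = """\
Mon Oct 26 08:45:47 2020
\tUser-Name = "jose"
\tCisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
\tCalling-Station-Id = "14-9f-3c-58-a6-b3"
\tAcct-Session-Id = "000063a6"
\tAcct-Terminate-Cause = Reauthentication-Failure
\tAcct-Status-Type = Stop

Mon Oct 26 08:45:47 2020
\tCisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
\tCalled-Station-Id = "5c-e1-76-d3-03-80"
\tCalling-Station-Id = "14-9f-3c-58-a6-b3"
\tAcct-Session-Id = "00004162"
\tAcct-Status-Type = Start
"""
ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """Split detail text into records; Cisco-AVPair 'k=v' entries become key k (last value wins)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = ATTR.match(line)
            if not m:  # timestamp header lines have no "=" and are skipped
                continue
            name, value = m.groups()
            if name == "Cisco-AVPair" and "=" in value:
                name, _, value = value.partition("=")
            rec[name] = value
        records.append(rec)
    return records

def anonymous_starts(records):
    """Flag Start records lacking User-Name; recover it via audit-session-id."""
    known, findings = {}, []  # known: audit-session-id -> last User-Name seen
    for rec in records:
        sid, user = rec.get("audit-session-id"), rec.get("User-Name")
        if user and sid:
            known[sid] = user
        elif not user and rec.get("Acct-Status-Type") == "Start":
            findings.append({"acct_session": rec.get("Acct-Session-Id"),
                             "client": rec.get("Calling-Station-Id"),
                             "ap_bssid": rec.get("Called-Station-Id"),
                             "recovered_user": known.get(sid)})
    return findings
```

A finding whose `recovered_user` is `None` means no earlier record with that audit-session-id carried a User-Name, so the session cannot be attributed from accounting alone.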
11-04-2020 06:52 AM
11-04-2020 06:58 AM
11-11-2020 12:30 PM
Hey @netmaster.uc3m
Since it's Freeradius, do you have to manually populate the User-Name attribute in the RADIUS Access-Accept message back to the NAS? Out of curiosity, if you did a packet capture on the wire, what is contained in the Access-Accept to the WLC? In my opinion, this is what informs the NAS (WLC in this case) what the 'User Name' should be displayed as. Perhaps the returned value is blank.