WLC 9800: User Name remains 'Unknown' after RADIUS authentication in WLAN 802.1X enabled

netmaster.uc3m
Level 1

Hi,

 

We have a WLC 9800-40 (16.12.4a). Sometimes, after a successful authentication against RADIUS by a user in a WLAN with 802.1X enabled, the User Name remains 'Unknown' in the controller monitor, despite the client having been associated a long time ago. Because of that, our PRIME management station doesn't register the User Name either (it registers it as 'Unknown').

 

Any suggestion?

13 Replies

marce1000
VIP

 

- What's in the logs of the RADIUS server for the particular authentication?

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi M,

 

Radius logs show 'Login OK' for the user, but 'User Name' in controller remains 'Unknown'.

 

Do you need anything more specific about the RADIUS log?

 

Thanks!

 

- Is the username detectable in the RADIUS logs (if needed use debugging powers, if available)?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Yes, in RADIUS logs, the username is ok.

What radius server are you using? If you see the username when the device authenticates initially, you should also see the username on the controller.
-Scott
*** Please rate helpful posts ***

We use FreeRADIUS. We see the username in the RADIUS server logs when the device authenticates initially, but sometimes (not always) the username in the WLC 9800 remains 'Unknown'...

I think that can be the problem. When using EAP, the radius server should “know” of the username 100%. If you only see that sometimes, well there is an issue there. Maybe reach out to their forums and get some suggestions.
-Scott
*** Please rate helpful posts ***

Sorry if I didn't explain well. The RADIUS server always knows the username, but the controller doesn't. In the RADIUS logs the login is OK and the username is known, but in the controller the username remains 'Unknown'.

 

 

 

I don’t know... maybe something with freeradius? I run 9800’s and ISE with no issues.
-Scott
*** Please rate helpful posts ***

Hi,

We have done some more digging in this subject and found the following issue:

 

When a user authenticated in an EAP-enabled SSID roams from one AP to another with a different Policy Profile, we obtain the following trace from the controller for the client:

 

2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (ERR): Policy Profile Mismatch, Local:APL-LabRobotica_WLANID_1, Remote:APL_WLANID_1
2020/10/26 07:54:37.259 {wncd_x_R0-1}{1}: [client-orch-sm] [22478]: (note): MAC: 149f.3c58.a6b3 Mobility discovery triggered. Client mode: Local
2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (ERR): MAC: 149f.3c58.a6b3 Handoff Deny: Profile Mismatch
2020/10/26 07:54:37.259 {wncd_x_R0-1}{1}: [client-orch-state] [22478]: (note): MAC: 149f.3c58.a6b3 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2020/10/26 07:54:37.259 {wncd_x_R0-4}{1}: [ewlc-infra-evq] [23099]: (ERR): <149f.3c58.a6b3 >:handoff:MM_HANDOFF_FAILURE
2020/10/26 07:54:37.260 {wncd_x_R0-1}{1}: [ewlc-infra-evq] [22478]: (ERR):<149f.3c58.a6b3>:handoff:MM_HANDOFF_REJECTED_BY_PEER
2020/10/26 07:54:37.260 {wncd_x_R0-4}{1}: [ewlc-infra-evq] [23099]: (ERR): 149f.3c58.a6b3 CLIENT_MOBILITY_CLEANUP Reason = MMIF_MM_MSG_DECODE_FAILURE WLAN profile = Eduroam, Policy profile = APL-LabRobotica_WLANID_1, AP name = XXXXAP2
2020/10/26 07:54:37.260 {wncd_x_R0-1}{1}: [mm-client] [22478]: (note): MAC: 149f.3c58.a6b3 Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_NONE, Previous BSSID MAC: 0000.0000.0000 Client IFID: 0xa000148c, Client Role: Local PoA: 0x90400350 PoP: 0x0
2020/10/26 07:54:37.260 {wncd_x_R0-4}{1}: [client-orch-sm] [23099]: (note): MAC: 149f.3c58.a6b3 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_MOBILITY_FAILURE, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|17|18|25|30|3f|40|42|43|48|55|57|67|80|

 

Accounting to the RADIUS server reports that the session stops for this user:

 

Mon Oct 26 08:45:47 2020
Cisco-AVPair = "dc-profile-name=Linux-Workstation"
Cisco-AVPair = "dc-device-name=android-dhcp-9"
Cisco-AVPair = "dc-device-class-tag=Workstation:Linux-Workstation"
Cisco-AVPair = "dc-certainty-metric=10"
Cisco-AVPair = "dc-opaque=\002\000\000\000\001\000\000\000\000\000\000"
Cisco-AVPair = "dc-protocol-map=41"
Cisco-AVPair = "http-tlv=\000\001\000hMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36"
Cisco-AVPair = "dhcp-option=\000\014\000\tGalaxy-J5"
Cisco-AVPair = "dhcp-option=\000<\000\016android-dhcp-9"
Cisco-AVPair = "dhcp-option=\0007\000\n\001\003\006\017\032\0343:;+"
Framed-IP-Address = x.x.8.26
Framed-IPv6-Address = fe80::169f:3cff:fe58:a6b3
User-Name = "jose"
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Cisco-AVPair = "vlan-id=xxx"
Cisco-AVPair = "method=dot1x"
Called-Station-Id = "00-38-df-2d-22-60"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
NAS-IP-Address = x.x.x.x
NAS-Port-Id = "capwap_90400350"
NAS-Port-Type = Wireless-802.11
NAS-Port = 6216
Airespace-Wlan-Id = 1
Cisco-AVPair = "cisco-wlan-ssid=eduroam"
NAS-Identifier = "WiFi-01"
Acct-Session-Id = "000063a6"
Acct-Input-Octets = 6124411
Acct-Input-Gigawords = 0
Acct-Output-Octets = 1751560
Acct-Output-Gigawords = 0
Acct-Input-Packets = 7991
Acct-Output-Packets = 8758
Acct-Authentic = Remote
Acct-Terminate-Cause = Reauthentication-Failure
Acct-Status-Type = Stop
Event-Timestamp = "Oct 26 2020 08:45:47 CET"
Acct-Session-Time = 382
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "e8cb8fb848d21c71"
Stripped-User-Name = "jose"
Realm = "NULL"
Timestamp = 1603698347

 

After roaming, the WLC reports that another session starts:

 

Mon Oct 26 08:45:47 2020
Cisco-AVPair = "dc-profile-name=Un-Classified Device"
Cisco-AVPair = "dc-device-name=SAMSUNG ELECTRONICS CO.,LTD"
Cisco-AVPair = "dc-device-class-tag=Un-Classified Device"
Cisco-AVPair = "dc-certainty-metric=0"
Cisco-AVPair = "dc-opaque=\004\000\000\000\000\000\000\000\000\000\000"
Cisco-AVPair = "dc-protocol-map=1"
Framed-IP-Address = x.x.8.26
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Cisco-AVPair = "vlan-id=xxx"
Cisco-AVPair = "method=dot1x"
Called-Station-Id = "5c-e1-76-d3-03-80"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
NAS-IP-Address = x.x.x.x
NAS-Port-Id = "capwap_90c00033"
NAS-Port-Type = Wireless-802.11
NAS-Port = 6216
Airespace-Wlan-Id = 1
Cisco-AVPair = "cisco-wlan-ssid=eduroam"
NAS-Identifier = "WiFi-01"
Acct-Session-Id = "00004162"
Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Output-Octets = 0
Acct-Output-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Authentic = Remote
Acct-Status-Type = Start
Event-Timestamp = "Oct 26 2020 08:45:47 CET"
Acct-Delay-Time = 0
Acct-Unique-Session-Id = "aab5126e2f575117"
Timestamp = 1603698347

 

but no full authentication has been done against the RADIUS server again, and the username is not reported by the WLC.

 

The device is still associated to the EAP SSID through the new AP, with the WLC reporting Mobility History Roam Type “802.11i Fast”.
But the username remains unknown to the controller, because the client was deleted, I guess.

 

So, it seems the WLC didn't force a full authentication against the RADIUS server, allowing fast roaming instead and keeping incomplete user information.

 

Best regards.

 

- Jose J.
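
One way to catch this pattern automatically on the RADIUS side, as an added example that is not from the thread or from FreeRADIUS itself: a small Python parser for detail-file style records like the ones pasted above, which flags a Start record with no User-Name that follows a Reauthentication-Failure Stop on the same audit-session-id. The sample records are constructed from the posted ones and trimmed to the attributes the check uses; the attribute names are the ones shown in the thread.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the records pasted above, trimmed to the
# attributes the check needs.
SAMPLE = """\
Mon Oct 26 08:45:47 2020
User-Name = "jose"
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
Acct-Terminate-Cause = Reauthentication-Failure
Acct-Status-Type = Stop

Mon Oct 26 08:45:47 2020
Cisco-AVPair = "audit-session-id=0510960A0000C9C163D8E384"
Calling-Station-Id = "14-9f-3c-58-a6-b3"
Acct-Status-Type = Start
"""
DATE_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4}$")
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """One dict (attribute -> list of values) per record; a date line opens a record."""
    records, current = [], None
    for line in text.splitlines():
        if DATE_RE.match(line.strip()):
            current = defaultdict(list)
            records.append(current)
        elif current is not None and (m := ATTR_RE.match(line)):
            current[m.group(1)].append(m.group(2))
    return records

def avpair(rec, key):
    """Value of the Cisco-AVPair 'key=value' in a record, or None if absent."""
    for pair in rec.get("Cisco-AVPair", []):
        k, _, val = pair.partition("=")
        if k == key:
            return val
    return None

def find_identity_loss(records):
    """(audit-session-id, MAC) for each Start with no User-Name that follows a Stop
    with Acct-Terminate-Cause Reauthentication-Failure on the same audit-session-id."""
    failed, hits = set(), []
    for rec in records:
        sid = avpair(rec, "audit-session-id")
        status = rec.get("Acct-Status-Type", [None])[0]
        if status == "Stop" and rec.get("Acct-Terminate-Cause") == ["Reauthentication-Failure"]:
            failed.add(sid)                      # session torn down at roam time
        elif status == "Start" and sid in failed and "User-Name" not in rec:
            hits.append((sid, rec.get("Calling-Station-Id", ["?"])[0]))
    return hits
```

Feeding a real detail file through `parse_detail` and then `find_identity_loss` lists the sessions whose identity the WLC lost, which is the set PRIME will show as 'Unknown'.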

So why are you using different policy profiles in a location where devices roam? I’m also assuming that if you use the same policy profile or roam to aps on the same policy profile, there are no issues?
-Scott
*** Please rate helpful posts ***

Take a look at this link as it might help explain what you might be seeing.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_client_roaming_policy_profile.html
-Scott
*** Please rate helpful posts ***

Hey @netmaster.uc3m 

 

Since it's Freeradius, do you have to manually populate the User-Name attribute in the RADIUS Access-Accept message back to the NAS? Out of curiosity, if you did a packet capture on the wire, what is contained in the Access-Accept to the WLC? In my opinion, this is what informs the NAS (WLC in this case) what the 'User Name' should be displayed as. Perhaps the returned value is blank. 
