09-30-2013 12:03 PM - edited 07-04-2021 12:58 AM
Hello,
Once in a while I get an issue with the 802.1x authentication I use on my WLAN. I have a setup of a Cisco WLC 5508 and 1142 LAPs and am running a FlexConnect SSID. Usually the clients authenticate towards the RADIUS server set in the WLC with the client MAC in the Called Station ID. However, sometimes (for some strange reason; no changes are made in the WLC) the RADIUS requests are received with the SSID appended to the Called Station ID, so the request is discarded and the users are unable to authenticate.
Is there any possibility that the WLC adds the SSID to the Called Station ID field for some reason?
Thanks in advance
Best Regards
09-30-2013 01:30 PM
In most scenarios (i.e. local mode AP, FlexConnect connected mode) the called-station-id information is RFC compliant and sends the SSID name as part of the Called Station ID.
But in FlexConnect standalone mode that is not the case.
I have tested this with 7.0.116.0 and confirmed the behaviour. Not sure under what circumstances you experience this behaviour.
This may be useful for understanding this:
http://mrncciew.com/2013/07/22/called-calling-station-id/
HTH
Rasika
**** Pls rate all useful responses ****
10-04-2013 07:21 AM
Hello,
Thanks for your response. I do understand what should be the case, and I think I understand what is being said in the appended link. However, it doesn't really translate to what I am seeing in the RADIUS server.
This is the output that I get:
Access request for user username was discarded.
Fully-Qualified-User-Name =
NAS-IP-Address =
NAS-Identifier =
Called-Station-Identifier = 40-f4-ec-4a-dc-80:SSID
Calling-Station-Identifier = 40-2c-f4-e7-48-81
Client-Friendly-Name =
Client-IP-Address =
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request was not properly formatted. "
But at the same time I get this:
username was granted access.
Fully-Qualified-User-Name = AD\username
NAS-IP-Address =
NAS-Identifier =
Client-Friendly-Name =
Client-IP-Address =
Calling-Station-Identifier = 00-12-7b-4c-82-77
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = Posten Workstation Wireless Access Policy
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)"
So there are two differences. In the rejected one you have the Called Station ID listed, which is not in the approved one. The other thing is that the FQU says Undetermined on the rejected one, and the login username on the approved one. Same WLC, same SSID, same setup (FlexConnect), same configuration, etc.
Any ideas what could cause this?
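The two NPS events above differ in whether the Called-Station-Id carries the ":SSID" suffix that RFC 3580 allows for 802.11 and that the reply above says the WLC sends in connected mode but not in FlexConnect standalone mode. The following is an added example, not code from the thread or from Cisco or Microsoft: it parses the Called-Station-Id format (AP MAC with an optional SSID suffix, SSIDs containing ':' included), reads NPS/IAS "Name = Value" event text into a dict, and reports per event whether the attribute was present, which SSID it carried and whether NPS discarded the request, so that a policy that keys on the SSID can be checked against what the WLC actually sent. The sample log is constructed, modelled on the two events quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 3580 s3.20: for 802.11 the Called-Station-Id is the AP MAC, optionally
# followed by ':' and the SSID. Octets are usually '-' separated (some NASes
# use ':'); an SSID may itself contain ':', so only the separator right
# after the sixth octet starts the SSID.
_CSI_RE = re.compile(r"^([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})(?::(.*))?$", re.I)

def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Return (normalised AP MAC, SSID or None); raise on malformed values."""
    m = _CSI_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an 802.11 Called-Station-Id: {value!r}")
    return m.group(1).replace(":", "-").lower(), m.group(2)

def parse_nps_event(text: str) -> Dict[str, str]:
    """Turn the 'Name = Value' lines of one NPS/IAS event into a dict."""
    rec: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, val = line.partition("=")
            rec[key.strip()] = val.strip().strip('"').strip()
    return rec

def audit_event(rec: Dict[str, str]) -> Dict[str, object]:
    """Report how the NAS filled Called-Station-Id for one event, so an NPS
    policy that matches on the ':SSID' suffix can be compared with what the
    WLC actually sent. Reason-Code 3 is NPS 'request not properly formatted'."""
    raw = rec.get("Called-Station-Identifier", "")
    ap_mac, ssid = parse_called_station_id(raw) if raw else (None, None)
    return {"calling_station": rec.get("Calling-Station-Identifier"),
            "called_station_present": bool(raw), "ap_mac": ap_mac,
            "ssid": ssid, "discarded": rec.get("Reason-Code") == "3"}

def audit_log(log_text: str) -> List[Dict[str, object]]:
    """Split a log into blank-line separated events and audit each one."""
    return [audit_event(parse_nps_event(e))
            for e in re.split(r"\n\s*\n", log_text.strip()) if e.strip()]

# Constructed sample modelled on the two NPS events quoted in the thread.
SAMPLE_LOG = """Access request for user username was discarded.
Called-Station-Identifier = 40-f4-ec-4a-dc-80:SSID
Calling-Station-Identifier = 40-2c-f4-e7-48-81
Reason-Code = 3

username was granted access.
Calling-Station-Identifier = 00-12-7b-4c-82-77
Authentication-Type = PEAP"""
```

Running `audit_log` over an exported NPS log makes the connected-mode versus standalone-mode difference visible per AP and per client, which is the data a Called-Station-Id based policy condition should be written against.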
10-05-2013 11:14 AM
I have many clients using FlexConnect and IAS or NPS as a RADIUS server, and I have a policy to look at the called station id for the SSID. I have never run into an issue where the RADIUS rejected a client because the called station was not being sent. I have clients using both PEAP user creds and machine auth.
Sent from Cisco Technical Support iPhone App