Solved: Re: WLC user authentication and SSID broadcast

mahesh18 · ‎09-05-2013

Hi Everyone,

Need to confirm if WLC is sending the ssid as broadcast or not?

Also if users connect if they get the ip from dhcp need to confirm how they are getting authenticated?

Regards

Mahesh

Rasika Nayanajith · ‎09-05-2013

Hi Mahesh..

In CLI "show wlan " tells you all the featured configured on that SSID. If it says "Broadcast SSID" feature enabled then it is boradcast & any user can see it. (see below)

(4402-3) >show wlan 4

WLAN Identifier.................................. 4

Profile Name..................................... Voice02

Network Name (SSID).............................. Voice02

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

Also "show client summary " output tells you who are authenticated clients. See below

(WLC) >show client summary

Number of Clients................................ 29

MAC Address AP Name Slot Status WLAN Auth Protocol Port Wired PMIPV6 Role

----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------

08:37:3d:ef:01:51 10.10.6.244 N/A Associated 15 No Mobile 13 No No Export Anchor

10:68:3f:36:f2:a8 OE-AP002-HARI 1 Associated 1 Yes 802.11a 13 No No Local

You can use "show client detail " for more about authentication detail

(WLC) >show client detail 10:68:3f:36:f2:a8

Client MAC Address............................... 10:68:3f:36:f2:a8

Client Username ................................. abc

AP MAC Address................................... 00:3a:98:00:85:20

AP Name.......................................... OE-AP002-HARI

AP radio slot Id................................. 1

Client State..................................... Associated

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 1

Hotspot (802.11u)................................ Not Supported

BSSID............................................ 00:3a:98:00:85:2e

Connected For ................................... 1126 secs

Channel.......................................... 161

IP Address....................................... 149.144.156.7

Gateway Address.................................. 149.144.159.250

Netmask.......................................... 255.255.252.0

Association Id................................... 1

Authentication Algorithm......................... Open System

Reason Code...................................... 1

Status Code...................................... 0

Client CCX version............................... No CCX support

Re-Authentication Timeout........................ 654

QoS Level........................................ Platinum

HTH

Rasika

View solution in original post

Scott Fella · ‎09-05-2013

You need to post your show WLAN this will show you how that WLAN is setup for authentication. Open authentication means no encryption.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Rasika Nayanajith · ‎09-05-2013

Hi Mahesh..

In CLI "show wlan " tells you all the featured configured on that SSID. If it says "Broadcast SSID" feature enabled then it is boradcast & any user can see it. (see below)

(4402-3) >show wlan 4

WLAN Identifier.................................. 4

Profile Name..................................... Voice02

Network Name (SSID).............................. Voice02

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

Also "show client summary " output tells you who are authenticated clients. See below

(WLC) >show client summary

Number of Clients................................ 29

MAC Address AP Name Slot Status WLAN Auth Protocol Port Wired PMIPV6 Role

----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------

08:37:3d:ef:01:51 10.10.6.244 N/A Associated 15 No Mobile 13 No No Export Anchor

10:68:3f:36:f2:a8 OE-AP002-HARI 1 Associated 1 Yes 802.11a 13 No No Local

You can use "show client detail " for more about authentication detail

(WLC) >show client detail 10:68:3f:36:f2:a8

Client MAC Address............................... 10:68:3f:36:f2:a8

Client Username ................................. abc

AP MAC Address................................... 00:3a:98:00:85:20

AP Name.......................................... OE-AP002-HARI

AP radio slot Id................................. 1

Client State..................................... Associated

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 1

Hotspot (802.11u)................................ Not Supported

BSSID............................................ 00:3a:98:00:85:2e

Connected For ................................... 1126 secs

Channel.......................................... 161

IP Address....................................... 149.144.156.7

Gateway Address.................................. 149.144.159.250

Netmask.......................................... 255.255.252.0

Association Id................................... 1

Authentication Algorithm......................... Open System

Reason Code...................................... 1

Status Code...................................... 0

Client CCX version............................... No CCX support

Re-Authentication Timeout........................ 654

QoS Level........................................ Platinum

HTH

Rasika

mahesh18 · ‎09-05-2013

Hi Rasika,

If we see below

Client Username ................................. Cisco1

Authentication Algorithm......................... Open System

does it mean that clients use no password for authentication?

here Cisco1 can be username of there PC right ?

Regards

Mahesh

Scott Fella · ‎09-05-2013

You need to post your show WLAN this will show you how that WLAN is setup for authentication. Open authentication means no encryption.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Rasika Nayanajith · ‎09-05-2013

With respect to username you are correct.

But regarding authentication you cannot come to a conclusion like that, You have to see the full "show client detail " . Here is an example of PEAP authenticated client. Authentication algorithm open system does not mean user does not use password. Any EAP method Authentication Algorithm show as open system, but still user has to enter their credential (except TLS where it is certificate based)

(WLC) >show client detail 04:1e:64:13:f9:03

Client MAC Address............................... 04:1e:64:13:f9:03

Client Username ................................. smcowgill

AP MAC Address................................... c4:0a:cb:a0:e8:50

AP Name.......................................... APc464.13b4.4be8

Client State..................................... Associated

Client NAC OOB State............................. Access

Wireless LAN Id.................................. 2

Hotspot (802.11u)................................ Not Supported

BSSID............................................ c4:0a:cb:a0:e8:51

Connected For ................................... 7520 secs

Channel.......................................... 1

.

Association Id................................... 1

Authentication Algorithm......................... Open System

Reason Code...................................... 1

Status Code...................................... 0

Client CCX version............................... No CCX support

Re-Authentication Timeout........................ 3284

802.1P Priority Tag.............................. 6

CTS Security Group Tag........................... Not Applicable

KTS CAC Capability............................... No

WMM Support...................................... Enabled

APSD ACs....................................... BK BE VI VO

Power Save....................................... ON

Current Rate..................................... 54.0

Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,54.0

Mobility State................................... Foreign

Mobility Anchor IP Address....................... 10.14.7.247

Mobility Move Count.............................. 3

Security Policy Completed........................ Yes

Policy Manager State............................. RUN

Policy Manager Rule Created...................... Yes

Audit Session ID................................. 0a0a06f400040f985228de2e

IPv4 ACL Name.................................... none

IPv4 ACL Applied Status.......................... Unavailable

IPv6 ACL Name.................................... none

IPv6 ACL Applied Status.......................... Unavailable

Client Type...................................... SimpleIP

PMIPv6 State..................................... Unavailable

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

No. of mDNS Services Advertised.................. 0

Policy Type...................................... WPA2

Authentication Key Management.................... 802.1x

Encryption Cipher................................ CCMP (AES)

Protected Management Frame ...................... No

Management Frame Protection...................... No

EAP Type......................................... PEAP

mahesh18 · ‎09-05-2013

Hi Scott & Rasika,

Thanks for your help.

I can check now method of Authentication config on wlan

Regards

MAhesh