WLC Webauth on mac filter / Bypass

Hi

I am currently experimenting with the webauth 'On MAC Filter failure' feature.

In most cases things work fine, meaning that: user arrives in SSID coverage, if his MAC is registered in our radius he is allowed through, if not he associates to the AP and gets the usual splash screen. But, in some weird cases things don't happen as expected: user arrives in SSID coverage, if his MAC is registered in our radius he is allowed through, if not he cannot associate.

I tried to run some debugs but with little success as I don't know what I am looking for.

As far as I can say, the problem appears with devices I used for testing (allowed through the MAC filter, then removed ...) and makes me think of some kind of caching mechanism (things like fastpath come to my mind).

Did someone implement the feature successfully?

Thanks,

seb.

1 Accepted Solution

The problem here is that no DHCP is happening. Authentication is successful but no DHCP packet is seen ... you should take a sniffer on the client and another one on the DHCP server side to see what's happening

8 Replies

Nicolas Darchis
Cisco Employee

"debug client " ?

Hi,

Sure (debug client 00:24:d6:23:d0:58). Problem is visible around 12:26:47.612

*pemReceiveTask: Sep 22 12:25:38.048: 2c:a8:35:cf:20:14 Sent an XID frame

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Adding mobile on LWAPP AP 00:08:30:4a:d6:50(0)

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific IPv6 override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying IPv6 Interface Policy for station 00:24:d6:23:d0:58 - vlan 113, interface id 11, interface 'unaids-guests'

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Idle to AAA Pending

*aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 0024d623d058

*aaaQueueReader: Sep 22 12:26:26.258: ReProcessAuthentication previous proto 8, next proto 40000001

*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds

*aaaQueueReader: Sep 22 12:26:26.258: AuthenticationRequest: 0x2aeb3be8

*aaaQueueReader: Sep 22 12:26:26.258:   Callback.....................................0x100df840

*aaaQueueReader: Sep 22 12:26:26.258:   protocolType.................................0x40000001

*aaaQueueReader: Sep 22 12:26:26.258:   proxyState...................................00:24:D6:23:D0:58-00:00

*aaaQueueReader: Sep 22 12:26:26.258:   Packet contains 14 AVPs (not shown)

*aaaQueueReader: Sep 22 12:26:26.258: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0

*aaaQueueReader: Sep 22 12:26:26.259: 00:24:d6:23:d0:58 Successful transmission of Authentication Packet (id 255) to 10.83.40.111:1812, proxy state 00:24:d6:23:d0:58-00:01

*aaaQueueReader: Sep 22 12:26:26.259: 00000000: 01 ff 00 b0 00 00 00 00  00 00 00 00 00 00 00 00  ................

*aaaQueueReader: Sep 22 12:26:26.259: 00000010: 00 00 00 00 01 0e 30 30  32 34 64 36 32 33 64 30  ......0024d623d0

*aaaQueueReader: Sep 22 12:26:26.259: 00000020: 35 38 1e 21 30 30 2d 30  38 2d 33 30 2d 34 61 2d  58.!00-08-30-4a-

*aaaQueueReader: Sep 22 12:26:26.259: 00000030: 64 36 2d 35 30 3a 55 4e  41 49 44 53 2d 54 45 53  d6-50:UNAIDS-TES

*aaaQueueReader: Sep 22 12:26:26.259: 00000040: 54 2d 32 1f 13 30 30 2d  32 34 2d 64 36 2d 32 33  T-2..00-24-d6-23

*aaaQueueReader: Sep 22 12:26:26.259: 00000050: 2d 64 30 2d 35 38 05 06  00 00 00 0d 04 06 0a 53  -d0-58.........S

*aaaQueueReader: Sep 22 12:26:26.259: 00000060: 05 80 20 0d 47 45 2d 44  43 57 4c 43 2d 30 31 1a  ....GE-DCWLC-01.

*aaaQueueReader: Sep 22 12:26:26.259: 00000070: 0c 00 00 37 63 01 06 00  00 00 03 02 12 0d e4 89  ...7c...........

*aaaQueueReader: Sep 22 12:26:26.259: 00000080: d6 a8 35 ae 7e ee 86 d9  65 0e 78 f5 5d 06 06 00  ..5.~...e.x.]...

*aaaQueueReader: Sep 22 12:26:26.259: 00000090: 00 00 0a 0c 06 00 00 05  14 3d 06 00 00 00 13 40  .........=.....@

*aaaQueueReader: Sep 22 12:26:26.259: 000000a0: 06 00 00 00 0d 41 06 00  00 00 06 51 05 31 31 33  .....A.....Q.113

*radiusTransportThread: Sep 22 12:26:27.262: 00000000: 03 ff 00 14 64 b5 1e e0  41 f9 08 3f 47 46 3c 2b  ....d...A..?GF<+

*radiusTransportThread: Sep 22 12:26:27.262: 00000010: 33 38 28 a3                                       38(.

*radiusTransportThread: Sep 22 12:26:27.262: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Sep 22 12:26:27.262: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0

*radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d6:23:d0:58

*radiusTransportThread: Sep 22 12:26:27.262: AuthorizationResponse: 0x3c4fd8b4

*radiusTransportThread: Sep 22 12:26:27.262:    structureSize................................32

*radiusTransportThread: Sep 22 12:26:27.262:    resultCode...................................-4

*radiusTransportThread: Sep 22 12:26:27.262:    protocolUsed.................................0xffffffff

*radiusTransportThread: Sep 22 12:26:27.262:    proxyState...................................00:24:D6:23:D0:58-00:00

*radiusTransportThread: Sep 22 12:26:27.262:    Packet contains 0 AVPs:

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying new AAA override for station 00:24:d6:23:d0:58

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58

                                                                                                        source: 2, valid bits: 0x0

        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1

                                                                                                                                                vlanIfName: '', aclName: ''

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting AAA Override struct for mobile

        MAC: 00:24:d6:23:d0:58, source 2

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting new RADIUS override into chain for station 00:24:d6:23:d0:58

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58

                                                                                                        source: 2, valid bits: 0x0

        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1

                                                                                                                                                vlanIfName: '', aclName: ''

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Initializing policy

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3for this client

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Not Using WMM Compliance code qosCap 00

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfMsAssoStateInc

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from AAA Pending to Associated

*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds

*apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0

*apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 apfProcessRadiusAssocResp (apf_80211.c:2153) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Associated

*apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED

*apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule

*apfReceiveTask: Sep 22 09:31:33.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:08:30:4a:d6:50, slot 0, interface = 13, QOS = 0

  ACL Id = 255, Jumbo F

*apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 113, IPv6 intf id = 11

*apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)

*pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 Sent an XID frame

*spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58

*spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4

*spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds

*osapiBsnTimer: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!

*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Disassociated

*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sent Deauthenticate to mobile on BSSID 00:08:30:4a:d6:50 slot 0(caller apf_ms.c:5094)

*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sending Accounting request (2) for station 00:24:d6:23:d0:58

*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsAssoStateDec

*apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Disassociated to Idle

*apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:08:30:4a:d6:50]

*apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 Deleting mobile on AP 00:08:30:4a:d6:50(0)

*pemReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 Removed NPU entry.

*aaaQueueReader: Sep 22 12:31:04.526: Unable to find requested user entry for 2ca835cf2014

*aaaQueueReader: Sep 22 12:31:04.526: ReProcessAuthentication previous proto 8, next proto 40000001

*aaaQueueReader: Sep 22 12:31:04.526: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0

*radiusTransportThread: Sep 22 12:31:05.530: 00000000: 03 00 00 14 cd cd cd 40  48 d9 c9 26 10 81 e3 5b  .......@H..&...[

*radiusTransportThread: Sep 22 12:31:05.530: 00000010: b0 35 95 73                                       .5.s

*radiusTransportThread: Sep 22 12:31:05.530: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Sep 22 12:31:05.530: ****Enter processRadiusResponse: response code=3

Thanks,

Seb.
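The Access-Request and Access-Reject dumps in the trace above can be decoded into named RADIUS attributes, which shows what a MAC-filter authentication actually sends (User-Name and Calling-Station-Id carrying the MAC, Service-Type Call-Check, the Airespace WLAN id) and lets the reject be tied to its request by identifier. This is an added example, not code from the thread or from Cisco; the dump lines are copied from the post, and the attribute names come from RFC 2865, RFC 2868 and the Airespace vendor dictionary (vendor ID 14179).

```python
"""Decode the RADIUS hex dumps from a WLC 'debug client' trace.

Added example, not code from the thread or from Cisco. REQUEST_DUMP and
REJECT_DUMP are the dump lines copied from the post above; attribute names
follow RFC 2865 / RFC 2868 and the Airespace vendor dictionary (vendor 14179).
"""
import re
import struct
from ipaddress import IPv4Address

REQUEST_DUMP = """\
*aaaQueueReader: Sep 22 12:26:26.259: 00000000: 01 ff 00 b0 00 00 00 00  00 00 00 00 00 00 00 00  ................
*aaaQueueReader: Sep 22 12:26:26.259: 00000010: 00 00 00 00 01 0e 30 30  32 34 64 36 32 33 64 30  ......0024d623d0
*aaaQueueReader: Sep 22 12:26:26.259: 00000020: 35 38 1e 21 30 30 2d 30  38 2d 33 30 2d 34 61 2d  58.!00-08-30-4a-
*aaaQueueReader: Sep 22 12:26:26.259: 00000030: 64 36 2d 35 30 3a 55 4e  41 49 44 53 2d 54 45 53  d6-50:UNAIDS-TES
*aaaQueueReader: Sep 22 12:26:26.259: 00000040: 54 2d 32 1f 13 30 30 2d  32 34 2d 64 36 2d 32 33  T-2..00-24-d6-23
*aaaQueueReader: Sep 22 12:26:26.259: 00000050: 2d 64 30 2d 35 38 05 06  00 00 00 0d 04 06 0a 53  -d0-58.........S
*aaaQueueReader: Sep 22 12:26:26.259: 00000060: 05 80 20 0d 47 45 2d 44  43 57 4c 43 2d 30 31 1a  ....GE-DCWLC-01.
*aaaQueueReader: Sep 22 12:26:26.259: 00000070: 0c 00 00 37 63 01 06 00  00 00 03 02 12 0d e4 89  ...7c...........
*aaaQueueReader: Sep 22 12:26:26.259: 00000080: d6 a8 35 ae 7e ee 86 d9  65 0e 78 f5 5d 06 06 00  ..5.~...e.x.]...
*aaaQueueReader: Sep 22 12:26:26.259: 00000090: 00 00 0a 0c 06 00 00 05  14 3d 06 00 00 00 13 40  .........=.....@
*aaaQueueReader: Sep 22 12:26:26.259: 000000a0: 06 00 00 00 0d 41 06 00  00 00 06 51 05 31 31 33  .....A.....Q.113
"""
REJECT_DUMP = """\
*radiusTransportThread: Sep 22 12:26:27.262: 00000000: 03 ff 00 14 64 b5 1e e0  41 f9 08 3f 47 46 3c 2b  ....d...A..?GF<+
*radiusTransportThread: Sep 22 12:26:27.262: 00000010: 33 38 28 a3                                       38(.
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 12: "Framed-MTU", 26: "Vendor-Specific",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-Id"}
STRING_ATTRS = {1, 30, 31, 32, 81}
# Enumerated integer values (RFC 2865 / RFC 2868); Call-Check is the Service-Type used for MAC authentication.
ENUMS = {6: {10: "Call-Check"}, 61: {19: "Wireless-802.11"}, 64: {13: "VLAN"}, 65: {6: "IEEE-802"}}
VENDORS = {14179: ("Airespace", {1: "Airespace-WLAN-Id"})}
DUMP_LINE = re.compile(r"\b([0-9a-f]{8}): (.*)$")
HEX_BYTE = re.compile(r"[0-9a-f]{2}")


def extract_bytes(dump: str) -> bytes:
    """Reassemble the packet from dump lines: up to 16 two-digit hex tokens per line, then the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.search(line)
        if not m:
            continue
        for tok in m.group(2).split()[:16]:
            if not HEX_BYTE.fullmatch(tok):  # first non-hex token is the ASCII rendering
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_attr(atype: int, value: bytes):
    """Return (name, decoded value) for one attribute; a VSA is flattened to its vendor attribute."""
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype == 26:  # Vendor-Specific: 4-byte vendor id, then one vendor TLV (the WLC sends one per VSA)
        vendor_id = struct.unpack("!I", value[:4])[0]
        vname, vattrs = VENDORS.get(vendor_id, (f"Vendor-{vendor_id}", {}))
        vtype, vlen = value[4], value[5]
        vval = value[6:4 + vlen]
        decoded = struct.unpack("!I", vval)[0] if len(vval) == 4 else vval.hex()
        return vattrs.get(vtype, f"{vname}-Attr-{vtype}"), decoded
    if atype in STRING_ATTRS:
        return name, value.decode("ascii", "replace")
    if atype == 4:
        return name, str(IPv4Address(value))
    if atype == 2:  # User-Password is obfuscated with the shared secret (RFC 2865 5.2); report its size only
        return name, f"<{len(value)} obfuscated bytes>"
    if len(value) == 4:  # integers; tunnel attributes carry a leading tag octet, which is 0 in this trace
        n = struct.unpack("!I", value)[0]
        return name, ENUMS.get(atype, {}).get(n, n)
    return name, value.hex()


def parse_radius(pkt: bytes) -> dict:
    """Parse the 20-byte header and the attribute TLV chain, validating lengths as we go."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} captured bytes")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append(decode_attr(atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": pkt[4:20].hex(), "attributes": attrs}


if __name__ == "__main__":
    req = parse_radius(extract_bytes(REQUEST_DUMP))
    rej = parse_radius(extract_bytes(REJECT_DUMP))
    print(req["code"], "id", req["id"], "length", req["length"])
    for name, value in req["attributes"]:
        print(f"  {name:24} {value}")
    print(rej["code"], "id", rej["id"], "attributes", len(rej["attributes"]))
```

Both packets carry identifier 255, which is how the reject is matched to its request, and the reject is exactly 20 bytes, so the server returned no Reply-Message explaining the decision; the User-Name is the MAC without separators while Calling-Station-Id carries it with dashes, which is the usual reason a MAC entry in the RADIUS database "does not match" when the wrong format is registered.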

The problem here is that no DHCP is happening. Authentication is successful but no DHCP packet is seen ... you should take a sniffer on the client and another one on the DHCP server side to see what's happening
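The reasoning in this answer, that the client authenticated but never did DHCP, can be read mechanically off the trace: the policy-manager state reaches DHCP_REQD and the next events are the AP's Idle-Timeout and the expiry, with no DHCP in between. The following added example (not code from the thread or from Cisco) performs that triage. SAMPLE_TRACE is a subset of the lines posted above; HEALTHY_TRACE is constructed for contrast, and the wording of its DHCP and RUN lines is assumed from AireOS debug output rather than taken from the post.

```python
"""Triage a WLC 'debug client <mac>' trace for a station that associates but never gets an address.

Added example, not code from the thread or from Cisco. SAMPLE_TRACE is copied from
the post above; HEALTHY_TRACE is constructed (invented MAC and timestamps) and its
DHCP / RUN line wording is an assumption about AireOS output, not from the post.
"""
import re

SAMPLE_TRACE = """\
*apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50
*radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0
*pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58
*osapiBsnTimer: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*pemReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 Removed NPU entry.
"""

# Constructed contrast trace: the station does DHCP and the policy manager moves on to RUN.
HEALTHY_TRACE = """\
*apfReceiveTask: Sep 22 13:00:00.100: 00:11:22:33:44:55 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Sep 22 13:00:00.100: 00:11:22:33:44:55 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Sep 22 13:00:00.101: 00:11:22:33:44:55 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Socket Task: Sep 22 13:00:01.500: 00:11:22:33:44:55 DHCP received op BOOTREQUEST (1) (len 308, vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Sep 22 13:00:01.900: 00:11:22:33:44:55 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
"""

# hh:mm:ss.mmm, the client MAC, then a policy-manager transition
STATE_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\.\d{3}): ([0-9a-f:]{17}) .*Change state to (\w+) \(\d+\)")
EVENTS = {
    "radius_reject": re.compile(r"Access-Reject received from RADIUS server (\S+)"),
    "dhcp": re.compile(r"DHCP received op|DHCP_REQD \(7\) Change state to RUN"),
    "idle_timeout": re.compile(r"Received Idle-Timeout from AP"),
    "expired": re.compile(r"Expiring Mobile!"),
}


def triage(trace: str) -> dict:
    """Reduce a debug client trace to its state timeline, the AAA outcome, and a verdict."""
    states, radius_server, dhcp_seen, ended_by, client = [], None, False, None, None
    for line in trace.splitlines():
        m = STATE_RE.search(line)
        if m:
            client = client or m.group(2)
            states.append((m.group(1), m.group(3)))
        r = EVENTS["radius_reject"].search(line)
        if r:
            radius_server = r.group(1)
        if EVENTS["dhcp"].search(line):
            dhcp_seen = True
        if EVENTS["idle_timeout"].search(line):
            ended_by = "Idle-Timeout"
        elif EVENTS["expired"].search(line) and ended_by is None:
            ended_by = "Expired"
    names = [s for _, s in states]
    # On a MAC-filter WLAN with webauth-on-failure, an Access-Reject that is still followed by
    # L2AUTHCOMPLETE means the station was let through to the web-auth path, not refused.
    fell_through = radius_server is not None and "L2AUTHCOMPLETE" in names
    last_state = names[-1] if names else None
    if last_state == "DHCP_REQD" and not dhcp_seen:
        verdict = "stuck in DHCP_REQD with no DHCP seen by the WLC: capture on the client and on the DHCP server"
    elif last_state == "RUN":
        verdict = "client reached RUN"
    else:
        verdict = f"ended in {last_state}"
    return {"client": client, "states": names, "radius_reject_from": radius_server,
            "fell_through_to_webauth": fell_through, "dhcp_seen": dhcp_seen,
            "ended_by": ended_by, "verdict": verdict}


if __name__ == "__main__":
    for label, trace in (("posted trace", SAMPLE_TRACE), ("constructed healthy trace", HEALTHY_TRACE)):
        result = triage(trace)
        print(f"{label}: {result['client']} {' -> '.join(result['states'])}")
        print(f"  reject from {result['radius_reject_from']}, webauth fall-through {result['fell_through_to_webauth']},"
              f" DHCP seen {result['dhcp_seen']}, ended by {result['ended_by']}")
        print(f"  {result['verdict']}")
```

The ~17 seconds between the NPU entry being added and the Idle-Timeout is the window in which a working client would have sent DHCP Discover; the WLC saw nothing, which is why the answer points at the client side and the DHCP server rather than at the controller.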

As you pointed out, the issue lies on the client.

Some weird driver / OS combinations prevent the system from properly querying for DHCP.

As soon as the driver/OS changes things start to work.

Thanks,

Seb.

bruneeljeroen
Level 1

Hello sebastien, I would be interested in configuring something similar. Can you tell me how to configure this setup?

I have tried enabling a MAC filter on my guest VLAN, but that does not seem to work for me?

Can you point me in the right direction?

jimgrumbles
Level 1

Check your RADIUS reject delay settings on your RADIUS server. I had to set mine from 1 to 0.

https://supportforums.cisco.com/discussion/11893201/web-auth-mac-filter-failure-radius#comment-11075696

jimgrumbles,

Thank you so much for your comment. We are running Aruba ClearPass for our RADIUS server. The default reject delay is 1. I set it to 0 and MAC Auth started working with no problem.
