cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Vinay Sharma
Rising star
Rising star

     

    Introduction

    Mac-Auth-Failover feature allows to associate wireless clients with Dynamic-WEP security even if MAC-Auth fails.

    Pre-requirement

    1. Security Type on WLAN has to be “Static-WEP + Dynamic-WEP (802.1x)”.
    2. Mac-Filter has to be enabled on the same WLAN.

    NOTE – Mac-auth-failover is not applicable for Static-WEP wireless client. Mac-Address of Static-WEP client has to be present in the local-database (on wlc) or AAA server.

    NOTE – If the feature is disabled then Wireless Controller will de-auth the client if mac-auth fails.

    How it works  - Static-WEP client

    1. Client comes with Static-WEP security type.
    2. WLC checks the local-database first if it does not find client’s MAC entry then WLC sends “radius_request” to AAA server and AAA server send “radius_accept” if MAC is present otherwise “radius_reject”.
    3. When MAC-auth is completed then WLC moves the client into RUN state.
    4. If MAC-auth is failed then client will be in “802.1X_REQD”.

    Note – if “mac-auth-failover” feature is enabled WLC does not de-auth client (with static-wep security) when client fails “mac-auth”. WLC allows client to be associated but client will be in “802.1X_REQD” state and not get IP Address.

     

    MAC-Auth-Failover Feature Support.jpg

    Dynamic-WEP (802.1x) client

    1. Client comes with Dynamic-WEP (802.1x) security type.
    2. WLC checks the local-database first if it does not find client’s MAC entry then WLC sends “radius_request” to AAA server and AAA server send “radius_accept” if MAC is present otherwise “radius_reject”.
    3. Since “Mac-auth-failover” feature is enabled WLC will send “EAP_Request” to client whether AAA server sends “radius_accept” or “radius_reject”.
    4. And then Dynamic-WEP procedure takes place in order to put client into RUN state.

     

    MAC-Auth-Failover Feature Support 2.jpg

    NOTE – After EAP_Request, Four-way hand shake happens as part of Dynamic-wep security and after successful authentication WLC put the client into RUN state.

    Configuration - GUI

    MAC-Auth-Failover Feature Support 3.jpg

    CLI Commands

    config wlan mac-filtering enable <wlan_id>
    
    config wlan security static-wep-key enable <wlan_id>
    
    config wlan security static-wep-key encryption <wlan_id> 40/104 ascii/Hex <key> <key_index>
    
    config wlan security 802.1X enable <wlan_id>
    
    config wlan security 802.1X on-macfilter-failure enable <wlan_id>

    NOTE – By default, 802.1X uses key index value 1 hence we need to use some other key index value for “static-wep” but some wireless utility does not have option to configure index value. In that case, 802.1X key index value can be changed through CLI.

    (WLC-5500) >config advanced eap key-index ?
    
    <key-index> Enter the key index value, 0 or 3.

    Commands to verify

    Show wlan <wlan_id>
    
    Example -
    
    (sp-wifi-wlc) >show wlan sp-wlan
    
    WLAN Identifier.................................. 6
    
    Profile Name..................................... sp-wlan
    
    Network Name (SSID).............................. sp-wlan
    
    Status........................................... Disabled
    
    MAC Filtering.................................... Enabled
    
    Broadcast SSID................................... Enabled
    
    AAA Policy Override.............................. Enabled
    
    |
    
    |
    
    Security
    
    802.11 Authentication:........................ Open System
    
    FT Support.................................... Disabled
    
    Static WEP Keys............................... Enabled
    
    Key Index:...................................... 1
    
    Encryption:..................................... 40-bit WEP
    
    802.1X........................................ Enabled
    
    Encryption:..................................... 40-bit WEP
    
    802.1X on MAC Auth failure:..................... Enabled
    
    |
    
    -----------xxxx--------------

    Debug Commands

    1. Debug client <client_mac_address>
    2. Debug aaa all enable

    Debug that will help in troubleshooting

    (WLC-5500) >*apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Adding mobile on LWAPP AP 64:d9:89:47:f7:e0(1)
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Association received from mobile on AP 64:d9:89:47:f7:e0
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Global 200 Clients are allowed to AP radio
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Max Client Trap Threshold: 0 cur: 0
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 Re-applying interface policy for client
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1839)
    
    *apfMsConnTask_4: Aug 09 18:00:57.015: 00:24:d7:42:46:e4 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2006)
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 In processSsidIE:3883 setting Central switched to TRUE
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 In processSsidIE:3886 apVapId = 1 and Split Acl Id = 65535
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Applying site-specific Local Bridging override for station 00:24:d7:42:46:e4 - vapId 5, site 'apg', interface 'dyn59'
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Applying Local Bridging Interface Policy for station 00:24:d7:42:46:e4 - vlan 59, interface id 12, interface 'dyn59'
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Applying site-specific override for station 00:24:d7:42:46:e4 - vapId 5, site 'apg', interface 'dyn59'
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 59
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Re-applying interface policy for client
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1839)
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2006)
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 processSsidIE statusCode is 0 and status is 0
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 processSsidIE ssid_done_flag is 0 finish_flag is 0
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 suppRates statusCode is 0 and gotSuppRatesElement is 1
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: apfVapRadiusClientInfoGet: Client 00:24:D7:42:46:E4 dynamic int attributes srcAddr: 9.10.59.10 , gw: 9.10.59.1 mask: 255.255.255.0 , vlan:59, dpPort:13, srcPort:32769
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 apfProcessAssocReq (apf_80211.c:6585) Changing state for mobile 00:24:d7:42:46:e4 on AP 64:d9:89:47:f7:e0 from Idle to AAA Pending
    
    *aaaQueueReader: Aug 09 18:00:57.016: Unable to find requested user entry for 0024d74246e4 -------------- >>>[when client mac is not there in the local-database (on wlc)]
    
    *aaaQueueReader: Aug 09 18:00:57.016: ReProcessAuthentication previous proto 8, next proto 40000001
    
    *apfMsConnTask_4: Aug 09 18:00:57.016: 00:24:d7:42:46:e4 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
    
    *aaaQueueReader: Aug 09 18:00:57.016: AuthenticationRequest: 0x2b7c4fac
    
    *aaaQueueReader: Aug 09 18:00:57.016: Callback.....................................0x10119c88
    
    *aaaQueueReader: Aug 09 18:00:57.016: protocolType.................................0x40000001
    
    *aaaQueueReader: Aug 09 18:00:57.016: proxyState...................................00:24:D7:42:46:E4-00:00
    
    *aaaQueueReader: Aug 09 18:00:57.016: Packet contains 14 AVPs (not shown)
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00:24:d7:42:46:e4 AAARadiusSendPktToDtl actual port MTU :1430
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00:24:d7:42:46:e4 AAARadiusSendPktToDtl:Sending PDU to DTL SRC MAC: 68:EF:BD:8F:14:4F
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00:24:d7:42:46:e4 Successful transmission of Authentication Packet (id 16) to 9.1.0.100:1812, proxy state 00:24:d7:42:46:e4-00:01 -------------------------------------- >>> [When WLC IP address is there in AAA server]
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000000: 01 10 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 ................
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000010: 00 00 00 00 01 13 30 30 3a 32 34 3a 64 37 3a 34 ......00:24:d7:4
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000020: 32 3a 34 36 3a 65 34 1e 18 36 34 3a 64 39 3a 38 2:46:e4..64:d9:8
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000030: 39 3a 34 37 3a 66 37 3a 65 30 3a 6a 6f 68 6d 1f 9:47:f7:e0:johm.
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000040: 13 30 30 3a 32 34 3a 64 37 3a 34 32 3a 34 36 3a .00:24:d7:42:46:
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000050: 65 34 05 06 00 00 00 0d 04 06 09 0a 3b 0a 20 0a e4..........;...
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000060: 48 53 52 50 35 35 5f 31 1a 0c 00 00 37 63 01 06 HSRP55_1....7c..
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000070: 00 00 00 05 02 22 4f d3 fe e3 8b 10 a2 b9 ae da ....."O.........
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000080: ad 11 c3 6d ac 64 1b 71 c5 b8 50 ed c1 6f b5 fd ...m.d.q..P..o..
    
    *aaaQueueReader: Aug 09 18:00:57.017: 00000090: c1 59 9e 3d d8 29 06 06 00 00 00 0a 0c 06 00 00 .Y.=.)..........
    
    *aaaQueueReader: Aug 09 18:00:57.017: 000000a0: 05 14 3d 06 00 00 00 13 40 06 00 00 00 0d 41 06 ..=.....@.....A.
    
    *aaaQueueReader: Aug 09 18:00:57.017: 000000b0: 00 00 00 06 51 04 35 39 ....Q.59
    
    *radiusTransportThread: Aug 09 18:00:57.020: 00000000: 03 10 00 20 4e 86 b3 ae 7d 6e 6c be 65 4a 8f 16 ....N...}nl.eJ..
    
    *radiusTransportThread: Aug 09 18:00:57.020: 00000010: ee da 41 56 12 0c 52 65 6a 65 63 74 65 64 0a 0d ..AV..Rejected..
    
    *radiusTransportThread: Aug 09 18:00:57.020: ****Enter processIncomingMessages: response code=3
    
    *radiusTransportThread: Aug 09 18:00:57.020: ****Enter processRadiusResponse: response code=3
    
    *radiusTransportThread: Aug 09 18:00:57.020: 00:24:d7:42:46:e4 Access-Reject received from RADIUS server 9.1.0.100 for mobile 00:24:d7:42:46:e4 receiveId = 0 ---------------------- >>> [ when client’s mac is NOT there in AAA server ]
    
    *radiusTransportThread: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:42:46:e4
    
    *radiusTransportThread: Aug 09 18:00:57.021: AuthorizationResponse: 0x45ed1984
    
    *radiusTransportThread: Aug 09 18:00:57.021: structureSize................................32
    
    *radiusTransportThread: Aug 09 18:00:57.021: resultCode...................................-4
    
    *radiusTransportThread: Aug 09 18:00:57.021: protocolUsed.................................0xffffffff
    
    *radiusTransportThread: Aug 09 18:00:57.021: proxyState...................................00:24:D7:42:46:E4-00:00
    
    *radiusTransportThread: Aug 09 18:00:57.021: Packet contains 0 AVPs:
    
    *apfReceiveTask: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 Received SGT for this Client.
    
    *apfReceiveTask: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 SGT received is '' with length 0 for station 00:24:d7:42:46:e4
    
    *apfReceiveTask: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 Client Mac not found in Radius DB, but sending Sucessfull Association response , since 'dot1x on-mac-failure' feature is turned on -------------------------------- >>> [ WLC sends successful association response because 'dot1x on-mac-failure' is enabled]
    
    *apfReceiveTask: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 Applying new AAA override for station 00:24:d7:42:46:e4
    
    *apfReceiveTask: Aug 09 18:00:57.021: 00:24:d7:42:46:e4 Override values for station 00:24:d7:42:46:e4

    Video - SP WiFi Updates on Wireless LAN Controller - 7.3 Release

    SP WiFi video.jpg

     

    Features and Use Cases in Release 1.0

    The main features supported in Release 1.0 include:

    • Controlling, securing, and differentiating services through intelligent policies embedded directly in the network or received through open and standards-based control interfaces to the basic service set (BSS)

    • Customizing service convergence with zero-touch provisioning across customized networks

    • Authenticating and authorizing subscribers using Dynamic Host Configuration Protocol (DHCP), RADIUS-based authentication, web logon, Wireless Internet Service Provider roaming (WISPr), MAC address, and IP address

    • Controlling and accounting for per-subscriber and per-service use for postpaid and prepaid billing

    • Validating high availability under high scale for:

    – Number of access points per controller
    – Subscriber count
    – Call rates
    – Load balancers

     

    Cisco SP Wi-Fi Services Overview

    Our SP Wi-Fi Services portfolio is a comprehensive set of services representing a holistic approach to the total lifecycle of service provider Wi-Fi engagements. Starting with a proof of concept, it covers the end-to-end spectrum of planning, building, optimization, and operation services, each assured by Cisco service-level agreements (SLAs). These services are flexible and can be customized.


    Cisco SP Wi-Fi Proof of Concept Service
    – Demonstration of a centralized management system, with zero-touch service fulfillment for rapid deployments of meshed access points, using a cloud-based architecture hosted in a Cisco data center


    Cisco SP Wi-Fi RF Plan and Build Service
    – Professional services from Cisco and our Wi-Fi specialized partners
    – Help in planning and deploying the RF components of the Cisco SP Wi-Fi solution
    – Analysis of architectural readiness, with guidance on selecting and prioritizing locations for Wi-Fi
    – RF expertise to obtain the most from your wireless access points
    – Coverage and capacity planning
    – Post-deployment RF analysis assistance to promote deployment success


    Cisco SP Wi-Fi Core Plan and Build Service
    – Professional services from Cisco and our Wi-Fi specialized partners
    – Help planning and deploying the core components of the Cisco SP Wi-Fi solution
    – Analysis of architectural readiness and assistance with the SP Wi-Fi deployment design
    – Start-to-finish deployment assistance, including a mobile subscriber policy enforcement system
    – Pre-deployment validation to help ensure deployment success
    – Post-deployment knowledge transfers to help ensure your understanding of the solution


    Cisco SP Wi-Fi Solution Support Service (Reactive)
    – Expert assistance to streamline operation of the Wi-Fi architecture
    – Quick isolation and remediation of unplanned service disruptions
    – Tracking and identification of the root cause of disruptive incidents, which provides valuable information for design changes and to help you scale with mobile subscriber growth


    Cisco SP Wi-Fi Optimization Services (Proactive)
    – Expert analysis and recommendations for transforming your Wi-Fi architecture into a high-performing, efficient environment
    – Help creating a strategy for managing all the critical components of the Cisco SP Wi-Fi architecture using a suite of Cisco hosted network management applications
    – Availability and performance optimization expertise to validate your planned design changes
    – Collaboration in developing a strategy for managing software releases and changes
    – Continuous learning activities that help your IT staff become more self-sufficient


    Cisco SP Wi-Fi Assurance Service (Preemptive)
    – Extension of the measurement and analytical capabilities provided by your Cisco SP Wi-Fi architecture
    – Real-time monitoring of various key performance indicators (KPIs) from Cisco network operations center
    – Comprehensive analytics using fault, capacity, availability, and performance information to help ensure reliable operations


    Cisco SP Wi-Fi Operate Service (End-to-End Platform Management)
    – Monitoring of the managed devices in the your environment to help ensure access points and controllers are properly activated and provisioned
    – Management of incident and problem resolution
    – Identification of operational trends to continually improve performance

    Cisco Service Provider Wi-Fi Solution 3.0 Data Sheet

    Reference

    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Quick Links