Web authentication to MS IAS - one user out of 75 is failing

Unanswered Question

Hi, I've set up web authentication to IAS successfully. Most of my users have no problems, but one is really having a tough go of it.

I've noticed some strange entries in the logs and maybe someone here can offer some advice.

The WLC reports this:

Oct 05 13:06:01.819 pem_api.c:5669 PEM-1-MSGTAG051: Unable to allow user 000004023 into the system - perhaps the useris already logged onto the system?

IAS logging seems a little sparse, but these are the entries reported for user 000004023. Even though we've been trying all day, we didn't record any more entries after this.,4023,10/05/2007,09:02:31,IAS,SVM-IAS1,6,1,4,,32,QCA-WLC1,26,0x00003763010600000002,31,,30,,4108,,4116,9,4128,Wireless Controller 1,4155,1,4154,Use Windows authentication for all users,4129,SITE\4023,4130,SITE\4023,4127,1,25,311 1 09/26/2007 17:32:23 1119,4136,1,4142,0,4023,10/05/2007,09:02:31,IAS,SVM-IAS1,25,311 1 09/26/2007 17:32:23 1119,4127,1,4130,SITE\4023,4129,SITE\4023,4154,Use Windows authentication for all users,4155,1,4128,Wireless Controller 1,4116,9,4108,,4136,3,4142,16

Here is an IAS record for which another user was successful.,000003746,10/05/2007,08:57:44,IAS,SVM-IAS1,6,1,4,,32,QCA-WLC1,26,0x00003763010600000002,31,,30,,4108,,4116,9,4128,Wireless Controller 1,4155,1,4154,Use Windows authentication for all users,4129,SITE\000003746,4127,1,4149,Wireless - Student Access - WLC1,25,311 1 09/26/2007 17:32:23 1110,4130,SITE.local/SITE/Students/Users/Some User,4136,1,4142,0,000003746,10/05/2007,08:57:44,IAS,SVM-IAS1,25,311 1 09/26/2007 17:32:23 1110,4130,SITE.local/SITE/Students/Users/Some User,6,1,26,0x00003763010600000002,4108,,4116,9,4128,Wireless Controller 1,4155,1,4154,Use Windows authentication for all users,4129,SITE\000003746,4127,1,4149,Wireless - Student Access - WLC1,4136,2,4142,0

I notice that on the failed record, the leading zeroes are truncated from the username field. This is a problem for us as these are actually userids.

In addition, despite the fact that I have administratively disassociated user they are still shown in the user list:

(QCA-WCS1) >show client username 000004023

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:1c:b3:b5:5d:87 N/A Idle N/A No Unknown 0

I would not expect to continue to see this entry after the user is no longer associated. This entry remains hours after all other entries are gone.

Any recommendations?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
scottmac Sun, 10/07/2007 - 06:11

What version of code are you running on what flavor of controller?

Likely as not it's the client; do you have access to the client machine for some testing?

Make sure the client drivers are current and that the operating system is up to date with patches.

As bizarre as it may seem, if this customer is, um, "frugal," then also try another nic on the client ... we've run across duplicate MACs on some "cost effective" NICS ... probability in this case is close to nil, but when things get tight, you gotta look for the wierd stuff.

Let us know ...


Hi Scott,

The code is the latest -

We've actually been able to get this user online, by issuing another userid. It seems this is closely tied in the radius authentication.

Good call on the duplicate MAC, but unfortunately that isn't the problem. We were able to replicate the error with another laptop, and at any rate the MAC isn't in the list of connected clients.

I really would like to see if there isn't a second cache of credentials somewhere that I can flush out.

Just to note, the command "show client username " will show details for any client if they have logged in at least once, even if they're no longer associated. This seems to be normal behaviour. Like this:

>show client username 000001234

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:0e:35:ae:ab:ca N/A Idle N/A No Unknown 0

>show client username 000005678

Unable to locate user requested

>show client username 000009876

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:19:7e:51:ef:e3 AP01 Associated 2 Yes 802.11g 1


I now have a second user with this problem.

Unique for these problem users is that the "show client username" command does not display them as an active client. I increased the number of active logins per account to two, to minimize the damage from this problem, and despite the fact that this client is currently authenticated and active on the system, it shows this in the console:

>show client username 000001234

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:0e:35:ae:ab:ca N/A Idle N/A No Unknown 0

In the web front-end, I can lookup her MAC address and it displays as active.

Now there may be a further issue, in that the MAC listed above is not the client's MAC address and she claims to have attempted a login with her laptop only. Does this mean someone else successfully logged into her account? Or is it a further manifestation of this problem.

I've got enough data for a TAC case now I think. I'll drop a line when I hear more.


dennischolmes Tue, 10/09/2007 - 18:12

Have you tried increasing your EAP timeouts. The default is like 2 seconds and this sometimes causes problems with IAS authentication. What happens is the response from the IAS back to the controller takes longer than 2 seconds so the controller attempts to resend the authentication request. That could be why you don't see them authenticated. They actually never were as far as the controller is concerned.

This problem keeps getting weirder. Yesterday I had the good luck to spot another strange effect of this problem.

>show client username 000004023

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:1c:b3:b5:5d:87 LAP03 Associated 2 Yes 802.11g 1

>show client username 000004203

MAC Address AP Name Status WLAN Auth Protocol Port

----------------- ----------------- ------------- ---- ---- -------- ----

00:1c:b3:b5:5d:87 LAP03 Associated 2 Yes 802.11g 1

When user 000004203 logs in, the same MAC address is recorded as being used by user 00004023. User 000004023 is one of our original problem users, so she is logging in under another, temporary userid.

A WLC with dyslexia? That seems too easy.

scottmac Wed, 10/10/2007 - 15:19

Well, generally, when you see multiple upper-layer identities associated with a single MAC, that indicates that the traffic is passing through a router / proxy / firewall.

You can see this if you access some stuff on the Internet, then do an ARP -A or (on a router) "show arp" ... you will / should see multiple IP addresses, all with teh MAC of the last hop to the LAN segment that the host is sitting on.

Now, between a wireless client and a wireless host, with nothing (supposedly) between 'em, then I'd suspect a "man in the middle" attack.

Or, I think I remember an earlier post where you mention a web authentication host (i.e., captive portal)... that is likely to be acting as a proxy or a pass-through (do you have one NIC in there or two?)

If all traffic is passed through the web auth box, then the MAC you're seeing is probably the web box/captive portal.

Could you post a diagram, or even a general description of the setup you are using ... are the LWAPPs L2 or L3? etc



dennischolmes Wed, 10/10/2007 - 15:38


Didn't have time to answer earlier. The WLC acts as a proxy for dhcp and authentication requests. That would be the reason you are seeing the same mac with multiple users. If you check, I bet it is the mac of the mgt interface on the controller. I think it is time to get TAC involved.

Hi Scott,

The APs are in L3 mode, they're 1131s. We're using a single WLC4402 which provides the web portal. I've uploaded a picture that should help.

I have quite a few active clients to look at, and I think the "show client username xxx" shows the actual client MAC address. I don't believe this is a problem at the hardware layer (there aren't multiple MACs per IP) but at the authentication management stage. I believe there is a second authentication table that the controller maintains locally which correlates client MACs to radius usernames.

But that's just what I think, so I appreciate everyone helping. I have raised a case with TAC, following my suspicion of a bug.


maraboli Fri, 03/07/2008 - 05:36


I have the exact same problem with my WCS and 4400 controller ( version)

Has this problem been solved ?

(maybe in the version?)

thank you.


Yes it has been solved - sorry I forgot to post the solution I got from TAC.

It was very simple, but I had to set the AAA session timeout to an appropriate number. It had been set to 0, which implies that AAA authentication sessions were never removed from the system.

Once I set this field to a high number of seconds, the problem was solved.

This system is still running, so I'm preparing for the upgrade, but at the time 65535 seconds was the highest it would go - the TAC engineer was surprised at this, he said in previous versions it had been possible to use a higher number.



This Discussion



Trending Topics - Security & Network