802.1x with ACS does not correctly work

Unanswered Question
Jan 18th, 2008


I have here a WLan setup with a WDS, some 40 Accesspoints, an ACS 4.1 server and a Windows Domain Controller which has the users configured.

I have a group mapping in ACS configured which points to a small group in the ADS.

The groupmapping in ACS points to a specific group in ACS.

There I've configured the following:

[009\001] cisco-av-pair

- ssid=xx-200 (the name of the SSID the clients connect)

[006] Service-Type

- Login

[007] Framed-Protocol


[025] Class

- OU=pers; (this is not the special group where those users are in, but they are also in this one)

[064] Tunnel-Type

- Tag 1 Value Vlan

[065] Tunnel-Medium-Type

- Tag 1 Value 802

[081] Tunnel-Private-Group-ID

- Tag 1 Value 200 (the Vlan in which they should go)

The good thing is, authentication with username password works.

The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.

The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.

The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.

Here the WDS configuration:


server auth-port 1645 acct-port 1646

server auth-port 1645 acct-port 1646


aaa authentication enable default enable

aaa session-id common

radius-server host auth-port 1645 acct-port 1646 key 7 xxxx

radius-server host auth-port 1645 acct-port 1646 key 7 xxxx

radius-server retransmit 2

radius-server timeout 18

radius-server deadtime 1

radius-server vsa send accounting

wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT

wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT

ssid xx-200

The accesspoint config:

aaa authentication login METHOD_RAD_WDS_CLIENT group radius

aaa authentication enable default enable

aaa session-id common


dot11 ssid xx-200

vlan 200

authentication open eap METHOD_RAD_WDS_CLIENT

authentication network-eap METHOD_RAD_WDS_CLIENT

authentication key-management wpa

interface Dot11Radio0

encryption vlan 200 mode ciphers aes-ccm

broadcast-key vlan 200 change 60

ssid xx-200


interface Dot11Radio0.200


encapsulation dot1Q 200

no ip route-cache

no cdp enable

bridge-group 200

bridge-group 200 subscriber-loop-control

bridge-group 200 block-unknown-source

no bridge-group 200 source-learning

no bridge-group 200 unicast-flooding

bridge-group 200 spanning-disabled


interface FastEthernet0.200


encapsulation dot1Q 200

no ip route-cache

bridge-group 200

no bridge-group 200 source-learning

bridge-group 200 spanning-disabled


I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
patoberli Fri, 01/18/2008 - 08:02

I have finally found something to look into :/

000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6

000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]

000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4

000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]

This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

Sven Hruza Wed, 02/18/2009 - 09:46

Hi patoberli,

the same debug message I have seen in my debugs!

But I can't find anything about it...

Did you find out what the message means?

Thanks a lot!


patoberli Wed, 02/18/2009 - 23:26

Hi, no I found nothing about that. But I've also replaced our complete setup to the new controller based solution. That's makes the whole setup way easier, but it's not cheap.



aneelaka Fri, 03/06/2009 - 14:22

With ACS you have debug logs in package.cab, it should give more useful info on user mapping


This Discussion



Trending Topics - Security & Network