Called-Station-ID attribute and Cisco WLC code 7.4

Answered Question
Jan 16th, 2014

Hello


I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.


This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:


  • clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
  • clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller


WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?


Thanks
Andy

Scott Fella Thu, 01/16/2014 - 18:50

That is interesting, because 802.1x would happen on the foreign WLC, which is where the APs are associated to. WebAuth happens on the guest anchor WLC. Since you are using radius, why not just use a regex of .*SSID so you don't have to define the mac address and that will only look for your SSID. Depending on your radius, you can either use the regex or some have a "Contains" and the value would be your SSID.


Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"
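As an added illustration of the regex approach suggested above and of the failure mode Andy reports (Called-Station-ID carrying only the anchor WLC's MAC for anchored Web-Auth clients), here is a small policy-evaluation model. It is example code written for this page, not code from the thread, from ACS or from Cisco. The attribute values in SAMPLE_REQUESTS are constructed, the exact MAC/SSID separator format the WLC uses is an assumption, and the policy tables and the NAS-Identifier fallback are hypothetical.

```python
import re

# Constructed sample Access-Request attribute sets (not captured from real controllers):
#  - an 802.1X client on the foreign WLC, where Called-Station-Id is "AP MAC:SSID"
#  - an anchored Web-Auth client, where only the anchor WLC's MAC arrives
#  - an anchored Web-Auth client after "Call Station ID Type" was switched to IP address
SAMPLE_REQUESTS = [
    {"User-Name": "alice", "Called-Station-Id": "00-11-22-33-44-55:Corp-Dot1X",
     "NAS-Identifier": "wlc-foreign"},
    {"User-Name": "guest1", "Called-Station-Id": "AA-BB-CC-DD-EE-FF",
     "NAS-Identifier": "wlc-anchor"},
    {"User-Name": "guest2", "Called-Station-Id": "10.0.0.5",
     "NAS-Identifier": "wlc-anchor"},
]

# Assumed formats: six hex octets with "-", ":" or "." separators, and "MAC:SSID" when the
# WLC "Call Station ID Type" is "AP MAC Address:SSID".
_MAC = r"(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}"
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_MAC_SSID_RE = re.compile(rf"^({_MAC}):(.+)$")


def parse_called_station_id(value):
    """Classify a Called-Station-Id value into the forms discussed in the thread."""
    m = _MAC_SSID_RE.fullmatch(value)
    if m:
        return {"form": "ap_mac_ssid", "mac": m.group(1).lower(), "ssid": m.group(2)}
    if re.fullmatch(_MAC, value):
        # Bare MAC: what the anchored Web-Auth clients produced on 7.4 (no SSID to match on)
        return {"form": "mac_only", "mac": value.lower(), "ssid": None}
    if re.fullmatch(_IPV4, value):
        # Result of the global "Call Station ID Type" = IP address setting
        return {"form": "ip", "ip": value, "ssid": None}
    return {"form": "unknown", "ssid": None}


def ssid_regex(ssid):
    """The ".*SSID" idea, with the SSID escaped and anchored so that
    "Corp-Dot1X-Lab" does not satisfy a policy written for "Corp-Dot1X"."""
    return re.compile(r".*:" + re.escape(ssid) + r"$")


def called_station_matches_ssid(value, ssid):
    return ssid_regex(ssid).fullmatch(value) is not None


def select_policy(attrs, ssid_policies, nas_policies):
    """Pick a policy the way a rule table would: SSID rules first, then a
    NAS-Identifier fallback for requests whose Called-Station-Id carries no SSID.
    ssid_policies: {ssid: policy_name}; nas_policies: {nas_identifier: policy_name}.
    Anything unmatched is denied rather than silently allowed."""
    csid = attrs.get("Called-Station-Id", "")
    if parse_called_station_id(csid)["form"] == "ap_mac_ssid":
        for ssid, policy in ssid_policies.items():
            if called_station_matches_ssid(csid, ssid):
                return policy
    nas = attrs.get("NAS-Identifier")
    if nas in nas_policies:
        return nas_policies[nas]
    return "deny"


if __name__ == "__main__":
    ssid_rules = {"Corp-Dot1X": "corp-access"}
    nas_rules = {"wlc-anchor": "guest-access"}
    for req in SAMPLE_REQUESTS:
        parsed = parse_called_station_id(req["Called-Station-Id"])
        print(req["User-Name"], parsed["form"], parsed["ssid"],
              "->", select_policy(req, ssid_rules, nas_rules))
```

The point of the fallback is the one made in the thread: once a request arrives via the anchor, the SSID is simply not present in Called-Station-ID, so a policy keyed on the anchor controller (here by NAS-Identifier) has to stand in for it, and a request that matches neither table should be refused rather than fall into a permissive default.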

andrewswanson Thu, 01/16/2014 - 23:16

Thanks for the reply. I'm using Cisco ACS 5.5 for Radius - the authentication logs for the remote web-auth clients don't mention the SSID name at all. The Called-Station-ID is always the Anchor Controller MAC and the NAS-ID is the Anchor Controller host name regardless of any changes I make on either Controller. I'll have a look at getting some packet captures to confirm this and also have a look at other WLC software versions.


Thanks

Andy

Correct Answer
Scott Fella Fri, 01/17/2014 - 05:03

Since you have two AAA devices that are sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentications from the foreign WLC and that's when you can use the regex to define the SSID per AD Group.

Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.

Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.

Sent from Cisco Technical Support iPhone App

andrewswanson Fri, 01/17/2014 - 08:53

Thanks Scott - I'm in the process of working out what attribute to use to distinguish SSID for clients on the foreign WLC for Web-Auth.


For successful authentications (i.e. for APs associated to the anchor WLC), the only attribute that gives a clue to the SSID is Called-Station-ID.


I set up a test anchor WLC and changed the WLC Call Station ID option from AP Mac Address:SSID to IP address. This changed the Calling-Station-ID from the client MAC address to its IP address (the Web-Auth clients have a dedicated subnet and I could use this attribute to match on client IP address). Unfortunately the WLC Call Station ID change is a global one and it also changed the Called-Station-ID to the IP Address of the Anchor controller.


I think I may be able to use "Radius Server Overwrite interface" option on the Web-Auth WLAN - this would hopefully give me an attribute to match on. I'll give this a try and post back any results - thanks for your help with this.


Andy

andrewswanson Thu, 01/30/2014 - 02:14

Tested using Radius Server Overwrite Interface instead of Called-Station-ID for ACS to determine the WLAN - works fine for me.


Thanks

andy

Scott Fella Thu, 01/30/2014 - 05:41

Glad you got it working!

Sent from Cisco Technical Support iPhone App
