2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

I am currently trying to troubleshoot an authentication issue. I have 2 WLANs, the first is our campus wireless which authenticates users using 802.1x and points to a Microsoft IAS Server for RADIUS authentication (authentication pass/fail based on domain user credentials).

This is working as intended.

A second WLAN was created for devices that do not support enterprise authentication (XBOX, Playstation, etc). For these devices I have created a self registration site where the user can enter the MAC address of their device. The MAC address is written to a SQL database as both username and password. The WLAN for these users is configured for MAC auth and points to a Cisco ACS RADIUS server (Windows ACS 4.2). The Cisco ACS is configured to check the SQL server for user credentials. (External ODBC connection)

This also works well for the most part.

Summary:

WLAN 1 - Campus Wireless - WPA2 Enterprise 802.1x using domain credentials - external RADIUS (Microsoft IAS)

WLAN 2 - Legacy Wireless - Open with MAC authentication, external RADIUS (Cisco ACS 4.2)

Both RADIUS servers have been added to the main security page, but each WLAN has been configured with only its specific RADIUS server.

The issue I am having is that once users have successfully authenticated to WLAN 1 at least once with their domain credentials, they can then manually connect to WLAN 2 even if they have not registered their MAC address.

In these cases the RADIUS server logs for WLAN 2 (Cisco ACS) indicate a "failed authentication" message.

From what I understand, once the controller receives the reject message it should not allow the client to connect. There should be no rolling over to the other RADIUS server unless there is no response/timeout, which would prompt it to roll over to the next available RADIUS server.

I also did try "config radius aggressive-failover disable", but since the Cisco ACS server is successfully passing back ACCEPT/REJECT messages it should not be trying to fail over anyway.

I can reproduce the issue at will and in testing I have taken my iPad and reset all network settings then attempted to join WLAN2. This fails as it should but after I successfully authenticate to WLAN 1 at least once I am thereafter able to connect to WLAN2 at will regardless of the failed RADIUS authentication attempt.

Any ideas?

12 REPLIES

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Hi,

Rolling over between RADIUS servers only occurs on the same WLAN, and only when the controller deems the RADIUS server to be dead. However, if you get rejected from one WLAN but then reassociate to another WLAN, there is no mechanism in place to reject the attempt because they previously failed on a separate WLAN. This happens all the time with users connecting on incorrect WLANs.

The failover feature is for when you have multiple servers (usually for redundancy) on the same WLAN. So when a user is rejected by RADIUS server 1, the process stops there and the request isn't sent to RADIUS server 2.

Hope that helps!

Tarik Admani
*Please rate helpful posts*

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Correct, this is how I understand it to work.

Neither WLAN should be rolling over at all. Users are bypassing the MAC authentication on WLAN 2 based on their previous authentication to WLAN 1. The users are not actually failing authentication on WLAN 2 and then just reassociating with WLAN 1. They are failing authentication on WLAN 2 (per logs) and then still successfully connecting to .... WLAN 2 =D

If a user has never connected to WLAN 1 (dot1x) and they attempt to connect to WLAN 2, they do not successfully authenticate if their MAC address is not in the database.

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

out of curiosity....is the ACS configured to talk to your Microsoft AD?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

The ACS is not configured for AD. An external ODBC database is configured and associated with the Unknown User Policy.

Take WLAN 1 (dot1x) out of the picture completely and WLAN 2 with its MAC auth works perfectly.

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Is fast user switching enabled?

Steve

Sent from Cisco Technical Support iPhone App

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

No, it is not.

thanks.

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Actually to be more specific.

"Fast SSID Change" is enabled at the controller level.

The per WLAN setting of "Fast Transition" is disabled.

If I understand correctly, Fast Transition is for allowing quick transitions between APs, and Fast SSID Change is the ability to quickly change between SSIDs.

So could the authentication issue be the result of not enforcing a delay between SSID changes?

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Disable that and test again

Steve

Sent from Cisco Technical Support iPhone App

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

That looks like it may be working.

At one time we needed to have this enabled to allow quick transitions from student to academic networks (physically isolated WLANs). Now, users are logically separated and remain on the same WLAN anywhere on campus, so we shouldn't need this.

I will test it further and let you know.

Cisco Employee

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

"able to connect to WLAN2 at will regardless of the failed RADIUS authentication attempt"??

When the issue gets reproduced, are you able to see that the client on WLAN2 goes to the RUN state and is able to pass traffic? Could you post the debugs for this issue?

MAC auth should be checked for every new association; it is interesting that it bypasses it and ignores the RADIUS response.

Is the list of allowed MAC addresses configured on the WLC or on ACS for L2 MAC filtering? If it is on the WLC, be sure to lock those entries to WLAN2 only.

As a workaround, if possible, enable WEP encryption on WLAN2 to avoid any clients accidentally trying it, or hide WLAN2's SSID from its beacon.
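The checks and settings raised across this thread (per-WLAN RADIUS binding from the original question, the global Fast SSID Change knob from the earlier replies, and the RUN-state and MAC-filter checks in the post above), collected as an added AireOS WLC CLI example. This is not from any post in the thread. The WLAN IDs, RADIUS server indices, client MAC address, interface name and description are placeholders, and lines beginning with # are annotations rather than CLI input.

```text
# 1. Confirm which RADIUS server index each WLAN is bound to.
#    "show radius summary" lists the configured servers with their index;
#    "show wlan <id>" shows the per-WLAN authentication server list.
show radius summary
show wlan 1
show wlan 2

# 2. Bind WLAN 2 (MAC auth) only to the ACS server (index 2 is a placeholder)
#    and make sure MAC filtering is enabled on it. The WLAN is disabled while
#    its AAA settings are changed and re-enabled afterwards.
config wlan disable 2
config wlan radius_server auth add 2 2
config wlan mac-filtering enable 2
config wlan enable 2

# 3. The global setting behind the symptom in this thread: with Fast SSID
#    Change enabled, a client can hop SSIDs without the controller enforcing
#    a delay. Check it, then disable it as suggested above.
show network summary
config network fast-ssid-change disable

# 4. If MAC filter entries are kept on the WLC rather than in ACS, tie each
#    entry to WLAN 2 only (MAC, interface and description are placeholders).
config macfilter add 00:11:22:33:44:55 2 management "console-example"

# 5. Reproduce with a test client and verify. A client that received an
#    Access-Reject on WLAN 2 should never reach the RUN state there;
#    "show client detail" prints the Policy Manager State, and the debugs
#    show the AAA exchange and the client state machine.
debug client 00:11:22:33:44:55
debug aaa all enable
show client detail 00:11:22:33:44:55
debug disable-all
```

Run step 5 before and after disabling Fast SSID Change so the two debug captures can be compared directly; the difference in whether the client reaches RUN on WLAN 2 after the reject is the evidence to attach if the case is escalated.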

New Member

Re: 2 WLANs, one with 802.1x and the other with MAC Auth - different RADIUS servers

Dear wmumper71

I need your help to configure 2 SSIDs on an AP 1140, each one of them authenticating from a different RADIUS server.

I already have one SSID authenticating from an NPS server and it's working fine.
