I am currently trying to troubleshoot an authentication issue. I have 2 WLANs, the first is our campus wireless which authenticates users using 802.1x and points to a Microsoft IAS Server for RADIUS authentication (authentication pass/fail based on domain user credentials).
This is working as intended.
A second WLAN was created for devices that do not support enterprise authentication (Xbox, PlayStation, etc.). For these devices I have created a self-registration site where the user can enter the MAC address of their device. The MAC address is written to a SQL database as both username and password. The WLAN for these users is configured for MAC auth and points to a Cisco ACS RADIUS server (Windows ACS 4.2). The Cisco ACS is configured to check the SQL server for user credentials (external ODBC connection).
This also works well for the most part.
WLAN 1 - Campus Wireless - WPA2 Enterprise 802.1x using domain credentials - external RADIUS (Microsoft IAS)
WLAN 2 - Legacy Wireless - Open with MAC authentication, external RADIUS (Cisco ACS 4.2)
Both RADIUS servers have been added to the main security page but each WLAN has been configured with only its specific RADIUS Server
The issue I am having is that once users have successfully authenticated to WLAN 1 at least once with their domain credentials, they can then manually connect to WLAN 2 even if they have not registered their MAC address.
In these cases the RADIUS server logs for WLAN 2 (Cisco ACS) indicate a "failed authentication" message.
From what I understand, once the Controller receives the reject message it should not allow the client to connect. There should be no rolling over to the other RADIUS server unless there is no response/timeout, which would prompt it to roll over to the next available RADIUS server.
I also did try "configure radius aggressive-failover disable" but since the CISCO ACS server is successfully passing back ACCEPT/REJECT messages it should not be trying to failover anyway.
I can reproduce the issue at will and in testing I have taken my iPad and reset all network settings then attempted to join WLAN2. This fails as it should but after I successfully authenticate to WLAN 1 at least once I am thereafter able to connect to WLAN2 at will regardless of the failed RADIUS authentication attempt.
The rolling over between RADIUS servers only occurs on the same WLAN and only when the controller deems the RADIUS server to be dead. However, if you get rejected from one WLAN but then reassociate to another WLAN, there is no mechanism in place to reject the attempt because they previously failed on a separate WLAN. This happens all the time with users connecting on incorrect WLANs.
The failover feature is for when you have multiple servers (usually for redundancy) on the same WLAN. So when a user is rejected by RADIUS server 1 the process stops there and the request isn't sent to RADIUS server 2.
Hope that helps!
*Please rate helpful posts*
Correct, this is how I understand it to work.
Neither WLAN should be rolling over at all. Users are bypassing the MAC authentication on WLAN2 based on their previous authentication to WLAN 1. The users are not actually failing authentication on WLAN2 and then just reassociating with WLAN1. They are failing authentication on WLAN2 (per logs) and then still successfully connecting to .... WLAN 2 =D
If a user has never connected to WLAN 1 (dot1x) and they attempt to connect to WLAN 2, they do not successfully authenticate if their MAC address is not in the database.
Out of curiosity, is the ACS configured to talk to your Microsoft AD?
Please remember to rate useful posts, and mark questions as answered
The ACS is not configured for AD. An external ODBC database is configured and associated with the Unknown User Policy.
Take WLAN 1 (dot1x) out of the picture completely and WLAN 2 with its MAC auth works perfectly.
Is fast user switching enabled?
Sent from Cisco Technical Support iPhone App
Actually to be more specific.
"Fast SSID Change" is enabled at the controller level.
The per WLAN setting of "Fast Transition" is disabled.
If I understand correctly, Fast Transition is for allowing quick transitions between APs, and Fast SSID Change is the ability to quickly change between SSIDs.
So could the authentication issue be the result of not enforcing a delay between SSID changes?
Disable that and test again
Sent from Cisco Technical Support iPhone App
That looks like it may be working.
At one time we needed to have this enabled to allow quick transitions from student to academic networks (physically isolated WLANs). Now, users are logically separated and remain on the same WLAN anywhere on campus, so we shouldn't need this.
I will test it further and let you know.
able to connect to WLAN2 at will regardless of the failed RADIUS authentication attempt??
When the issue gets reproduced, are you able to see that the client on WLAN2 goes to RUN state and is able to pass traffic? Could you post the debugs for this issue?
MAC auth should be checked for every new association; it is interesting that it bypasses it and ignores the RADIUS response.
Is the list of allowed MAC addresses configured on the WLC or on the ACS for L2 MAC filtering? If it is on the WLC, be sure to lock those entries to WLAN2 only.
As a workaround, if possible, enable WEP encryption on WLAN2 to avoid any clients accidentally trying it, or hide WLAN2's SSID from its beacon.
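The post above makes the point that MAC auth should be evaluated on every new association, so the useful check on the defender's side is to correlate the RADIUS server's Passed/Failed records with the controller's client states and flag any client that reached RUN on the MAC-auth WLAN without an Access-Accept. The script below is an added example written for this thread, not code from the original posts or from Cisco; the log line formats, the `Passed-Authentication`/`Failed-Attempt` outcome names, the WLAN numbering and the MAC addresses are all constructed for illustration, so the two regexes would need to be adapted to real ACS and WLC exports.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example. The formats are invented and
# are NOT real Cisco ACS or WLC output; adapt the regexes to your own exports.
ACS_LOG = """\
2013-03-04 10:01:12 Failed-Attempt user=001122334455 nas=WLC1 ssid=WLAN2 reason=unknown-user
2013-03-04 10:01:40 Passed-Authentication user=aabbccddeeff nas=WLC1 ssid=WLAN2
2013-03-04 10:03:02 Failed-Attempt user=001122334455 nas=WLC1 ssid=WLAN2 reason=unknown-user
"""

WLC_LOG = """\
2013-03-04 10:01:13 client 00:11:22:33:44:55 wlan=2 state=RUN
2013-03-04 10:01:41 client aa:bb:cc:dd:ee:ff wlan=2 state=RUN
2013-03-04 10:02:05 client 66:77:88:99:aa:bb wlan=1 state=RUN
2013-03-04 10:03:03 client 00:11:22:33:44:55 wlan=2 state=RUN
"""

# Hypothetical line layouts matching the constructed samples above.
ACS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<outcome>Passed-Authentication|Failed-Attempt) user=(?P<user>\S+)"
)
WLC_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<mac>\S+) wlan=(?P<wlan>\d+) state=(?P<state>\S+)"
)


def normalize_mac(raw):
    """Reduce any common MAC spelling (aa:bb.., aa-bb.., aabb.ccdd.eeff, AABB..)
    to 12 lowercase hex characters so the ACS username and the WLC client
    address compare equal regardless of how each side formats them."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return hexdigits


def parse_acs(text):
    """Return {mac: [(timestamp, outcome), ...]} in log order."""
    results = defaultdict(list)
    for line in text.splitlines():
        m = ACS_RE.match(line)
        if m:
            results[normalize_mac(m.group("user"))].append((m.group("ts"), m.group("outcome")))
    return results


def parse_wlc(text):
    """Return [(timestamp, mac, wlan_id, state), ...] in log order."""
    events = []
    for line in text.splitlines():
        m = WLC_RE.match(line)
        if m:
            events.append(
                (m.group("ts"), normalize_mac(m.group("mac")), int(m.group("wlan")), m.group("state"))
            )
    return events


def find_bypass(acs_text, wlc_text, mac_auth_wlan=2):
    """Return the sorted MACs that reached RUN on the MAC-auth WLAN without a
    Passed-Authentication record at or before that moment: clients the
    controller admitted even though the RADIUS server never accepted them.
    Timestamps are compared as strings, which is valid for the fixed-width
    'YYYY-MM-DD HH:MM:SS' layout used in the constructed samples."""
    auth = parse_acs(acs_text)
    suspicious = set()
    for ts, mac, wlan, state in parse_wlc(wlc_text):
        if wlan != mac_auth_wlan or state != "RUN":
            continue
        accepted = any(
            outcome == "Passed-Authentication" and when <= ts
            for when, outcome in auth.get(mac, [])
        )
        if not accepted:
            suspicious.add(mac)
    return sorted(suspicious)


if __name__ == "__main__":
    for mac in find_bypass(ACS_LOG, WLC_LOG):
        print("RUN on WLAN%d without Access-Accept: %s" % (2, mac))
```

Run against the constructed samples it reports only `001122334455`, the client that was rejected twice yet shows up in RUN on WLAN 2; the client accepted at 10:01:40 is not flagged, and the WLAN 1 client is ignored because `mac_auth_wlan` restricts the check to the MAC-auth WLAN. The normalisation step matters in practice because a self-registration form, the SQL table, the ACS username and the controller's client table rarely agree on colons, dashes or case.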
I need your help to configure 2 SSIDs on an AP 1140, each of them authenticating against a different RADIUS server.
I already have one SSID authenticating against an NPS server and it's working fine.