MAC address format problem between ACS and WLC5760 controller

Heiko Kelling · ‎02-24-2016

Hi all,

first I want to apologize for the bad english.

We have an old wireless infrastructure with standalone APs (1121, 1142 etc...) and a SSID where clients logging in via mac address authentication. The mac addresses are stored in internal ACS database in the format "aabbcc112233", small letters without hyphen and colon.

The authentication works perfectly. This is the log of a old standalone AP authentication:

040591: Jan 26 16:11:06.739 MET: RADIUS/ENCODE(0000D60A):Orig. component type = DOT11
040592: Jan 26 16:11:06.740 MET: RADIUS(0000D60A): Storing nasport 55044 in rad_db
040593: Jan 26 16:11:06.740 MET: RADIUS(0000D60A): Config NAS IP: 172.28.2.20
040594: Jan 26 16:11:06.740 MET: RADIUS/ENCODE(0000D60A): acct_session_id: 64882
040595: Jan 26 16:11:06.740 MET: RADIUS(0000D60A): Config NAS IP: 172.28.2.20
040596: Jan 26 16:11:06.741 MET: RADIUS(0000D60A): sending
040597: Jan 26 16:11:06.741 MET: RADIUS(0000D60A): Send Access-Request to 172.29.254.222:1812 id 1645/177, len 198
040598: Jan 26 16:11:06.741 MET: RADIUS: authenticator 6A 02 ED 45 C8 D3 E4 F3 - 86 9F DD AF 22 6B 65 7D
040599: Jan 26 16:11:06.741 MET: RADIUS: User-Name [1] 14 "489d2468953e"
040600: Jan 26 16:11:06.741 MET: RADIUS: User-Password [2] 18 *
040601: Jan 26 16:11:06.741 MET: RADIUS: Called-Station-Id [30] 16 "0011.92f7.1ba0"
040602: Jan 26 16:11:06.742 MET: RADIUS: Calling-Station-Id [31] 16 "489d.2468.953e"
040603: Jan 26 16:11:06.742 MET: RADIUS: Vendor, Cisco [26] 24
040604: Jan 26 16:11:06.742 MET: RADIUS: Cisco AVpair [1] 18 "ssid=SSID_guests"
040605: Jan 26 16:11:06.742 MET: RADIUS: Vendor, WISPr [26] 42
040606: Jan 26 16:11:06.742 MET: RADIUS: WISPr VSA [2] 36 "xyz"
040607: Jan 26 16:11:06.743 MET: RADIUS: Service-Type [6] 6 Login [1]
040608: Jan 26 16:11:06.743 MET: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
040609: Jan 26 16:11:06.743 MET: RADIUS: Vendor, Cisco [26] 13
040610: Jan 26 16:11:06.743 MET: RADIUS: cisco-nas-port [2] 7 "55044"
040611: Jan 26 16:11:06.743 MET: RADIUS: NAS-Port [5] 6 55044
040612: Jan 26 16:11:06.743 MET: RADIUS: NAS-IP-Address [4] 6 172.28.2.20
040613: Jan 26 16:11:06.743 MET: RADIUS: Nas-Identifier [32] 11 "c1121_020"
040614: Jan 26 16:11:06.755 MET: RADIUS: Received from id 1645/177 172.29.254.222:1812, Access-Accept, len 20
040615: Jan 26 16:11:06.755 MET: RADIUS: authenticator 18 4E A5 A6 31 B9 BC DE - C9 72 E4 23 71 A0 FD 6E
040616: Jan 26 16:11:06.756 MET: RADIUS(0000D60A): Received from id 1645/177

Now we have bought 5760 controllers and there are problems with the authentication:

All devices are rejected by ACS, because the the WLC 5760 sends the mac addresses and the whole RADIUS packets in a different format.

Jan 26 16:08:54.797: RADIUS/ENCODE(0000001E):Orig. component type = Invalid
Jan 26 16:08:54.797: RADIUS(0000001E): Config NAS IP: 0.0.0.0
Jan 26 16:08:54.797: RADIUS(0000001E): Config NAS IPv6: ::
Jan 26 16:08:54.797: RADIUS(0000001E): sending
Jan 26 16:08:54.797: RADIUS/ENCODE: Best Local IP-Address 172.28.254.1 for Radius-Server 172.29.254.222
Jan 26 16:08:54.797: RADIUS(0000001E): Send Access-Request to 172.29.254.222:1812 id 1645/88, len 220
Jan 26 16:08:54.797: RADIUS: authenticator 0F C9 73 5B 54 0A 97 3A - 95 0C 4A E8 A2 7C A4 9D
Jan 26 16:08:54.797: RADIUS: User-Name [1] 14 "489d2468953e"
Jan 26 16:08:54.797: RADIUS: Calling-Station-Id [31] 19 "48:9d:24:68:95:3e"
Jan 26 16:08:54.797: RADIUS: Called-Station-Id [30] 14 "172.28.254.1"
Jan 26 16:08:54.797: RADIUS: NAS-Port-Id [87] 3 "0"
Jan 26 16:08:54.797: RADIUS: Vendor, Airespace [26] 12
Jan 26 16:08:54.797: RADIUS: Airespace-WLAN-ID [1] 6 11
Jan 26 16:08:54.797: RADIUS: Service-Type [6] 6 Call Check [10]
Jan 26 16:08:54.797: RADIUS: Vendor, Cisco [26] 31
Jan 26 16:08:54.797: RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
Jan 26 16:08:54.797: RADIUS: Framed-MTU [12] 6 1300
Jan 26 16:08:54.798: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jan 26 16:08:54.798: RADIUS: Vendor, Cisco [26] 49
Jan 26 16:08:54.798: RADIUS: Cisco AVpair [1] 43 "audit-session-id=ac1cfe0156a79a160000001e"
Jan 26 16:08:54.798: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
Jan 26 16:08:54.798: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
Jan 26 16:08:54.798: RADIUS: Tunnel-Private-Group[81] 4 "11"
Jan 26 16:08:54.798: RADIUS: User-Password [2] 18 *
Jan 26 16:08:54.798: RADIUS: NAS-IP-Address [4] 6 172.28.254.1
Jan 26 16:08:54.798: RADIUS(0000001E): Sending a IPv4 Radius Packet
Jan 26 16:08:54.798: RADIUS(0000001E): Started 5 sec timeout
Jan 26 16:08:54.809: RADIUS: Received from id 1645/88 172.29.254.222:1812, Access-Reject, len 20

The result of the different format is that the ACS is looking for 48-9D-24-68-95-3E in the internal user identity store and not for 489d2468953e and the devices is always rejected:

There is a cli command on WLC 5760:

(config)# aaa group server radius “grp-name”
(config-sg-radius)# mac-delimiter “colon/hyphen/none/single-hyphen”

It has an impact on the radius username, but for the ACS the “ACS Username” and the “Calling Station ID” seems to be crucial and the "radius username" is unimportant.

So I have found these command and tried to change the radius parameters like described on this website

http://mrncciew.com/2013/07/22/called-calling-station-id/:

L1250-1(config)#radius-server attribute ?
11 Filter-Id attribute configuration
188 Num-In-Multilink attribute configuration
218 Address-Pool attribute
25 Class attribute
30 DNIS attribute
31 Calling Station ID
32 NAS-Identifier attribute
4 NAS IP address attribute
44 Acct-Session-Id attribute
55 Event-Timestamp attribute
6 Service-Type attribute
69 Tunnel-Password attribute
77 Connect-Info attribute
8 Framed IP address attribute
list List of Attribute Types
nas-port NAS-Port attribute configuration

L1250-1(config)#radius-server attribute 31 mac format
default format ex: 0000.4096.3e4a
ietf format ex: 00-00-40-96-3E-4A
unformatted format ex: 000040963e4a

L1250-1(config)#radius-server attribute 31 mac format ietf

For example: radius-server attribute 31 mac format unformatted

But this command seems to have no effect, no matter what I choose there! Is there anybody with the same problem?

Yury Kuzminov · ‎11-08-2017

Dear Heiko,

I've faced with similar issue in our network. If you have a solution, please let me know )

Sandeep Choudhary · ‎11-08-2017

Did you configured correctly ?

The necessary commands are found in the AAA server group.

aaa group server radius server_grp
......
mac-delimiter colon|hyphen|none|single-hyphen

Regards

Dont forget to rate helpful posts

Yury Kuzminov · ‎11-08-2017

@Sandeep Choudhary wrote:

Did you configured correctly ?

The necessary commands are found in the AAA server group.

aaa group server radius server_grp
......
mac-delimiter colon|hyphen|none|single-hyphen

Regards

Dont forget to rate helpful posts

Yep, saw this info already, thanks! I'll try to change a delimiters and wrote back a results.

Yury Kuzminov · ‎11-09-2017

No, changing mac delimiters (and mac-filtering types as well) doesn't helped. We found only one thing: Called-Station-ID field in the RADIUS requests contains the IP of management interface of controller, not the MAC of AP. Is this can be a reason of rejecting?

Yury Kuzminov · ‎11-17-2017

Problem was solved by changing called-station-id field in RADIUS request from 5760 to ACS. ACS must get a SSID from this field to find a proper policy, however, 5760 sends a management IP address of controller by default. To change this field, wireless security dot1x radius mac-authentication call-station-id was changed on 5760. After changing to ap-macaddress-ssid authentication was successful.

Here is some additional info:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/command_reference/b_sec_3se_5700_cr/b_sec_32se_3850_cr_chapter_01.html#wp2148606362