WLC problem with Calling-Station-Id append SSID in H-REAP MODE

uselessid
Level 1

Hello!

We have a WLC 5508 with Aironet 1041 AP's and we're working in H-REAP mode.

We need to receive the SSID in the Calling-Station-Id attribute on RADIUS (in compliance with RFC 3580) so we can use a specific filter on LDAP.

The problem is that we can only achieve this by setting the command "radius-server vsa send" on the AP (the Controller doesn't support it), which we do manually and which has to be done every time the AP reboots, otherwise it cannot authenticate on RADIUS.

So, we have some inquiries:

1) How can we enable the AP/WLC to send the CallingStationID in the RFC 3580 format when using H-REAP;

2) How can we enable the AP/WLC to send the authentication to a specific RADIUS server (on a per-SSID basis - one RADIUS per SSID) even if we're using H-REAP;

3) Any other alternatives to achieve the requested.

Accepted Solution

Jacob Snyder
Level 5

I don't have an answer for a radius server per WLAN, but there is something you can do.

If you look, the called-station-id is the mac address of the MBSSID that the AP has associated with the WLAN.

for example:

Called-Station-ID=40f4.ec60.d9df

Taking the old days of doing this with autonomous APs, you could create a network condition that maps all of the MBSSIDs to their respective SSIDs to identify which SSID they are calling and use that as a way to distinguish between them.

You can find the BSSID for the WLAN by running show ap wlan 802.11(a/b):

(CCIE_Wireless) >show ap wlan 802.11a Lab1142
Site Name........................................ RemoteOffice
Site Description.................................
WLAN ID          Interface          BSSID
-------         -----------        --------------------------
4               13-w                 40:f4:ec:60:d9:df

That way you could write an ACS policy that could take action based on the SSID.

Totally not a best practice, and it's a big manual PITA if the deployment is very large.  This is how we dealt with autonomous APs in large deployments where H-REAP didn't make sense.


Hi Gustavo,

I think you are referring to the Called Station ID (not the Calling Station ID), which usually comes with the SSID info. In H-REAP there are two modes, "Connected" & "Standalone". As per my understanding, with H-REAP in connected mode the RADIUS request comes from the WLC, where you should see the SSID information in the "Called Station ID", whereas in standalone mode the AP sends the RADIUS request directly without the RFC3850 format (unless you configure the AP manually like you said).

In this context here is my response to your queries

1. In Connected Mode the WLC should send the RADIUS request complying with RFC3850. In standalone mode I do not think you can do this. I will test it & let you know if I find something for you.

2. Again in Connected mode, you can do this per SSID on WLC, but in Standalone mode, I do not think you can specify different Radius server for different SSID.

3. In H-REAP you can assign different VLANs to different SSIDs (local switching & VLAN mapping) as long as you configure the H-REAP AP's connection to the switch via a trunk port with the required VLANs passing on that trunk.

HTH

Rasika

Jacob Snyder
Level 5

So, I just tested this in the lab running 7.0.116.0.

It's true you don't get this in RFC 3580 format, which is XX-XX-XX-XX-XX

I had an AP in flexconnect configured with Local Auth and I got the following:


jsnyder81

You're right, it works.

It's a good alternative since we cannot do it on the Controller.

Thanks for the help!

In H-REAP, the H-REAP AP does not support AAA override;

in FlexConnect, the FlexConnect AP supports AAA override.

You could use RADIUS-IETF:called-station-ID and RADIUS-Cisco:av-pair to identify which SSID/WLAN you connect to.

For an H-REAP/FlexConnect AP in connected mode, RADIUS-IETF:called-station-ID is <MAC>:<SSID>.

The condition would be classified as "end of" + ":<SSID>".

For an H-REAP/FlexConnect AP in standalone mode, the RADIUS request is sent from the AP,

RADIUS-Cisco:av-pair is ssid=<SSID>,

and the condition would be classified as "equal to" + "ssid=<SSID>",

in which <SSID> is your SSID.

In WLC 7.4/7.5, the AP group adds a "NAS-ID" attribute in each AP group,

so we could use AP group/NAS-ID to identify which WLAN is on your AP.

We could use NAS-ID to identify the access service rule (up to 16 WLANs in an AP group),

and in each access service identify the WLAN via RADIUS-IETF:called-station-ID and RADIUS-Cisco:av-pair.

Personally, I would not use the "airespace-wlan-id" to identify which WLAN the client connected to.

( How could I always remember what each customer's WLAN-ID means? .. XD~~ )
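As an added illustration (not code from this thread or from Cisco), the following Python resolves the SSID from the three attribute shapes the replies describe: the connected-mode Called-Station-Id of the form MAC:SSID, the standalone-mode Cisco av-pair ssid=, and the bare BSSID that Jacob's accepted answer maps back to a WLAN from the "show ap wlan" table. The BSSID-to-SSID table and the SSID names are constructed sample values.

```python
import re

# Constructed BSSID -> SSID table, as one would build from "show ap wlan 802.11a" output.
# The MAC below is the one quoted in the thread; the SSID name is a made-up sample.
BSSID_TO_SSID = {
    "40:f4:ec:60:d9:df": "Corp-Lab",   # WLAN ID 4 in the example output
}


def normalize_mac(value):
    """Return a MAC as lowercase colon-separated form, accepting Cisco dotted
    (40f4.ec60.d9df), RFC 3580 dashed (40-F4-EC-60-D9-DF) or colon form.
    Returns None when the value is not a 48-bit MAC."""
    hexdigits = re.sub(r"[.:\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def ssid_from_request(attrs):
    """Resolve (ssid, source) from a dict of RADIUS attributes.
    Order of preference mirrors the thread:
      1. Called-Station-Id = <MAC>:<SSID>  (H-REAP/FlexConnect connected mode)
      2. Cisco av-pair "ssid=<SSID>"       (standalone mode, request sent by the AP)
      3. Called-Station-Id = bare BSSID    (map it through the controller's table)
    Returns (None, None) when nothing matches."""
    csid = attrs.get("Called-Station-Id", "")
    # 1. A MAC prefix (17 chars dashed/colon, 14 chars dotted) followed by ':' and the SSID.
    #    Splitting at the prefix length rather than the first ':' keeps SSIDs containing ':'.
    for n in (17, 14):
        if normalize_mac(csid[:n]) and csid[n:n + 1] == ":" and csid[n + 1:]:
            return csid[n + 1:], "called-station-id"
    # 2. Cisco VSA av-pair carrying ssid=<SSID>
    for av in attrs.get("Cisco-AVPair", []):
        if av.startswith("ssid="):
            return av[len("ssid="):], "av-pair"
    # 3. Bare BSSID: look it up in the table built from "show ap wlan"
    mac = normalize_mac(csid)
    if mac in BSSID_TO_SSID:
        return BSSID_TO_SSID[mac], "bssid-map"
    return None, None
```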
