Configure Verify and Troubleshoot Web Auth on Mac Filter Failure
Available Languages
Contents
Introduction
This document describes to Configure, Troubleshoot and Verify Local Web Auth on “Mac Filter Failure” feature using ISE for external authentication.
Prerequisites
Configure ISE for MAC Authentication
Valid user credentials configured on ISE/Active Directory
Requirements
Cisco recommends that you have knowledge of these topics:
Basic understanding to navigate through controller Web UI
Policy, WLAN profile and Policy Tags configuration
Service policy configuration on ISE
Components Used
9800 WLC version 17.12.2
C9120 AXI AP
9300 switch
ISE version version 3.1.0.518
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The Web Auth "On Mac Failure Filter" feature serves as a fallback mechanism in WLAN environments that use both MAC Authentication and Web Authentication.
- Fallback Mechanism: When a client attempts to connect to a WLAN with MAC Filter against an external RADIUS server (ISE) or local server and fails to authenticate, this feature automatically initiates a Layer 3 Web Authentication.
- Successful Authentication: If a client successfully authenticates through the MAC Filter, Web Authentication is bypassed, allowing the client to connect directly to the WLAN.
- Avoiding Disassociations: This feature helps prevent disassociations that can otherwise occur due to MAC filter authentication failures.
Web Auth Flow
Configure
Network Diagram
Network Topology
Configurations
Configure Web Parameters
Navigate to Configuration > Security > Web Auth and select the Global parameter map
Verify the Virtual IP and Trustpoint configuration from the Global Parameter Map. All custom Web Auth parameter profiles inherit the Virtual IP and Trustpoint configuration from the Global Parameter Map.
Global Web Auth Parameter Profile
Step1: Select "Add" to create a custom web authentication parameter map. Enter Profile name and choose Type as "Webauth".
Web Auth Parameter Profile
If your clients are also getting an IPv6 address, you must also add a Virtual IPv6 address in the parameter map. Use an IP in the documentation range 2001:db8::/32
If your clients obtained an IPv6 address, there is a good chance they try to get the HTTP web auth redirection in V6 and not V4, which is why you need the Virrtual IPv6 to be set also.
CLI Configuration:
parameter-map type webauth Web-Filter
type webauth
Configure Policy Profile
Step1: Create a Policy Profile
Navigate to Configuration > Tags & Profiles > Policy. Select "Add". In the General tab, specify a name for the profile and enable the status toggle.
Policy Profile
Step2:
Under the Access Policies tab, choose the client VLAN from the VLAN section dropdown list.
Access Policy tab
CLI Configuration:
wireless profile policy Web-Filter-Policy
vlan VLAN2074
no shutdown
Configure WLAN Profile
Step1: Navigate to Configuration > Tags and Profiles > WLANs. Select "Add" to create a new profile. Define a profile name and SSID name, and enable the status field.
WLAN Profile
Step2: Under the Security tab, enable the "Mac Filtering" checkbox and configure the RADIUS server in the Authorization List (ISE or local server). This setup utilizes ISE for both Mac Authentication and Web Authentication.
WLAN Layer 2 security
Step3: Navigate to Security > Layer3. Enable Web Policy and associate it with the Web Authentication Parameter Map profile. Check the "On Mac Filter Failure" checkbox and choose the RADIUS server from the Authentication list dropdown.
WLAN Layer3 security tab
CLI Configuration
wlan Mac_Filtering_Wlan 9 Mac_Filtering_Wlan
mac-filtering network
radio policy dot11 24ghz
radio policy dot11 5ghz
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list ISE-List
security web-auth on-macfilter-failure
security web-auth parameter-map Web-Filter
no shutdown
Step4: Configure Policy Tags, Create WLAN Profile, and Policy Profile Mapping
Navigate to Configuration > Tags & Profiles > Tags > Policy. Click "Add" to define a name for the Policy Tag. Under WLAN-Policy Maps, select "Add" to map the previously created WLAN and Policy profile.
Policy TAG map
CLI Configuration:
wireless tag policy default-policy-tag
description "default policy-tag"
wlan Mac_Filtering_Wlan policy Web-Filter-Policy
Step 5: Navigate to Configuration > Wireless > Access Point. Select the access point responsible for broadcasting this SSID. Within the Edit AP menu, assign the created Policy Tag.
Mapping policy TAG to AP
Configure AAA Settings:
Step1: Create a Radius Server:
Navigate to Configuration > Security > AAA. Click the "Add" option under the Server/Group section. On the "Create AAA Radius Server" page, enter the server name, IP address, and Shared Secret.
Server Configuration
CLI Configuration
radius server ISE-Auth
address ipv4 10.197.224.122 auth-port 1812 acct-port 1813
key *****
server name ISE-Auth
Step2: Create a Radius Server Group:
Select the "Add" option under the Server Groups section to define a server group. Toggle the servers to be included within the same group configuration.
It is not required to set the source interface. By default, the 9800 uses its routing table to figure out the interface to use to reach the RADIUS server and typically uses the default gateway.
Server Group
CLI Configuration
aaa group server radius ISE-Group
server name ISE-Auth
ip radius source-interface Vlan2074
deadtime 5
Step3: Configure AAA Method List:
Navigate to the AAA Method List tab. Under Authentication, click Add. Define a method list name with Type as "login" and Group type as "Group". Map the configured authentication server group under the Assigned Server Group section.
Authentication Method list
CLI Configuration
aaa authentication login ISE-List group ISE-Group
Navigate to the Authorization Method List section and click "Add". Define a method list name and set the type to "network" with Group type as "Group". Toggle the configured RADIUS server to the Assigned Server Groups section.
Authorization method list
CLI Configuration
aaa authorization network network group ISE-Group
ISE configuration:
Add WLC as a network device on ISE
Step1: Navigate to Administration > Network Devices and click Add. Enter the controller IP address, Hostname and shared secret under the Radius Authentication Settings
Add Network device
Shared Secret
Step2: Create User entry
Under the Identity Management > Identities, select the Add option.
Configure the username and password which the client must use to web authentication
Add user credentials
Step3: Navigate to Administration > Identity Management > Groups > Registered Devices and click Add.
Enter device mac address to create an entry on the server.
Add device mac address
Step4: Create Service Policy
Navigate to Policy > Policy sets and select “+” sign to create a new policy set
This policy set is for user web authentication, where a username and password for the client is created in Identity Management
Web Authentication Service policy
Similarly, create a MAB service policy and map internal endpoints under authentication policy.
MAB Authentication service policy
Verify
Controller configuration
show wireless tag policy detailed default-policy-tag
Policy Tag Name : default-policy-tag
Description : default policy-tag
Number of WLAN-POLICY maps: 1
WLAN Profile Name Policy Name
------------------------------------------------------------------------
Mac_Filtering_Wlan Web-Filter-Policy
show wireless profile policy detailed Web-Filter-Policy
Policy Profile Name : Web-Filter-Policy
Description :
Status : ENABLED
VLAN : 2074
Multicast VLAN : 0
show wlan name Mac_Filtering_Wlan
WLAN Profile Name : Mac_Filtering_Wlan
================================================
Identifier : 9
Description :
Network Name (SSID) : Mac_Filtering_Wlan
Status : Enabled
Broadcast SSID : Enabled
Mac Filter Authorization list name : network
Webauth On-mac-filter Failure : Enabled
Webauth Authentication List Name : ISE-List
Webauth Authorization List Name : Disabled
Webauth Parameter Map : Web-Filter
show parameter-map type webauth name Web-Filter
Parameter Map Name : Web-Filter
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Activation Mode : Replace
Sleeping-Client : Disabled
Webauth login-auth-bypass:
show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server active supplementary listener ports: 21111
HTTP server authentication method: local
HTTP server auth-retry 0 time-window 0
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server IPv4 access class: None
HTTP server IPv6 access class: None
HTTP server base path:
HTTP File Upload status: Disabled
HTTP server upload path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 300
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
show ap name AP2-AIR-AP3802I-D-K9-2 tag detail
Policy tag mapping
------------------
WLAN Profile Name Policy Name VLAN Flex Central Switching IPv4 ACL IPv6 ACL
---------------------------------------------------------------------------------------------------------------------------------------------
Mac_Filtering_Wlan Web-Filter-Policy 2074 ENABLED Not Configured Not Configured
Client policy state on controller
Navigate to the Dashboard > Clients section to confirm the status of connected clients.
Client is currently in Web Auth pending state
Client detail
show wireless client summary
Number of Clients: 1
MAC Address AP Name Type ID State Protocol Method Role
-------------------------------------------------------------------------------------------------------------------------
6c7e.67e3.6db9 AP2-AIR-AP3802I-D-K9-2 WLAN 9 Webauth Pending 11ac Web Auth Local
show wireless client mac-address 6c7e.67e3.6db9 detail
Client MAC Address : 6c7e.67e3.6db9
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 10.76.6.150
Client IPv6 Addresses : fe80::10eb:ede2:23fe:75c3
Client Username : 6c7e67e36db9
AP MAC Address : 1880.902b.05e0
AP Name: AP2-AIR-AP3802I-D-K9-2
AP slot : 1
Client State : Associated
Policy Profile : Web-Filter-Policy
Flex Profile : N/A
Wireless LAN Id: 9
WLAN Profile Name: Mac_Filtering_Wlan
Wireless LAN Network Name (SSID): Mac_Filtering_Wlan
BSSID : 1880.902b.05eb
Client ACLs : None
Mac authentication : Failed
Policy Manager State: Webauth Pending
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 88 seconds
Policy Type : N/A
Encryption Cipher : None
Auth Method Status List
Method : Web Auth
Webauth State : Get Redirect
Webauth Method : Webauth
After successful Web-Authentication, client policy manager state transitions to RUN
show wireless client mac-address 6c7e.67e3.6db9 detail
Client ACLs : None
Mac authentication : Failed
Policy Manager State: Run
Last Policy Manager State : Webauth Pending
Client Entry Create Time : 131 seconds
Policy Type : N/A
Troubleshoot
The functionality of the Web Auth on MAC Failure feature relies on the controller capability to trigger web authentication upon MAB failure. Our primary aim is to gather RA traces efficiently from the controller for troubleshooting and analysis.
Collecting Radioactive trace
Activate Radio Active Tracing to generate client debug traces for the specified MAC address in the CLI.
Steps to enable Radioactive Tracing:
Ensure all the conditional debugs are disabled
clear platform condition allEnable debug for specified mac address
debug wireless mac <H.H.H> monitor-time <Time is seconds>After reproducing the issue, disable debugging to halt the RA trace collection.
no debug wireless mac <H.H.H>
Once the RA trace is stopped, the debug file is generated in the controller bootflash.
show bootflash: | include ra_trace
2728 179 Jul 17 2024 15:13:54.0000000000 +00:00 ra_trace_MAC_aaaabbbbcccc_HHMMSS.XXX_timezone_DayWeek_Month_Day_year.log
Copy the file to an external server.
copy bootflash:ra_trace_MAC_aaaabbbbcccc_HHMMSS.XXX_timezone_DayWeek_Month_Day_year.log tftp://<IP address>/ra-FILENAME.txt
Display the debug log:
more bootflash:ra_trace_MAC_aaaabbbbcccc_HHMMSS.XXX_timezone_DayWeek_Month_Day_year.log
Enable RA trace in GUI,
Step1: Navigate to Troubleshooting > Radioactive Trace. Select the option to add a new entry, then enter the client MAC address in the designated Add MAC/IP Address tab.
Radioactive trace
Embedded Packet Captures:
Navigate to Troubleshooting > Packet Capture. Enter the capture name and specify the client MAC address as the inner filter MAC. Set the buffer size to 100 and choose the uplink interface to monitor incoming and outgoing packets.
Embedded packet capture
Note: Select the "Monitor Control Traffic" option to view traffic redirected to the system CPU and reinjected into the data plane.
Select Start to capture packets
Start capture
CLI configuration
monitor capture TestPCap inner mac <H.H.H>
monitor capture TestPCap buffer size 100
monitor capture TestPCap interface twoGigabitEthernet 0/0/0 both
monitor capture TestPCap start
<Reporduce the issue>
monitor capture TestPCap stopshow monitor capture TestPCap
Status Information for Capture TestPCap
Target Type:
Interface: TwoGigabitEthernet0/0/0, Direction: BOTH
Status : Inactive
Filter Details:
Capture all packets
Inner Filter Details:
Mac: 6c7e.67e3.6db9
Continuous capture: disabled
Buffer Details:
Buffer Type: LINEAR (default)
Buffer Size (in MB): 100
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 3600
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
Export packet capture to external TFTP server
monitor capture TestPCap export tftp://<IP address>/ TestPCap.pcap
Export packet capture
Example scenario during successful MAC authentication, a client device connects to the network, its MAC address is validated by the RADIUS server through configured policies, and upon verification, access is granted by the network access device, allowing network connectivity.
Once client associates, controller sends a Access-Request to ISE server,
User name is the mac address of the client as this is MAB authentication
2024/07/16 21:12:52.711298748 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Send Access-Request to 10.197.224.122:1812 id 0/0, len 422
2024/07/16 21:12:52.711310730 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: authenticator 19 c6 63 56 33 a7 e6 b6 - f3 00 70 b0 2a 7f 75 3c
2024/07/16 21:12:52.711326401 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: User-Name [1] 14 "6c7e67b72d29"
2024/07/16 21:12:52.711329615 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: User-Password [2] 18 *
2024/07/16 21:12:52.711337331 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Service-Type [6] 6 Call Check [10]
2024/07/16 21:12:52.711340443 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Vendor, Cisco [26] 31
2024/07/16 21:12:52.711344513 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Cisco AVpair [1] 25 "service-type=Call Check"
2024/07/16 21:12:52.711349087 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Framed-MTU [12] 6 1485
2024/07/16 21:12:52.711351935 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Message-Authenticator[80] 18 ...
2024/07/16 21:12:52.711377387 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: EAP-Key-Name [102] 2 *
2024/07/16 21:12:52.711382613 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Vendor, Cisco [26] 49
2024/07/16 21:12:52.711385989 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=9C064C0A0000227ABE923CE6
ISE sends Access-Accept as we have a valid user entry
2024/07/16 21:12:52.779147404 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Received from id 1812/0 10.197.224.122:0, Access-Accept, len 115
2024/07/16 21:12:52.779156117 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: authenticator 5d dc 1c e6 d3 82 a3 75 - 07 a1 86 0a 37 e2 e7 65
2024/07/16 21:12:52.779161793 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: User-Name [1] 19 "6C-7E-67-B7-2D-29"
2024/07/16 21:12:52.779165183 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Class [25] 58 ...
2024/07/16 21:12:52.779219803 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Message-Authenticator[80] 18 ...
2024/07/16 21:12:52.779417578 {wncd_x_R0-0}{1}: [mab] [17765]: (info): [6c7e.67b7.2d29:capwap_90000005] MAB received an Access-Accept for (6c7e.67b7.2d29)
2024/07/16 21:12:52.779436247 {wncd_x_R0-0}{1}: [mab] [17765]: (info): [6c7e.67b7.2d29:capwap_90000005] Received event 'MAB_RESULT' on (6c7e.67b7.2d29)
Client policy state transistioned to Mac Auth completed
2024/07/16 21:12:52.780181486 {wncd_x_R0-0}{1}: [client-auth] [17765]: (info): MAC: 6c7e.67b7.2d29 Client auth-interface state transition: S_AUTHIF_MAB_AUTH_PENDING -> S_AUTHIF_MAB_AUTH_DONE
2024/07/16 21:12:52.780238297 {wncd_x_R0-0}{1}: [client-orch-sm] [17765]: (debug): MAC: 6c7e.67b7.2d29 Processing MAB authentication result status: 0, CO_AUTH_STATUS_SUCCESS
Client is in IP learn state after successful MAB authentication
2024/07/16 21:12:55.791404789 {wncd_x_R0-0}{1}: [client-orch-state] [17765]: (note): MAC: 6c7e.67b7.2d29 Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2024/07/16 21:12:55.791739386 {wncd_x_R0-0}{1}: [client-iplearn] [17765]: (info): MAC: 6c7e.67b7.2d29 IP-learn state transition: S_IPLEARN_INIT -> S_IPLEARN_IN_PROGRESS
2024/07/16 21:12:55.794130301 {iosrp_R0-0}{1}: [buginf] [4440]: (debug): AUTH-FEAT-SISF-EVENT: IP update for MAC f4bd.9e58.424b. New IP 10.76.6.147
Client policy manager state updated to RUN, Web Authentication is skipped for the client which completes MAB authentication
2024/07/16 21:13:11.210786952 {wncd_x_R0-0}{1}: [errmsg] [17765]: (info): %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: R0/0: wncd: Username entry (6C-7E-67-B7-2D-29) joined with ssid (Mac_Filtering_Wlan) for device with MAC: 6c7e.67b7.2d29 on channel (136)
Verification using Embedded Packet Capture
Radius Packet
Example where MAC authentication failure for a client device
Mac Authentication initaited for a client after successful association
2024/07/17 03:20:59.842211775 {wncd_x_R0-0}{1}: [mab] [17765]: (info): [6c7e.67e3.6db9:capwap_90000005] MAB authentication started for 6c7e.67e3.6db9
2024/07/17 03:20:59.842280253 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17765]: (note): Authentication Success. Resolved Policy bitmap:11 for client 6c7e.67e3.6db9
2024/07/17 03:20:59.842284313 {wncd_x_R0-0}{1}: [client-auth] [17765]: (info): MAC: 6c7e.67e3.6db9 Client auth-interface state transition: S_AUTHIF_MAB_AUTH_PENDING -> S_AUTHIF_MAB_AUTH_PENDING
2024/07/17 03:20:59.842320572 {wncd_x_R0-0}{1}: [mab] [17765]: (info): [6c7e.67e3.6db9:capwap_90000005] Received event 'MAB_CONTINUE' on (6c7e.67e3.6db9)
ISE would send Access-Reject as this device entry is not present in ISE
2024/07/17 03:20:59.842678322 {wncd_x_R0-0}{1}: [mab] [17765]: (info): [6c7e.67e3.6db9:capwap_90000005] MAB received an Access-Reject for 0xFE00001C (6c7e.67e3.6db9)
2024/07/17 03:20:59.842877636 {wncd_x_R0-0}{1}: [auth-mgr] [17765]: (info): [6c7e.67e3.6db9:capwap_90000005] Method mab changing state from 'Running' to 'Authc Failed'
Web-Auth initiated for client device as MAB failed
2024/07/17 03:20:59.843728206 {wncd_x_R0-0}{1}: [client-auth] [17765]: (info): MAC: 6c7e.67e3.6db9 Client auth-interface state transition: S_AUTHIF_MAB_AUTH_FAILED -> S_AUTHIF_L2_WEBAUTH_PENDING
Once the Client initiates a HTTP GET request, Redirect URL is pushed to the client device as the corresponding TCP session is spoofed by the controller.
2024/07/17 03:21:37.817434046 {wncd_x_R0-0}{1}: [webauth-httpd] [17765]: (info): capwap_90000005[6c7e.67e3.6db9][ 10.76.6.150]Parse GET, src [10.76.6.150] dst [10.76.6.145] url [http://10.76.6.145/auth/discovery?architecture=9]
2024/07/17 03:21:37.817459639 {wncd_x_R0-0}{1}: [webauth-httpd] [17765]: (debug): capwap_90000005[6c7e.67e3.6db9][ 10.76.6.150]Parse GET, Redirect to VIP/login.html
2024/07/17 03:21:37.817466483 {wncd_x_R0-0}{1}: [webauth-httpd] [17765]: (debug): capwap_90000005[6c7e.67e3.6db9][ 10.76.6.150]Parse GET, Redirect to Virtual IP url [https://192.0.2.1/login.html?redirect=http://10.76.6.145/auth/discovery?architecture=9]
2024/07/17 03:21:37.817482231 {wncd_x_R0-0}{1}: [webauth-state] [17765]: (info): capwap_90000005[6c7e.67e3.6db9][ 10.76.6.150]State INIT -> GET_REDIRECT
Client initiates a HTTP Get to the redirect URL and once the page loads the login credentials is submitted.
The controller sends a Access Request to ISE
This is a web autnentication as a valid user name is observed in Access-Accept packet
2024/07/17 03:22:51.132347799 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Send Access-Request to 10.197.224.122:1812 id 0/3, len 457
2024/07/17 03:22:51.132362949 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: authenticator fd 40 0f 7e 35 67 dc 5a - 63 cf ef ae f3 79 ee aa
2024/07/17 03:22:51.132368737 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Calling-Station-Id [31] 19 "6c-7e-67-e3-6d-b9"
2024/07/17 03:22:51.132372791 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: User-Name [1] 10 "testuser"
2024/07/17 03:22:51.132376569 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Vendor, Cisco [26] 49
Access-Accept received from ISE
2024/07/17 03:22:51.187040709 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Received from id 1812/3 10.197.224.122:0, Access-Accept, len 106
2024/07/17 03:22:51.187050061 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: authenticator d3 ac 6c f7 a2 a2 17 ca - b4 0f 00 a7 f6 51 0a a4
2024/07/17 03:22:51.187055731 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: User-Name [1] 10 "testuser"
2024/07/17 03:22:51.187059053 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Class [25] 58 ...
2024/07/17 03:22:51.187102553 {wncd_x_R0-0}{1}: [radius] [17765]: (info): RADIUS: Message-Authenticator[80] 18 ...
Web Authentication is successful and client state transistion to RUN state
2024/07/17 03:22:51.193775717 {wncd_x_R0-0}{1}: [errmsg] [17765]: (info): %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: R0/0: wncd: Username entry (testuser) joined with ssid (Mac_Filtering_Wlan) for device with MAC: 6c7e.67e3.6db9 on channel (136)
2024/07/17 03:22:51.194009423 {wncd_x_R0-0}{1}: [client-orch-state] [17765]: (note): MAC: 6c7e.67e3.6db9 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_RUN
Verification through EPC captures
The client completes TCP handshake with the controller virtual IP address and the client loads the redirect portal page. Once the user submits username and password, we can observe a radius access-request from the controller management IP address.
After successful authentication, the client TCP session is closed and on the controller the client transitions into RUN state.
TCP flow with radius packet
Radius packet sent to ISE with user credentials
Client-side wireshark capture to validate the client traffic is getting redirected to the portal page and validate the TCP handshake to controller virtual ip address/ web server
Client side capture to validate the redirect url
Client establishes TCP handshake to the virtual IP address of the controller
TCP handshake between the client and webserver
Session is closed after successful web authentication,
TCP session closed after client completes web authentication
Related Article
Understand Wireless Debugs and Log Collection on Catalyst 9800 Wireless LAN Controllers
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.0 |
25-Jul-2024 |
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)