Wireless (General)


C4110-2 wrong role applied to wifi users

  • 1.  C4110-2 wrong role applied to wifi users

    Posted 05-04-2017 07:26
    Hi everyone,

    We have a problem which appears randomly, and we are having many difficulties identifying its origin and how to resolve it.

    Here is the authentication chain:

    Client request to authenticate > Access point > C4110-2 Controller > RADIUS Server > Active Directory *here parsing to find user and access right related to him* after that it does the same reverse path.

    The problem here is the role applied to the client. Normally a specific role related to the client is set after finding a match in AD. But in our situation the client takes the "Default" role we made, which denies all traffic.

    You'll find in attachment a screenshot related to the role:

    The network has an open SSID and is connectable by WPA2-Enterprise (EAP-PEAP).
    I can affirm it's linked to authentication because I tried with a "test" network set up with WPA2-Personal (with PSK) and it works perfectly.

    We also thought of a VPN tunnel problem between sites, but we have the same case in a site directly connected by MAN network.

    We checked the logs: we can see the client PC trying to connect, but it doesn't get an IP or the good role (always the "Default"). We have no logs on the RADIUS server.

    Last information, on those sites the same network had been working for years and we had this case on different types of AP (2610, 3825i). Controller is a C4110-2 running the software version

    Please help me !!

    Thibault R.

  • 2.  RE: C4110-2 wrong role applied to wifi users

    Posted 05-04-2017 11:06
    Hi Thibault,

    If you're not seeing any logs in your RADIUS server, it means that the RADIUS request is not making it to the RADIUS server at all. I would take a trace from your controller to see if it's leaving the controller destined to the RADIUS server.

    It's not necessarily an answer, but it's the next step I would take towards troubleshooting.


  • 3.  RE: C4110-2 wrong role applied to wifi users

    Posted 05-04-2017 13:07
    On the client side, does it show that the client connected at all? If it could not make it to the RADIUS server, from the client perspective you should see something like 'Unable to connect' or similar (depends on the OS). When the client passes the 'dot1X' stage, it is considered as 'port open now', and the next step is to obtain an IP.

  • 4.  RE: C4110-2 wrong role applied to wifi users

    Posted 05-04-2017 16:53
    Check the controller "station event" log = GUI > Logs > EWC: Station Events
    In the upper right field put in the MAC of the client and please provide a screenshot for us.

    Also check the RADIUS server log for the authentication events.

  • 5.  RE: C4110-2 wrong role applied to wifi users

    Posted 05-04-2017 17:59
    Sometimes Windows Servers do not log failed RADIUS login attempts, only successful logins. To confirm, in a DOS prompt CLI on the RADIUS server, you may need to verify that RADIUS failures are being logged with the command:

    c:\ auditpol /get /subcategory:"Network Policy Server"
    System audit policy
    Category/Subcategory Setting
    Network Policy Server Success

    If the output shows Network Policy Server showing "Success and Failure" it's enabled, but if it only shows "Success" like the example above you will need to use the following syntax to enable failure logging:

    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
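    An added example (not part of this thread) that scripts the check described in the post above: it parses the auditpol output, enables failure auditing only when it is missing, and then pulls the recent NPS authentication outcomes from the Security log so a missing "Denied" event for the client can be spotted. It assumes an elevated PowerShell session on the NPS/RADIUS server; the 6272/6273/6274 event IDs are the standard NPS granted/denied/discarded events.

    ```powershell
    # Added example: assumes it runs elevated on the Windows NPS (RADIUS) server.

    function Get-NpsAuditSetting {
        # Parse the plain-text output of the same auditpol command shown in the post.
        $line = auditpol /get /subcategory:"Network Policy Server" |
            Where-Object { $_ -match 'Network Policy Server' } |
            Select-Object -First 1
        if ($line -and $line -match 'Network Policy Server\s+(.+)$') {
            return $Matches[1].Trim()        # e.g. "Success" or "Success and Failure"
        }
        return $null
    }

    function Enable-NpsFailureAuditing {
        $setting = Get-NpsAuditSetting
        if ($setting -eq 'Success and Failure') {
            Write-Host "NPS failure auditing already enabled ($setting)."
            return
        }
        Write-Host "Current NPS audit setting is '$setting'; enabling success and failure auditing."
        auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    }

    function Get-RecentNpsAuthEvents {
        # 6272 = access granted, 6273 = access denied, 6274 = request discarded.
        param([int]$Hours = 24)
        $since = (Get-Date).AddHours(-$Hours)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Result  = switch ($_.Id) { 6272 { 'Granted' } 6273 { 'Denied' } 6274 { 'Discarded' } }
                    Summary = ($_.Message -split "`r?`n")[0]   # first line of the event text
                }
            }
    }

    Enable-NpsFailureAuditing
    # No 'Denied' or 'Discarded' events for the client after this means the request never reached NPS,
    # which points back at the controller-to-RADIUS path rather than at the AD lookup.
    Get-RecentNpsAuthEvents -Hours 24 | Format-Table -AutoSize
    ```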