C4110-2 wrong role applied to wifi users

  • Problem
  • Updated 1 year ago
  • Solved
Hi everyone,

We have a problem which appears randomly, and we are having many difficulties identifying its origin and how to resolve it.

Here is the authentication chain:

Client requests authentication > Access point > C4110-2 Controller > RADIUS server > Active Directory *here it parses to find the user and the access rights related to him*; after that it takes the same path in reverse.

The problem here is the role applied to the client. Normally a specific role related to the client is set after a match is found in AD, but in our situation the client takes the "Default" role we made, which denies all traffic.

You'll find attached a screenshot related to the role:


The network has an open SSID and is connectable with WPA2-Enterprise (EAP-PEAP).
I can affirm it's linked to authentication because I tried with a "test" network set up with WPA2-Personal (with a PSK) and it works perfectly.

We also thought of a VPN tunnel problem between sites, but we have the same case at a site directly connected by the MAN network.

We checked the logs: we can see the client PC trying to connect, but it doesn't get an IP or the right role (always "Default"). We have no logs on the RADIUS server.

Last piece of information: on those sites the same network had been working for years, and we have had this case on different types of AP (2610, 3825i). The controller is a C4110-2 running software version 09.21.14.0005.

Please help me!!

Thibault R.

Thibault Rochette


Posted 1 year ago


Tyler Marcotte, Official Rep

Hi Thibault,

If you're not seeing any logs on your RADIUS server, it means that the RADIUS request is not making it to the RADIUS server at all. I would take a trace from your controller to see if it's leaving the controller destined for the RADIUS server.

It's not necessarily an answer, but it's the next step I would take towards troubleshooting.

Tyler

Ostrovsky, Yury, Employee

On the client side, does it show that the client connected at all? If it could not make it to the RADIUS server, from the client's perspective you should see something like 'Unable to connect' or similar (depends on the OS).
When the client passes the 'dot1X' stage, it is considered 'port open now'; the next step is to obtain an IP.

Ronald Dvorak, Embassador

Check the controller "station event" log (GUI > Logs > EWC: Station Events).
In the upper-right field put in the MAC of the client and please provide a screenshot for us.

Also check the RADIUS server log for the authentication events.

Careno, Ryan, Employee

Sometimes Windows servers do not log failed RADIUS login attempts, only successful logins. To confirm, at a command prompt on the RADIUS server, verify that RADIUS failures are being logged with the command:

==========================================================
C:\> auditpol /get /subcategory:"Network Policy Server"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
 Network Policy Server                   Success
C:\>
==========================================================

If the output shows Network Policy Server as "Success and Failure" it's enabled, but if it only shows "Success" like the example above, you will need to use the following syntax to enable failure logging:

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

Ryan
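Added example (not from any of the replies above): a PowerShell script that performs Ryan's auditpol check and enables failure auditing if it is missing, then lists recent NPS reject/discard events so you can tell whether requests are reaching the server at all (Tyler's point). It assumes it runs elevated on the Windows NPS server; the function names and the event-data field names used for parsing are assumptions, as noted in the comments.

```powershell
# Added example, not code from the original thread.
# Assumes an elevated session on the Windows NPS (RADIUS) server.

function Get-NpsAuditSetting {
    # auditpol prints a table; the subcategory line ends with the effective setting
    # ("No Auditing", "Success", "Failure" or "Success and Failure").
    $out  = auditpol /get /subcategory:"Network Policy Server" 2>&1
    $line = $out | Where-Object { $_ -match 'Network Policy Server' }
    if (-not $line) { throw "Could not read audit policy (is the session elevated?)" }
    return ($line -replace '^\s*Network Policy Server\s*', '').Trim()
}

function Enable-NpsFailureAudit {
    # Returns $true if the policy was changed, $false if failure auditing was already on.
    $setting = Get-NpsAuditSetting
    if ($setting -match 'Failure') {
        Write-Host "NPS auditing already set to: $setting"
        return $false
    }
    Write-Host "NPS auditing is '$setting'; enabling Success and Failure"
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    return $true
}

function Get-RecentNpsRejects {
    param([int]$Hours = 24, [string]$ClientMac)
    # NPS writes to the Security log: 6272 = access granted, 6273 = access denied,
    # 6274 = request discarded (e.g. unknown RADIUS client or shared-secret mismatch).
    $filter = @{ LogName = 'Security'; Id = 6273, 6274; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $want = if ($ClientMac) { $ClientMac -replace '[:.-]', '' } else { $null }
    foreach ($e in $events) {
        # Field names (CallingStationID, SubjectUserName, NASIPv4Address, Reason) are
        # assumed from the NPS event schema; inspect $e.ToXml() if they differ on your server.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($want -and (($d['CallingStationID'] -replace '[:.-]', '') -ne $want)) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            User   = $d['SubjectUserName']
            Mac    = $d['CallingStationID']
            Nas    = $d['NASIPv4Address']
            Reason = $d['Reason']
        }
    }
}

# Usage: enable failure auditing, then look for the problem client's attempts.
Enable-NpsFailureAudit | Out-Null
$rejects = Get-RecentNpsRejects -Hours 24 -ClientMac 'aa-bb-cc-dd-ee-ff'   # assumed client MAC
if (-not $rejects) {
    Write-Host "No 6273/6274 events for that client: the request is probably not reaching NPS (check the NAS client entry, the shared secret and a trace from the controller)."
} else {
    $rejects | Format-Table -AutoSize
}
```

If failure auditing was off until now, re-run the query after the next failed association; events that occurred before the policy change were never written. A run that shows 6274 (discarded) rather than 6273 (denied) points at the RADIUS client definition or shared secret rather than at the AD lookup, which is a different fix from the role mapping the original post is chasing.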