RFC 3580 (IEEE 802.1X RADIUS Usage Guidelines) defines the two attributes "Called-Station-Id" and "Calling-Station-Id" as quoted below. If your wireless deployment is RFC 3580 compliant, you should see the AP radio MAC plus the SSID in "Called-Station-Id", and the supplicant MAC address in "Calling-Station-Id". These are useful for enforcing policies on your wireless traffic based on the SSID the client joined.
Called-Station-Id: For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".

Calling-Station-Id: For IEEE 802.1X Authenticators, this attribute is used to store the Supplicant MAC address in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0".
We will see how this works in Cisco Local and H-REAP mode deployments. Here is the basic topology: two APs, a WLC and an ACS.
Here is the L1130-1 (Local Mode) AP information.
Here is the L1250-1 (H-REAP Mode) AP information.
I have configured a WLAN called "RFC-3580" to test this, set to WPA2/AES with 802.1X and RADIUS authentication. The picture below shows the few important settings (H-REAP local switching enabled); everything else is left at its default.

First we will test the Local Mode AP (L1130-1) by connecting to this SSID and then looking at the ACS Monitoring logs. You would see something like this. "Called-Station-Id" arrives as "AP radio MAC:SSID", which complies with RFC 3580, and "Calling-Station-Id" is the supplicant MAC address with octets separated by "-", which also complies with the standard.

Now we will test this with an H-REAP mode AP. In H-REAP there are two scenarios, "Connected" and "Standalone" mode. In connected mode the WLC sends the authentication request to the RADIUS server, whereas in standalone mode the AP itself sends the authentication request.

Here is the similar output when the client is associated to the H-REAP AP in Connected Mode. Both attributes comply with RFC 3580. Note that this time the L1250-1 radio MAC (54:75:d0:cd:05:70) is part of Called-Station-Id.

Finally we will test "H-REAP Standalone" mode. You can force this by shutting down the switchport connected to the WLC, and verify it with "show capwap reap status" on the AP CLI.
L1250-1#show capwap reap status
AP Mode: REAP, Standalone
Radar detected on:
Here is the ACS log this time. You can see clearly that neither Calling-Station-Id nor Called-Station-Id is RFC 3580 compliant: there is no SSID in Called-Station-Id, and the MAC octets are not separated by "-". If you look carefully, the Called-Station-Id MAC is not the radio MAC (54:75:d0:cd:05:70) but the BSSID, which is derived from the base radio MAC. My WLAN ID is 10 and the BSSID is 54:75:d0:cd:05:79, i.e. base MAC + 9: WLAN 1 uses the base radio MAC itself, so WLAN ID n maps to base MAC + (n - 1).

Can you change this default behavior in H-REAP standalone mode? Since the AP config is controlled by the WLC, there is no permanent fix unless it becomes configurable from the WLC (or Cisco changes this behavior to comply with RFC 3580). If you really want to, you can modify the AP config locally, but the change will not survive an AP reboot.

If you configure "radius-server vsa send authentication", the AP sends the SSID to ACS as a Cisco vendor-specific attribute (Cisco-AVPair) rather than inside Called-Station-Id.
L1250-1#debug capwap console cli
This command is meant only for debugging/troubleshooting
Any configuration change may result in different behavior from centralized configuration.
CAPWAP console CLI allow/disallow debugging is on
L1250-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
L1250-1(config)#radius-server vsa send ?
  accounting      Send in accounting requests
  authentication  Send in access requests
  cisco-nas-port  Send cisco-nas-port VSA(2)
  <cr>
L1250-1(config)#radius-server vsa send authentication ?
  3gpp2  Send 3GPP2 VSAs in accounting requests
  <cr>
L1250-1(config)#radius-server vsa send authentication
Here is the output once this is configured locally on the AP. The SSID now arrives under "Cisco-AVPair", as you can see below.

There are also commands on the AP CLI to change how individual RADIUS attributes are formatted (for example "radius-server attribute 31 mac format ietf" for the "-" separated Calling-Station-Id form), but none of them makes what is sent RFC 3580 compliant in this scenario, since nothing appends the SSID to Called-Station-Id.
L1250-1(config)#radius-server attribute ?
  11        Filter-Id attribute configuration
  188       Num-In-Multilink attribute configuration
  218       Address-Pool attribute
  25        Class attribute
  30        DNIS attribute
  31        Calling Station ID
  32        NAS-Identifier attribute
  4         NAS IP address attribute
  44        Acct-Session-Id attribute
  55        Event-Timestamp attribute
  6         Service-Type attribute
  69        Tunnel-Password attribute
  77        Connect-Info attribute
  8         Framed IP address attribute
  list      List of Attribute Types
  nas-port  NAS-Port attribute configuration
L1250-1(config)#radius-server attribute 31 mac format ?
  default      format ex: 0000.4096.3e4a
  ietf         format ex: 00-00-40-96-3E-4A
  unformatted  format ex: 000040963e4a
L1250-1(config)#radius-server attribute 31 mac format ietf
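To make the standalone-mode problem concrete, here is a small Python checker that I have added to this post; it is not the post's own code and not anything from Cisco. It tests a Called-Station-Id / Calling-Station-Id pair against RFC 3580, normalises the MAC formats an IOS AP can send (the "default", "ietf" and "unformatted" forms from the "mac format" help above, plus ":" separated), derives the WLAN ID from a BSSID and the base radio MAC the way the standalone example above implies, and resolves the SSID for policy enforcement from Called-Station-Id, from a Cisco-AVPair, or from a locally kept BSSID-to-SSID table. Assumptions: the Cisco-AVPair carries the SSID as "ssid=<name>" (the post shows the SSID arriving in Cisco-AVPair but not the exact string), a radio has 16 BSSIDs with WLAN 1 on the base MAC, and the supplicant MAC 00-1A-2B-3C-4D-5E and the attribute strings are constructed from the post's values rather than copied from the ACS logs.

```python
"""Added example (not from the original post): RFC 3580 checks for
Called-Station-Id / Calling-Station-Id and SSID recovery for the H-REAP
standalone case, where the AP sends a bare BSSID instead of "<radio MAC>:<SSID>".
Sample attribute values are constructed from the figures in the post."""
import re

# RFC 3580 form: upper-case hex, octets separated by "-".
RFC3580_MAC = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")

# Any MAC form an AP may send ("-" or ":" separated, Cisco dotted, unformatted;
# cf. "radius-server attribute 31 mac format"), plus optional ":<SSID>" suffix.
STATION_ID = re.compile(
    r"^(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
    r"|[0-9A-Fa-f]{12})"
    r"(?::(?P<ssid>.*))?$"
)
BSSIDS_PER_RADIO = 16  # assumption: 16 BSSIDs per radio, WLAN 1 on the base MAC


def normalize_mac(raw):
    """Return the 12 lower-case hex digits of a MAC in any format above."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % (raw,))
    return digits


def to_ietf(mac12):
    """Render 12 hex digits the way RFC 3580 wants them: 00-10-A4-23-19-C0."""
    return "-".join(mac12[i:i + 2].upper() for i in range(0, 12, 2))


def parse_station_id(value):
    """Split a Called-Station-Id into (normalised MAC, SSID or None)."""
    m = STATION_ID.match(value)
    if not m:
        raise ValueError("unparseable station id: %r" % (value,))
    return normalize_mac(m.group("mac")), m.group("ssid")


def is_rfc3580_called(value):
    """Called-Station-Id must be '<IETF MAC>:<SSID>' with a non-empty SSID."""
    mac, sep, ssid = value.partition(":")
    return bool(RFC3580_MAC.match(mac)) and sep == ":" and ssid != ""


def is_rfc3580_calling(value):
    """Calling-Station-Id must be just the IETF-formatted supplicant MAC."""
    return bool(RFC3580_MAC.match(value))


def wlan_id_from_bssid(base_radio_mac, bssid):
    """The post's values (base ...05:70, BSSID ...05:79, WLAN ID 10) give
    BSSID = base + WLAN_ID - 1; assumed to hold for all 16 BSSIDs of a radio."""
    offset = int(normalize_mac(bssid), 16) - int(normalize_mac(base_radio_mac), 16)
    if not 0 <= offset < BSSIDS_PER_RADIO:
        raise ValueError("%s is not a BSSID of radio %s" % (bssid, base_radio_mac))
    return offset + 1


def resolve_ssid(attrs, bssid_table=None):
    """Find the SSID for policy enforcement, trying in order: the ':<SSID>'
    suffix of Called-Station-Id (RFC 3580), a Cisco-AVPair 'ssid=<name>'
    (assumed VSA format), then a local BSSID -> SSID table (standalone mode).
    Returns (ssid, source) or (None, None)."""
    ap_mac, ssid = parse_station_id(attrs["Called-Station-Id"])
    if ssid:
        return ssid, "Called-Station-Id"
    for av in attrs.get("Cisco-AVPair", []):
        if av.startswith("ssid="):
            return av[len("ssid="):], "Cisco-AVPair"
    if bssid_table and ap_mac in bssid_table:
        return bssid_table[ap_mac], "bssid-table"
    return None, None


def analyze(attrs, base_radio_mac=None, bssid_table=None):
    """Summarise one Access-Request: compliance flags, normalised MACs, the
    WLAN ID (only when the AP sent a BSSID, i.e. the non-compliant form) and
    the SSID found."""
    called, calling = attrs["Called-Station-Id"], attrs["Calling-Station-Id"]
    ap_mac, _ = parse_station_id(called)
    called_ok = is_rfc3580_called(called)
    wlan_id = None
    if base_radio_mac and not called_ok:  # standalone form carries the BSSID
        wlan_id = wlan_id_from_bssid(base_radio_mac, ap_mac)
    ssid, source = resolve_ssid(attrs, bssid_table)
    return {"called_rfc3580": called_ok, "calling_rfc3580": is_rfc3580_calling(calling),
            "ap_mac": to_ietf(ap_mac), "supplicant_mac": to_ietf(normalize_mac(calling)),
            "wlan_id": wlan_id, "ssid": ssid, "ssid_source": source}


# Constructed samples: the supplicant MAC is made up; AP values follow the post
# (L1250-1 radio MAC 54:75:d0:cd:05:70, WLAN ID 10, SSID RFC-3580).
CONNECTED_MODE = {"Called-Station-Id": "54-75-D0-CD-05-70:RFC-3580",   # WLC sends
                  "Calling-Station-Id": "00-1A-2B-3C-4D-5E"}
STANDALONE_MODE = {"Called-Station-Id": "54:75:d0:cd:05:79",           # AP sends
                   "Calling-Station-Id": "001a.2b3c.4d5e"}
STANDALONE_WITH_VSA = {**STANDALONE_MODE, "Cisco-AVPair": ["ssid=RFC-3580"]}
BSSID_TABLE = {"5475d0cd0579": "RFC-3580"}  # keys are normalised MACs

if __name__ == "__main__":
    for name, req in [("connected", CONNECTED_MODE), ("standalone", STANDALONE_MODE),
                      ("standalone+vsa", STANDALONE_WITH_VSA)]:
        print(name, analyze(req, base_radio_mac="54:75:d0:cd:05:70", bssid_table=BSSID_TABLE))
```

Running it shows the three cases from the post side by side: the connected-mode request passes both checks and yields the SSID from Called-Station-Id, the bare standalone request fails both and only yields the SSID through the BSSID table (with WLAN ID 10 recovered from the +9 offset), and the standalone request with the VSA enabled still fails the RFC 3580 checks but yields the SSID from Cisco-AVPair. A RADIUS policy that keys on SSID therefore needs either the VSA or a maintained BSSID table for standalone H-REAP APs.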
There is a support forum question related to this; hopefully Cisco will answer it once this is available on the WLC/H-REAP.
WLC Problem with append SSID in Called Station ID in H-REAP
1. EAP Overview
2. AAA Basics – Part 1
3. PEAP & EAP-FAST with ACS 5.2
4. AAA Override with ACS 5.2
I have a 5760 WLC, but using the command radius-server vsa send authentication did not send the SSID name to the ISE!!!!