, ,

As per the RFC3580 (IEEE 802.1X RADIUS Usage Guidelines) here are the definition of two terms “Called Station ID” & “Calling Station ID“. As you can see if your wireless deployment is RFC3580 compliant, you should get AP Radio MAC & SSID information as “Called Station ID” where as supplicant mac address as “Calling Station ID”. These are useful to enforce policies to your wireless traffic based on SSID information.

Called Station ID:
For IEEE 802.1X Authenticators, this attribute is used to store the
bridge or Access Point MAC address in ASCII format (upper case only),
with octet values separated by a "-".  Example: "00-10-A4-23-19-C0".
In IEEE 802.11, where the SSID is known, it SHOULD be appended to the
Access Point MAC address, separated from the MAC address with a ":".
Example "00-10-A4-23-19-C0:AP1".

Calling Station ID:
For IEEE 802.1X Authenticators, this attribute is used to store the
Supplicant MAC address in ASCII format (upper case only), with octet
values separated by a "-".  Example: "00-10-A4-23-19-C0".

We will see how this works in Cisco Local & H-REAP mode deployment. Here is the basic topology where I have two APs, WLC & ACS.


Here is the L1130-1 (Local Mode) AP information.


Here is the L1250-1 (H-REAP Mode) AP information.


I have configured WLAN called “RFC-3580” to test this out & configured for WAP2/AES & 802.1x for RADIUS authentication. Below picture shows the few important settings (H-REAP local switching) while most of others kept its default.


First of all we will test Local Mode AP (L1130-1) connection by connecting to this SSID & then go to ACS Monitoring logs. You would see something like this. As you can see “Called Station ID” is coming as “AP Radio MAC: SSID” which is comply to RFC3580. Also calling station ID appear as supplicant MAC address separated by “-” which is comply to the standard.


Now will test this with H-REAP mode. In H-REAP there will be two scenarios as “Connected” & “Standalone” mode. In connected mode, WLC will be sending authentication request to radius server where as in Standalone mode AP itself sending authentication request.

Here is the similar output when client is associated to H-REAP in Connected Mode. As you can see both parameters information is comply with RFC3580. Note that this time L1250-1 Radio MAC (54:75:d0:cd:05:70) is part of called station ID.


Finally we will test this in “H-REAP Standalone” mode. You can do this by shutdown the switchport connect to WLC.  You can verify this by using “show capwap reap status” on AP CLI.

L1250-1#show capwap reap status 
 AP Mode:         REAP, Standalone
 Radar detected on:

Here is the ACS log information this time. You can see clearly this time both Calling Station ID &  Called Station ID is not RFC3580 compliant (No SSID info in Called station ID & MAC info is not separated by “-“). If you looked carefully Called Station MAC address is not Radio MAC address (54:75:d0:cd:05:70) but BSSID which is derived from the base radio MAC address. Since my WLAN ID is 10, If you increment base MAC by 10 you will end up with 54:75:d0:cd:05:79 which is BSSID in this case.


Can you change this default behavior in H-REAP standalone mode ? Since AP config is controlled by WLC, unless it is configurable from WLC there is no permanent fix (unless Cisco Change this bbehavior to comply with RFC 3580). But if you really want you can modify AP config locally (but would not prevail if AP reboots)

If you configure “radius-server vsa send authentication” you can send the SSID information to ACS.

L1250-1#debug capwap console cli
This command is meant only for debugging/troubleshooting 
Any configuration change may result in different
behavior from centralized configuration. 

CAPWAP console CLI allow/disallow debugging is on
L1250-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z

L1250-1(config)#radius-server vsa send ?
  accounting      Send in accounting requests
  authentication  Send in access requests
  cisco-nas-port  Send cisco-nas-port VSA(2)

L1250-1(config)#radius-server vsa send authentication ?
  3gpp2  Send 3GPP2 VSAs in accounting requests

L1250-1(config)#radius-server vsa send authentication

Here is the output once configure this on the AP locally. SSID information coming under “Cisco-AVPair” as you can see below.


Looks like there are commands to change the radius attribute on the AP CLI, but none of this make information send is RFC 3580 compliant in this scenario.

L1250-1(config)#radius-server attribute ?
  11        Filter-Id attribute configuration
  188       Num-In-Multilink attribute configuration
  218       Address-Pool attribute
  25        Class attribute
  30        DNIS attribute
  31        Calling Station ID
  32        NAS-Identifier attribute
  4         NAS IP address attribute
  44        Acct-Session-Id attribute
  55        Event-Timestamp attribute
  6         Service-Type attribute
  69        Tunnel-Password attribute
  77        Connect-Info attribute
  8         Framed IP address attribute
  list      List of Attribute Types
  nas-port  NAS-Port attribute configuration

L1250-1(config)#radius-server attribute 31 mac format 
  default      format ex: 0000.4096.3e4a
  ietf         format ex: 00-00-40-96-3E-4A
  unformatted  format ex: 000040963e4a

L1250-1(config)#radius-server attribute 31 mac format  ietf

There is a support forum question related to this, Hopefully Cisco will answer to this when this available in WLC/H-REAP.

WLC Problem with append SSID in Called Station ID in H-REAP

Related Posts

1. EAP Overview
2. AAA Basics – Part 1
3. PEAP & EAP-FAST with ACS 5.2
4. AAA Override with ACS 5.2