Radius Users able to access Wifi after being removed from group

jbudd
Comes here often

Radius Users able to access Wifi after being removed from group

Hello,

 We have our wifi configured to use RADIUS authentication Via a Windows NPS server with MSCHAPv2. I have a user that graduated last year and has been removed from AD, however his credentials are still working to allow users access to the wifi. How do I go about revoking wifi access for this user, is there a cache that I need to clear? Again the user has been removed from AD and we are using a Windows NPS server not the built in meraki radius database.

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

Check out the security log on NPS (event IDs 6272 and 6273).

 

NPS will say whether it granted or denied the user access.  If it says it granted the user access, look at the reason why.  Which policy granted access.

 

Once you understand why NPS allowed access, you should be able to take steps to prevent that access.

@jbudd his account must still be active somewhere, radius much like LDAP doesn't cache a users credentials.

 

 

Looking at it from a slightly different angle is the user still using their original credentials, is someone else using that persons credentials or is the original user using a curent users credentials? What I am trying to get at is how did this come to your attention as this might help you solve whats going on. 

I believe it is another user using the original users credentials. We only allow a small number of students access to the specific wifi SSID. They must have an accommodation to be granted access. I noticed the issue because there was a high number of students on the SSID in question. When I looked up this particular student in AD I was unable to locate their account. I did a search using powershell as well as ADUC. I found the student in our student information system, he graduated last year, but our SIS is in no way tied to AD. 

 

I went over to the school and tried to authenticate to the wifi with my cell phone and I was blocked. When I look in the Meraki dashboard at the clients page I see my phone with the students name, and it only shows 6kb of usage. Maybe I am interpreting the dashboard incorrectly, I thought it would only show me users that are actually authenticated.

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

I think you might be looking at the client name, which appears to be incorrect.

 

Under network Wide/Clients, click on the spanner on the far right-hand side, and tick "User" to add the username column.  Then you can see the username that was used to authenticate the device.

You might find the student from last year sold their device to a student from this year - so the device name is the same, but they are actually logging in with a new username.

jbudd
Comes here often

I appreciate the help, but I am indeed looking at the User Column. 

 

It appears for one reason or another that I am seeing clients in the Meraki dashboard even though they are being denied access to the wifi. I took my cell phone over to the building where the user is appearing and I tried to access the wifi using the user in questions credentials. I got a message saying there was a problem connecting and it would not let me on the network. When I got back to the office, I see the username in question associated with the mac of my cell phone. It showed that only 2kb of traffic had been used by the device. My guess is that during the RADIUS hand shake the clients are momentarily added to the network, and then denied access if they don't match any of my NPS rules. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels