MR RADIUS Accounting Username

Solved
rpendleton
Here to help


Has anyone else seen their RADIUS Accounting have the mac-address as the username? We've identified so far on iOS that a user successfully authenticates and the RADIUS accounting packet correctly sends "Username" as the AD username, but upon roaming new Accounting packets are sent with "Username" as the mac-address of the device. We're running 29.5.1, noticed it on 29.4, but pretty sure it affected us on 28.x.

We use the accounting information to feed our content filtering system and filter based on their attributes in AD. With mac-address being sent it's obviously not working as intended.

1 Accepted Solution
rpendleton
Here to help

Support has confirmed that this is not intended behavior. They noted that this behavior initially started in MR 28 and continued in MR 29. The 2 workarounds are to turn off 802.11r or downgrade to MR27.

PhilipDAth
Kind of a big deal

That happens when MAB (MAC authentication bypass) is enabled and the device cannot authenticate.

I can't find the specific document I want, but this document talks about this behaviour when using MAC based authentication.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_... 

I'm unclear if that applies to me, based on the documentation you linked. I should have stated my configuration too. My SSID is configured "Enterprise with my Radius Server", with my RADIUS server being Cisco ISE and using Policy sets to authenticate against active directory. I also have 802.11r enabled but not in "adaptive" mode, which I'm unclear if that would make a difference. 

rpendleton
Here to help

Just to follow up with additional information. We've found in our environment it appears if we turn off 802.11r from the SSID, and not utilize fast transition roaming, then accounting information is correct when the client switches to a new AP. I'm not sure if it's by design that the mac-address is used as the username field when roaming between APs with 802.11r enabled or not. 

Thanks very much for publishing this data. We had a ticket with Meraki back in December regarding this; however, providing NPS logs was not adequate for them to escalate as a bug.

Are you able to share your TAC / Support Case so we can add another customer also affected and hopefully increase the severity?

TAC Case is 09221286. We provided them with multiple pcaps showing that the AP itself was sending mac-address in the radius auth.
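
One way to check accounting data for the symptom described in this thread (an added example, not from any poster or from Meraki): flag accounting records whose User-Name is just the client's MAC from Calling-Station-Id, and report the last real username seen for that device. The sample records and their `attribute = value` layout are constructed assumptions; the attribute names are the standard RADIUS ones.

```python
import re

# Constructed sample accounting records (not from the thread). The
# "Attr = value" layout with blank-line separators is an assumption.
SAMPLE = """\
User-Name = "jdoe"
Acct-Status-Type = Start
Calling-Station-Id = "AA-BB-CC-11-22-33"
NAS-Identifier = "ap-lobby"

User-Name = "aabbcc112233"
Acct-Status-Type = Start
Calling-Station-Id = "AA-BB-CC-11-22-33"
NAS-Identifier = "ap-hall"

User-Name = "asmith"
Acct-Status-Type = Interim-Update
Calling-Station-Id = "AA:BB:CC:44:55:66"
NAS-Identifier = "ap-hall"
"""

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def norm_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC, else None."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if MAC_RE.match(digits) else None

def parse_records(text):
    """Split blank-line-separated blocks into dicts of attribute -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            name, _, value = line.partition("=")
            rec[name.strip()] = value.strip().strip('"')
        records.append(rec)
    return records

def find_mac_usernames(records):
    """Flag records whose User-Name equals the client's own MAC address."""
    last_user = {}   # client MAC -> last non-MAC User-Name seen
    findings = []
    for rec in records:
        mac = norm_mac(rec.get("Calling-Station-Id", ""))
        user = rec.get("User-Name", "")
        if mac and norm_mac(user) == mac:
            findings.append((mac, rec.get("NAS-Identifier"), last_user.get(mac)))
        elif mac and user:
            last_user[mac] = user
    return findings
```

Each finding is a tuple of client MAC, the reporting NAS-Identifier, and the last real username seen for that MAC (or `None`), which is the identity the content filter would otherwise lose after the roam.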
