MR RADIUS Accounting Username

Solved
rpendleton
Here to help

MR RADIUS Accounting Username

Has anyone else seen their RADIUS Accounting have the mac-address as the username? We've identified so far on iOS that a user successfully authenticates and the RADIUS accounting packet correctly sends "Username" as the AD username, but upon roaming new Accounting packets are sent with "Username" as the mac-address of the device. We're running 29.5.1, noticed it on 29.4, but pretty sure it affected us on 28.x. 

 

We use the accounting information to feed our content filtering system and filter base on their attributes in AD. With mac-address being sent it's obviously not working as intended. 

 

1 Accepted Solution
rpendleton
Here to help

Support has confirmed that this is not intended behavior. They noted that this behavior initially started in MR 28 and continued in MR 29. The 2 work arounds are to turn off 802.11r or downgrade to MR27

View solution in original post

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

That happens when MAB (MAC authenticatoin bypass) is enabled and the device can not authentication.

 

I can't find the specific document I want, but this document talks about this behaviour when using MAC based authentication.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_MAC-based_access_control_... 

rpendleton
Here to help

I'm unclear if that applies to me, based on the documentation you linked. I should have stated my configuration too. My SSID is configured "Enterprise with my Radius Server", with my RADIUS server being Cisco ISE and using Policy sets to authenticate against active directory. I also have 802.11r enabled but not in "adaptive" mode, which I'm unclear if that would make a difference. 

rpendleton
Here to help

Just to follow up with additional information. We've found in our environment it appears if we turn off 802.11r from the SSID, and not utilize fast transition roaming, then accounting information is correct when the client switches to a new AP. I'm not sure if it's by design that the mac-address is used as the username field when roaming between APs with 802.11r enabled or not. 

rpendleton
Here to help

Support has confirmed that this is not intended behavior. They noted that this behavior initially started in MR 28 and continued in MR 29. The 2 work arounds are to turn off 802.11r or downgrade to MR27

DavidMoyle
Just browsing

Thanks very much for publishing this data - We had a ticket with Meraki back in December regarding this however providing NPS Logs was not adequate for them to escalate as a bug.

Are you able to share your TAC / Support Case so we can add another customers also affected and hopefully increase the severity?

rpendleton
Here to help

TAC Case is 09221286. We provided them with multiple pcaps showing that the AP itself was sending mac-address in the radius auth.

DavidMoyle
Just browsing

I have received an update that the beta released this week, MR 31.1.1 should resolve this issue however have not tested yet.

 

Bug Fixes

  • Roaming-related issues with 802.11r configured SSID

 

If anyone can update their experiences would be great!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels