Has anyone else seen their RADIUS Accounting have the mac-address as the username? We've identified so far on iOS that a user successfully authenticates and the RADIUS accounting packet correctly sends "Username" as the AD username, but upon roaming new Accounting packets are sent with "Username" as the mac-address of the device. We're running 29.5.1, noticed it on 29.4, but pretty sure it affected us on 28.x.
We use the accounting information to feed our content filtering system and filter based on their attributes in AD. With mac-address being sent it's obviously not working as intended.
That happens when MAB (MAC authentication bypass) is enabled and the device cannot authenticate.
I can't find the specific document I want, but this document talks about this behaviour when using MAC based authentication.
I'm unclear if that applies to me, based on the documentation you linked. I should have stated my configuration too. My SSID is configured "Enterprise with my Radius Server", with my RADIUS server being Cisco ISE and using Policy sets to authenticate against active directory. I also have 802.11r enabled but not in "adaptive" mode, which I'm unclear if that would make a difference.
Just to follow up with additional information. We've found in our environment it appears if we turn off 802.11r from the SSID, and not utilize fast transition roaming, then accounting information is correct when the client switches to a new AP. I'm not sure if it's by design that the mac-address is used as the username field when roaming between APs with 802.11r enabled or not.
Support has confirmed that this is not intended behavior. They noted that this behavior initially started in MR 28 and continued in MR 29. The 2 workarounds are to turn off 802.11r or downgrade to MR27.
Thanks very much for publishing this data. We had a ticket with Meraki back in December regarding this; however, providing NPS logs was not adequate for them to escalate as a bug.
Are you able to share your TAC / Support Case so we can add another customer also affected and hopefully increase the severity?
TAC Case is 09221286. We provided them with multiple pcaps showing that the AP itself was sending mac-address in the radius auth.
I have received an update that the beta released this week, MR 31.1.1, should resolve this issue; however, I have not tested it yet.
Bug Fixes
If anyone can update with their experiences, that would be great!
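A check for the symptom reported in this thread, as an added example that is not part of any post and is not Meraki or Cisco ISE code: it scans parsed RADIUS accounting records and flags any whose User-Name is only the client's own Calling-Station-Id. The record layout (one dict per accounting packet, keyed by standard RADIUS attribute names) and the sample records are assumptions constructed for illustration.

```python
import re

# Common MAC renderings: aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff,
# aabbccddeeff and aabb.ccdd.eeff (which one the AP uses is an assumption).
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)


def normalize_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC, else None."""
    value = (value or "").strip()
    if not _MAC_RE.match(value):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())


def find_mac_usernames(records):
    """Flag records whose User-Name equals the station's own MAC address.

    previous_user is the last real User-Name seen for that station: a hint
    for the analyst, not a verified identity for the new session.
    """
    last_user = {}  # station MAC -> last non-MAC User-Name
    findings = []
    for rec in records:
        station = normalize_mac(rec.get("Calling-Station-Id"))
        user = rec.get("User-Name") or ""
        if station is None:
            continue
        # Comparing with the station avoids flagging a hex-looking real username.
        if normalize_mac(user) == station:
            findings.append({"session": rec.get("Acct-Session-Id"),
                             "nas": rec.get("NAS-Identifier"),
                             "station": station,
                             "previous_user": last_user.get(station)})
        elif user:
            last_user[station] = user
    return findings


# Constructed sample: a client authenticates on ap-1, then roams to ap-2.
SAMPLE = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "S1", "NAS-Identifier": "ap-1",
     "Calling-Station-Id": "AA-BB-CC-11-22-33", "User-Name": "jdoe"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "S2", "NAS-Identifier": "ap-2",
     "Calling-Station-Id": "AA-BB-CC-11-22-33", "User-Name": "aabbcc112233"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "S3", "NAS-Identifier": "ap-2",
     "Calling-Station-Id": "00-11-22-33-44-55", "User-Name": "deadbeefcafe"},
]

if __name__ == "__main__":
    print(find_mac_usernames(SAMPLE))
```

Running this over the accounting feed before it reaches a content filter shows which sessions would lose their AD-based policy, and on which AP the bad record originated.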