Guest

Preview Tool

Cisco Bug: CSCus07013 - Adding mac filter check when client is changing SSID for webauth

Last Modified

Feb 24, 2018

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.4(121.0) 8.0(110.5)

Description (partial)

Symptom:
5508 with 7.4.121.0,  AP model are 1142+2602 (local model).
 
SSID 7 :  mac filter(external MS NPS server A)+ mac auth on mac filter failure (external portal against MS AD A)
SSID 9 : WPA/WPA2 PSK
SSID 11: mac filter(external MS NPS server B)+ mac auth on mac filter failure (external portal against MS AD B)
 
The two MS NPS servers for SSID 7 and 11 are different, the two external portal for SSID 7 and 11 are also different.
 
We run the below test with a device(the mac of this device is in MS NPS server A but not in MS NPS server B)
 
Client connect to SSID7 first, then he switch to SSID 11, the mac auth will failed as expected, but he found that he will not be redirected for web auth and will be granted for internet access, the state is ?RUN?
Client connect to SSID9 first, then he switch to SSID 11, the symptom is the same as the 1st one
Remove the client session on WLC, client connect to SSID 11 directly, he will be redirected to web auth and the state is ?Webauth_REQ?

So it seems that if there is existing session for this client on WLC, the client can connect the SSID 11 without web auth...

Conditions:
with fast SSID change enabled
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.