Wednesday, 22 January 2014

Cisco WLC 802.1X Client Exclusion Sometimes Doesn't Work...

I came across an issue recently and though I'd blog it for others...  Cisco WLC client exclusion not working for some 802.1X clients.  In my case this is using CUWN (WLC v7.x, Cisco ACS v5.3).

This issue effects what I call the 'basic' BYOD setup.  Where certificates aren't in play and AD is referenced directly by the client using EAP methods - i.e. PEAP (MS-CHAP-V2).

The issue being reported was AD account lockout being triggered by WLAN clients.  I thought that this would be unlikely as the WLC excludes clients by MAC when they are failing consistently.  The WLC registers RADIUS-REJECT messages and after 3 failures excludes the client.  The WLC drops all RADIUS requests from the excluded client MAC for the period of the exclusion timer (as configured for the WLAN).

I began testing with an iPhone 4 (iOS 7) and sure enough it was able to generate as many failed authentications as it liked without being excluded.  The client debug and AAA logs showed that the WLC isn't excluding the client because it re-associates after just one RADIUS-REJECT message.  The RADIUS-REJECT counter on the WLC never reaches 3 and the client isn't excluded.  Exclusion works fine for clients that repeat 3 auth attempts without disassociating.

I wonder why the WLC would purge the RADIUS-REJECT count when the client disassociates?  Is this by design or due to changes in modern 802.11 driver logic?  I think Windows drivers tend to play more nicely.

The moral of the story here is that this is one (of potentially many) ways that the AD is opened to malicious attack.  Get smart and implement additional measures to protect AD.  For the WLAN use EAP-TLS authentication.  Implement two-factor auth for all other public-facing services.

Have a look at my Building BYOD blog for further info on securing your BYOD services.