WLC Radius source IP

Hi
I have just configured a 4404 WLC running 7.0.116 for PEAP with MSCHAPv2 and a load of APs. The Radius server is an old Cisco ACS 3.3 box the customer has and we are using self-signed certificates on the ACS.
It works fine but what I found strange was that the ACS sees the source IP of the radius packets as being the WLAN dynamic interface IP address on the WLC, not the WLC management IP. It stopped working until we noticed that, as the ACS was reporting an unknown NAS.
I thought that all AAA should be sourced as the WLC management IP address; in fact I have seen this stated in the WLC FAQ.
The management IP address is 172.18.0.2 /16 and the WLAN dynamic interface is 10.200.10.254 /24 with the ACS being 172.31.1.22, so it's not like the ACS is on a directly attached interface of the WLC either.
Any idea why it should be doing this?

Figured it out.
On the WLC the WLAN template for a couple of the controllers had
"Radius Server Overwrite interface"
selected, which does exactly this: changes the source IP from the management IP to the dynamic interface IP. Not sure why it was selected as it wasn't on the template for any of the other WLANs. But it's fixed now so that's good.

Similar Messages

  • ISE Deployment - Limit on Radius Sources?

    Greetings, 
    I am planning a change to our ISE deployment, and I am curious if there is a limitation to the number of Radius sources that can be added to the running config on the switches and APs.
    The majority of the switches are 2960 series and the APs are 2602 models.   
    Currently, we have two Radius Sources configured as follows:
    aaa group server radius rad_eap
     server X.X.X.X auth-port 1645 acct-port 1646
     server X.X.X.X auth-port 1645 acct-port 1646
    I need to know if I am able to add a third entry to that list, or if there is a hard limitation I am unaware of.
    Thank You.

    ISE questions will probably get more traction in the Security forum.
    That said, the answer is "it depends". It all depends on your design. Is your third server a Policy Services Node or an Inline Posture Node (IPEP)? Either way, one of those would generally be positioned so as to provide profiling, posture and enforcement services working in conjunction with the Admin server(s). If a server is not part of the overall architecture, it will not.
    All new ISE designs should be based on the Cisco-approved High Level Design (HLD) template. If you follow that and develop your Low Level design based on it, many of the typical questions should be answered.
    Hope this helps.

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate the IP phone when I use internal WLC radius with an "eap-fast" profile.
    The error message I received on a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my IP phone!
    Note1: I use a WLC with version: AIR-4400-K9-5-1-163-0 (AES)
    Note2: When I use LEAP it is OK
    Note3: When I try with my PC to authenticate in eap-fast with internal WLC radius, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds. No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me a detailed description of how WLC Radius Server Load Balance works?
    Because I encountered a problem of a user authenticated with the 1st Radius server, but the accounting records are actually on the 2nd server.
    Any response will be very much appreciated.
    -Angela

    Hi Angela,
    I pasted below the part of the config guide explaining the different modes. In summary:
    - Fallback off means: when the 1st radius server shows dead, WLC moves to the second, and will only change again when the 2nd is dead too.
    - Passive means: when the 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again.
    - Active means: WLC constantly sends radius probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    • off disables RADIUS server fallback.
    • passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    • active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • Radius source-interface not working ?

    I'm running IOS 150-2.SE2 on 3750-X switches.
    In my config, I have the command:
    ip radius source-interface Loopback1
    but all radius requests still have the source IP address of the "nearest" interface, not the loopback interface.
    Interface Loopback1 is up and is pingable from the radius server.
    Any suggestions?
    Thanks,
    GTG

    The only command I can see for controlling radius source address/interface is that global ip radius source-interface command.
    My full AAA configuration is:
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default group radius
    aaa accounting exec default start-stop group radius
    aaa accounting system default start-stop group radius
    ip radius source-interface Loopback1
    radius server radius1
    address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
    key 7
    GTG

  • WLC to RADIUS Source address ?

    Hi,
    What is the source interface/address the controller uses to communicate with the RADIUS server? Can I change it?
    I am waiting for your kind support.

    Hi,
    As far as I know it is the MGMT interface or the dynamic interface (only if the radius server is in the same VLAN). I think there is no option to change this behavior.
    Cheers
    Greg

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP address. The problem is that the Radius server doesn't respond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look OK - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy
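The two server-side behaviours seen in this thread (the original poster's ACS rejecting the request as an unknown NAS once the source IP changed, and the RFC 2869 silent discard Andy mentions above) can be reproduced offline. The following is an added example, not code from the thread or from Cisco: it builds a minimal Access-Request carrying NAS-IP-Address and Message-Authenticator, then applies the two checks a RADIUS server performs before any user lookup. The shared secret, username and the AAA-client table are constructed values; the IPs reuse the thread's addressing.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80


def _attr(atype, value):
    # Attribute = Type (1 byte), Length including this 2-byte header, Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, user, nas_ip, ident=1):
    """Client side: Access-Request with NAS-IP-Address and a valid Message-Authenticator."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    ma_offset = 20 + len(attrs) + 2  # byte position of the 16-byte HMAC value
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def parse_attributes(packet):
    """Yield (type, value, value_offset) per attribute; reject inconsistent lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen], pos + 2
        pos += alen


def server_check(packet, src_ip, aaa_clients):
    """Server side: the two checks that drop a request before any user lookup.
    aaa_clients maps NAS source IP -> shared secret, like an ACS AAA-client table (constructed)."""
    if src_ip not in aaa_clients:
        return "unknown NAS: %s" % src_ip  # source IP is not a configured AAA client
    secret = aaa_clients[src_ip]
    attrs = list(parse_attributes(packet))
    for atype, value, off in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(expected, value):
                return "silent discard: bad Message-Authenticator"  # RFC 2869 section 5.14
    nas_ip = next((socket.inet_ntoa(v) for t, v, _ in attrs if t == NAS_IP_ADDRESS), None)
    return "accept from NAS-IP-Address %s" % nas_ip
```

Sending the same packet from 10.200.10.254 (the dynamic interface) against a client table that only lists 172.18.0.2 yields "unknown NAS", which is the original poster's symptom; a secret mismatch or any tampered attribute yields the silent discard.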

  • WLC-Radius Integration..

    Hi
    I want to do the WLC authentication with radius. The problem is when I enter the username and password, in radius it shows authentication passed but in the telnet prompt it asks again for username and password as if the username/password were wrong.
    Attached are the debug capture of the WLC and the radius config summary.
    Can you please help me with the same?

    Hi
    I have observed a similar incident on Cisco.
    Problem Title
    Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
    Resolution: For the Remote Access Dial-In User Service (RADIUS) user to log in to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type. If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute. Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
    It seems everything is OK in the WLC and the radius attribute is the problem.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as:
    Passive: causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC RADIUS attribute with Cisco ISE

    Hi All,
    Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
    My Authentication Policy :
         Name: IsGuestAuthen
         IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
    My Authorization Policy :
         Name: IsGuestAuthen
         IF "Guest" THEN "InternetOnly"
    When I monitor on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
    Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
    Thanks,
    Pongsatorn Maneesud

    Exactly...here is the list of attributes sent in the access-request from the wlc -
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The framed IP address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLC Radius Credentials Caching

    We are using PEAP with ACS/AD as the external database. The issue or behavior that we are experiencing is that clients require a cached AD token for the user to authenticate against for the first time. The client does not get an IP until authenticated and therefore cannot contact the DC.
    We have shared laptops and it's not feasible to cache all AD profiles (tokens) to the laptop.
    Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow a user to authenticate against multiple laptops? Is the above behavior correct (cached token required)? Is there another approach to authenticating shared resources with PEAP/Radius(ACS)/AD?

    I have Radius authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that has never logged into a laptop (configured for AD) gets a "Domain not available" if we try via wireless for that user's first login. I fully understand the issue, which is that the client has not been issued an IP because they have not been authenticated.
    More than likely there is not a workaround for this scenario other than logging in via wired with the new AD user credentials, in effect caching the AD profile locally.
    What I would like to address, because my users are transient (nurses and doctors that share laptops), is how to lessen the number of times a wired login is needed by caching the AD account in the WLC. I may be off base as to the function of this feature but it's not very well documented (from what I have found).

  • WLC radius discussion

    Hi all,
    I have a mixed setup of WLC and autonomous APs in my network architecture. In our setup all wireless clients pass through MAC authentication and then user id/password authentication. I want the MAC authentication request to go to ACS server 1, while for user credential verification the request should go to server 2. In the autonomous AP I can achieve the requirement with the following configuration.
    aaa group server radius rad_eap
    server 172.X.Y.103 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    server 172.X.Y.104 auth-port 1812 acct-port 1813
    aaa authentication login mac_methods group rad_mac
    aaa authentication login eap_methods group rad_eap
    radius-server host 172.X.Y.103 auth-port 1812 acct-port 1813 key 7 120A0D16190E2C0C2B25201F6231361B2921
    radius-server host 172.X.Y.104 auth-port 1812 acct-port 1813 key 7 0448030704246C4608170120430F180C041C
    By the above configuration in AP I can send the mac auth request to 172.X.Y.104 server and EAP authentication to 172.X.Y.103 server.
    However, I want to do the same on my WLC also.
    Can anyone guide me on how to do the same in the GUI or through the command line?

    If you want to do MAC filtering on one WLAN and standard 802.1x on another you can select which RADIUS server to use in the Security tab -> AAA Servers of each WLAN. To do both on the same WLAN there is no functionality on the WLC to allow you to split the roles the way you want to. Sorry.
    -Eric
    Cisco Wireless TAC
    Sent from Cisco Technical Support iPhone App

  • WLC RADIUS Fallback Questions

    We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
    There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
    Can someone shed some light on how exactly this "cisco-probe" should work?
    Thanks!

    There are three modes to fall back:
    off - no fallback
    passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
    on - You configure a username and an interval. WLC sends the credentials to the 'dead' server at the configured interval.
    The password really doesn't matter, just that the WLC gets a packet back. So getting a reject back from the server would bring it back 'alive' in the AAA list.
    Make sense?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
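To make the server-selection behaviour of the three modes concrete (as described in Steve's reply above and in the earlier load-balance reply quoting the config guide), here is an added Python model; it is not code from the thread or from Cisco. The ignore period for passive mode and the probe interval for active mode are assumed numbers, since the thread does not state them; a dead server is brought back by any reply, including an Access-Reject to the probe user.

```python
class WlcRadiusFallback:
    """Model of which RADIUS server the next request goes to under the three WLC
    fallback modes. Timer values are assumptions; the thread does not state them."""

    def __init__(self, servers, mode="off", ignore_period=300, probe_interval=300):
        self.servers = list(servers)          # priority order; index 0 is the primary
        self.mode = mode                      # "off", "passive" or "active"
        self.ignore_period = ignore_period    # passive: seconds a dead server is skipped
        self.probe_interval = probe_interval  # active: seconds between probe requests
        self.dead_since = {}                  # server -> time it was marked inactive
        self.current = 0                      # off: index of the server currently in use

    def mark_dead(self, server, now):
        """A request to this server timed out (no Access-Accept or Access-Reject)."""
        self.dead_since[server] = now
        if self.mode == "off" and self.servers[self.current] == server:
            # off: move to the next server and stay there until it dies too
            self.current = (self.current + 1) % len(self.servers)

    def mark_alive(self, server):
        """Any reply, even an Access-Reject to the probe username, counts as alive."""
        self.dead_since.pop(server, None)

    def select(self, now):
        """Server for the next real user authentication."""
        if self.mode == "off":
            return self.servers[self.current]  # no automatic return to the primary
        for server in self.servers:            # highest priority first
            since = self.dead_since.get(server)
            if since is None:
                return server
            if self.mode == "passive" and now - since >= self.ignore_period:
                return server                  # passive: retry it with a real user request
        return self.servers[-1]                # everything is dead: use the last one

    def probes_due(self, now):
        """Active mode only: inactive servers that should receive a probe request now."""
        if self.mode != "active":
            return []
        return [s for s, since in self.dead_since.items() if now - since >= self.probe_interval]
```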

  • WLC - radius down, possible to have auth none as secondary?

    Let's say I have a 5508 WLC and have configured a WLAN with web-auth and radius authentication.
    The one and only configured radius server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? auth none as secondary?
    Appreciate any thoughts

    Chris,
    No, unfortunately not. Once you select 802.1X (Radius) you are bound to that security type. The controller will not allow non-EAP traffic on that WLAN unless it gets an EAP SUCCESS frame. The EAP success frame from the radius is sent to the WLC and it tells the WLC to open the controlled port to allow traffic to pass.
    Top of my head alternatives:
    You might consider another SSID with the same name with OPEN security. Manually enable after failure of the radius server.
    Create the user accounts on the WLC and allow the WLC to act as your radius server. If you have a large environment this may not be realistic.

  • WLC Radius Attribute support

    Hi,
    WLC is running the 4.0.217.203 version. I managed to find Document ID: 96103 but it did not mention the supported WLC version.
    Do I need to upgrade the WLC ?
    Regards,
    Ron
