Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
Any ideas of what might be the issue or misconfiguration?

Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik

Similar Messages

  • Creating new Bridge Group names in Cisco 5508 WLC??

    How do we Create new Bridge Group names on Cisco 5508 WLC, with 1552E Access Point??

    You create it on the 1552 once the AP joins.  One it joins, you will have to choose that AP and then set the AP mode to Bridge and then apply.  This will reboot the AP.  Once the AP comes back, you will have a MESH tab on that specific AP or any AP that you have set to Bridge mode.  You then set the AP role and the bridge group name there.  Here is an older MESH deployment guide to follow.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70mesh.html
    Scott

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
    I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
    So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
    I will like to know if it is possible to configure it and how I can do it ?
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • When WLC authenticate users with secondary RADIUS server?

    Hi Sir,
    I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
    I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

    Hi,
    I navigated to the following on the WLC:
    MANAGEMENT -> SNMP -> Trap Logs
    I noticed the following SNMP trap:
    Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
    I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
    I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
    On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
    Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
    There are Passed Authentications logged on the 1st ACS server after during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • WLC WLAN Authentication from External RADIUS Server

    Dears,
    How to make WLC Receive PoD (Packet of Disconnect) from the RADIUS server to terminate the session and disconnect authenticating clients.
    Thanks,

    Hi Ahmed,
    Its not documented well, but here is it:
    CSCso52532 No Documentation for sending RADIUS Disconnect-Request (RFC 3576)
    . If a user has to be logged out then, following attributes are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value.
             SSH_RADIUS_SERVICE_TYPE_LOGIN(1)
           - SSH_RADIUS_AVP_CALLING_STATION_ID(31) - this is needed, if
                  we want to delete  particular user  session via particular device
                  (like PDA, Phone or PC)
           - SSH_RADIUS_AVP_USER_NAME(1)
    . If a management user has to be logged out then, following attributes
    are expected
      - SSH_RADIUS_AVP_SERVICE_TYPE(6) attribte with following value
      - SSH_RADIUS_SERVICE_TYPE_ADMINISTRATIVE
                          OR
       - SSH_RADIUS_SERVICE_TYPE_NAS_PROMPT
       - SSH_RADIUS_AVP_USER_NAME(1)
       - SSH_RADIUS_AVP_FRAMED_IP_ADDRESS(8)
    Eg:
    *Dec 17 12:59:08.926:   Packet contains 14 AVPs:
    *Dec 17 12:59:08.926:       AVP[01] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:08.926:       AVP[02] Nas-Port.................................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[03] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[04] Framed-IP-Address........................0x0a003f1b (167788315) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[05] NAS-Identifier...........................wlcRM_1 (7 bytes)
    *Dec 17 12:59:08.926:       AVP[06] Airespace / WLAN-Identifier..............0x00000004 (4) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[07] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:08.926:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[11] Tunnel-Group-Id..........................0x3633 (13875) (2 bytes)
    *Dec 17 12:59:08.926:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:08.926:       AVP[13] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:08.926:       AVP[14] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:10.943: 00:1c:26:cb:27:71 Accounting-Response received from RADIUS server 10.0.71.249 for mobile 00:1c:26:cb:27:71 receiveId = 0
    *Dec 17 12:59:34.044: Received a 'RFC-3576 Disconnect-Request' from 10.0.71.249
    *Dec 17 12:59:34.044:   Packet contains 6 AVPs:
    *Dec 17 12:59:34.044:       AVP[01] Nas-Ip-Address...........................0x0a0047fb (167790587) (4 bytes)
    *Dec 17 12:59:34.044:       AVP[02] User-Name................................user@domain (17 bytes)
    *Dec 17 12:59:34.044:       AVP[03] Acct-Session-Id..........................4b2a1d0c/00:1c:26:cb:27:71/4 (28 bytes)
    *Dec 17 12:59:34.044:       AVP[04] Calling-Station-Id.......................10.0.63.27 (10 bytes)
    *Dec 17 12:59:34.044:       AVP[05] Called-Station-Id........................10.0.71.251 (11 bytes)
    *Dec 17 12:59:34.044:       AVP[06] Service-Type.............................0x00000001 (1) (4 bytes)
    *Dec 17 12:59:34.044: Error cause 503 generated for 'RFC-3576 Disconnect-Request' from 10.0.71.249 (Session Identification attributes not valid)
    *Dec 17 12:59:34.045: Sent a 'RFC-3576 Disconnect-Nak' to 10.0.71.249:3799
    *Dec 17 12:59:36.561: ****Enter processIncomingMessages: response code=5
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • Using root bridge as a fallback radius server for WPA and EAP

    From reading the different documentation out there, it seems that one should be able to configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable. Has anyone encountered this situation? And could they share the steps and configuration statements to apply the bridges (1310 or 1410) in order to make this happen?
    Many Thanks and Regards,
    Giles -

    Yes, you have to first configure a root bridge as a fallback radius server in case a primary radius server were to be unreachable

  • WLC configuration for EAP-TLS

    Hi,
    I am tring to set up a Cisco WLC 2006 with EAP-TLS + WPA.
    Everytime I try to log in to the network my wireless card gives a message saying " validating user", but nothing else happens.
    I cannot find any manual for configuring this. Can anyone perhaps assist?
    Regards
    Dean

    More details would be helpful:
    What RADIUS server are you using, what CA are you using, where (what VLAN) they located, which port of the WLC are you connected to (RADIUS/CA)?
    Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
    Having this info will be a good start ...
    Let us know
    Scott

  • Radius server for lab work

    I am studying Routing & Switching, but I also need to have a general understanding of the security features: AAA authentication, dot1x etc. It is probably the weakest link in my chain of knowledge because I have never used those
    features.
    I really need to play with the protocols in the lab to get a basic understanding of them. Is there some cut-down Radius server, preferably freeware running on a PC, that can be used for basic lab work? Can someone guide me through obtaining and installing it?
    Kevin Dorrell
    Luxembourg

    Hi Kevin
    You should be able to get an eval license for Cisco's Secure ACS that you could use in the lab. It is free for download on the Cisco site.
    It does run out after 3 months so it depends on how long you need it for.
    The other option is to use the Microsoft Radius server (IAS) which comes with the W2K Advanced server. I haven't used it so i can't really comment other than that.
    HTH
    Jon

  • Radius server for Sun Java directory Server?

    I want to know what products does offer Sun for provide a radius server using the Sun Java Directory Server..
    I have only seen Sun Access Manager, but it is a complex/expensive product for use only the radius server
    Regards

    Nope
    This is part of the Oracle Lifetime Support policy:
    http://www.oracle.com/us/support/lifetime-support/index.html
    'OLD' products can/may still be supported under *SPECIAL* support contracts. So if you're entitled to its support, you can access it. Otherwise, I'm afraid the answer is no.
    HTH,
    Marco

  • Setting Radius server for Airport Extreme

    Hi all,
    I have AP Airport Extreme. I updated it to the latest version of firmware and Airport utility.
    I am trying to set the AP to connect to Microsoft Radius server (Windows server 2003). The problem is that in the security, I don't have WPA/WPA2 Enterprise. I only have WPA/WPA2 personal. I do have option to configure the radius properties (IP, Port, etc'...).
    What should I do in order to set my AP to connect to Microsoft Windows server 2003?
    Thanks for your help.

    About the only one I'm aware of is the D-Link DPR-1260, which supports up to 4 printers. I have the predecessor to this print server, but it was horribly unreliable, requiring a reboot at least once a day, so YMMV. I settled on a Buffalo WLI-TX4-G54HP wireless-to-Ethernet bridge (with built-in 4-port Ethernet switch) and use my Belkin F1UP0001 in Ethernet mode. This combination gives me the option of adding network-enabled printers at a later date.

  • Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

    Dear Folks,
    Kindly, suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should i keep default all or change or some of them?
    Also, what do we need reauthentication timers? Any benefit to use it? Does it prompt to users or became invisible? and What are the best values, in case if we need to use it?
    Thanks,
    Regards,
    Mubasher
    My Interface Configuration is as below;
    interface GigabitEthernet1/34
    switchport access vlan 131
    switchport mode access
    switchport voice vlan 195
    ip access-group ACL-DEFAULT in
    authentication event fail action authorize vlan 131
    authentication event server dead action authorize vlan 131
    authentication event server alive action reinitialize
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    snmp trap mac-notification change added
    dot1x pae authenticator
    dot1x timeout tx-period 5
    storm-control broadcast level 30.00
    spanning-tree portfast
    spanning-tree bpduguard enable

    Hello Mubashir,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • Use Sol8 intel as install server for NetraX1. possible?

    I spend several days trying to reinstall the Solaris 8 10/01 into my brand new Netra X1 server. but no luck.
    this is my first and only sparc server. i'm using Solaris 8 intel as install server and install the netra drivers...
    my question is:
    is it possible to using Solaris 8 intel as install server for Netra X1 net install?
    I don't think i will buy one more sparc machine in this reason.
    Chris

    Yes, you can use an X86 box to install Solaris Sparc to a Netra X1.
    First, you must be using InfoDoc 26310 ( available on SunSolve).
    In between steps 6 & 7 of that procedure you must do the following:
    After applying the mis.netra-x1.259-3836-03 script you will need to add the dmfe driver to the boot image served out by your jumpstart server. This is done at the shell prompt as root. Please note that in the example below the root image is located at: /jumpstart/2.8/sparc_1001/Solaris_8/Tools/Boot
    on the example server. This location will vary depending on the setup of your server. The example is used to illustrate the point that you must specify the whole path all the way to the alternate root that is served across the network to your client. The sample command line is:
    # add_drv -b /jumpstart/2.8/sparc_1001/Solaris_8/Tools/Boot -m "* 0600 root sys" -i '"pci128h,9102" "pci1282,9102" "ethernet"' dmfe
    This can also be broken out using backslashes as follows:
    # add_drv -b /jumpstart/2.8/sparc_1000/Solaris_8/Tools/Boot \
    -m "* 0600 root sys" \
    -i '"pci128h,9102" "pci1282,9102" "ethernet"' dmfe Note that the ">" symbols will be added as you hit return after each "\".
    The above procedure must be done to each boot image you wish to install. For example, if you have a 10/2001 image and a 01/2001
    image that you use for different configurations, you will need to add the dmfe driver to both .../Solaris_8/Tools/Boot directories.
    Proceed with step 7 and beyond in the procedure from Info Doc 26310 to complete your installation.

  • Need reasons not to use SMB/win2003 as file server for mac clients

    hey guys,
    i'm looking for reasons not to use windwos2003 as fileserver with smb for use with os x in a graphic production environment.
    can someone help? just need a sum up for "internal use"
    smb seems to be slower than afp
    etc...
    thank you!

    Well, it tends to be that saving over the network from Adobe and Quark apps "just works better" over AFP than it does over SMB.
    Put another way, people wouldn't be paying $4000 for a software license form Extreme-ZIP so they can serve AFP from a Windows 2003 server if there wasn't a real benefit to this. You can get an Xserve for this same $4000

  • 5508 WLC to Server2008 NPS Radius

    I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. Can anyone tell me the required client setup to satisfy the MS NPS?

    NPS properties attached

Maybe you are looking for