WLC 5508 Radius Server

what is the authentication list precedence for radius authentication?
global list       network user checkbox
per wlan        aaa server add
global list       network user uncheck
i  have 3 radius server, 2 of which are use for gloabl authentication(all  ap are hreap) and a 3rd one use only for 1 site, when the 2 first radius  server fails the wlc use the 3rd one, but the 3rd only has database for  1 site users,
do  i need to uncheck the network user checkbox on the 3rd radius and  create a hreap group then associate the 3rd one?  i dont want the 3rd  radius to be able for the gloabl list to take this as normal globla  radius. any commnets?

Osvaldo,
Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
Quote:
Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
AAA server defined on WLAN takes precedence over global.

Similar Messages

  • WLC 5508 & Windows Server 2008 radius

    Hello guys, I need some bailout here. I have a WLC 5508 which i have configured for AP's but i would like to use the windows server 2008 as the radius server to authenticate the Active directory users.
    Can i use a separate windows server 2008 as the radius server or I have to use the same server working as the Active directory?
    I don't want to request unnecessary server from my client.
    Rgds,
    Anthony

    I am trying to take my WLC 5508 and have backend authentication through LDAP using web auth. i have tried and tried to set this up but it fails everytime.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    I used that document to get me most of the way there but i cant get the part in the WLC where i go to SECURITY>AAA>LDAP, from here i click on the SERVER index that I want to use which is 1 and not sure what creditenals to put in some of those fields on there. the fields are USER BASE DN: , USER ATTRIBUTE: , and USER OBJECT TYPE: .  I have tried to do it as the link says from above but it just does not work.

  • Wlc 5508 radius authentication fail

    I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
    so settings are:
    Layer Wlan settings:
    Layer 2 security:WPA+WPA2
    AES
    Auth Key mgmt:802.1x
    We have the authentication server enabled:
    Ip an port are correct
    AAA overide not enabled
    Order for authentication, radius only
    Advanced: dafault settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning of the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
    Sent from Cisco Technical Support iPhone App

  • WLC log RADIUS server failed to respond to request

    I'm keep on getting same couple MACs being failed.  I was hoping somebody has more inside about this?  Radius server is pingable from WLC. People are authenticating.  Please let me know what log should I provide.  Thank you in advance.
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    3
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'
    4
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'
    5
    Thu Feb 20 16:22:00 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 75) for client 24:77:03:26:86:7c / user 'unknown'
    6
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'
    7
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    8
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'

    You should look at the ACS logs as that will give you a better idea of the failure.
    Sent from Cisco Technical Support iPhone App

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't repond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    Mt production ACS cluster was upgraded from latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy

  • Radius server 00.00.00.00 deactivated in global list

    Hi
    we unable to authenticate the users connecting to WLC over EAP-FAST from the ACS 5.1.
    AD is integrated with the acs....
    The error msg coming in wlc is :Radius server deactivated in global list
    Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
    I find that problem with time skew error happen between the AD and ACS. But after i configured ntp server in acs the problem
    still exist.
    I removed the controller from the acs and added back, same thing done in controller(reconfigured aaa settings).
    But the problem not resolved
    Thanks
    Subhash

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • WLC 5508 and Microsoft Radius Server 2008

    Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
    I have couple of questions:
    1, Does WLC 5508 support MS NPS on Server 2008 R2?
    2, Are there any good document showing how to configure this?
    Thanks

    Hadisharifi,
    There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
    Configure the WLC for RADIUS Authentication through an External RADIUS Server
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
    Fo the NPS side configuration, you may consider the attached document.
    Regds,
    JK
    Do rate helpful posts-

  • EAP-TLS on WLC 5508 agains IAS RADIUS

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hi, anyone experienced issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
    I got “Access-Accept” debug message received from RADIUS server.
    However the wireless client failed to connect.
    Below is partially the debug message from the WLC
    Any feedbacks are welcome
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
    Below are the outputs for the eap advanced config
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • Does WLC 5508 (7.2) support PEAP to MS radius?

    Hi,
    I'm running version  7.2.111.3 on my WLC 5508 and I try to figure out how I can set PEAP towards my configurerd Radius servers.
    On my Local EAP profile I can specify PEAP, but how is it default configurerd when you just specify the radius servers on the "WLANs > Edit Test > security > AAA servers tab ?
    The MS radius logs tell me that it is EAP and not PEAP, so the questions is does the WLC support Microsoft: Protected EAP ???
    Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ???
    *Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
    *Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius  EAP/Local WLAN 3.
    Thanks in advance,
    Michel

    you're right +5. looks like it sort of gives more granular selection/priority, if we don't want to use any AAA from global when all the configured AAA on WLAN failed then it will be useful.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html
    Step 16
    Select the
    Network User
    check box to enable network user authentication (or accounting), or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.

  • WLC 5508 LDAP Windows 2008 Server - auth based on AD groups

    hi NG,
    i'm trying to web-authenticate my Wifi user of an WLC 5508 against LDAP.
    Thereby i'm trying to autenticate all users within a GROUP, not an OU within the MS Active Directory based upon an Windows 2008 Server.
    I can authenticate against a user, witch is beeing put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    Checking based upon Users within OUs works fine.
    But i have not got all of those users wihin one single OU!
    Need help for following:    LDAP-Auth based on AD Groups:
    Using:
    MS-Domain:                          MY-DOMAIN.CH
    AD-GROUP:                          VPN-USERS
    AD-Structure:
    MY-DOMAIN.CH
    |
    GROUPS
            |
        Administrative Groups
                          |
                     VPN-USERS
                              (-> Member of this Groups (Wireless1, Wirless2, ...)
    Server Adress:               IP.IP.IP.IP
    Port:                                 389
    Enable Server Stats      YES
    Simple Bind                    Authenticated
    Bind Username              LDAP-USER
    Bind Password               supersecret
    Bind Passw. confirm      supersecret
    User Base DN:               ?-1-?
    User Attribute:                ?-2-?
    User Object Type:          Person
    Server Timeout               2
    What happens for instance, if i put a GROUP within a GROUP regarding the LDAP Authentication.
    I guess i have to authenticate against the "upper" GROUP, or do i have to create an entry on the WLC for every GROUP i'm questoning?
    Could some one provide my with an example, since i have not found documentation regarding this topic.
    Thank you.

    Hi,
    User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
    Remember that the User Base DN is also used for the admin user.
    In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
    Example :
    OU=Employees,OU=Humans,DC=Mydomain,DC=CH
    This would prevent to search in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under employees, it doesn't matter
    Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
    If what you are looking for is to restrict access and only authenticate people who belong to a certain group. Then you need a radius server like ACS.
    That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Cisco WLC 5508 - NPS Radius

    Cisco WLC 5508
    Software Version: 7.4.100.0
    Windows Server 2008R2
    I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
    I added the radius server on the WLC, and configured a new WLAN to use it.
    Both are on the same subnet.
    When trying to conect to the WLAN it kept failing.  I installed wireshark on the server to monitor the radius traffic, and to my surprise there was no radius traffic showing up on the server.  The radius statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting Radius.
    I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a radius test client, and can successfully send radius commands to the server using that utility.
    Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw radius activity on wireshark.  It rejected my access, but at least I saw activity.  It also registerd radius statistcs on the WLC as well.
    So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
    What in the world is going on here?

    I do have local management users on the controller.
    Some hours later I added the option of authenticating management users, for the NPS server. Then logged inn to the management GUI using NPS radius, worked just fine.
    However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
    auditpol /get /subcategory:"Network Policy Server"
    If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    So now I know that the NPS radius server works, for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide wihich to blame - the WLC or NPS.

  • WLC 5508 and ACS server

    Hi,
    Apologies if this has been answered before. I did a search, but unable to find anythimg.
    What I would like to do is be able to have a WLC 5508 as the local RADIUS DB and authenticator, but then be able to have an ACS server in a central location as a backup and then replicate between them.
    In other words set up groups for my remote sites in the central ACS server, which then replicates only the correct group to the remote sites. This allows less adminstrative overhead, as we just update the central one.
    Is this possible and how would I configure the WLC to do this ?
    Thanks

    Hi,
    if I understood your request, you want to replicate user information between an ACS and a WLC right ?
    That's impossible.
    ACS can only replicate with other ACS running the same version. No other ways of synchronization exists.
    Regards,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • WLC cannot reach Radius server

    I am currently configuring Radius server with Cisco Wireless Controller 5508.  Using debug aaa at the CLI, I can see the controller receive radius client message but nothing coming back from the radius server.
    For some reason, Wireless Controller 5508 cannot ping the Radius server using CLI.  Yet, I can ping the 5508 controller from the Radius server.  The Radius server is running Windows 2008 NPS with firewall turned off.  There are no antivirus firewall installed on the Radius server.  NPS is installed and configured on Windows 2008.  Nothing shows up in the NPS log.
    Any idea?  

    if you put a PC onto WLC management subnet can you ping your NPS from that PC ? 
    Also are you using service port of your WLC ?
    HTH
    Rasika
    **** Pls rate all useful responses ****

Maybe you are looking for

  • A/R report u0096 Customer open items based on due date

    Hi all, Can anyone tell me if there is a standard report on AR side that gives me invoices due between certain dates, meaning I should be able to select due dates between 11/15/2006 and 11/30/2006 in the selection and the report should get me the cus

  • Do I need to boot from OSX disk to repair permissions?

    If the answer is no, how easy is it to copy Disk Utility to my hard drive?

  • Downloading file in UTF-8 format

    Hi, I want to download a file in UTF-* format. i have written the following code to download it in UTF-8. OPEN DATASET L_filename FOR OUTPUT IN TEXT MODE ENCODING UTF-8. LOOP AT p_struct INTO w_struct. TRANSFER w_struct TO l_filename. CLEAR w_struct.

  • Split GL sale and cost of sale

    Hi all, User need to split GL sale and cost of sale according to the model of the car. 1 GL for 1 model. Currently for all sale and cost of sale will flow to 1 GL. I need to create new GL for each model. How do I split and is it can be done in the sy

  • PO approval hierarchy

    In case a person belonging to a particular position in the approval hierarchy is on leave, he should be able to depute someone(selected beforehand) to carry out this job. Is it possible to map this? How?