WLC 5508 Release 7.4.100.0 RADIUS PROBLEM

Similar Messages

• Upgrade WLC 5508 IOS 8.0.100

  Hi
  I wan to upgrade the IOS version on WLC 5508, but I do not is recommended, 
  Can you help me is recommended upgrade for this version?.
  The apple devices have a problem with retry authentication constantly
  regards

  After WLC upgrade to 8.0.100 [ not in HA mode], the AP seem to be dropping out and reconnect using the fallback to IP-  inspite of the statically configured IP on the AP
  Running Outdoor mesh AIR-CAP1552E-N-K9 on WLC 5508
  (Cisco Controller) >show boot
  Primary Boot Image............................... 8.0.100.0 (default) (active)
  Backup Boot Image................................ 7.6.101.2
  =========
  Last AP disconnect details
  - Reason for last AP connection failure.................... The AP has been reset by the controller
  - Last AP disconnect reason................................ Unknown failure reason
  Last join error summary
  - Type of error that occurred last......................... Lwapp join request rejected
  - Reason for error that occurred last...................... No Mwar payload found in join request
  - Time at which the last join error occurred............... Dec 03 00:05:26.114
  AP disconnect details
  - Reason for last AP connection failure.................... The AP has been reset by the controller

• Upgrade WLC 5508 to 7.4.121.0 problem

  After I upgraded WLC 5508 from 7.2.111.3 to 7.4.121.0, all 3602i APs don't associate with the controller.  All APs were working/associating with controller on 7.2.111.3 at same setting.  IP address of APs are setup as DHCP.
  The error message is "AP couldn't get IP address".   
  Any one has this type of problem when you upgrade WLC 5508 from 7.2.111.3 to 7.4.121.0.
  Thanks,

  Hi,
  This doesn't look like software issue.
  You have to check why the APs are not able to get ip address. Try connecting a PC to a swtich port where one of these APs are connected and see if you are able to get IP on PC.
  Also check if the DHCP server is reachable and if there are IP address in the pool assigned for APs.
  HTH,
  Thanks & Regards,
  Ishant
  *** Please rate the post if you find it useful ***

• WLC 5508 with 7.4.100.0 software

  Hi All,
  One of my client has a wireless setup with WLC 5508 and 1142N APs. It was running with a good coverage for access points when WLC was running with 7.0 software version. Last week I upgraded the software to latest 7.4.100.0 version. After that the coverage of APs are very low.
  Can someone help me regarding this issue.
  Thanks
  Sadiq

  I didn't have coverage issues per say, but my 1142 APs kept disassociating randomly
  TAC suggested running these commands. Which has stopped the APs leaving the building.
  > config 802.11a disable network
  > config 802.11a 11nSupport a-mpdu tx priority all disable
  > config 802.11a 11nSupport a-mpdu tx scheduler disable
  > config 802.11a enable network
  > config 802.11b disable network
  > config 802.11b 11nSupport a-mpdu tx priority all disable
  > config 802.11b 11nSupport a-mpdu tx scheduler disable
  > config 802.11b enable network
  Aggregation is the process of grouping packet data frames together  rather than transmitting them separately. Two aggregation methods are  available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC  Service Data Unit (A-MSDU). A-MPDU is performed in the software whereas  A-MSDU is performed in the hardware.
  Disables the 802.11n-5 GHz A-MPDU transmit aggregation scheduler.

• WLC 5508 + NPS MS-CHAP v2 Auth problems

  Hi,
  I am having a lot of trouble trying to set up a Cisco WLC 5508 to use NPS on Windows Server 2008 as it's authentication.
  When a client attempts to connect to the WLAN, the authentication is denied on Windows 7/Vista/XP, however, on Mac/iOS clients, it asks to accept the certificate (this is a public cert, issued by Entrust - however, it is a wildcard cert..), but then it will connect.
  So I have two questions:
  1/ Why won't the windows clients authenticate? If I set up the WLAN profile on the windows machine, and I deselect "Validate server certificate", then they connect just fine....
  2/ Is it possible to make it so the user is not prompted to accept the certificate? Why can't this certificate be validated locally by the client?
  Thanks,
  Josh

  Looks like it might have been an issue with that certificate, I don't know.
  Either it didn't like the wildcard, or it didn't like the intermediate/root CA.
  I downloaded a Comodo Trial SSL and plugged that in - works like a charm now!

• Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

  It is observed that in WLC 5508 , ios 7.4.100.0 ,  mobility anchor configuration on wlan  is getting lost .  we configure anchor ip address on  guest wlan > mobility anchor >  Switch IP Address (Anchor).
  We have configured the template on NCS 2.0 to push the anchor mobility ip address on all WLC
  Has anyone oberved this behavoiur. We have more than 100 WLC  , and  everyweek  mobility anchor configuration is lost on some WLC having code  7.4.100.0.

  I am having this exact same problem.  I am running 7.3 on 5508 WLC.   My remote site LAP's are using Flex (HREAP).  The initial access point that my laptop associates to connects with no problem, as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity.   The was validated like the original post as I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop.  The only way to correct the problem is resetting of the wireless adapter on the laptop.  Side note my DroidX has no problem wandering from AP to AP.
  Laptop: Windows 7 32bit
  I then returned to my home site and test where I have a secondary controller and the LAP's are configured for local mode, no problems roaming from access point to access point.   Validated with constant ping test.  The pings drop for a second and re-
  continues as the laptop reconnects.
  **Edit: I am going to try the removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
  Message was edited by: Michael Dunki-Jacobs
  **Edit Solved:***
  The problem is in deed solved by turning the "DHCP Address Required" but why?

• WLC 5508 WPA Authentication Problems

  Hello,
  We have a WLC 5508 with 7.4.100.0 Firmware.
  We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
  Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
  The strange thing is that the problem is solved restarting the Access-points.
  Anyone had this problem previusly?
  Thanks in advance.

  I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
  Cisco Recommended  and not recommended Authentication Settings
  Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
  These images provide examples of incompatible settings for TKIP and AES:
  Note: Be aware that security settings permit unsupported features.
  These images provide examples of compatible settings:

• Cisco WLC 5508 in HA mode error

  Hai ,
  I am Getting the below Error in Cisco WLC 5508, Version 7.4.100.0 in HAmode. The WLC contains Access Points having in local and Flex Connect Mode.
  RF failure notification ErrorType: 32 Reason :Error: Config Sync failed on Standby for the usmdb:HA_send_usmDbApfMsDelete,
  I sam a same bug in Cisco WLC 7.4.100.0 release notes similar to the error like
  RF failure notification ErrorType: 32 Reason :Error: Config Sync failed on Standby for the usmdb:HA_send_usmDbSpamSetRadSlotAntennaType.
  Any Ideas?

  HI Mohamed,
  its a open Caveats  in 7.4.100.0
  CSCud26632
  Symptom: The following SNMP trap appears on the controller when you change the channel width number to 40-MHz:
  RF failure notification ErrorType: 32 Reason :Error: Config Sync failed on Standby for the usmdb:HA_send_usmDbSpamSetRadSlotAntennaType.
  Conditions: Controller is in an HA pair. Join the 802.11n access point to the controller and change the channel width to 40-MHz and channel number to 157.
  Workaround: None
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html
  Reagrds
  Please rate helpful posts

• Webauth page on WLC 5508

       Hi ,
  I need to download a login banner page on our WLC 5508 version 7.4.100.60  but i am getting error and the logs is showing the following :
  *TransferTask: Sep 11 11:05:04.248: #CLIWEB-3-BUFFER_TOO_LONG: cli_web_api.c:3240 Buffer for Login Banner too long (max = 1296 chars).
  My FTP is working fine since i have upgraded the version using it and the .tar file which i am trying to upload is 50K  can any body help on this please

  Mohammad,
  Typically, login banners are .txt files.  Please ensure the file that you are uploading is a .txt and not a .tar.
  If you are unsuccessful in uploading the file through the Web GUI, might I suggest that you try it through CLI?  Sometimes transfers just seem to work better through CLI.
  Just in case you have any questions on the CLI transfer, I have this link for your reference:
  www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mfw.html#wp1132285
  This is the Configuration Guide for the WLC.
  Please let me know if this fixes your issue.  If it does, please rate this answer and mark your question as Answered.
  Charles Moreton

• WLC 5508 Distribution Ports

  Dear Community,
  i have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.
  By default WLC ports are gig ports so is there any comand or option to configure the port by decreasing its speedin wlc.
                                                                         OR
  could we connect them in the same status like wlc gig port wit switch 3750 fastethernet port and there will not any speed mismatch and it will work fine.Honestly on my behalf it will not work like this.
  please advise what is the best practice to do that.

  i have a small Q that should we configure any of distribution port of WLC 5508 with speed 10/100 to connect it with cisco's 3750 on fastethernet port.Won't work because the 5508 will negotiate to 1Gb only.

• WLC 5508 HA Problem Soft.ver 7.4.100

  Dear Support,
  we are using two WLC 5508 software ver.7.4.100 with first 50AP license and in the next day we add 50AP license again to the primary WLC. when we activate HA base in the following guiden http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html but when we doing test the failover we found a couple log message on the Secondary WLC like below and not for long time all AP on the Secondary WLC was drop off. 
  1. DP Critical Error
  2. *RRM-DCLNT-2_4: May 23 07:43:53.204: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
  *RRM-DCLNT-2_4: May 23 07:43:53.164: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
  *RRM-DCLNT-2_4: May 23 07:43:52.854: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG:  Could not retrieve  RRM Coverage Measurement DataKey BSSID:2c:36:f8:72:fc:c0,Key SlotId:0
  I also send a complete log for both problem above and enclose it with pdf file. need you advice and assistance,
  regard, afriansyah

  I agree go to version 7.4.121.0 I has some strange issues on prior releases. Personally I am running 7.6.120.0 right now but that's mainly due to support for the 3702 access points.
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-74573
  that's a good guide just to double check yourself just in case. -

• WLC 5508 -7.4.100 mDNS Bonjour snooping

  Hello
  Have 7.4 installed and configured for Bonjour Snooping. All is working, but working too well. We have a large campus that house 2 schools and each school is complaining that they can see the other schools AppleTV devices.
  I have played around with a few different scenarios to see if I can localize the bonjour traffic.
  I guess I am looking to create a logical split for bonjour devices amoung the schools.
  Apple came to the school and informed us that the IPAD has a limit of 64 devices that can be seen via the bonjour. At some point we will have over 100 AppleTV added.
  so we have 3 wlc 5508's with 7.4.100
  we have 2 SSIDs that span the whole campus
  using AP groups to segment the floors in buildings
  So the schools are logically split with AP groups
  Here is what I have tried
  I created few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2
  I assign the mDNS profiles to the interfaces dedicated each school
  enable snooping on the WLAN with profile of none
  The end result is that devices from both schools can be seen.
  I tried to create new ssid for apple TVs and a new ssid for 1 schools teachers
  I followed the vlan select example
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
  end result is that devices from both schools can be seen
  I have tried the mDNS without multicast enabled just like the video shows to no avail - I assume maybe my AP groups might be more complicated then the example of just 2 vlans
  https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2013/01/01/wireless-lan-controller-wlc-release-74--bonjour-gateway-configuration-example
  I have tried combinations of things, but I must be missing something
  In the webinar, Cisco said it will use filtering to restrict which  clients can see which services (Apple TV's, etc). What will Cisco use to  filter Bonjour requests?
  according to this article
  http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SIDqFH49
  The filtering options are: · Per WLAN/SSID · Per VLAN or AP  Group · Per Interface Group (which is a group of VLANs pooled together).
  A Bonjour service policy can be created and applied on any one of  the above criteria. In the future, we will support per-user Bonjour  service policies which will come as a RADIUS attribute from the AAA server.
  Read more: http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SZqMYpdh
  Cheers
  Any insight would be appreciated

  Here are the ACLs for the controller
  acl create BlockBonjour
  acl apply BlockBonjour
  acl counter start
  acl rule add BlockBonjour 1
  acl rule add BlockBonjour 2
  acl rule action BlockBonjour 1 deny
  acl rule action BlockBonjour 2 permit
  acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
  acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
  acl rule destination port range BlockBonjour 1 0 65535
  acl rule destination port range BlockBonjour 2 0 65535
  acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
  acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
  acl rule source port range BlockBonjour 1 0 65535
  acl rule source port range BlockBonjour 2 0 65535
  acl rule direction BlockBonjour 1  In 
  acl rule direction BlockBonjour 2 Any 
  acl rule dscp BlockBonjour 1  Any 
  acl rule dscp BlockBonjour 2  Any 
  acl rule protocol BlockBonjour 1  Any 
  acl rule protocol BlockBonjour 2  Any 
  acl apply BlockBonjour ipv6 acl create BlockAllIPv6
  ipv6 acl apply BlockAllIPv6
  ipv6 acl rule add BlockAllIPv6 1
  ipv6 acl rule action BlockAllIPv6 1 deny
  ipv6 acl rule destination address BlockAllIPv6 1 :: 0
  ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
  ipv6 acl rule source address BlockAllIPv6 1 :: 0
  ipv6 acl rule source port range BlockAllIPv6 1 0 65535
  ipv6 acl rule direction BlockAllIPv6 1 Any 
  ipv6 acl rule dscp BlockAllIPv6 1  Any 
  ipv6 acl rule protocol BlockAllIPv6 1 Any
  ipv6 acl apply BlockAllIPv6
  Apply to wlan:  The wlan index is used in this case, the first wlan created on controller
  wlan acl 1 BlockBonjour
  wlan ipv6 acl 1 BlockAllIPv6

• WLC 7.6.120.0 Radius problems with FreeRadius server

  Hi there
  we have 3 WLC 5508 with version 7.6.120.0 and 2 FreeRadius servers. In the WLC log we see a lot of "radius auth-server unavailable" messages and some users can not authenticate against our dot1x (PEAP).
  The problems occur most of the time, when there are a lot of WLAN clients trying to connect to the SSID at the same time.
  Does anybody have the same problems or are there any known bug for this phenomena?
  Thanks in advance and best regards
  Anna

  Hi Anna
  your problems seems to be this bug here: https://tools.cisco.com/bugsearch/bug/CSCuo96366
  Symptom:
  Clients are not able to Authenticate at Peak loads when using FreeRadius.
  Conditions:
  Using Freed radius (most susceptible), we observe at high auth rate and if Radius server is not responding to all Radius packets in seq order or if the server is slow, WLC when wraps around 0-255 Radius ID's, it does not do a check when posting new packet.
  So essentially you have 2 packets with same ID being presented to AAA server.
  Workaround:
  Recover's when load is reduced.
  Further Problem Description:
  So far, issue has not been brought to notice while using ISE/ACS/NPS.
  There are two possible solutions I see:
  1. Downgrade to an earlier WLC version <7.6 (e.g. 7.4.121.0)
  2. Try to have another radius server in between (radius proxy, e.g. Cisco ACS or Microsoft NPS)
  Best regards
  Dominic

• WLC 5508 8.0.100 AP dropout anf fallback issue

  After WLC upgrade to 8.0.100 [ not in HA mode], the AP seem to be dropping out and reconnect using the fallback to IP-  inspite of the statically configured IP on the AP
  Running Outdoor mesh AIR-CAP1552E-N-K9 on WLC 5508
  (Cisco Controller) >show boot
  Primary Boot Image............................... 8.0.100.0 (default) (active)
  Backup Boot Image................................ 7.6.101.2
  =========
  Last AP disconnect details
  - Reason for last AP connection failure.................... The AP has been reset by the controller
  - Last AP disconnect reason................................ Unknown failure reason
  Last join error summary
  - Type of error that occurred last......................... Lwapp join request rejected
  - Reason for error that occurred last...................... No Mwar payload found in join request
  - Time at which the last join error occurred............... Dec 03 00:05:26.114
  AP disconnect details
  - Reason for last AP connection failure.................... The AP has been reset by the controller

  We downgraded the WLC to  7.4.121.0 and finally got rid of the DHCP problem
  But encountered a new issue
  The WGB once connected to the mesh AP does not reconnect to the network  , auth failure-   AIR-SAP1602E-Z-K9 running  - ap1g2-k9w7-mx.152-2.JB2
  Local EAP auth configured for WGB client on the WLC
  Looks more like the WGB stuck in a state , unable to negotiate its credentials
  Controller log
  *dot1xMsgTask: Mar 24 10:33:52.737: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg  - invalid WPA state (0) - client f4:0f:1b:23:03:37
  Attached is the debug and client status from WLC
  Any  idea what is going on
  Thanks

• Cisco WLC 5508 - NPS Radius

  Cisco WLC 5508
  Software Version: 7.4.100.0
  Windows Server 2008R2
  I've got everything setup on the Windows Server 2008 side of things (certificates, radius clients, etc)
  I added the radius server on the WLC, and configured a new WLAN to use it.
  Both are on the same subnet.
  When trying to conect to the WLAN it kept failing.  I installed wireshark on the server to monitor the radius traffic, and to my surprise there was no radius traffic showing up on the server.  The radius statistics on the WLC are at 0 as well, so it's like the WLC isn't even attempting Radius.
  I reverified that the server was enabled on both the security tab and the WLAN itself on the WLC.  Rebooted the controller and the server, all to no avail.  I used a radius test client, and can successfully send radius commands to the server using that utility.
  Frustrated, I just kept trying to reconnect on my wireless device, and after about the 15th try, finally I saw radius activity on wireshark.  It rejected my access, but at least I saw activity.  It also registerd radius statistcs on the WLC as well.
  So now if I keep trying to connect repeatedly, about every dozen or so times the WLC actually will send a radius request to the server.
  What in the world is going on here?

  I do have local management users on the controller.
  Some hours later I added the option of authenticating management users, for the NPS server. Then logged inn to the management GUI using NPS radius, worked just fine.
  However, these commands have been useful to me several times, to make sure unsuccessful requests appear in the Windows Event log:
  auditpol /get /subcategory:"Network Policy Server"
  If it shows ‘No auditing’ or just "Success", you can run this command to enable it:
  auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
  So now I know that the NPS radius server works, for management access. I will go to the customer's site some other day to test it for 802.1x authentication. If not, I'll do some debugging to decide wihich to blame - the WLC or NPS.