WLC log RADIUS server failed to respond to request
I keep getting the same couple of MACs failing. I was hoping somebody has more insight into this. The RADIUS server is pingable from the WLC. People are authenticating. Please let me know which logs I should provide. Thank you in advance.
Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'
Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'
Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'
Thu Feb 20 16:22:00 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 75) for client 24:77:03:26:86:7c / user 'unknown'
Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'
Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'
Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'
You should look at the ACS logs as that will give you a better idea of the failure.
Similar Messages
-
Explanation RADIUS server failed to respond to request for STA
Hi all,
I have configured a WLC 5508 to authenticate through FreeRADIUS. Login is working fine but I see a lot of warning messages like:
WLC_5508_SECONDARY: *radiusTransportThread: #AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:472 RADIUS server X.X.X.X:X failed to respond to request(ID 28) for STA 40:83:de:3e:ee:81 / user '4083de3eee81'
In Cisco System Message i've found :
Explanation RADIUS server failed to respond to request for STA.
Recommended Action No action is required.
Is there a solution?
Thanks
Marco
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml -
Wlc 5508 radius authentication fail
I am trying to set up a wireless LAN for the first time using a 5508. All is working to a point, until I try to set up client authentication using the following.
The settings are:
Layer Wlan settings:
Layer 2 security:WPA+WPA2
AES
Auth Key mgmt:802.1x
We have the authentication server enabled:
IP and port are correct
AAA override not enabled
Order for authentication: RADIUS only
Advanced: default settings
Radius authentication servers:
Call Station ID Type: IP address
MAC Delimiter: Colon
Network User
Management
Server Index
Server Address
Port
IPSec
Admin Status
Server Index
Server Address
Shared Secret Format
ASCII Hex
Shared Secret
Confirm Shared Secret
Key Wrap
(Designed for FIPS customers and requires a key wrap compliant RADIUS server)
Port Number
Server Status
Enabled Disabled
Support for RFC 3576
Enabled Disabled
Server Timeout
seconds
Network User
Enable
Management
Enable
IPSec
Enable
*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
*radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
Radius server occasionally sees attempts from user "XXZZYY"
Osvaldo,
Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
Quote:
Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
AAA server defined on WLAN takes precedence over global. -
Safari cannot open the page as the server fails to respond
Safari cannot open the page as the server fails to respond? I am getting this message and Safari is not working.
My 2nd gen works fine with WPA2 and AES encryption.
You may need to go back and start over. Reset the router back to factory defaults, log on as the admin, set up security and DHCP, and make sure the IP address pool has enough IP addresses to lease to ALL of the computers/devices that will connect to the router. -
what is the authentication list precedence for radius authentication?
global list network user checkbox
per wlan aaa server add
global list network user uncheck
I have 3 RADIUS servers, 2 of which are used for global authentication (all APs are H-REAP) and a 3rd one used only for 1 site. When the first 2 RADIUS servers fail the WLC uses the 3rd one, but the 3rd only has a database for 1 site's users.
Do I need to uncheck the Network User checkbox on the 3rd RADIUS server and create an H-REAP group, then associate the 3rd one? I don't want the global list to be able to take the 3rd RADIUS server as a normal global RADIUS server. Any comments?
Osvaldo,
Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
Quote:
Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
AAA server defined on WLAN takes precedence over global. -
Visio - bug - The server failed to process the request
Hi
When uploading a Visio diagram into one of our SharePoint document libraries we get a 'The Server failed to process the Request' error when we then try to view the document in the web browser. Does anyone know how to fix this?
Thanks
I understand that this is an old thread. The following might be useful to other readers engaging this issue in the future.
I experienced the same error message when provisioning a new instance of the Visio Graphics Service application for a new farm. I first tested the approach presented by sjb500 and found that this approach did resolve the problem. I then
explored using a more limited permission approach. Over the course of several attempts, I eventually found that I only needed to map the application pool identity to the SPDataAccess role to resolve the problem: -
I'm trying to connect to my Azure subscription via PowerShell on my machine but keep getting the following error when I run a command:
ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
The steps I have taken so far are:
1. get settings file
Get-AzurePublishSettingsFile
2. Import settings file
Import-AzurePublishSettingsFile -PublishSettingsFile "C:\Users\me\Downloads\credentials.publishsettings"
3. I then run Get-Azuresubscription with the following output:
SubscriptionId : 699385c3-b83a-44af-a651-bxxxxxxxxx
SubscriptionName : Windows Azure MSDN - Visual Studio Premium
Environment : AzureCloud
SupportedModes : AzureServiceManagement
DefaultAccount : 3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4
Accounts : {3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4, 26B118D7F3C598FB8FE9CDC49AB5DE5E450C967C,
03E1E1F0B8C7717F11FB58A14138C35524AB3F8D, 9A2E1FD267ECCC0E9B8C151BD931FC4824E89184...}
IsDefault : True
IsCurrent : True
CurrentStorageAccountName :
TenantId :
I run Get-AzureAccount and get the following:
Id                                       Type        Subscriptions                          Tenants
3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
26B118D7F3C598FB8FE9CDC49AB5DE5E450C967C Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
03E1E1F0B8C7717F11FB58A14138C35524AB3F8D Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
9A2E1FD267ECCC0E9B8C151BD931FC4824E89184 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
85AD02CB8EB8AB20CF2C44FD9D19F29B6BB2FCD2 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
Finally, when I try to run Get-AzureSqlDatabaseServer to list my databases, I get this error:
WARNING: Client Session Id: '5911f288-7b02-4c94-bb9d-37b9ea5fc187-2015-01-13 11:47:54Z'
WARNING: Client Request Id: '3e5f7ea9-092a-46fd-a6a6-6916b9161b77-2015-01-13 15:25:41Z'
Get-AzureSqlDatabaseServer : ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated
with this subscription.
At line:2 char:1
+ Get-AzureSqlDatabaseServer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureSqlDatabaseServer], CloudException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.SqlDatabase.Server.Cmdlet.GetAzureSqlDatabaseServer
I would appreciate any help in figuring out what I am doing wrong here.
Thanks,
OK. That won't work in Azure Automation though, as mentioned above. OrgID (recommended) or cert-based auth will need to be used. PublishSettings file won't work.
Correct, but the original question was:
<Quote>
Im trying to connect to my azure subscription
via powershell on my machine
</Quote>
I wanted to test automation script's core functionality without having to wait for the very very long time taken for an automation runbook
to spin up, actually run and provide output (can often take 2+ minutes for a trivial script). Although I can't run runbooks on my PC, I can run the core modules (view virtual machines, databases etc.) to ensure my logic is sound. -
The Server failed to retrieve the requested data
I used to be able to open this site with firefox. I haven't been able to open it for 2 days. It does open in internet explorer.
This appears to be an error message which has its roots in MS DTC, Microsoft Distributed Transaction Coordinator.
This indicates that you somewhere managed to get a distributed transaction. This could be because of two things:
1) There are triggers on the tables that access a linked server.
2) Your client code dabbles with some transaction class, like TransactionScope or similar.
Erland Sommarskog, SQL Server MVP, [email protected] -
Radius server 00.00.00.00 deactivated in global list
Hi
We are unable to authenticate the users connecting to the WLC over EAP-FAST from ACS 5.1.
AD is integrated with the acs....
The error msg coming in wlc is :Radius server deactivated in global list
Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
I found that a time skew error happened between AD and ACS. But after I configured an NTP server in ACS the problem
still exists.
I removed the controller from the acs and added back, same thing done in controller(reconfigured aaa settings).
But the problem is not resolved.
Thanks
Subhash
After working with TAC, I resolved this issue recently. Increasing the timeout value did not help. On the WLC, try:
config radius aggressive-failover disable
As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server. -
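An added example, not from the thread or from Cisco: it parses WLC "failed to respond" lines and applies the threshold described above, treating a server as tripped after one unanswered client in aggressive mode, or after three consecutive distinct clients otherwise, and separately flags clients that fail repeatedly (the case where the server is unresponsive to that client only). The log lines are constructed in the page's syslog format; a server response would reset the streak, and this sample contains none.

```python
import re
from collections import Counter, defaultdict

# Matches both renderings seen on WLCs, e.g.
#   "RADIUS server 10.4.120.251:1812 failed to respond to request (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'"
#   "RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'"
FAIL_RE = re.compile(
    r"RADIUS server (?P<server>\S+) failed to respond to request\s*"
    r"\(ID (?P<rid>\d+)\) for (?:client|STA) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r" / user '(?P<user>[^']*)'"
)

# Constructed sample, oldest line first (WLC trap logs display newest first).
_PFX = "*radiusTransportThread: Feb 20 16:2{ts}: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:472 "
_MSG = "RADIUS server {srv} failed to respond to request(ID {rid}) for STA {mac} / user 'unknown'"
SAMPLE_LOG = [
    _PFX.format(ts="1:59.101") + _MSG.format(srv="10.4.120.251:1812", rid=72, mac="a0:82:1f:d8:24:02"),
    _PFX.format(ts="1:59.240") + _MSG.format(srv="10.4.120.251:1812", rid=73, mac="3c:a9:f4:42:11:a0"),
    _PFX.format(ts="1:59.377") + _MSG.format(srv="10.4.120.251:1812", rid=74, mac="24:77:03:20:78:d0"),
    "*Dot1x_NW_MsgTask_1: Feb 20 16:22:00.011: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 "
    "Authentication aborted for client 24:77:03:26:86:7c",  # unrelated line, must be ignored
    _PFX.format(ts="2:00.502") + _MSG.format(srv="10.4.120.251:1812", rid=75, mac="24:77:03:26:86:7c"),
    _PFX.format(ts="2:06.120") + _MSG.format(srv="10.4.120.251:1812", rid=76, mac="24:77:03:d0:bd:b4"),
    _PFX.format(ts="2:06.121") + _MSG.format(srv="10.4.120.251:1812", rid=77, mac="24:77:03:20:78:d0"),
    _PFX.format(ts="2:06.122") + _MSG.format(srv="10.4.120.251:1812", rid=78, mac="3c:a9:f4:42:11:a0"),
    # second (hypothetical) server that lost a single request
    _PFX.format(ts="2:09.000") + _MSG.format(srv="10.4.120.252:1812", rid=5, mac="00:11:22:33:44:55"),
]


def parse_failures(lines):
    """Return one dict per RADIUS_RESPONSE_FAILED line, in input order; other lines are skipped."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failover_verdict(events, aggressive):
    """Per server: would this run of unanswered requests make the WLC fail over?

    aggressive=True  -> tripped by the first client that gets no response.
    aggressive=False -> tripped only after three consecutive *distinct* clients get no
                        response (retries of the same client do not advance the count).
    """
    threshold = 1 if aggressive else 3
    streak = defaultdict(list)  # server -> distinct clients in the current unanswered run
    tripped = {}
    for e in events:
        run = streak[e["server"]]
        if e["mac"] not in run:
            run.append(e["mac"])
        tripped[e["server"]] = len(run) >= threshold
    return tripped


def repeat_offenders(events, min_failures=2):
    """Clients whose requests went unanswered at least min_failures times: the
    'server ignores only this client' pattern worth checking on the AAA side."""
    counts = Counter(e["mac"] for e in events)
    return {mac: n for mac, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(f"{len(ev)} unanswered requests")
    print("aggressive failover :", failover_verdict(ev, aggressive=True))
    print("default failover    :", failover_verdict(ev, aggressive=False))
    print("repeat offenders    :", repeat_offenders(ev))
```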
WLC not integrating with Radius Server
Hello world,
I have the following situation:
One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
Everything worked fine until a few days ago, when users were unable to log on via their certificates on Windows XP.
The infrastructure didn't suffer modifications.
What I have checked: the RADIUS certificate isn't expired, the client certificate isn't expired, the password between the controller and RADIUS is correct.
There are no ACLs between the WLC and the remote server. I can ping the devices, and other SSIDs on the same controller (WPA/PSK) are working correctly.
The APs are 1242s.
I have tried deleting the SSID and configuring it back. The OS on the Windows server is 2003 Standard. The APs are configured H-REAP.
I have increased the Server Timeout under RADIUS Authentication Servers from 2 to 30 sec.
The message logs received in the WLC Trap Logs:
RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
The message from the debug dot1x aaa enable:
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00 ......
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
The messages on Windows 2003 Standard:
User Y was denied access.
Fully-Qualified-User-Name = xx.domain.com/Users_T/user
NAS-IP-Address = X.X>X.X
NAS-Identifier = Cisco_
Called-Station-Identifier = ---------------------
Calling-Station-Identifier = ---------------------
Client-Friendly-Name = ---------------------
Client-IP-Address = ---------------------
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.
Can anyone help with why I cannot log the users in via 802.1x?
Okay that is good..... this is what I would do next. I would create a test SSID that uses PEAP MSCHAPv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screenshot of your policies (connection and network) so we can review it.
-
WLC "radius server overwrite interface" setting
Hello
I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the RADIUS packets from the WLAN's "dynamic" interface IP address. The problem is that the RADIUS server doesn't respond to these requests. RADIUS is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
Thanks
Andy
Hi Scott
I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
I had a look at the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of RADIUS packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
Thanks for your help with this.
Cheers
Andy -
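An added example, not from the thread, Cisco or ACS: it builds an Access-Request carrying a Message-Authenticator and performs the receiver-side check from RFC 2869 section 5.14 (HMAC-MD5 over the packet, keyed with the shared secret, with the attribute value zeroed). The check classifies a packet as ok, missing, bad or malformed; the last three are the cases a conforming server silently discards, which is why nothing reaches the server log. The shared secret, user name, NAS address and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1               # attribute types from RFC 2865 / RFC 2869
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20             # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, request_authenticator, attrs, secret):
    """Build an Access-Request whose Message-Authenticator is computed as RFC 2869
    requires: HMAC-MD5 keyed with the shared secret over the whole packet while the
    Message-Authenticator value holds 16 zero bytes; the digest then replaces the zeros."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    body = b"".join(_attr(t, v) for t, v in attrs) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    pkt += request_authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def _attributes(pkt):
    """Yield (type, offset_of_attribute, value) for each attribute after the header."""
    off = HEADER_LEN
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("bad attribute length")
        yield attr_type, off, pkt[off + 2:off + length]
        off += length


def check_message_authenticator(pkt, secret):
    """Receiver-side verdict: 'ok', 'missing', 'bad' or 'malformed'.
    RFC 2869 tells a server to silently discard everything except 'ok', so a wrong
    shared secret and a missing attribute look identical from the client side."""
    if len(pkt) < HEADER_LEN:
        return "malformed"
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        return "malformed"
    pkt = pkt[:length]  # octets beyond Length are padding and ignored
    try:
        for attr_type, off, value in _attributes(pkt):
            if attr_type == MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return "bad"
                zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return "ok" if hmac.compare_digest(expected, value) else "bad"
    except ValueError:
        return "malformed"
    return "missing"


# Constructed sample values (not taken from any real deployment).
SECRET = b"thiskey"
REQ_AUTH = bytes(range(16))              # a real client uses 16 random bytes
ATTRS = [(USER_NAME, b"test"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]


def build_sample(secret=SECRET):
    return build_access_request(158, REQ_AUTH, ATTRS, secret)


def build_sample_without_message_authenticator():
    body = b"".join(_attr(t, v) for t, v in ATTRS)
    return struct.pack("!BBH", ACCESS_REQUEST, 158, HEADER_LEN + len(body)) + REQ_AUTH + body


if __name__ == "__main__":
    good = build_sample()
    print("correct secret :", check_message_authenticator(good, SECRET))
    print("wrong secret   :", check_message_authenticator(good, b"othersecret"))
    print("no attribute   :", check_message_authenticator(build_sample_without_message_authenticator(), SECRET))
```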
We have configured the following commands on a switch to fall back to a local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
We do not know whether we configured the switch in the proper way or whether we need to modify it.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
server-key 7 12345678
ip device tracking
epm logging
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication
Port Configuration
interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Please help....
Thanks
Tabish-
The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
For more info you should reference the TrustSec design guide located at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Thank you for rating! -
Detect up/down radius server
Hello,
I was wondering how a switch proceeds to detect when one or several RADIUS servers are down.
If I leave only one RADIUS server in a C3560-24PS (running the latest software version) and shut down all services associated with my ACS 4.2 through the web interface, I receive the following error logs:
13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.
Can anyone explain to me why I get such output?
Thank you for your help!
Hi David,
Following are the comments for the above messages:
%RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests.
To check, see if the RADIUS server is still active.
%RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
to a new request
Hope to Help !!
Remember to rate the helpful post
Ganesh.H -
1100 with Local Radius Server problems Atheros Client
I have local authentication turned on for the 1100 and am using the Atheros Client Utility, configuring LEAP with username/password, and it is failing. Here is the debug from the 1100. Any help much appreciated.
Xcon-ap1100#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Xcon-ap1100(config)#radius
Xcon-ap1100(config)#radius-server local
Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
Xcon-ap1100(config-radsrv)#end
Xcon-ap1100#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Xcon-ap1100#term mon
Xcon-ap1100#
*Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:26.962: RADIUS: 32 [2]
*Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
*Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
*Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS(000000FC): sending
*Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
*Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
*Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
*Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
*Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
*Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
*Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
*Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
*Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
*Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
*Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
*Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
*Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
*Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
*Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:50.071: RADIUS: 32 [2]
*Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
*Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
*Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enrol. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
Cheers
Bernhard -
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2, I configured it as management, monitor and PSN and it works fine.
I would like to know if I can integrate an external RADIUS server and work with both internal and external RADIUS servers simultaneously.
So some computers (groupe_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS server and other computers (groupe_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
I would like to know if it is possible to configure this and how I can do it?
Thanks in advance for your help
Regards
Blaise
Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.