WLC log RADIUS server failed to respond to request

Similar Messages

• Explanation RADIUS server failed to respond to request for STA

  Hi all,
  i have configured WLC 5508 to access through FreeRadius. Login is working fine but i see a lot of Warning message like :
  WLC_5508_SECONDARY: *radiusTransportThread:  #AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:472 RADIUS server X.X.X.X:X failed to respond to request(ID 28) for STA 40:83:de:3e:ee:81 / user '4083de3eee81'
  In Cisco System Message i've found :
  Explanation    RADIUS server failed to respond to request for STA.
  Recommended Action    No action is required.
  Is there a solution?
  Thanks
  Marco

  I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
   http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

• Wlc 5508 radius authentication fail

  I am trying to setup a wireless lan for the first time using 5508, all is working to a point, until i try to setup client authentication using the following
  so settings are:
  Layer Wlan settings:
  Layer 2 security:WPA+WPA2
  AES
  Auth Key mgmt:802.1x
  We have the authentication server enabled:
  Ip an port are correct
  AAA overide not enabled
  Order for authentication, radius only
  Advanced: dafault settings
  Radius authentication servers:
  Call Station ID Type: IP address
  MAC Delimiter: Colon
  Network User
  Management
  Server Index
  Server Address
  Port
  IPSec
  Admin Status
  Server Index
  Server Address
  Shared Secret Format
                   ASCII                 Hex              
  Shared Secret
  Confirm Shared Secret
  Key Wrap
    (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
  Port Number
  Server Status
                   Enabled                  Disabled              
  Support for RFC 3576
                   Enabled                  Disabled              
  Server Timeout
    seconds
  Network User
  Enable
  Management
  Enable
  IPSec
  Enable
  *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
  *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
  *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
  Radius server occasionally sees attempts from user "XXZZYY"

  Osvaldo,
  Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
  Quote:
  Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
  Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
  AAA server defined on WLAN takes precedence over global.

• Safari cannot open the page as the server fails to respond

  safari cannot open the page as the server fails to respond? i am getting this message and safari is not working

  My 2nd gen works fine with WPA2 and AES encryption.
  You may need to go back and start over.  Reset the router back to factory defaults, log on as the admin, set up security, DHCP, and make sure the IP address pool has enough IP addresses to lease to ALL of the computers/devices that will connect to that the router.

• WLC 5508 Radius Server

  what is the authentication list precedence for radius authentication?
  global list       network user checkbox
  per wlan        aaa server add
  global list       network user uncheck
  i  have 3 radius server, 2 of which are use for gloabl authentication(all  ap are hreap) and a 3rd one use only for 1 site, when the 2 first radius  server fails the wlc use the 3rd one, but the 3rd only has database for  1 site users,
  do  i need to uncheck the network user checkbox on the 3rd radius and  create a hreap group then associate the 3rd one?  i dont want the 3rd  radius to be able for the gloabl list to take this as normal globla  radius. any commnets?

  Osvaldo,
  Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
  Quote:
  Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
  Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
  AAA server defined on WLAN takes precedence over global.

• Visio - bug - The server failed to process the request

  Hi
  When uploading a visio diagram into one of our sharepoint document libraries we then get a 'The Server failed to process the Request' error when we then try and view the document in the Web Browser. Does anyone know how to fix this?
  Thanks

  I understand that this is an old thread. The following might be useful to other readers engaging this issue in the future.
  I experienced the same error message when provisioning a new instance of the Visio Graphics Service application for a new farm.  I first tested the approach presented by sjb500 and found that this approach did resolve the problem.  I then
  explored using a more limited permission approach.  Over the course of several attempts, I eventually found that I only need map the application pool identity to the SPDataAccess role to resolve the problem:

• ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.

  Im trying to connect to my azure subscription via powershell on my machine but keep getting the following error when i run a command:
  ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated  with this subscription.
  The steps i have taken so far are:
  1. get settings file
  Get-AzurePublishSettingsFile
  2. Import settings file
  Import-AzurePublishSettingsFile -PublishSettingsFile "C:\Users\me\Downloads\credentials.publishsettings"
  3. I then run Get-Azuresubscription with the following output:
  SubscriptionId : 699385c3-b83a-44af-a651-bxxxxxxxxx
  SubscriptionName : Windows Azure MSDN - Visual Studio Premium
  Environment : AzureCloud
  SupportedModes : AzureServiceManagement
  DefaultAccount : 3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4
  Accounts : {3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4, 26B118D7F3C598FB8FE9CDC49AB5DE5E450C967C,
  03E1E1F0B8C7717F11FB58A14138C35524AB3F8D, 9A2E1FD267ECCC0E9B8C151BD931FC4824E89184...}
  IsDefault : True
  IsCurrent : True
  CurrentStorageAccountName :
  TenantId :
  I run Get-AzureAccount and get the following:
  Id Type Subscriptions Tenants
  3B68902B5170D5EC91BFCBE4CC27E2 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
  A8838F61C4
  26B118D7F3C598FB8FE9CDC49AB5DE Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
  5E450C967C
  03E1E1F0B8C7717F11FB58A14138C3 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
  5524AB3F8D
  9A2E1FD267ECCC0E9B8C151BD931FC Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
  4824E89184
  85AD02CB8EB8AB20CF2C44FD9D19F2 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
  9B6BB2FCD2
  Finally, when i try to run Get-AzureSQLDatabaseServer, to list my databases, i get this error:
  WARNING: Client Session Id: '5911f288-7b02-4c94-bb9d-37b9ea5fc187-2015-01-13 11:47:54Z'
  WARNING: Client Request Id: '3e5f7ea9-092a-46fd-a6a6-6916b9161b77-2015-01-13 15:25:41Z'
  Get-AzureSqlDatabaseServer : ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated
  with this subscription.
  At line:2 char:1
  + Get-AzureSqlDatabaseServer
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : NotSpecified: (:) [Get-AzureSqlDatabaseServer], CloudException
  + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.SqlDatabase.Server.Cmdlet.GetAzureSqlDatabaseServer
  I would appreciate any help in figuring out what i am doing wrong here.
  Thanks,

  OK. That won't work in Azure Automation though, as mentioned above. OrgID (recommended) or cert-based auth will need to be used. PublishSettings file won't work.
  Correct, but the original question was:
  <Quote>
  Im trying to connect to my azure subscription
  via powershell on my machine 
  </Quote>
  I wanted to test automation script's core functionality without having to wait for the very very long time taken for an automation runbook
  to spin up, actually run and provide output (can often take 2+ minutes for a trivial script). Although i cant run Workbooks on my pc, i can run the core modules (view virtual machines, databases etc) to ensure my logic is sound.

• The Server failed to retrieve the requested data

  I used to be able to open this site with firefox. I haven't been able to open it for 2 days. It does open in internet explorer.

  This appears to be an error message which has it roots in MS DTC, Microsoft Distributed Transaction Coordinator.
  This indicates that you somewhere manage to get a distributed transaction. This could be because of two things:
  1) There are triggers on the tables that accesses linked server.
  2) Your client code dabbles with some transaction class, like TransactionScope or similar.
  Erland Sommarskog, SQL Server MVP, [email protected]

• Radius server 00.00.00.00 deactivated in global list

  Hi
  we unable to authenticate the users connecting to WLC over EAP-FAST from the ACS 5.1.
  AD is integrated with the acs....
  The error msg coming in wlc is :Radius server deactivated in global list
  Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
  I find that problem with time skew error happen between the AD and ACS. But after i configured ntp server in acs the problem
  still exist.
  I removed the controller from the acs and added back, same thing done in controller(reconfigured aaa settings).
  But the problem not resolved
  Thanks
  Subhash

  After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
  config radius aggressive-failover disable
  As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
  If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
  In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

• WLC not integrating with Radius Server

  Hello world,
  I have the following situation:
  One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
  Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.
  The infrastracture didn`t suffer modifications.
  What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
  There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
  The AP`s are 1242.
  I have tried deleting the SSID, configure it back. The OS on Windows Server is  2003 Standard. The AP`s are configured H-Reap.
  I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
  The message logs recived on WLC Trap Logs:
  RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
  The message from the debug dot1x aaa enable:
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
  The messages on Windows 2003 Standard:
  User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.
  Can anyone help why i cannot log the users via 802.1x ?

  Okay that is good..... this is what I would do next.  I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screen shot of your polices (connection and network) so we can review it. 

• WLC "radius server overwrite interface" setting

  Hello
  I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
  When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't repond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
  Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
  I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
  Thanks
  Andy

  Hi Scott
  installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
  I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
  Mt production ACS cluster was upgraded from latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
  Thanks for your help with this.
  Cheers
  Andy

• ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

  We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.
  We do not know whether we configured switch in proper way or do we need to modify it.
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting system default start-stop group radius
  aaa server radius dynamic-author
  client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
  client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
  server-key 7 12345678
  ip device tracking
  epm logging
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 30 tries 3
  radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
  radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
  radius-server vsa send accounting
  radius-server vsa send authentication
  Port Configuration
  interface GigabitEthernet0/1
  switchport access vlan 305
  switchport mode access
  ip access-group ACL-DEFAULT in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 305
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication open
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  Please help....
  Thanks

  Tabish-
  The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/devices is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
  If you want to use the "fail-open" features you will have to use the "High Securty/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EPoL traffic is allowed on port until authenticated.
  For more info you should reference the TrustSec design guide located at:
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  Thank you for rating!

• Detect up/down radius server

  Hello,
  I was wondering how does a switch proceed to detect when one or several radius server is down.
  If I leave only one radius server in a C3560-24PS (running with the lastest software version) and shut all services associated with my ACS4.2 through the web interface, I receive the following error logs:
  13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
  13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.
  Anyone can explain me why a such ouput?
  Thank you for your help!
  David

  Hello,I was wondering how does a switch proceed to detect when one or several radius server is down.If
  I leave only one radius server in a C3560-24PS (running with the
  lastest software version) and shut all services associated with my
  ACS4.2 through the web interface, I receive the following error logs:13:55:31:%RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not  responding.
  13:55:31:%RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked  alive.Anyone can explain me why a such ouput?Thank you for your help!David
  Hi David,
  Following are the comments for the above messages
  %RADIUS-4-RADIUS_DEAD -- A RADIUS server has not responded to repeated requests
  For checking purpose check to see if the RADIUS server is still active.
  %RADIUS-4-RADIUS_ALIVE -- A RADIUS server that previously was not responding has responded
  to a new request
  Hope to Help !!
  Remember to rate the helpful post
  Ganesh.H

• 1100 with Local Radius Server problems Atheros Client

  I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
  Xcon-ap1100#conf t
  Enter configuration commands, one per line. End with CNTL/Z.
  Xcon-ap1100(config)#radius
  Xcon-ap1100(config)#radius-server local
  Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
  Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
  Xcon-ap1100(config-radsrv)#end
  Xcon-ap1100#debug radius
  Radius protocol debugging is on
  Radius protocol brief debugging is off
  Radius protocol verbose debugging is off
  Radius packet hex dump debugging is off
  Radius packet protocol debugging is on
  Radius packet retransmission debugging is off
  Radius server fail-over debugging is off
  Xcon-ap1100#term mon
  Xcon-ap1100#
  *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:26.962: RADIUS: 32 [2]
  *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
  *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
  *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
  *Apr 3 16:26:26.963: RADIUS(000000FC): sending
  *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
  *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
  *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
  *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
  *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
  *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
  *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
  *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
  *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
  *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
  *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
  *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
  *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
  *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
  *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
  *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
  *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
  *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
  *Apr 3 16:26:50.071: RADIUS: 32 [2]
  *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
  *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
  *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
  *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

  I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
  This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
  OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
  So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
  I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
  Cheers
  Bernhard

• Cisco ISE with both internal and External RADIUS Server

  Hi
  I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
  I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
  So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
  I will like to know if it is possible to configure it and how I can do it ?
  Thanks in advance for your help
  Regards
  Blaise

  Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
  Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
  The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.