WLC Radius Credentials Caching

We are using PEAP with ACS/AD as the external database. The issue or behavior that we are experiencing is that clients require a cached AD token for the user to authenticate against the first time. The client does not get an IP until authenticated and therefore cannot contact the DC.
We have shared laptops and it's not feasible to cache all AD profiles (tokens) to the laptop.
Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow a user to authenticate against multiple laptops? Is the above behavior correct (cached token required)? Is there another approach to authenticating shared resources with PEAP/Radius (ACS)/AD?

I have Radius authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that has never logged into a laptop (configured for AD) gets a "Domain not available" if we try via wireless for that user's first login. I fully understand the issue, which is that the client has not been issued an IP because they have not been authenticated.
More than likely there is not a workaround for this scenario other than logging in via wireless with the new AD user credentials, in effect caching the AD profile locally.
What I would like to address, because my users are transient (nurses and doctors that share laptops), is how to lessen the number of times a wired login is needed by caching the AD account at the WLC. I may be off base as to the function of this feature, but it's not very well documented (from what I have found).

Similar Messages

  • SASL(-1): generic failure: GSSAPI Error. No Credentials Cache Found

    When I try to use any LDAP command line utilities on my Xserve dual G5 running OS X Server 10.4.11, I get any number of errors including:
    SASL/GSSAPI authentication started
    ldapsasl_interactive_binds: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
    If I run kadmin or klist as super user I get the same or a similar error.
    If I run kdelete and then kinit I don't get an error message, but I still can't log in using the directory administrator account, or even root if I enable the root account.
    The Server Admin tool shows that Kerberos is running and it appears to be working on all the clients on the network (OS X 10.3 and 10.4), but I just can't use the command line. This is frustrating because there are a number of batch tasks I prefer doing with the command line such as ldapadd and ldapmodify. The only command line utility for LDAP that does seem to work is slapcat. Workgroup Admin works, as does phpldapadmin.
    Any ideas?

  • VPN access to a Watchguard firewall using Radius credentials

    Good morning, I have an iPod Touch 4G that I would like to use to connect to our Watchguard firewall using the built-in VPN client and PPTP.
    I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware), which are set up for PPTP VPN access using Windows Radius servers. The users use their Active Directory credentials to make the VPN connections.
    I have several Macs at home, including an iMac and Mac mini, and both of them can easily make VPN connections to the Watchguard firewall using PPTP VPN access with Radius credentials.
    The setup I have been trying on the iPod Touch 4G is using the DNS name for the firewall (published in Network Solutions DNS). I have also tried the outside address of each firewall. For the account, since we are using a Radius connection into Active Directory, I put my login in the format domain\username. RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
    In my testing so far, the iPod Touch starts the connection, starts authenticating to Radius and fails. If I turned off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on. It doesn't seem to matter if Send all traffic is off or on. Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
    So, I basically duplicated the setup of the VPN on the iPod Touch based on my setup that's working on the Mac mini and iMacs at home. But VPN on the iPod Touch 4G with the latest version of iOS is not working.
    Does anyone have this kind of configuration working on the iPod Touch 4G or know if this is a shortcoming of this version of the iPod or iOS?
    Thanks,
    Leo

    I fixed my vpn connection on the iPod Touch.  This is what works for Radius login to a Watchguard firewall:
    Server (DNS name or ip address).
    Account domainname\username
    RSA SecurID off
    Encryption level Auto
    Send All Traffic off.
    Leo

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate the IP phone when I use the internal WLC RADIUS with an "eap-fast" profile.
    The error message I received in a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my IP phone!
    Note 1: I use a WLC with version AIR-4400-K9-5-1-163-0 (AES)
    Note 2: When I use LEAP it is OK
    Note 3: When I try with my PC to authenticate in EAP-FAST with the internal WLC RADIUS, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes (20 attempts * 2 minutes apart).
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me a detailed description of how WLC RADIUS server load balancing works?
    Because I encountered a problem where the user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be much appreciated.
    -Angela

    Hi Angela,
    I pasted below the part of the config guide explaining the different modes. In summary:
    - Fallback off means: when the 1st RADIUS server shows dead, the WLC moves to the second, and will only change again when the 2nd is dead too.
    - Passive means: when the 1st RADIUS server is dead, the WLC moves to the second. If there is a new authentication coming in, it will try the 1st RADIUS server again.
    - Active means: the WLC constantly sends RADIUS probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    • off disables RADIUS server fallback.
    • passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    • active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • OS X 10.10.2 Mail.app: "GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)"

    For an IMAP SSL account, I see the following error in the log every time mail.app checks for new mails:
    23.03.15 09:06:12.782 Mail[5620]: Failed a step of SASL authentication
    SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)
    New mails are shown, but it takes quite a long time until they are fetched. These error lines show up several times.
    What causes these errors?
    Andy Brunner

    Solved the problem by myself
    - Disable the automatic recognition of the account settings-

  • WLC RADIUS Fallback Questions

    We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
    There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
    Can someone shed some light on how exactly this "cisco-probe" should work?
    Thanks!

    There are three fallback modes:
    off - no fallback
    passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
    on - You configure a username and an interval. WLC sends the credentials to the 'dead' server at the configured interval.
    The password really doesn't matter, just that the WLC gets a packet back. So getting a reject back from the server would bring it back 'alive' in the AAA list.
    Make sense?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC-Radius Integration..

    Hi
    I want to do WLC authentication with RADIUS. The problem is that when I enter the username and password, RADIUS shows the authentication passed, but the telnet prompt asks again for the username and password as if the username/password were wrong.
    Attached are the debug capture of the WLC and the RADIUS config summary.
    Can you please help me with this?

    Hi
    A similar incident I have observed on Cisco:
    Problem Title
    Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
    Resolution: For the Remote Access Dial-In User Service (RADIUS) user to login to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type. If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute. Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
    It seems everything is OK in the WLC and the RADIUS attribute is the problem.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as:
    Passive — Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID, I can see (via packet capture) that the WLC is correctly sourcing the RADIUS packets with the WLAN's "dynamic" interface IP address. The problem is that the RADIUS server doesn't respond to these requests. RADIUS is configured with rules to match the new IP address, but I see nothing (pass or fail) in the logs.
    Interestingly, the packet capture shows the correct NAS IP address (the WLAN interface IP address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN, and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look OK - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of RADIUS packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy
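Two threads above hinge on what is inside a RADIUS packet: the WLC-Radius Integration thread (an Access-Accept without Service-Type = Administrative-User leaves the controller re-prompting) and Andy's Message-Authenticator question here (RFC 2869 lets a server silently drop an Access-Request whose HMAC-MD5 does not verify). The following Python is an added example written for this page, not code from any poster, from Cisco, ACS or the WLC; the shared secret, request authenticator and packets are constructed, and the attribute types and values are those of RFC 2865 and RFC 2869.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_ADMINISTRATIVE = 6   # Administrative-User: what a WLC management login needs

# Hypothetical shared secret and request authenticator, constructed for this example only
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length including the 2-byte header."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse_attrs(packet):
    """Return the attributes of a RADIUS packet as (type, value) pairs, rejecting malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_request(ident, request_auth, attrs, secret=None):
    """Build an Access-Request; with a secret, append Message-Authenticator (RFC 2869 section 5.14)."""
    body = _encode_attrs(attrs)
    if secret is not None:
        # HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute value zeroed
        placeholder = _encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
        header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body) + len(placeholder))
        mac = hmac.new(secret, header + request_auth + body + placeholder, hashlib.md5).digest()
        body += _encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def message_authenticator_ok(packet, secret):
    """Recompute the Message-Authenticator of an Access-Request; a mismatch is what makes an
    RFC 2869 server silently discard the packet. A missing attribute is treated as a failure here."""
    parse_attrs(packet)  # validates the length fields before we walk them
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


def build_access_accept(ident, request_auth, attrs, secret):
    """Build an Access-Accept with the Response Authenticator of RFC 2865 section 3."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def accept_grants_admin_login(packet):
    """True only if an Access-Accept carries Service-Type = Administrative-User; without it the
    controller accepts the credentials but re-prompts, as the WLC-Radius Integration thread describes."""
    if packet[0] != ACCESS_ACCEPT:
        return False
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE
    return False


def demo():
    """Constructed packets: a signed request, a tampered copy, and Accepts with and without Service-Type."""
    request = build_access_request(7, REQUEST_AUTHENTICATOR, [(ATTR_USER_NAME, b"wlc-admin")], SECRET)
    # flip one bit of the User-Name value (offset 22: 4-byte header, 16-byte authenticator, 2-byte TLV header)
    tampered = request[:22] + bytes([request[22] ^ 0x01]) + request[23:]
    with_type = build_access_accept(7, REQUEST_AUTHENTICATOR,
                                    [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))], SECRET)
    without_type = build_access_accept(7, REQUEST_AUTHENTICATOR, [], SECRET)
    return {
        "request_mac_ok": message_authenticator_ok(request, SECRET),
        "tampered_mac_ok": message_authenticator_ok(tampered, SECRET),
        "accept_opens_admin_session": accept_grants_admin_login(with_type),
        "accept_without_service_type": accept_grants_admin_login(without_type),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the four checks; the tampered request fails the HMAC exactly as a packet with a wrong shared secret would, which is the case an RFC 2869 server drops without logging, so a capture showing a correct-looking Access-Request and no reply is consistent with a secret mismatch on the new source address rather than with a missing attribute.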

  • WLC RADIUS attribute with Cisco ISE

    Hi All,
    Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
    My Authentication Policy :
         Name: IsGuestAuthen
         IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
    My Authorization Policy :
         Name: IsGuestAuthen
         IF "Guest" THEN "InternetOnly"
    When I monitor the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
    Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
    Thanks,
    Pongsatorn Maneesud

    Exactly... here is the list of attributes sent in the Access-Request from the WLC -
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The framed IP address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs, here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run the RADIUS accounting report and filter it based on accounting-start packets, which will have the username and the IP address along with the MAC address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLC radius discussion

    Hi all,
    I have a mixed setup of WLC and autonomous APs in my network architecture. In our setup all wireless clients pass through MAC authentication and then user ID/password authentication. I want the MAC authentication requests to go to ACS server 1, while for user credential verification the requests should go to server 2. In an autonomous AP I can achieve the requirement with the following configuration.
    aaa group server radius rad_eap
    server 172.X.Y.103 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    server 172.X.Y.104 auth-port 1812 acct-port 1813
    aaa authentication login mac_methods group rad_mac
    aaa authentication login eap_methods group rad_eap
    radius-server host 172.X.Y.103 auth-port 1812 acct-port 1813 key 7 120A0D16190E2C0C2B25201F6231361B2921
    radius-server host 172.X.Y.104 auth-port 1812 acct-port 1813 key 7 0448030704246C4608170120430F180C041C
    By the above configuration in the AP I can send the MAC auth request to the 172.X.Y.104 server and EAP authentication to the 172.X.Y.103 server.
    However, I want to do the same on my WLC also.
    Can anyone guide me how to do the same in the GUI or through the command line?

    If you want to do MAC filtering on one WLAN and standard 802.1X on another, you can select which RADIUS server to use in the Security tab -> AAA Servers of each WLAN. To do both on the same WLAN, there is no functionality on the WLC to allow you to split the roles the way you want. Sorry.
    -Eric
    Cisco Wireless TAC
    Sent from Cisco Technical Support iPhone App

  • WLC Radius source IP

    Hi
    I have just configured a 4404 WLC running 7.0.116 for PEAP with MSCHAPv2 and a load of APs. The RADIUS server is an old Cisco ACS 3.3 box the customer has, and we are using self-signed certificates on the ACS.
    It works fine, but what I found strange was that the ACS sees the source IP of the RADIUS packets as being the WLAN dynamic interface IP address on the WLC, not the WLC management IP. This stopped it working until we noticed that, as the ACS was reporting unknown NAS.
    I thought that all AAA should be sourced from the WLC management IP address; in fact I have seen this stated in the WLC FAQ.
    The management IP address is 172.18.0.2 /16 and the WLAN dynamic interface is 10.200.10.254 /24, with the ACS being 172.31.1.22, so it's not like the ACS is on a directly attached interface of the WLC either.
    Any idea why it should be doing this?

    Figured it out.
    On the WLC, the WLAN template for a couple of the controllers had "Radius Server Overwrite interface" selected, which does exactly this: it changes the source IP from the management IP to the dynamic interface IP. Not sure why it was selected, as it wasn't on the template for any of the other WLANs. But it's fixed now, so that's good.

  • WLC - radius down, possible to have auth none as secondary?

    Let's say I have a 5508 WLC and have configured a WLAN with web-auth and RADIUS authentication.
    The one and only configured RADIUS server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? Auth none as secondary?
    Appreciate any thoughts.

    Chris,
    No, unfortunately not. Once you select 802.1X (RADIUS) you are bound to that security type. The controller will not allow non-EAP traffic on that WLAN unless it gets an EAP SUCCESS frame. The EAP success frame from the RADIUS server is sent to the WLC and it tells the WLC to open the controlled port to allow traffic to pass.
    Top of my head alternatives:
    You might consider another SSID with the same name with OPEN security. Manually enable after failure of the RADIUS server.
    Create the user accounts on the WLC and allow the WLC to act as your RADIUS server. If you have a large environment this may not be realistic.

  • WLC Radius Attribute support

    Hi,
    The WLC is running version 4.0.217.203. I managed to find Document ID: 96103 but it did not mention the supported WLC version.
    Do I need to upgrade the WLC ?
    Regards,
    Ron
