WLC radius discussion

Hi all,
I have a mixed setup of WLC and autonomous APs in my network architecture. In our setup all wireless clients pass through MAC authentication and then user ID/password authentication. I want the MAC authentication request to go to ACS server 1 while the user credential verification request goes to server 2. In an autonomous AP I can achieve this requirement with the following configuration.
! Two RADIUS server groups, one per ACS server
aaa group server radius rad_eap
 server 172.X.Y.103 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
 server 172.X.Y.104 auth-port 1812 acct-port 1813
! Separate login method lists so MAC auth and EAP each use their own group
aaa authentication login mac_methods group rad_mac
aaa authentication login eap_methods group rad_eap
! Shared secrets; "key 7" is reversible IOS obfuscation, not encryption, so treat this config as sensitive
radius-server host 172.X.Y.103 auth-port 1812 acct-port 1813 key 7 120A0D16190E2C0C2B25201F6231361B2921
radius-server host 172.X.Y.104 auth-port 1812 acct-port 1813 key 7 0448030704246C4608170120430F180C041C
With the above configuration in the AP I can send the MAC auth request to the 172.X.Y.104 server and EAP authentication to the 172.X.Y.103 server.
However, I want to do the same on my WLC also.
Can anyone guide me on how to do the same in the GUI or through the command line?

If you want to do MAC filtering on one WLAN and standard 802.1x on another you can select which RADIUS server to use in the Security tab -> AAA Servers of each WLAN. To do both on the same WLAN there is no functionality on the WLC to allow you to split the roles the way you want to. Sorry.
-Eric
Cisco Wireless TAC
Sent from Cisco Technical Support iPhone App

Similar Messages

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate an IP phone when I use the internal WLC RADIUS with an "eap-fast" profile.
    The error message I received on a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my IP phone!
    Note 1: I use a WLC with version AIR-4400-K9-5-1-163-0 (AES)
    Note 2: When I use LEAP it is OK
    Note 3: When I try with my PC to authenticate in EAP-FAST with the internal WLC RADIUS, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes: 20 attempts * 2 minutes apart.
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds. No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me a detailed description of how WLC RADIUS server load balancing works?
    Because I encountered a problem where the user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be very much appreciated.
    -Angela

    Hi Angela,
    I pasted below the part of the config guide explaining the different modes. In summary:
    - Fallback off means: when the 1st RADIUS server shows dead, the WLC moves to the second, and will only change again when the 2nd is dead too.
    - Passive means: when the 1st RADIUS server is dead, the WLC moves to the second. If there is a new authentication coming in, it will try the 1st RADIUS server again.
    - Active means: the WLC constantly sends RADIUS probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    • off disables RADIUS server fallback.
    • passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    • active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • WLC-Radius Integration..

    Hi
    I want to do WLC authentication with RADIUS. The problem is that when I enter the username and password, RADIUS shows authentication passed, but the telnet prompt asks again for the username and password as if they were wrong.
    Attached are the debug capture of the WLC and the RADIUS config summary.
    Can you please help me with this?

    Hi
    I have observed a similar incident on Cisco.
    Problem Title
    Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
    Resolution: For the Remote Access Dial-In User Service (RADIUS) user to login to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type. If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute. Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
    It seems everything is OK in the WLC and the RADIUS attribute is the problem.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters page).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as:
    Passive
    Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the RADIUS packets with the WLAN's "dynamic" interface IP address. The problem is that the RADIUS server doesn't respond to these requests. RADIUS is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look OK - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of RADIUS packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy
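Two of the threads above turn on the contents of the RADIUS packet itself: the Message-Authenticator that RFC 2869 says a server silently discards when it is wrong, and the Service-Type 6 (Administrative) attribute a WLC expects in the Access-Accept before it lets a RADIUS user into the management CLI. The following Python is an added example, not code from either post or from Cisco; it builds and checks both on packets constructed inline, with a made-up shared secret and sample addresses.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 4, 6, 32, 80
SERVICE_TYPE_ADMINISTRATIVE = 6  # the "service type 6" a WLC needs before it opens a management login

def attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return bytes([atype, 2 + len(value)]) + value

def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then the attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", code, identifier, 20 + len(body), authenticator) + body

def parse_attrs(packet):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed, keyed with the
    shared secret (RFC 2869 s5.14); a response is keyed over its request's authenticator."""
    auth = request_authenticator or packet[4:20]
    zeroed, pos = bytearray(packet[:4] + auth + packet[20:]), 20
    while pos < len(zeroed):
        atype, alen = zeroed[pos], zeroed[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + alen] = bytes(alen - 2)
        pos += alen
    return hmac.new(secret, bytes(zeroed), hashlib.md5).digest()

def sign_request(identifier, request_auth, secret, attrs):
    """Build an Access-Request whose last attribute is a valid Message-Authenticator.
    request_auth is the 16-octet Request Authenticator (a real NAS draws it at random)."""
    unsigned = build_packet(ACCESS_REQUEST, identifier, request_auth,
                            attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))])
    return unsigned[:-16] + message_authenticator(unsigned, secret)

def verify_request(packet, secret):
    """Server-side check: a missing, malformed or wrong MAC means silent discard."""
    macs = [v for t, v in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(macs[0], message_authenticator(packet, secret))

def grants_admin_login(access_accept):
    """True only if the Access-Accept carries Service-Type = Administrative (6)."""
    return any(len(v) == 4 and struct.unpack("!I", v)[0] == SERVICE_TYPE_ADMINISTRATIVE
               for t, v in parse_attrs(access_accept) if t == SERVICE_TYPE)

def demo(secret=b"constructed-shared-secret"):
    """Constructed packets (made-up secret and addresses): a good request, the same bytes
    altered after signing, and Access-Accepts with and without Service-Type 6."""
    name = b"wlc-admin"
    req = sign_request(7, bytes(range(16)), secret, [attr(USER_NAME, name),
                       attr(NAS_IP_ADDRESS, bytes([10, 200, 10, 254])), attr(NAS_IDENTIFIER, b"WLC-1")])
    tampered = bytearray(req)
    tampered[20 + 2 + len(name) + 2] ^= 0xFF  # first octet of NAS-IP-Address
    accept_ok = build_packet(ACCESS_ACCEPT, 7, bytes(16), [attr(SERVICE_TYPE, struct.pack("!I", 6))])
    accept_bare = build_packet(ACCESS_ACCEPT, 7, bytes(16), [attr(USER_NAME, name)])
    return (verify_request(req, secret), verify_request(bytes(tampered), secret),
            grants_admin_login(accept_ok), grants_admin_login(accept_bare))
```

Running demo() returns (True, False, True, False): the untouched request verifies, the one whose NAS-IP-Address changed after signing is what a server would drop without logging, and only the Accept carrying Service-Type 6 would let the login through.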

  • WLC RADIUS attribute with Cisco ISE

    Hi All,
    Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
    My Authentication Policy :
         Name: IsGuestAuthen
         IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
    My Authorization Policy :
         Name: IsGuestAuthen
         IF "Guest" THEN "InternetOnly"
    When I monitor the Live Authentication page, I can see only the MAC address and the guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
    Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
    Thanks,
    Pongsatorn Maneesud

    Exactly...here is the list of attributes sent in the access-request from the wlc -
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The Framed-IP-Address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs, here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLC Radius Credentials Caching

    We are using PEAP with ACS/AD as the external database. The issue or behavior that we are experiencing is that clients require a cached AD token for the user to authenticate against for the first time. The client does not get an IP until authenticated and therefore cannot contact the DC.
    We have shared laptops and it's not feasible to cache all AD profiles (tokens) to the laptop.
    Will the RADIUS Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow users to authenticate against multiple laptops? Is the above behavior correct (cached token required)? Is there another approach to authenticating shared resources with PEAP/RADIUS (ACS)/AD?

    I have RADIUS authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user who has never logged into a laptop (configured for AD) gets "Domain not available" if we try via wireless for that user's first login. I fully understand the issue, which is that the client has not been issued an IP because they have not been authenticated.
    More than likely there is not a workaround for this scenario other than logging in via wired with the new AD user credentials, in effect caching the AD profile locally.
    What I would like to address, because my users are transient (nurses and doctors that share laptops), is how to lessen the number of times a wired login is needed by caching the AD account in the WLC. I may be off base as to the function of this feature, but it's not very well documented (from what I have found).

  • WLC RADIUS Fallback Questions

    We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
    There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
    Can someone shed some light on how exactly this "cisco-probe" should work?
    Thanks!

    There are three modes to fall back:
    off - no fallback
    passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
    on - You configure a username, and an interval.  WLC sends the credentials to the 'dead' server at configured interval.
    The password really doesn't matter, just that the WLC gets a packet back.  So getting a reject back from the server would bring it back 'alive' in the AAA list.
    Make sense?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC Radius source IP

    Hi
    I have just configured a 4404 WLC running 7.0.116 for PEAP with MSCHAPv2 and a load of APs. The RADIUS server is an old Cisco ACS 3.3 box the customer has and we are using self-signed certificates on the ACS.
    It works fine but what I found strange was that the ACS sees the source IP of the RADIUS packets as being the WLAN dynamic interface IP address on the WLC, not the WLC management IP. This stopped it working until we noticed it, as the ACS was reporting unknown NAS.
    I thought that all AAA should be sourced from the WLC management IP address; in fact I have seen this stated in the WLC FAQ.
    The management IP address is 172.18.0.2 /16 and the WLAN dynamic interface is 10.200.10.254 /24 with the ACS being 172.31.1.22, so it's not like the ACS is on a directly attached interface of the WLC either.
    Any idea why it should be doing this?

    Figured it out.
    On the WLC the WLAN template for a couple of the controllers had
    "Radius Server Overwrite interface"
    selected, which does exactly this: changes the source IP from the management IP to the dynamic interface IP. Not sure why it was selected as it wasn't on the template for any of the other WLANs. But it's fixed now so that's good.

  • WLC - radius down, possible to have auth none as secondary?

    Let's say I have a 5508 WLC and have configured a WLAN with web-auth and RADIUS authentication.
    The one and only configured RADIUS server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? Auth none as secondary?
    Appreciate any thoughts

    Chris,
    No, unfortunately not. Once you select 802.1X (RADIUS) you are bound to that security type. The controller will not allow non-EAP traffic on that WLAN unless it gets an EAP SUCCESS frame. The EAP success frame from the RADIUS server is sent to the WLC and it tells the WLC to open the controlled port to allow traffic to pass.
    Top-of-my-head alternatives:
    You might consider another SSID with the same name with OPEN security. Manually enable it after failure of the RADIUS server.
    Create the user accounts on the WLC and allow the WLC to act as your RADIUS server. If you have a large environment this may not be realistic.

  • WLC Radius Attribute support

    Hi,
    WLC is running the 4.0.217.203 version. I managed to find Document ID: 96103 but it did not mention the supported WLC version.
    Do I need to upgrade the WLC ?
    Regards,
    Ron


  • WLC & RADIUS Issue

    Hi,
    I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QOS for the RADIUS traffic but they are still reporting problems.
    Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.
    RADIUS server 10.x.x.x:1645 deactivated in global list
    RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
    What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?
    Is this the case?
    Thanks

    Thanks JG,
    Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?
    (In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user.)
    Could this almost be a denial of service style issue?
    Thanks
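The two messages quoted in this thread are enough to detect the pattern the poster is worried about from the WLC message log: a timeout for one client followed by a "deactivated in global list" for every server in quick succession. The following Python is an added example (not from the thread or from Cisco) that parses those two message formats over a constructed log excerpt, names the client and user whose request preceded each deactivation, and flags a run in which every server in the log was deactivated inside a short window.

```python
import re
from datetime import datetime

# Constructed WLC message log (same message formats as the thread above; addresses,
# times and the second client are sample values). One unknown user times out against
# each server in turn and the WLC deactivates all three within a few milliseconds.
SAMPLE_LOG = """\
*Mar 09 03:15:09.765: RADIUS server 10.0.0.1:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:09.770: RADIUS server 10.0.0.1:1645 deactivated in global list
*Mar 09 03:15:09.771: RADIUS server 10.0.0.2:1645 failed to respond to request (ID 66) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:09.776: RADIUS server 10.0.0.2:1645 deactivated in global list
*Mar 09 03:15:09.777: RADIUS server 10.0.0.3:1645 failed to respond to request (ID 67) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:09.782: RADIUS server 10.0.0.3:1645 deactivated in global list
*Mar 09 03:20:41.100: RADIUS server 10.0.0.1:1645 failed to respond to request (ID 90) for client 00:11:22:33:44:55 /user 'jdoe'
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): RADIUS server (?P<server>[\d.]+:\d+) "
    r"(?P<event>deactivated in global list|failed to respond to request \(ID (?P<id>\d+)\) "
    r"for client (?P<mac>[0-9a-f:]{17}) /user '(?P<user>[^']*)')")

def parse(log):
    """Yield one event dict per recognised line; unrelated lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")  # WLC timestamps carry no year
        kind = "deactivated" if m["event"].startswith("deactivated") else "timeout"
        yield {"ts": ts, "server": m["server"], "kind": kind, "mac": m["mac"], "user": m["user"]}

def blame(events):
    """Pair each deactivation with the timeout that preceded it for that server, so the
    client and user whose request knocked the server out can be identified."""
    last_timeout, result = {}, []
    for e in events:
        if e["kind"] == "timeout":
            last_timeout[e["server"]] = e
        elif e["server"] in last_timeout:
            t = last_timeout[e["server"]]
            result.append((e["server"], t["mac"], t["user"]))
    return result

def find_cascades(events, window_seconds=5.0):
    """Return (start_time, servers) for every run in which every RADIUS server seen in the
    log was deactivated within window_seconds: the whole AAA list taken down by one
    unanswered authentication, the denial-of-service pattern the thread asks about."""
    servers = {e["server"] for e in events}
    deacts = [e for e in events if e["kind"] == "deactivated"]
    cascades, i = [], 0
    while i < len(deacts):
        start, run, j = deacts[i], set(), i
        while j < len(deacts) and (deacts[j]["ts"] - start["ts"]).total_seconds() <= window_seconds:
            run.add(deacts[j]["server"])
            j += 1
        if run == servers:
            cascades.append((start["ts"], sorted(run)))
            i = j
        else:
            i += 1
    return cascades
```

On the sample log, blame() attributes all three deactivations to the 'unknown' user from 00:0b:6b:87:54:d2 and find_cascades() reports one cascade covering all three servers.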

  • WLC to ISE authentication for Guest

    Hi Experts,
    I hope you could guide me with our setup for guest users. Below is what we are doing:
    a) Guest connects to SSID
    b) WLC is being used to redirect guest HTTP to the WLC internal portal
    c) WLC forwards guest authentication details to Cisco ISE [ISE and WLC RADIUS]
    The guest connects to the SSID and does get the WLC portal for authentication; when the username and password are entered, on Cisco ISE I see the error message
    'User Identity not found in any of Identity Store' though it is going through the correct store and the guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if I am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • 802.1x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

    Hi,
    I have configured several WLANs with WPA2 and 802.1x which authenticate users through a RADIUS server (Windows Internet Authentication Service) that connects with an Active Directory. In the AD there is one user group for each WLAN, but the problem is that any user that was added to some group can get access to any WLAN. Does anybody know if I need some configuration on the WLC to restrict that?
    thanks for your help.

    Hi Scott,
    I have done some tests modifying the RADIUS policy to look at Called-Station-ID and also looking at the NAS-ID. In the first case, I changed the Call Station ID Type in the WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and in the RADIUS server used .*:SSID-NAME$ and SSID-NAME$, but it blocks access for any user. In the second case, I changed the NAS-ID in the WLC WLAN and interface configuration and in the RADIUS server policy to match all, but it doesn't have any impact. What other test could I try?
    Thanks for your help.
