WLC RADIUS Fallback Questions

We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
Can someone shed some light on how exactly this "cisco-probe" should work?
Thanks!

There are three modes to fall back:
off - no fallback
passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
on - You configure a username, and an interval.  WLC sends the credentials to the 'dead' server at configured interval.
The password really doesn't matter, just that the WLC gets a packet back.  So getting a reject back from the server would bring it back 'alive' in the AAA list.
Make sense?
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered
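A toy model of the three fallback modes described in the answer above (off, passive, active), added here for illustration; it is not Cisco code. Server names, the 300-second probe interval and the passive hold-down time are constructed assumptions, and the point it demonstrates is that any reply to the probe account, including an Access-Reject, puts a deactivated server back in the list.

```python
"""Toy model of the WLC RADIUS fallback modes: off / passive / active.
Added example, not Cisco code; names and timings are constructed."""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    reachable: bool = True        # does the server answer at all?
    inactive: bool = False        # marked "dead" in the WLC's AAA list
    inactive_since: float = 0.0

    def respond(self, user):
        """None = no reply (timeout); otherwise 'accept' or 'reject'.
        The probe account is not a real user, so it is always rejected."""
        if not self.reachable:
            return None
        return "reject" if user == "cisco-probe" else "accept"


class Wlc:
    def __init__(self, servers, mode="off", probe_interval=300.0, passive_hold=300.0):
        assert mode in ("off", "passive", "active")
        self.servers, self.mode = servers, mode
        self.probe_interval, self.passive_hold = probe_interval, passive_hold
        self.last_probe = {s.name: 0.0 for s in servers}
        self.events = []

    def _send(self, srv, user, now):
        reply = srv.respond(user)
        if reply is None:                    # timeout: deactivate in the list
            srv.inactive, srv.inactive_since = True, now
            self.events.append(f"{srv.name} deactivated")
        elif srv.inactive:                   # ANY reply revives it, even a reject
            srv.inactive = False
            self.events.append(f"{srv.name} reactivated by {reply}")
        return reply

    def _usable(self, srv, now):
        if not srv.inactive:
            return True
        # passive: ignore a dead server for a hold time, then retry it with real traffic
        return self.mode == "passive" and now - srv.inactive_since >= self.passive_hold

    def authenticate(self, user, now):
        """Walk the list in priority order; return (server name, reply) or (None, None)."""
        for srv in self.servers:
            if not self._usable(srv, now):
                continue
            reply = self._send(srv, user, now)
            if reply is not None:
                return srv.name, reply
        return None, None

    def tick(self, now):
        """Active mode only: probe inactive servers with the probe account at the interval."""
        if self.mode != "active":
            return
        for srv in self.servers:
            if srv.inactive and now - self.last_probe[srv.name] >= self.probe_interval:
                self.last_probe[srv.name] = now
                self._send(srv, "cisco-probe", now)


def scenario(mode):
    """Primary is down at t=0 and recovers right after; which server answers at t=0, 400, 700?"""
    primary, backup = RadiusServer("acs-primary", reachable=False), RadiusServer("acs-backup")
    wlc = Wlc([primary, backup], mode=mode)
    used = [wlc.authenticate("alice", 0.0)[0]]
    primary.reachable = True
    for t in (400.0, 700.0):
        wlc.tick(t)
        used.append(wlc.authenticate("alice", t)[0])
    return used, wlc.events
```

In passive mode the retry at t=400 is a real user's request, which is exactly the time-out delay a user would notice if the primary were still down.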

Similar Messages

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as :
    Passive — Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me detailed description on how WLC Radius Server Load balance works.
    Because I encountered a problem where the user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means: when the 1st RADIUS server shows dead, the WLC moves to the second, and will only change again when the 2nd is dead too.
    -Passive means: when the 1st RADIUS server is dead, the WLC moves to the second. If there is a new authentication coming in, it will try the 1st RADIUS server again.
    -Active means: the WLC constantly sends RADIUS probes to detect when the primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • Fallback questions for user portal

    Is there an option to display a link for the user to get their fallback questions right away instead of waiting X seconds for MFA to timeout?  I'd like for the user to successfully authenticate first then have a link appear to skip to their questions.
    Also, is there an option to add a captcha for the login screen?

    A quick and dirty way may be to count your logins from wwctx_sso_session$ :
    -- sysdate arithmetic is in days, so subtract 1 (not 24) for the last 24 hours
    select count(1) from WWCTX_SSO_SESSION$ where SESSION_START_TIME > (sysdate - 1) and USER_NAME != 'PUBLIC';
    This will give you the number of users who have logged on during a 24 hour interval. It doesn't filter out multiple user logins.
    Regarding 10.1.4.2 :
    It is a patch set on top of Portal 10.1.4. By definition, patch sets should not include any functionality changes. Oracle has added generation of HTML 4.01 Strict for your Portal however. Keep in mind however that you are not having all the fixes which have been incorporated in the patch set. Especially the web cache - PPE communication may be a bit buggy in some cases.

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate the IP phone when I use the internal WLC RADIUS with an "eap-fast" profile.
    The error message I received on a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my ipphone !
    Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)
    Note2: When I use LEAP it is OK
    Note3: When I try with my PC to authenticate in EAP-FAST with the internal WLC RADIUS, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • Wlc remote fallback

    Hi,
    I have multiple WLC installations on different sites with Local APs. Is there a methodology or plan to solve fallback situation by installing a central WLC in the DataCenter (e.g.) What should I follow to create a solution to this problem? Licensing, choosing wlc controller model, limitations, etc.
    Do I have to create a local redundancy first and then at the data center as I saw on a web page? Is it possible to make fallback solution to this type of infrastructure?

    You have to look to see what happens if a WLC fails at a site. The issue I have if you're in local mode is that if you have a WLC at a central location as a backup, then all traffic will be tunneled to that WLC and users will have to get a new IP address, since your centralized WLC will have interfaces that are local to that site. Typically it's best to have a redundant WLC at each location, but you really need to figure out the what-ifs and how the traffic flows now.
    Licensing depends on how many APs you want to be able to support... maybe you want to have licenses for one of the largest sites, or maybe enough licenses for two large sites to fail over. This will also tell you what controller model you have to go with, since there is a max number of APs depending on the WLC.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • WLC & RADIUS Issue

    Hi,
    I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QOS for the RADIUS traffic but they are still reporting problems.
    Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.
    RADIUS server 10.x.x.x:1645 deactivated in global list
    RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
    What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?
    Is this the case?
    Thanks

    Thanks JG,
    Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?
    (In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user.)
    Could this almost be a denial of service style issue?
    Thanks

  • WLC-Radius Integration..

    Hi
    I want to do the WLC authentication with RADIUS. The problem is that when I enter the username and password, RADIUS shows authentication passed, but the telnet prompt asks again for username and password as if the username/password were wrong.
    Attached are the debug capture of the WLC and the RADIUS config summary.
    Can you please help me on the same?

    Hi
    A similar incident I have observed on cisco.com.
    Problem Title
    Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
    Resolution: For the Remote Access Dial-In User Service (RADIUS) user to login to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type. If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute. Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
    It seems everything is OK in the WLC and the RADIUS attribute is the problem..

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the RADIUS packets with the WLAN's "dynamic" interface IP address. The problem is that the RADIUS server doesn't respond to these requests. RADIUS is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet capture shows the correct NAS IP address (the WLAN interface IP address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look at the packet captures I took earlier and the attributes in the Access-Request look OK - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of RADIUS packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy

  • WLC RADIUS attribute with Cisco ISE

    Hi All,
    Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
    My Authentication Policy :
         Name: IsGuestAuthen
         IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
    My Authorization Policy :
         Name: IsGuestAuthen
         IF "Guest" THEN "InternetOnly"
    When I monitor the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
    Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
    Thanks,
    Pongsatorn Maneesud

    Exactly...here is the list of attributes sent in the access-request from the wlc -
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The Framed-IP-Address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs, here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WLC Radius Credentials Caching

    We are using PEAP with ACS/AD as the external Database. The issue or behavior that we are experiencing is that clients require a Cached AD Token for the user authenticate against for the first time. The Client does not get an IP until authenticated and therefore cannot contact the DC.
    We have shared laptops an its not feasible to cache all AD profiles(Tokens) to the laptop.
    Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow a user to authenticate against multiple laptops? Is the above behavior correct (cached token required)? Is there another approach to authenticating shared resources with PEAP/RADIUS (ACS)/AD?

    I have RADIUS authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that has never logged into a laptop (configured for AD) gets "Domain not available" if we try via wireless for that user's first login. I fully understand the issue, which is that the client has not been issued an IP because they have not been authenticated.
    More than likely there is not a workaround for this scenario other than logging in via wired with the new AD user credentials, in effect caching the AD profile locally.
    What I would like to address, because my users are transient (nurses and doctors that share laptops), is how to lessen the number of times a wired login is needed by caching the AD account at the WLC. I may be off base as to the function of this feature, but it's not very well documented (from what I have found).

  • WLC radius discussion

    Hi all,
    I have a mixed setup of WLC and autonomous APs in my network architecture. In our setup all wireless clients pass through MAC authentication and then user ID/password authentication. I want the MAC authentication request to go to ACS server 1, while for user credential verification the request should go to server 2. In the autonomous AP I can achieve the requirement with the following configuration.
    aaa group server radius rad_eap
    server 172.X.Y.103 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    server 172.X.Y.104 auth-port 1812 acct-port 1813
    aaa authentication login mac_methods group rad_mac
    aaa authentication login eap_methods group rad_eap
    radius-server host 172.X.Y.103 auth-port 1812 acct-port 1813 key 7 120A0D16190E2C0C2B25201F6231361B2921
    radius-server host 172.X.Y.104 auth-port 1812 acct-port 1813 key 7 0448030704246C4608170120430F180C041C
    By the above configuration in the AP I can send the MAC auth request to the 172.X.Y.104 server and EAP authentication to the 172.X.Y.103 server.
    However, I want to do the same on my WLC also.
    Can anyone guide me on how to do the same in the GUI or through the command line?

    If you want to do MAC filtering on one WLAN and standard 802.1x on another you can select which RADIUS server to use is the Security tab -> AAA Servers of each WLAN. To do both on the same WLAN there is no functionality on the WLC to allow you to split the roles the way you want to. Sorry.
    -Eric
    Cisco Wireless TAC
    Sent from Cisco Technical Support iPhone App

  • WLC Radius source IP

    Hi
    I have just configured a 4404 WLC running 7.0.116 for PEAP with MSCHAPv2 and a load of APs. The RADIUS server is an old Cisco ACS 3.3 box the customer has and we are using self-signed certificates on the ACS.
    It works fine, but what I found strange was that the ACS sees the source IP of the RADIUS packets as being the WLAN dynamic interface IP address on the WLC, not the WLC management IP. This stopped it working until we noticed that, as the ACS was reporting unknown NAS.
    I thought that all AAA should be sourced from the WLC management IP address; in fact I have seen this stated in the WLC FAQ.
    The management IP address is 172.18.0.2 /16 and the WLAN dynamic interface is 10.200.10.254 /24, with the ACS being 172.31.1.22, so it's not like the ACS is on a directly attached interface of the WLC either.
    Any idea why it should be doing this?

    Figured it out.
    On the WLC the WLAN template for a couple of the controllers had "Radius Server Overwrite interface" selected, which does exactly this: it changes the source IP from the management IP to the dynamic interface IP. Not sure why it was selected as it wasn't on the template for any of the other WLANs. But it's fixed now so that's good.

  • WLC - radius down, possible to have auth none as secondary?

    Let's say I have a 5508 WLC and have configured a WLAN with web-auth and RADIUS authentication.
    The one and only configured RADIUS server goes offline. In the event this should happen, is it possible to allow clients to connect anyway? Auth none as secondary?
    Appreciate any thoughts

    Chris,
    No, unfortunately not. Once you select 802.1X (RADIUS) you are bound to that security type. The controller will not allow non-EAP traffic on that WLAN unless it gets an EAP SUCCESS frame. The EAP success frame from the RADIUS server is sent to the WLC and it tells the WLC to open the controlled port to allow traffic to pass.
    Top of my head alternatives:
    You might consider another SSID with the same name with OPEN security. Manually enable it after failure of the RADIUS server.
    Create the user accounts on the WLC and allow the WLC to act as your RADIUS server. If you have a large environment this may not be realistic.

  • WLC Radius Attribute support

    Hi,
    WLC is running the 4.0.217.203 version. I managed to find Document ID: 96103 but it did not mention the supported WLC version.
    Do I need to upgrade the WLC ?
    Regards,
    Ron

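The "silent discard" raised in the "radius server overwrite interface" thread above refers to the RFC 2869 Message-Authenticator check: the server recomputes HMAC-MD5 over the entire Access-Request (with the attribute's own 16 value bytes zeroed) using the shared secret and drops the packet without any reply, and without any log entry, if the value is absent or does not match. This added example (not ACS or WLC code) builds such a request and runs the server-side check; the shared secret, the Request Authenticator, the user name and the NAS address are constructed, and requiring the attribute to be present is an assumed server policy.

```python
"""Build an Access-Request with a Message-Authenticator (attribute 80) and
check it the way a RADIUS server does. Added example; all values constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 1, 4, 80
ZERO16 = bytes(16)
SECRET = b"constructed-shared-secret"      # constructed; never reuse in production
REQ_AUTH = bytes(range(16))                 # constructed; a real NAS uses os.urandom(16)


def attr(atype, value):
    """Type-Length-Value encoding; Length covers the 2 header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, req_auth, attrs, secret, with_ma=True):
    """Assemble the packet; the MAC is computed last over the whole packet with a zeroed placeholder."""
    body = b"".join(attrs)
    if with_ma:
        body += attr(MESSAGE_AUTHENTICATOR, ZERO16)   # placeholder is the last attribute
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    if with_ma:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt


def iter_attrs(pkt):
    """Yield (type, offset, value) for each attribute; reject malformed lengths."""
    off = 20
    while off < len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield atype, off, pkt[off + 2:off + alen]
        off += alen


def check_message_authenticator(pkt, secret):
    """Server side: 'ok', or the reason the packet would be silently discarded."""
    for atype, off, value in iter_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "discard: bad Message-Authenticator length"
            zeroed = pkt[:off + 2] + ZERO16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(expected, value):
                return "ok"
            return "discard: Message-Authenticator mismatch"
    return "discard: Message-Authenticator missing"   # assumed policy: attribute required


def demo():
    """Four requests: good, tampered User-Name, wrong shared secret, attribute omitted."""
    attrs = [attr(USER_NAME, b"alice"), attr(NAS_IP_ADDRESS, bytes([10, 200, 10, 254]))]
    good = build_access_request(7, REQ_AUTH, attrs, SECRET)
    tampered = good[:22] + b"alicf" + good[27:]        # flip one byte of User-Name
    missing = build_access_request(7, REQ_AUTH, attrs, SECRET, with_ma=False)
    return (check_message_authenticator(good, SECRET),
            check_message_authenticator(tampered, SECRET),
            check_message_authenticator(good, b"wrong-secret"),
            check_message_authenticator(missing, SECRET))
```

A mismatched shared secret for the new source address and an intact packet look identical from the NAS side, which is why a capture that "looks OK" can still get no answer.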
