WLC & RADIUS Issue

Hi,
I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QoS for the RADIUS traffic but they are still reporting problems.
Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.
RADIUS server 10.x.x.x:1645 deactivated in global list
RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?
Is this the case?
Thanks

Thanks JG,
Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?
(In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user.)
Could this almost be a denial of service style issue?
Thanks
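The concern in this thread is that one unknown client can walk the controller through every RADIUS server in the list, deactivating each in turn. The following detector, added here as an example and not part of the original thread or of any Cisco tool, replays WLC message-log lines of the kind quoted above and raises two findings: every configured server inactive at the same time, and a client whose unknown-user attempts keep timing out. The log sample is constructed; the `*Mon DD HH:MM:SS.mmm:` timestamp prefix is assumed from the format other posts on this page show, and the server addresses are made up.

```python
"""Replay WLC RADIUS server state messages and flag a full server outage.
Constructed example; the log lines, addresses and timestamp format are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Message-log line as it appears on this page, e.g. "*Mar 09 03:15:09.765: <message>".
LINE_RE = re.compile(r"^\*(\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+: (.*)$")
# Both wordings seen in the thread: "... in global list" and "... on WLAN 1".
STATE_RE = re.compile(
    r"RADIUS server (\S+):(\d+) (activated|deactivated) (?:in global list|on WLAN \d+)")
FAIL_RE = re.compile(
    r"RADIUS server (\S+):(\d+) failed to respond to request \(ID \d+\) "
    r"for client ([0-9a-f:]{17}) /user '([^']*)'")

# Constructed sample: three servers are deactivated in quick succession while one
# client with an unknown user keeps timing out, then the first server comes back.
SAMPLE_LOG = """\
*Mar 09 03:15:09.765: RADIUS server 10.0.0.11:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:09.770: RADIUS server 10.0.0.11:1645 deactivated in global list
*Mar 09 03:15:11.002: RADIUS server 10.0.0.12:1645 failed to respond to request (ID 66) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:11.010: RADIUS server 10.0.0.12:1645 deactivated in global list
*Mar 09 03:15:12.300: RADIUS server 10.0.0.13:1645 failed to respond to request (ID 67) for client 00:0b:6b:87:54:d2 /user 'unknown'
*Mar 09 03:15:12.310: RADIUS server 10.0.0.13:1645 deactivated in global list
*Mar 09 03:16:40.100: RADIUS server 10.0.0.11:1645 activated on WLAN 1
"""


def parse_ts(stamp, year=2009):
    """WLC log stamps carry no year; 2009 is an assumed value for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyse(log_text, configured_servers, repeat_threshold=3):
    """Return (server_state, findings).

    server_state maps "ip:port" to "active"/"inactive" as the controller sees it.
    findings lists: all configured servers inactive at once (with how quickly the
    list was exhausted), and clients whose attempts timed out repeatedly."""
    state = {s: "active" for s in configured_servers}
    first_outage_at = None
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        fail = FAIL_RE.search(msg)
        if fail:
            failures[(fail.group(3), fail.group(4))] += 1
            continue
        st = STATE_RE.search(msg)
        if not st:
            continue
        server = f"{st.group(1)}:{st.group(2)}"
        if st.group(3) == "deactivated":
            if first_outage_at is None:
                first_outage_at = ts
            state[server] = "inactive"
            if all(v == "inactive" for v in state.values()):
                span = (ts - first_outage_at).total_seconds()
                findings.append(f"{ts:%b %d %H:%M:%S} ALL_RADIUS_SERVERS_INACTIVE "
                                f"({len(state)} servers deactivated within {span:.0f}s)")
        else:
            state[server] = "active"
            first_outage_at = None
    for (mac, user), n in failures.items():
        if n >= repeat_threshold:
            findings.append(f"REPEATED_TIMEOUTS client={mac} user={user} count={n}")
    return state, findings


if __name__ == "__main__":
    servers = ["10.0.0.11:1645", "10.0.0.12:1645", "10.0.0.13:1645"]
    final_state, alerts = analyse(SAMPLE_LOG, servers)
    print(final_state)
    for a in alerts:
        print(a)
```

Feeding the real message log through `analyse` with the five ACS addresses gives a direct answer to the question in the thread: if the `ALL_RADIUS_SERVERS_INACTIVE` finding fires, a single unknown client did take every server out of rotation, and the span tells you how fast.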

Similar Messages

  • Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

    Hello,
    I cannot authenticate the IP phone when I use the internal WLC RADIUS with a profile "eap-fast".
    The error message I received on a debug is:
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
    But of course there is a user configured on my ipphone !
    Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)
    Note2: When I use LEAP it is OK
    Note3: When I try with my PC to authenticate in eap-fast with internal WLC radius, it is OK.
    See attachment for more detail.
    Many thanks in advance.
    Michel Misonne
    *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous

    ABSOLUTELY DO NOT DO THIS!
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart
    Please take a look at
    https://supportforums.cisco.com/docs/DOC-12110
    config advanced eap identity-request-timeout 5
    config advanced eap identity-request-retries 12
    config advanced eap request-timeout 5
    config advanced eap request-retries 12
    would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
    HTH,
    Steve

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me detailed description on how WLC Radius Server Load balance works.
    Because I encountered a problem of a user authenticated with the 1st RADIUS server, but the accounting records are actually on the 2nd server.
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means: when the 1st radius server shows dead, WLC moves to the second. And will only change again when the 2nd is dead too.
    -Passive means: when the 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again
    -Active means : WLC constantly sends radius probes to detect when primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.
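The three modes as a small behavioural model, written for this page as an added example; it is not Cisco's implementation and only follows the config guide text quoted above. The two numbers it needs, the passive-mode "time period" (60 s here) and the active-mode probe interval (30 s), are assumed placeholders because the guide does not state them. `run_scenario` plays the same story in each mode: the primary is down when authentications start, recovers at t=40, and the trace shows which server each request goes to and whether it succeeded.

```python
"""Model of the WLC RADIUS fallback modes off / passive / active.
Constructed example; ignore period, probe interval and addresses are assumed."""
import math
from dataclasses import dataclass


@dataclass
class Server:
    address: str
    priority: int                 # lower value = preferred
    alive: bool = True            # scenario-controlled real health of the server
    inactive_until: float = 0.0   # controller's view: ignored while now < inactive_until


class FallbackModel:
    def __init__(self, servers, mode, ignore_period=60.0, probe_interval=30.0):
        assert mode in ("off", "passive", "active")
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.mode = mode
        self.ignore_period = ignore_period      # assumed value for "a time period"
        self.probe_interval = probe_interval    # assumed value for active probing
        self.current = self.servers[0]          # used by mode "off" only
        self.next_probe = 0.0
        self.events = []

    def _run_probes(self, now):
        """Active mode: probes run on their own timer, independent of user traffic."""
        if self.mode != "active" or now < self.next_probe:
            return
        self.next_probe = now + self.probe_interval
        for s in self.servers:
            if s.inactive_until > now and s.alive:
                s.inactive_until = 0.0
                self.events.append(f"t={now:g}: probe succeeded, {s.address} reactivated")

    def _select(self, now):
        if self.mode == "off":
            return self.current     # sticks to the server it moved to
        for s in self.servers:      # passive/active: first non-ignored server by priority
            if s.inactive_until <= now:
                return s
        return self.servers[0]      # assumption: everything inactive, retry the primary

    def authenticate(self, now):
        """Send one authentication at time `now`; returns (server address, success)."""
        self._run_probes(now)
        s = self._select(now)
        if s.alive:
            return s.address, True
        self.events.append(f"t={now:g}: {s.address} failed to respond, deactivated")
        if self.mode == "off":
            idx = self.servers.index(s)
            self.current = self.servers[(idx + 1) % len(self.servers)]
        elif self.mode == "passive":
            s.inactive_until = now + self.ignore_period   # retried by a later user request
        else:
            s.inactive_until = math.inf                   # only a probe can bring it back
        return s.address, False


def run_scenario(mode):
    """Primary dead at start, recovers before t=50. Returns [(t, server, ok), ...]."""
    a, b = Server("10.0.0.11", 1), Server("10.0.0.12", 2)
    model = FallbackModel([a, b], mode)
    a.alive = False
    trace = []
    for t in (0, 1, 50, 61, 62):
        if t == 50:
            a.alive = True
        trace.append((t, *model.authenticate(t)))
    return trace


if __name__ == "__main__":
    for mode in ("off", "passive", "active"):
        print(mode, run_scenario(mode))
```

The trace makes the difference between the modes concrete: in `off` the controller never returns to the primary while the secondary is healthy; in `passive` it returns only when a real user request is used to retry the primary after the ignore period (and that user eats the timeout if the primary is still down); in `active` the probe restores the primary without any user noticing.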

  • WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

    Hello,
    In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
    On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
    I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
    Thanks,

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • WLC and Radius issue

    We keep getting the following error, and every time we get it, the clients are forced to re-authenticate.
    Any idea?
    Thanks,
    RADIUS server 10.108.32.33:1812 activated on WLAN 1
    RADIUS server 10.140.4.9:1812 deactivated on WLAN 1

    Go to clients. Look up the client by mac address and look at the PEM state. It will tell you why the client is failing ..
    DHCP_REQ is meaning there is a DHCP issue
    8021x_REQ means it failed auth
    You could also turn off exclude as a test, perhaps these clients are a little slow to auth.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WLC and windows radius issue and another problem

    Hi everyone.
    We have a problem with a customer wireless infrastructure which has a WLC using a Windows 2003 RADIUS server for authentication.
    The users can't connect to the SSID since Monday. Nothing has been changed and the configuration is correct.
    I think it's a client problem because the clients who use Linux can connect.
    Any idea?
    I have attached a debug dot1x events when a Windows client tries to connect.
    We have another problem with another SSID using local wpa2/pkm/ascii authentication.
    This SSID is used for smartphones. The clients who use Android can connect, the clients who use iPhone can't.
    Is this a conspiracy? xD
    Thank you in advance.
    Best regards

    for the debug you attached, I see the client send an EAPOL start message, after it gets the Identity request.  It seems to move beyond that, and then
    Jul 30 15:36:47.396: 18:3d:a2:65:bd:54 Processing Access-Reject for mobile 18:3d:a2:65:bd:54
    I'd take a look at the IAS logs to see why this particular client was rejected.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • ISE WLC Integration issues

    We are in the process of integrating ISE into our WLC and are planning on implementing HReap (Flexconnect) local switching.  We have setup the ISE server as a Radius entry in the WLC and added WLC to ISE, same shared secret.  We have a test SSID configured on the WLC and it is using the entry to ISE for AAA.  We have used "none" for layer 2 security as well as WPA.......but we never see any activity on the ISE server.  Also from the WLC if we do a show radius auth stat there doesn't appear to be any traffic sent from the WLC to ISE.
    (Cisco Controller) >show radius auth sta
    Authentication Servers:
    <Output Omitted>
    Server Index..................................... 4
    Server Address................................... IP ADDRESS OF ISE
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Pending Requests................................. 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    We have integrated ISE with a switch and ASA and have always been able to get some activity on the ISE authentication monitor.
    Thanks,
    Joe
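The counters Joe pasted are the quickest check that the WLC is actually talking to the server, and the same block is also where a shared-secret problem shows up. The parser below is an added example for this page, not a Cisco tool; it reads `show radius auth statistics` output into per-server records and flags three conditions: an entry with no requests ever sent (the ISE case above), a timeout ratio above a threshold, and non-zero Bad Authenticator counts. The sample output is constructed; the addresses and counter values are made up, and the 20% timeout threshold is an assumed value.

```python
"""Parse 'show radius auth statistics' and flag servers that need a look.
Constructed example; sample counters, addresses and threshold are assumed."""
import re

# "Key....... value" lines; the dots leader separates key from value.
FIELD_RE = re.compile(r"^(.*?)\.{2,}\s*(.*)$")

# Constructed sample: server 1 is in use but unhealthy, server 4 has never been sent anything.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show radius auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.0.0.11
Msg Round Trip Time.............................. 12 (msec)
First Requests................................... 100
Retry Requests................................... 45
Accept Responses................................. 60
Reject Responses................................. 5
Challenge Responses.............................. 300
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 2
Pending Requests................................. 0
Timeout Requests................................. 30
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 4
Server Address................................... 10.0.0.14
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
"""


def parse_radius_auth_stats(text):
    """Return a list of dicts, one per 'Server Index' block, keyed by field name."""
    servers, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue                      # prompt, headings and omitted-output markers
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Server Index":
            current = {"Server Index": value}
            servers.append(current)
        elif current is not None:
            current[key] = value
    return servers


def _count(stats, key):
    return int(stats.get(key, "0").split()[0])   # "12 (msec)" -> 12


def check_server(stats, max_timeout_ratio=0.2):
    """List of human-readable issues for one server block (empty = looks healthy)."""
    issues = []
    first = _count(stats, "First Requests")
    timeouts = _count(stats, "Timeout Requests")
    if first == 0:
        issues.append("no requests sent to this entry: the WLAN is not using it")
    elif timeouts / first > max_timeout_ratio:
        issues.append(f"{timeouts}/{first} requests timed out")
    if _count(stats, "Bad Authenticator Msgs"):
        issues.append("bad authenticator responses: check the shared secret")
    if _count(stats, "Malformed Msgs") or _count(stats, "Unknowntype Msgs"):
        issues.append("malformed or unknown-type messages received")
    return issues


def report(text):
    """Map server address -> issues for every server in the output."""
    return {s["Server Address"]: check_server(s) for s in parse_radius_auth_stats(text)}


if __name__ == "__main__":
    for address, issues in report(SAMPLE_OUTPUT).items():
        print(address, issues or ["ok"])
```

An entry that reports every counter at zero, as in the post above, is not a server problem at all: nothing left the controller, so the fix is on the WLAN-to-server mapping, not on ISE.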

    Wireless will not do dACLs with or without FlexConnect.  In centrally switched networks you can use Named ACLs which are different than dACLs.
    But you are correct with FlexConnect (pre-7.5*) you can use FlexConnect ACLs tied to the VLAN.  Then you can use ISE to set the VLAN.
    *As of 7.5 version of code you can now user named ACLs on Locally Switched users, but it is still a named ACL and not a dACL.
    From the release notes
    In the earlier releases, you could have a per client access control list (ACL) in a centrally switched traffic. In this release, this feature has been enhanced to support ACL for local switching traffic with both central and local authentication. Client ACL is returned from AAA on successful client Layer 2 authentication as part of Airespace RADIUS attributes. As the Airespace RADIUS attribute is an ACL name, the ACL must be already present on the FlexConnect AP.
    In downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
    There are some other limitations when using FlexConnect that you should be aware about.
    This guide will show you how to use Centrally Authenticated with Locally Switched
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
    This document will show you the feature matrix for ISE and FlexConnect
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml
    If you are using Active Directory I would recommend against using LDAP because there are more features when using the native AD integration.  If you are not using AD then the issue with the Secure LDAP is probably related to the CA certificate not being installed correctly.

  • WLC 4400 issue on "user login policies" parameter.

    Hi,
    I'm using a Cisco Wireless controller in my company.
    (the model is a AIR-WLC4402-50-K9 in 4.2.207.0 version).
    The WLAN is configured with WPAv2 AES and 802.1X (PEAP MS-CHAPv2) authentication on an external Microsoft IAS server (2003 R2).
    The authentication relies on the Active Directory login and password.
    The user authentication works fine and the WLAN too.
    But it's possible for a single user to log on different laptops with the same AD login and password and use the wireless network.
    And it has to be forbidden by the "user login policies" parameter set to 1 on the WLC (in security parameters).
    Does anybody know if it's a known issue and how to solve this problem?
    thanks,
    raphael Paviot.

    Dancampb,
    Many thanks ,  you're right, I have to find the solution on IAS server side.
    In fact, I have also applied these commands on the controller and the max-user login works (in the case of an external radius server).
    I have seen it in the "message logs".
    (Cisco Controller) config>advanced eap max-login-ignore-identity-response disable
    (Cisco Controller) config> netuser maxuserLogin 1
    But the problem still remains, because the IAS server is not case sensitive for user logins, unlike the Wireless Controller.
    For example:
    raphaelpaviot login and RaphaelPAVIOT login are:
    -one user for the IAS server.
    -two different users on the WLC.
    cordially.

  • WLC Radius Credentials Caching

    We are using PEAP with ACS/AD as the external database. The issue or behavior that we are experiencing is that clients require a cached AD token for the user to authenticate against for the first time. The client does not get an IP until authenticated and therefore cannot contact the DC.
    We have shared laptops and it's not feasible to cache all AD profiles (tokens) to the laptop.
    Will the Radius Authentication Server - Credential Caching option help by caching authenticated client sessions to the WLC and allow user to authenticate against multiple laptops? Is the above behavior correct(cached Token required)? Is there another approach to authenticating shared resources with PEAP/Radius(ACS)/AD

    I have Radius Authentication working. I even have Active Directory being used as the external database for clients. The problem is that a user that never has logged into a laptop (configured for AD) gets "Domain not available" if we try via wireless for that user's first login. I fully understand the issue, which is that the client has not been issued an IP because they have not been authenticated.
    More than likely there is not a workaround for this scenario other than logging in via wired with the new AD user credentials, in effect caching the AD profile locally.
    What I would like to address, because my users are transient (nurses and doctors that share laptops), is how to lessen the number of times a wired login is needed by caching the AD account at the WLC. I may be off base on the function of this feature but it's not very well documented (from what I have found).

  • AP - WLC joining issue

    We have 3 WLC's (5500) in our network and about 150 AP's. Only 4 AP's register to 1 controller, over 70 to the 2nd and about 50 to the 3rd. On checking & comparing a few of the AP's this is what I concluded.
    1. 4 AP's that registered to the first WLC did not have that AP in the primary, secondary or tertiary list. If it was there then it was either secondary or tertiary, or the device name entered is not resolvable by DNS but the device name is correct. Management IP was not configured on any of the 4 AP's for any of the WLC's.
    2. AP's registered to the second and third WLC's have similar config. First WLC as primary, second as secondary and third as tertiary with correct DNS name in the field but wrong device name. Also all have Management IP's entered as well.
    CAPWAP Join Taken Time for the 4 AP's varies from 6 to 10 mins while for other AP's it's a few seconds. DNS for cisco-capwap-controller points to the WLC with 4 AP's. I do not see any use of the option in DNS for WAP's.
    How can I make AP's join this WLC?
    Should I get the DNS and device name discrepancy corrected?
    What is the selection process for AP's to choose a WLC, as I see AP's not joining the WLC in their building but joining a WLC in another adjacent building? Is there a way for me to influence this decision?

    What is the selection process for AP's to choose a WLC, as I see AP's not joining the WLC in their building but joining a WLC in another adjacent building? Is there a way for me to influence this decision?
    Best way to do this is configure AP High Availability of APs with primary, secondary, tertiary WLC name & IP (both fields required). This takes precedence over any other method.
    http://mrncciew.com/2013/04/07/ap-failover/
    If you have AP join issue, try to configure DHCP option 43 & see if that helps
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html
    If this is one off case, you can try static or broadcast forwarding as a interim solution
    http://mrncciew.com/2013/03/17/ap-registration/
    http://mrncciew.com/2013/05/04/wlc-discovery-via-broadcast/
    HTH
    Rasika
    *** Pls rate all useful responses ***

  • WLC-Radius Integration..

    Hi
    I want to do the WLC authentication with RADIUS. The problem is when I enter the username and password, in RADIUS it shows authentication passed but in the telnet prompt it asks again for username and password as if the username/password were wrong.
    Attached are the debug capture of the WLC and the RADIUS config summary.
    Can you please help me on the same?

    Hi
    I have observed a similar incident on Cisco.
    Problem Title
    Unable to login to WLC even after the successful authentication message is received from the RADIUS Server
    Resolution: For the Remote Access Dial-In User Service (RADIUS) user to log in to the controller, the login user entry in the RADIUS server has to be associated with an attribute, Service-Type. If this attribute is not sent back to the controller from the ACS, the authentication finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. But, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute. Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
    It seems everything is OK in the WLC and the RADIUS attribute is the problem.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters).
    There are 3 modes for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as :
    Passive — Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if it's configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC "radius server overwrite interface" setting

    Hello
    I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
    When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't respond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
    Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
    I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
    Thanks
    Andy

    Hi Scott
    installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
    I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
    My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
    Thanks for your help with this.
    Cheers
    Andy
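Two posts in this list come down to single RADIUS attributes: the WLC management login that loops back to the prompt because the Access-Accept carries no Service-Type (attribute 6), and Andy's suspicion that ACS is silently discarding Access-Requests whose Message-Authenticator (attribute 80) does not verify. The code below is an added example written for this page, not WLC or ACS code. It builds an Access-Request with a correct Message-Authenticator, verifies one the way RFC 2869 requires a server to (silent discard on failure, which is why nothing appears in the logs), and inspects an Access-Accept for Service-Type. The shared secret, identifier, addresses and NAS-Identifier are made-up values.

```python
"""RADIUS Message-Authenticator (RFC 2869) and Service-Type (RFC 2865) checks.
Constructed example; secret, identifier and attribute values are assumed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 4, 6
ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 32, 80
# Service-Type values relevant to a management login (RFC 2865 names).
SERVICE_TYPE_NAMES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}


def encode_attrs(attrs):
    """[(type, value-bytes), ...] -> RADIUS attribute TLV stream."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """TLV stream -> [(type, value)], rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(secret, identifier, attrs, request_auth=None):
    """Access-Request whose last attribute is a valid Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    # HMAC-MD5 keyed with the shared secret over the whole packet, MA value zeroed.
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_access_request(secret, packet):
    """True when the Message-Authenticator verifies. On False a server silently
    discards the packet (RFC 2869): no Access-Reject and no authentication record."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        offset, found = 20, None
        for attr_type, value in decode_attrs(packet[20:]):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                found = (offset + 2, value)          # byte offset of the MA value
            offset += 2 + len(value)
    except ValueError:
        return False
    if found is None:
        return False                                 # absent: also a discard for EAP
    start, received = found
    zeroed = packet[:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_access_accept(secret, request, attrs):
    """Access-Accept answering `request`; Response Authenticator per RFC 2865."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    response_auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + response_auth + body


def accept_service_type(packet):
    """Service-Type value in an Access-Accept, or None when the server omitted it."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    for attr_type, value in decode_attrs(packet[20:]):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(secret, 65, [(ATTR_USER_NAME, b"admin"),
                                            (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
                                            (ATTR_NAS_IDENTIFIER, b"wlc-test")])
    print("request verifies:", verify_access_request(secret, req))
    acc = build_access_accept(secret, req, [(ATTR_SERVICE_TYPE, (6).to_bytes(4, "big"))])
    print("Service-Type:", SERVICE_TYPE_NAMES.get(accept_service_type(acc)))
```

Running a captured Access-Request through `verify_access_request` with the configured secret is a quick way to test the silent-discard theory offline: a packet that fails here with the correct secret is one the server is entitled to drop without a trace, whereas one that verifies points the search elsewhere (the NAS-IP/NAS-Identifier to client-definition mapping on the server, for instance).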

  • 5508 WLC redundancy issue.

    I am trying to set up fail-over for a Cisco 5508 Wireless LAN Controller which is using 7.4 version software. I set up the redundancy port and peer redundancy.
    While checking, one becomes active and the other becomes standby.
    It's showing everything perfectly including peer, standby-hot etc. (XMLs matched also).
    I disconnect the 1st WLC uplink and then the standby becomes active. Fine.
    Later I connected the 1st WLC link and disconnected the 2nd WLC (currently active). Here comes the issue.
    Then the other WLC is not becoming active and it enters into Maintenance mode. Means down.
    Why does this issue happen?
    One thing I need to highlight is, one WLC is having a 50 AP base license count and the other WLC is having a 250 AP base license count.
    Will this be an issue? Should the license count be the same on both?
    If so, how can I trim down 250 to 50 AP base license?
    Any clues? Help me!

    You don't have to trim down the license. The license amount is going to be what you have on the primary. As far as failover the way you're doing it, I don't think it's supported that way. Only a hard failure. So you will have to manually switch the primary back.
    Sent from Cisco Technical Support iPhone App

  • WLC RADIUS attribute with Cisco ISE

    Hi All,
    Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?
    My Authentication Policy :
         Name: IsGuestAuthen
         IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"
    My Authorization Policy :
         Name: IsGuestAuthen
         IF "Guest" THEN "InternetOnly"
    When I monitor the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me?
    Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.
    Thanks,
    Pongsatorn Maneesud

    Exactly...here is the list of attributes sent in the access-request from the wlc -
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The framed IP address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
