WLC RADIUS Server Failover - Passive mode timer

Similar Messages

• WLC Radius Server Load Balance

  Hi,
  Can someone provide me detailed description on how WLC Radius Server Load balance works.
  Becuase, I encounted a problem of User Authenticated with the 1st Radius Server, but Accounting Records are actually on 2nd Server .
  Any response will be very appreciated
  -Angela

  Hi Angela,
  I pasted below the part of config guide explaining the different modes. In summary :
  -Fallback off means : when 1st radius server shows dead , WLC moves to the second. And will only change again when the 2nd is dead too.
  -Passive means : whent 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again
  -Active means : WLC constantly sends radius probes to detect when primary is back up.
  config radius fallback-test mode {off | passive | active}
  where
  •off disables RADIUS server fallback.
  •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
  •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

• WLC "radius server overwrite interface" setting

  Hello
  I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
  When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't repond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
  Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
  I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
  Thanks
  Andy

  Hi Scott
  installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
  I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
  Mt production ACS cluster was upgraded from latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
  Thanks for your help with this.
  Cheers
  Andy

• Multiple stand alone servers using one radius server?

  Hello, I have a question.
  I'm working for a company and our problem is we need a username and password for every server.
  We would like to set up a Radius server using an extension so it can use a SQL database for the users.
  Is it possible to put 1 username and 1 password for each user in this database so we don't need more then one for each server?
  Also can we set up policy's for those users so they can't access every stand-alone server.
  Kind Regards,
  Michael

  Hi,
  Based on my research, when a RADIUS client (access server) sends connection requests and accounting messages to a RADIUS server, the RADIUS server will sends back an Access-Accept message or sends back an Access-Reject message to authenticate and authorize
  the connection requests based on a set of rules and the information in the user account database. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
  In addition, according to your description, it seems that you used the SQL database as the User account database. Did you use NPS as a RADIUS server? If yes, maybe you can configure related network policy to restrict access. I would appreciate it if you can
  introduce more detailed information about your environment. The link below may be helpful:
  Configuring Microsoft NPS (Network Policy Server) / (Internet Authentication Service)IAS as Wireless LAN Controller (WLC) RADIUS Server
  Best regards,
  Susie

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!

• Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

  Hello,
  What we are trying to do:
  John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
  We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
  We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
  Here is what we are seeing
  1. dynamic vlan assignment is not working -- radius server is set with the attributes
  2. RSA authentication works
  3. John and Mary are always put into the VLAN where the MGMT interface is
  4. I can see that attributes are making it back to the WLC by sniffing
  We are stuck at this point. Any help would be much appreciated,
  P.

  Here is a little more background:
  We have created a dynamic interface in VLAN 157
  Wireless LAN has been assigned to MGMT interface which is on VLAN 35
  This is a VWLC ver 7.4.100
  AP is attached to VWLC (only FlexConnect mode is supported)
  RADIUS Server has been configured
  Users are getting assigned to VLAN 35
  Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
  I dont see any atttributes in the capture when RSA sends to the VWLC
  I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
  And to answer your question we have sending a VLAN ID (157)

• When WLC authenticate users with secondary RADIUS server?

  Hi Sir,
  I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
  I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

  Hi,
  I navigated to the following on the WLC:
  MANAGEMENT -> SNMP -> Trap Logs
  I noticed the following SNMP trap:
  Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
  I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
  I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
  On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
  Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
  There are Passed Authentications logged on the 1st ACS server after during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

• Read file from FTP server (passive mode)

  HI,
  I want to read a file from a ftp server. I can do it by OpenStream() and read the file contents as a stream. But the ftp account is set as "PASSIVE Mode", so how to set it to passive mode and access the file ? Any thoughts?
  Thanks,
  thb.

  Hi,
  Thanks for your speedy response. How to set the PASV parameter, with the InputStream reader. Currently I am reading a file that is active thru. flg. steps.
  InputStream is = new URL("url").openStream();
  BufferedReader in = new BufferedReader(new InputStreamReader(is));
  Then, I am writing the stream contents to a file. So how to set up the PASV parameter?
  Thanks.

• Problems with re authentications in a wireless with WLC working with web authentication and a radius server

  Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
  When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

  A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
  I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
  Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
  You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• WLC not integrating with Radius Server

  Hello world,
  I have the following situation:
  One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
  Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.
  The infrastracture didn`t suffer modifications.
  What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
  There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
  The AP`s are 1242.
  I have tried deleting the SSID, configure it back. The OS on Windows Server is  2003 Standard. The AP`s are configured H-Reap.
  I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
  The message logs recived on WLC Trap Logs:
  RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
  The message from the debug dot1x aaa enable:
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
  The messages on Windows 2003 Standard:
  User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.
  Can anyone help why i cannot log the users via 802.1x ?

  Okay that is good..... this is what I would do next.  I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screen shot of your polices (connection and network) so we can review it. 

• What attributes are shared between a Radius Server and a WLC?

  I have a customer who is trying to setup a Radius server to authenticate Management users for the controller,
  she is using a Microsoft NPS R2 server. All good at this point.
  She needs to know what attributes are shared between the server and the WLC to complete the authentication
  because she is being successfully authenticated, but still unable to access the WLC.
  Someone knows what those attributes are?
  The only information at the moment that I found, was on a document that said that different management
  users can receive different Vendor-specific Attributes. That means that the returned attributes to the WLC
  will depend of what radius server model or platform you are using.

  Robin,
  For using Microsoft radius to authenticate management users, you can reference this document, which shows you the steps involved.
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91392-airespace-vsa-msias-config.html
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• WLC 5508 and Microsoft Radius Server 2008

  Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
  I have couple of questions:
  1, Does WLC 5508 support MS NPS on Server 2008 R2?
  2, Are there any good document showing how to configure this?
  Thanks

  Hadisharifi,
  There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
  Configure the WLC for RADIUS Authentication through an External RADIUS Server
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
  Fo the NPS side configuration, you may consider the attached document.
  Regds,
  JK
  Do rate helpful posts-

• Problem with passive mode FTP server and NAT

  Hi,
  I have a problem with Passive mode FTP and NAT.
  I am trying to run both an FTP server and sharing the Internet connection via NAT. I have by the way specified the passive ports to use in ftpaccess (65000-65534). Everything works fine until someone tries to connect via Passive mode. I have tracked the problem down to the firewall and the rule that handles NAT.
  Firewall rule config without NAT:
  00001 allow udp from any 626 to any dst-port 626
  01000 allow ip from any to any via lo0
  12300 allow ip from any to any
  65535 allow ip from any to any
  Firewall rule config with NAT
  00001 allow udp from any 626 to any dst-port 626
  00010 divert 8668 ip from any to any via en1
  01000 allow ip from any to any via lo0
  12300 allow ip from any to any
  65535 allow ip from any to any
  So, passive ports do not work when NAT is on. If I turn it off, Passive ftp works like a charm.
  But how do I solve my problem? I have in my quest for the answer stumbled upon "-punch_fw" but do not know how to use it or if it even helps me at all?
  Best regards,
  Peter
  B&W G3 Mac OS X (10.4.5)

  Media/Lacrosse-1-tiny.3gp
  I can't find the file on your server.
  They may also need to edit the .htaccess file to allow the .3gp file extension be used. Call them.

• The remote server returned an error: 227 Entering Passive Mode (201,199,193,165,154,52).

  Hi I have a problem 
  The remote server returned an error: 227 Entering Passive Mode (201,199,193,165,154,52).
  I dont knoe how to solve it 

  Hi,
  Please see the following links and try the methods to check if they are helpful:
  http://geekswithblogs.net/hmloo/archive/2012/10/16/the-remote-server-returned-an-error-227-entering-passive-mode.aspx
  http://social.msdn.microsoft.com/Forums/en-US/0128e595-c8e2-4f5e-9426-fd93eb510cab/the-remote-server-returned-an-error-227-entering-passive-mode-67228534212130?forum=netfxnetcom
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Then, it is not a Microsoft Office issue, you'd better post your question to MSDN forum:
  http://social.msdn.microsoft.com/Forums/en-US/home?forum=netfxnetcom
  Regards,
  George Zhao
  TechNet Community Support