WLC "radius server overwrite interface" setting

Hello
I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't repond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
Interestingly, the packet captures shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface)
I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
Thanks
Andy

Hi Scott
installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to request from WLC when  "radius server overwrite interface" is enabled on WLAN and nothing appears in the logs. With  "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
I had a look a the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this ietf document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the  "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
Mt production ACS cluster was upgraded from latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
Thanks for your help with this.
Cheers
Andy

Similar Messages

  • Flexconnect Radius Server Overwrite interface Question

    Hello All,
    Can someone confirm/comment on the following:
    In a flexconnect scenario, for site 1, i would like to source the radius requests to a remote radius (at the flexconnect site 1).  as i can understand i need to enable the RAdius Server Overwrite interface option. Is that all?
     Also, for flexconnect sites X this can also be done per WLAN X configuration. 
    Is this correct?
    Thanks

    Hi pana,
    Answers below :
    Meaning that, even if i configure the Flexconnect groups with local authentication, then how does the Flexconnect ap reach the local radius?
    When you are working with local authentication, the AP will communicate with the local RADIUS Server using the local routing in the branch office without the 802.1X traffic being sending to the WLC......the AP will communicate directly to the local radius server using it IP address and the local routing. (This communication is transparent if you see from the WLC because the WLC will not intermediate the authentication between the client and RADIUS, who will intermediate is the AP. The WLC will receive informations when the AP is in connected mode about the client and the authentication method and etc after the user was authenticated).
    Example :
                                                                                                               RADIUS SERVER
    WLC ----SWITCH L3------ROUTER----(MPLS Link)-----ROUTER---SWITCH L3---AP
    The WLC continues managing the Access Point but will  not"talk" to the RADIUS Server, who will "talk" to the RADIUS Server is the AP in the branch office using the SWITCH L3 (Asumming that you have the RADIUS in one network and the AP in another network in the same branch office)
    Understand now ?
    As i can understand, in a local switching/local authentication scenario the Flexconnect ap can only map a WLAN to local VLAN( route-able network on the remote site) that serves for the users-data plane. Then in conjunction with the radius server override option, how can this FlexconnectAP send requests to the local radius? I can only suppose that it will do so using the users locally mapped VLAN/WLAN but i cant reference this anywhere. 
    The AP will only send the requests do the local radius only if you configure the FlexConnect Local Auth and FlexConnect Group. Enabling this option the AP will use it IP Address to communicate with RADIUS without the WLC intermedianting this communication.
    Without the FlexConnect Local Auth enable in the WLAN the AP will continue directing the 802.1X requests to the WLC and the WLC will send to the RADIUS Server and in this situation if you enabled the radius overwrite interface the WLC will try to reach the RADIUS Server using the WLAN interface and not the management the interface. (You do not need the radius overwrite interface option to work with Local Auth if you want to use the AP as a Authenticatior, you only use this interface if you want that the WLC with central authentication direct the 802.1X authentications to the RADIUS)
    One information about the VLAN/WLAN is really mapped statically but you can manipulate it using the RADIUS Atrributes, changing the VLANs from the USERs based in the AD Group and after the authentication. It can work in local auth scenario or central auth scenario.
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#pgfId-1103070
    I hope it helps and if not helps i think i am not understanding the real question.

  • WLC Radius Server Load Balance

    Hi,
    Can someone provide me detailed description on how WLC Radius Server Load balance works.
    Becuase, I encounted a problem of User Authenticated with the 1st Radius Server, but Accounting Records are actually on 2nd Server .
    Any response will be very appreciated
    -Angela

    Hi Angela,
    I pasted below the part of config guide explaining the different modes. In summary :
    -Fallback off means : when 1st radius server shows dead , WLC moves to the second. And will only change again when the 2nd is dead too.
    -Passive means : whent 1st radius is dead, WLC moves to the second. If there is a new authentication coming in, it will try the 1st radius server again
    -Active means : WLC constantly sends radius probes to detect when primary is back up.
    config radius fallback-test mode {off | passive | active}
    where
    •off disables RADIUS server fallback.
    •passive causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller simply ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    •active causes the controller to revert to a server with a lower priority from the available backup servers by using RADIUS probe messages to proactively determine whether a server that has been marked inactive is back online. The controller simply ignores all inactive servers for all active RADIUS requests. Once the primary server receives a response from the recovered ACS server, the active fallback RADIUS server no longer sends probe messages to the server requesting the active probe authentication.

  • WLC RADIUS Server Failover - Passive mode timer

    In 7.2 WLC code, it appears it is now possible to specify which RADIUS servers are used as the preferred server for authentication (
    Security > AAA > RADIUS > Fallback to open the RADIUS > Fallback Parameters ).
    There are 3 mode for this: off, passive & active.
    In the passive mode, the operation is described in the config guide as :
    Passive
    —Causes the controller to revert to a server with a lower priority from the available backup servers without using extraneous probe messages. The controller ignores all inactive servers for a time period and retries later when a RADIUS message needs to be sent.
    Does anyone know how long this 'time period' is? If it is only a few seconds, then it could be that user authentications are being used to test against a failed RADIUS server frequently & will experience annoying time-out delays, causing support calls etc.
    Anyone know what it is, or if its configurable? I don't see anything in the docs...
    Nigel.

    Here you go.
    RADIUS Server Fallback Feature on WLC.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008098987e.shtml#passive

  • WLC Radius source IP

    Hi
    I have just configured a 4404 WLC running 7.0.116 for PEAP with MSCHPAv2 and a load of APs. The Radius server is an old Cisco ACS 3.3 box the customer has and we are using self signed certificates on the ACS.
    It works fine but waht I found strange was that the ACS sees the source IP of the radius packets as being the WLAN dynamic interface IP address on the WLC not teh WLC management IP. Stopped it working until we noticed that as the ACS was reporting unkown NAS,
    I though that all AAA should be sourced as the WLC managemnet IP address infact I have seen this stated in the WLC FAQ.
    The management IP address is 172.18.0.2 /16 and the WLAN dynamic interface is 10.200.10.254 /24 with the ACS being 172.31.1.22 o its not like the ACS is on a directly attached interface of the WLC either.
    Any idea why it should be doing this ?

    Figured it out.
    On the WLC the WLAN template for a couple of the controllers had
    "Radius Server Overwrite interface"
    Selected which does exactly this changes the source IP from the mangement IP to the dynamic interface IP. Not sure why it was selcted as it wasnt on the template for any of the other WLANs. But it's fixed now so thats good

  • Radius request source interface

                       HI !
    I have controllers WLC 5508 and release 7.4.
    If I, in  the WLAN configurations about AAA and radius servers, use the possibillty to change the radius request source interface by  "Radius Server Overwrite Interface" it will, use the interface that the SSID is configured to, as a source address.
    If my SSID is configured to a interface group, what will happend then??
    Will only the first configured vlan be used as a source or will he vary the source address between the vlan included inte the interface group?
    (It, of cource, need to be the the same every the time, every request and predictable)
    /mats

    Hi,
    Yes, I did get an answer on my tac-case on this. It will use the first configured vlan in the group.
    I have had it configured and use "radius server overwrite" on the interface group right now. It working this way since these months. It seems to work well.  :-)
    /mats

  • WLC2106 and External Radius Server

    I have a linux freeradius running fine.
    I have a WLC2106 configured and running fine.
    I have created a Wlan and I am trying to have authentication done by linux freeradius server, but controller even try to reach radius server.
    Any sugestion?
    Tks
    Rosa
    First of all radius configuration:
    Wlan configuration

    Thanks Jatin.
    Yes, I have defined linux server.
    I guess info can not go through and reach linux server because of a combination of some
    config like Radius Server Overwrite interface and Allow AAA Override

  • Multiple stand alone servers using one radius server?

    Hello, I have a question.
    I'm working for a company and our problem is we need a username and password for every server.
    We would like to set up a Radius server using an extension so it can use a SQL database for the users.
    Is it possible to put 1 username and 1 password for each user in this database so we don't need more then one for each server?
    Also can we set up policy's for those users so they can't access every stand-alone server.
    Kind Regards,
    Michael

    Hi,
    Based on my research, when a RADIUS client (access server) sends connection requests and accounting messages to a RADIUS server, the RADIUS server will sends back an Access-Accept message or sends back an Access-Reject message to authenticate and authorize
    the connection requests based on a set of rules and the information in the user account database. The Access-Accept message can contain connection restrictions that are implemented by the access server for the duration of the connection.
    In addition, according to your description, it seems that you used the SQL database as the User account database. Did you use NPS as a RADIUS server? If yes, maybe you can configure related network policy to restrict access. I would appreciate it if you can
    introduce more detailed information about your environment. The link below may be helpful:
    Configuring Microsoft NPS (Network Policy Server) / (Internet Authentication Service)IAS as Wireless LAN Controller (WLC) RADIUS Server
    Best regards,
    Susie

  • Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

    Hello,
    What we are trying to do:
    John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
    We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
    We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
    Here is what we are seeing
    1. dynamic vlan assignment is not working -- radius server is set with the attributes
    2. RSA authentication works
    3. John and Mary are always put into the VLAN where the MGMT interface is
    4. I can see that attributes are making it back to the WLC by sniffing
    We are stuck at this point. Any help would be much appreciated,
    P.

    Here is a little more background:
    We have created a dynamic interface in VLAN 157
    Wireless LAN has been assigned to MGMT interface which is on VLAN 35
    This is a VWLC ver 7.4.100
    AP is attached to VWLC (only FlexConnect mode is supported)
    RADIUS Server has been configured
    Users are getting assigned to VLAN 35
    Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
    I dont see any atttributes in the capture when RSA sends to the VWLC
    I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
    And to answer your question we have sending a VLAN ID (157)

  • How to set two radius servers one is window NPS another is cisco radius server

    how to set two radius servers one is window NPS another is cisco radius server
    when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
    i can not use both at the same time
    radius-server host 192.168.1.3  is window NPS
    radius-server host 192.168.1.1 is cisco radius
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Client Exclusion Policies on WLC not working with ISE as RADIUS Server

    Hi,
    for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
    Am I missing any settings here or do you have some tipps on how to troubleshoot this?
    Thanks very much!

    Hi Renata,
    If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
    If your Guest WLAN has the following:
    SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
    I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
    You can try and dull the noise a few ways.
    Option 1. create and ISE log filter on those alerts so they don't cluter the console.
    Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
    Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
    Option 4 - both 2 and 3
    The most effective option would be 3.
    Good Luck!

  • WLC 5508 Radius Server

    what is the authentication list precedence for radius authentication?
    global list       network user checkbox
    per wlan        aaa server add
    global list       network user uncheck
    i  have 3 radius server, 2 of which are use for gloabl authentication(all  ap are hreap) and a 3rd one use only for 1 site, when the 2 first radius  server fails the wlc use the 3rd one, but the 3rd only has database for  1 site users,
    do  i need to uncheck the network user checkbox on the 3rd radius and  create a hreap group then associate the 3rd one?  i dont want the 3rd  radius to be able for the gloabl list to take this as normal globla  radius. any commnets?

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for networkusers.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • WLC Web-auth fail with external RADIUS server

    I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
    My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
    : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • WLC not integrating with Radius Server

    Hello world,
    I have the following situation:
    One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
    Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.
    The infrastracture didn`t suffer modifications.
    What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
    There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
    The AP`s are 1242.
    I have tried deleting the SSID, configure it back. The OS on Windows Server is  2003 Standard. The AP`s are configured H-Reap.
    I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
    The message logs recived on WLC Trap Logs:
    RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
    The message from the debug dot1x aaa enable:
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
    The messages on Windows 2003 Standard:
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    Can anyone help why i cannot log the users via 802.1x ?

    Okay that is good..... this is what I would do next.  I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screen shot of your polices (connection and network) so we can review it. 

Maybe you are looking for