Solved

Cisco Wireless LAN controller issue with RADIUS

Posted on 2014-02-04
Last Modified: 2014-02-11
We have a Cisco WLC 2504 connected to the LAN. All Cisco AIR-AP-1252 APs connect to the WLC. I configured the WLC to communicate with our RADIUS server which is Windows 2008 and provide DHCP IPs to clients. I am missing something.

We get the following message on the WLC. I can provide more information as required.

Log 	System Time	Trap
0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown' 
1 Tue Feb 4 11:50:50 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 119) for client 00:40:96:ae:94:98 / user 'unknown' 
2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER 
3 Tue Feb 4 11:50:37 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 118) for client a0:88:b4:6b:c6:14 / user 'unknown' 
4 Tue Feb 4 11:50:32 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 117) for client 00:40:96:ae:94:98 / user 'unknown' 
5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown' 
6 Tue Feb 4 11:50:13 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 115) for client 00:40:96:ae:94:98 / user 'unknown' 
7 Tue Feb 4 11:50:08 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 114) for client a0:88:b4:6b:91:bc / user 'unknown' 
8 Tue Feb 4 11:49:55 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 113) for client 00:40:96:ae:94:98 / user 'unknown' 
9 Tue Feb 4 11:49:46 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 112) for client a0:88:b4:6b:91:bc / user 'unknown' 
10 Tue Feb 4 11:49:36 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 111) for client 00:40:96:ae:94:98 / user 'unknown' 



Cisco 2500 series wireless controller
Management IP Address 10.22.12.250
Software Version 7.0.116.0
Field Recovery Image Version - 1.0.0
License Level - Base
0
Question by:Miftaul
7 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 39832097
It seems to be a user authentication issue. Please configure the user name and password properly.

For more info, refer to the link below:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 400 total points
ID: 39834245
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39834799
Please provide some guidelines or reading on this.
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 400 total points
ID: 39835144
This article relates to a 5508 WLC running v7.4 code, but the concept and configuration is exactly the same...

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39847294
I did a debug with my laptop's MAC on the WLC console and get the following. Please help.
(Cisco Controller) >debug client 84-3a-4b-ad-09-82

(Cisco Controller) >*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Adding mobile on LWAPP AP 00:07:7d:d2:f8:d0(0)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfMsAssoStateInc
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Idle to Associated

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.996: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.997: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Username entry (xxx@abc.org) created for mobile
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Reached Max EAP-Identity Request retries (3) for STA 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sent Deauthenticate to mobile on BSSID 00:07:7d:d2:f8:d0 slot 0(caller 1x_auth_pae.c:3021)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Disconnected state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Not sending EAP-Failure for STA 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82


0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39848644
Can you post the config from the WLC?

show run-config commands

Can you also post a few of the entries from the NPS logs?  I'll need the Custom NPS Logs in the Windows Event Viewer.
0
 
LVL 11

Author Closing Comment

by:Miftaul
ID: 39849953
Thank you both, it turned out to be the shared secret mismatch. I did change it a few times to make sure; it started working when I rebooted the WLC.
0
