Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco Wireless LAN controller issue with RADIUS

Posted on 2014-02-04
7
Medium Priority
?
10,096 Views
Last Modified: 2014-02-11
We have a Cisco WLC 2504 connected to the LAN. All Cisco AIR-AP-1252 APs connects to the WLC. I configured WLC to communicate with our RADIUS server which is windows 2008 and provide DHCP IPs to clients. I am missing Something

We get following message on the WLC. I can provide more information as required.

Log 	System Time	Trap
0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown' 
1 Tue Feb 4 11:50:50 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 119) for client 00:40:96:ae:94:98 / user 'unknown' 
2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER 
3 Tue Feb 4 11:50:37 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 118) for client a0:88:b4:6b:c6:14 / user 'unknown' 
4 Tue Feb 4 11:50:32 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 117) for client 00:40:96:ae:94:98 / user 'unknown' 
5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown' 
6 Tue Feb 4 11:50:13 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 115) for client 00:40:96:ae:94:98 / user 'unknown' 
7 Tue Feb 4 11:50:08 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 114) for client a0:88:b4:6b:91:bc / user 'unknown' 
8 Tue Feb 4 11:49:55 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 113) for client 00:40:96:ae:94:98 / user 'unknown' 
9 Tue Feb 4 11:49:46 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 112) for client a0:88:b4:6b:91:bc / user 'unknown' 
10 Tue Feb 4 11:49:36 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 111) for client 00:40:96:ae:94:98 / user 'unknown' 

Open in new window


Cisco 2500 series wireless controller
Management IP Address 10.22.12.250
Software Version 7.0.116.0
Field Recovery Image Version - 1.0.0
License Level - Base
0
Comment
Question by:Miftaul
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 400 total points
ID: 39832097
It seems your user authentication issue. Please configure user name and password properly.

For more info refer below link :

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 1600 total points
ID: 39834245
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39834799
Please provide some guidelines or reading on this.
0
Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

 
LVL 47

Accepted Solution

by:
Craig Beck earned 1600 total points
ID: 39835144
This article relates to a 5508 WLC running v7.4 code, but the concept and configuration is exactly the same...

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39847294
I did a debug with my Laptops MAC on the WLC console and get the following. Please help.
(Cisco Controller) >debug client 84-3a-4b-ad-09-82

(Cisco Controller) >*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Adding mobile on LWAPP AP 00:07:7d:d2:f8:d0(0)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfMsAssoStateInc
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Idle to Associated

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.996: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.997: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Username entry (xxx@abc.org) created for mobile
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Reached Max EAP-Identity Request retries (3) for STA 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sent Deauthenticate to mobile on BSSID 00:07:7d:d2:f8:d0 slot 0(caller 1x_auth_pae.c:3021)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Disconnected state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Not sending EAP-Failure for STA 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82

Open in new window

0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39848644
Can you post the config from the WLC?

show run-config commands

Can you also post a few of the entries from the NPS logs?  I'll need the Custom NPS Logs in the Windows Event Viewer.
0
 
LVL 11

Author Closing Comment

by:Miftaul
ID: 39849953
Thank you both, it turned out to be the shared secret mismatch. I did change it few times to make sure, it started working when I rebooted the WLC.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question