Solved

Cisco Wireless LAN controller issue with RADIUS

Posted on 2014-02-04
Last Modified: 2014-02-11
We have a Cisco WLC 2504 connected to the LAN. All Cisco AIR-AP-1252 APs connect to the WLC. I configured the WLC to communicate with our RADIUS server, which is Windows 2008, and provide DHCP IPs to clients. I am missing something.

We get the following messages on the WLC. I can provide more information as required.

Log 	System Time	Trap
0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown' 
1 Tue Feb 4 11:50:50 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 119) for client 00:40:96:ae:94:98 / user 'unknown' 
2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER 
3 Tue Feb 4 11:50:37 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 118) for client a0:88:b4:6b:c6:14 / user 'unknown' 
4 Tue Feb 4 11:50:32 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 117) for client 00:40:96:ae:94:98 / user 'unknown' 
5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown' 
6 Tue Feb 4 11:50:13 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 115) for client 00:40:96:ae:94:98 / user 'unknown' 
7 Tue Feb 4 11:50:08 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 114) for client a0:88:b4:6b:91:bc / user 'unknown' 
8 Tue Feb 4 11:49:55 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 113) for client 00:40:96:ae:94:98 / user 'unknown' 
9 Tue Feb 4 11:49:46 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 112) for client a0:88:b4:6b:91:bc / user 'unknown' 
10 Tue Feb 4 11:49:36 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 111) for client 00:40:96:ae:94:98 / user 'unknown' 



Cisco 2500 series wireless controller
Management IP Address 10.22.12.250
Software Version 7.0.116.0
Field Recovery Image Version - 1.0.0
License Level - Base
Question by:Miftaul

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 39832097
It seems to be a user authentication issue. Please configure the user name and password properly.

For more info, refer to the link below:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Assisted Solution

by:Craig Beck
Craig Beck earned 400 total points
ID: 39834245
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.

Author Comment

by:Miftaul
ID: 39834799
Please provide some guidelines or reading on this.

Accepted Solution

by:
Craig Beck earned 400 total points
ID: 39835144
This article relates to a 5508 WLC running v7.4 code, but the concept and configuration is exactly the same...

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml

Author Comment

by:Miftaul
ID: 39847294
I did a debug with my laptop's MAC on the WLC console and got the following. Please help.
(Cisco Controller) >debug client 84-3a-4b-ad-09-82

(Cisco Controller) >*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Adding mobile on LWAPP AP 00:07:7d:d2:f8:d0(0)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfMsAssoStateInc
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Idle to Associated

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.996: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.997: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Username entry (xxx@abc.org) created for mobile
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Reached Max EAP-Identity Request retries (3) for STA 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sent Deauthenticate to mobile on BSSID 00:07:7d:d2:f8:d0 slot 0(caller 1x_auth_pae.c:3021)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Disconnected state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Not sending EAP-Failure for STA 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82


Expert Comment

by:Craig Beck
ID: 39848644
Can you post the config from the WLC?

show run-config commands

Can you also post a few of the entries from the NPS logs?  I'll need the Custom NPS Logs in the Windows Event Viewer.

Author Closing Comment

by:Miftaul
ID: 39849953
Thank you both, it turned out to be the shared secret mismatch. I did change it a few times to make sure; it started working when I rebooted the WLC.
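
Why a shared-secret mismatch appears on the WLC as "failed to respond" rather than as a reject: an EAP Access-Request carries a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret), and under RFC 3579 a server that cannot verify it silently discards the packet. The sketch below is an added example, not code from this thread or from Cisco or Microsoft; the function names and both secrets are made up for illustration.

```python
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 79, 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, user):
    """Build an EAP Access-Request as a NAS (here, the WLC) would send it."""
    # EAP-Response/Identity: code 2, id, 2-byte length, type 1, identity
    eap = struct.pack("!BBHB", 2, ident, 5 + len(user), 1) + user
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_EAP_MESSAGE, eap)
    attrs += attr(ATTR_MSG_AUTH, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    packet = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator was appended last


def server_handle(secret, packet):
    """Return "process", or None for a silent discard (no reply at all)."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2:
            return None  # malformed attribute
        if a_type == ATTR_MSG_AUTH and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:end]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if hmac.compare_digest(packet[pos + 2:pos + 18], expected):
                return "process"
            return None  # wrong secret: nothing is sent back, the NAS times out
        pos += a_len
    return None  # EAP request without Message-Authenticator is discarded too


# Constructed sample: request ID and user name echo the logs above; secrets are made up.
request = build_access_request(b"secret-on-wlc", 120, b"xxx@abc.org")
print(server_handle(b"secret-on-wlc", request))  # matching secret
print(server_handle(b"secret-on-nps", request))  # mismatched secret
```

Because the discard produces no Access-Reject, the only trace on the controller side is the timeout trap; the evidence of the bad authenticator is in the RADIUS server's own logs.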