Cisco Wireless LAN controller issue with RADIUS

We have a Cisco WLC 2504 connected to the LAN. All Cisco AIR-AP-1252 APs connect to the WLC. I configured the WLC to communicate with our RADIUS server, which is Windows 2008, and to provide DHCP IPs to clients. I am missing something.

We get the following message on the WLC. I can provide more information as required.

Log 	System Time	Trap
0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown' 
1 Tue Feb 4 11:50:50 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 119) for client 00:40:96:ae:94:98 / user 'unknown' 
2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER 
3 Tue Feb 4 11:50:37 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 118) for client a0:88:b4:6b:c6:14 / user 'unknown' 
4 Tue Feb 4 11:50:32 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 117) for client 00:40:96:ae:94:98 / user 'unknown' 
5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown' 
6 Tue Feb 4 11:50:13 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 115) for client 00:40:96:ae:94:98 / user 'unknown' 
7 Tue Feb 4 11:50:08 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 114) for client a0:88:b4:6b:91:bc / user 'unknown' 
8 Tue Feb 4 11:49:55 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 113) for client 00:40:96:ae:94:98 / user 'unknown' 
9 Tue Feb 4 11:49:46 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 112) for client a0:88:b4:6b:91:bc / user 'unknown' 
10 Tue Feb 4 11:49:36 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 111) for client 00:40:96:ae:94:98 / user 'unknown' 


Cisco 2500 series wireless controller
Management IP Address 10.22.12.250
Software Version 7.0.116.0
Field Recovery Image Version - 1.0.0
License Level - Base
Asked by: Miftaul
 
Sushil Sonawane commented:
It seems to be a user authentication issue. Please configure the user name and password properly.

For more info, refer to the link below:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
 
Craig Beck commented:
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
 
Miftaul (author) commented:
Please provide some guidelines or reading on this.
 
Craig Beck commented:
This article relates to a 5508 WLC running v7.4 code, but the concept and configuration are exactly the same...

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
 
Miftaul (author) commented:
I did a debug with my laptop's MAC on the WLC console and got the following. Please help.
(Cisco Controller) >debug client 84-3a-4b-ad-09-82

(Cisco Controller) >*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Adding mobile on LWAPP AP 00:07:7d:d2:f8:d0(0)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfMsAssoStateInc
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Idle to Associated

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.996: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.997: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Username entry (xxx@abc.org) created for mobile
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Reached Max EAP-Identity Request retries (3) for STA 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sent Deauthenticate to mobile on BSSID 00:07:7d:d2:f8:d0 slot 0(caller 1x_auth_pae.c:3021)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Disconnected state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Not sending EAP-Failure for STA 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
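A triage sketch for the trap log and debug output posted above, added here as an example and not part of the original thread: it counts RADIUS timeouts per server and measures how long a client waited in Backend Auth Response before restarting with EAPOL START. The function names, the 5-second threshold and the year are assumptions; the sample lines are copied from the posts.

```python
import re
from collections import Counter
from datetime import datetime

DEBUG = re.compile(r"^\*(\S+): (\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
TRAP = re.compile(r"RADIUS server (\S+) failed to respond to request \(ID (\d+)\) for client (\S+)")

# Sample input: lines copied from the trap log and debug output in this thread.
TRAP_SAMPLE = [
    "5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown'",
    "2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER",
    "0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown'",
]
DEBUG_SAMPLE = [
    "*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82",
    "*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82",
    "*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82",
    "*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state",
]


def radius_timeouts(trap_lines):
    """Count 'failed to respond' traps per RADIUS server (ip:port)."""
    return Counter(m.group(1) for m in map(TRAP.search, trap_lines) if m)


def backend_stalls(debug_lines, min_gap=5.0, year=2014):
    """Return (client MAC, seconds) for each wait in Backend Auth Response that
    ended only when the client restarted with EAPOL START.
    year is an assumption: the debug lines carry no year."""
    waiting, stalls = {}, []
    for line in debug_lines:
        m = DEBUG.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(2)}", "%Y %b %d %H:%M:%S.%f")
        mac, msg = m.group(3), m.group(4)
        if "Entering Backend Auth Response state" in msg:
            waiting[mac] = ts  # request handed to the RADIUS side
        elif mac in waiting:
            gap = (ts - waiting.pop(mac)).total_seconds()
            if "Received EAPOL START" in msg and gap >= min_gap:
                stalls.append((mac, gap))
    return stalls
```

A long stall here together with timeouts against a single server points at the WLC-to-RADIUS leg (client entry, shared secret, reachability) rather than at the supplicant.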
 
Craig Beck commented:
Can you post the config from the WLC?

show run-config commands

Can you also post a few of the entries from the NPS logs?  I'll need the Custom NPS Logs in the Windows Event Viewer.
 
Miftaul (author) commented:
Thank you both, it turned out to be the shared secret mismatch. I did change it a few times to make sure; it started working when I rebooted the WLC.
