Solved

Cisco Wireless LAN controller issue with RADIUS

Posted on 2014-02-04
Last Modified: 2014-02-11
We have a Cisco WLC 2504 connected to the LAN. All Cisco AIR-AP-1252 APs connect to the WLC. I configured the WLC to communicate with our RADIUS server, which is Windows 2008, and to provide DHCP IPs to clients. I am missing something.

We get the following message on the WLC. I can provide more information as required.

Log 	System Time	Trap
0 Tue Feb 4 11:50:59 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 120) for client a0:88:b4:6b:c6:14 / user 'unknown' 
1 Tue Feb 4 11:50:50 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 119) for client 00:40:96:ae:94:98 / user 'unknown' 
2 Tue Feb 4 11:50:45 2014 AAA Authentication Failure for UserName:wcsadmin User Type: WLAN USER 
3 Tue Feb 4 11:50:37 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 118) for client a0:88:b4:6b:c6:14 / user 'unknown' 
4 Tue Feb 4 11:50:32 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 117) for client 00:40:96:ae:94:98 / user 'unknown' 
5 Tue Feb 4 11:50:26 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 116) for client 84:3a:4b:05:a2:b2 / user 'unknown' 
6 Tue Feb 4 11:50:13 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 115) for client 00:40:96:ae:94:98 / user 'unknown' 
7 Tue Feb 4 11:50:08 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 114) for client a0:88:b4:6b:91:bc / user 'unknown' 
8 Tue Feb 4 11:49:55 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 113) for client 00:40:96:ae:94:98 / user 'unknown' 
9 Tue Feb 4 11:49:46 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 112) for client a0:88:b4:6b:91:bc / user 'unknown' 
10 Tue Feb 4 11:49:36 2014 RADIUS server 10.22.12.1:1812 failed to respond to request (ID 111) for client 00:40:96:ae:94:98 / user 'unknown' 



Cisco 2500 series wireless controller
Management IP Address 10.22.12.250
Software Version 7.0.116.0
Field Recovery Image Version - 1.0.0
License Level - Base
Question by:Miftaul
7 Comments
 
LVL 18

Assisted Solution

by:Sushil Sonawane
Sushil Sonawane earned 100 total points
ID: 39832097
It seems to be a user authentication issue. Please configure the user name and password properly.

For more info, refer to the link below:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 400 total points
ID: 39834245
I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39834799
Please provide some guidelines or reading on this.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 400 total points
ID: 39835144
This article relates to a 5508 WLC running v7.4 code, but the concept and configuration is exactly the same...

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080bfb19a.shtml
0
 
LVL 11

Author Comment

by:Miftaul
ID: 39847294
I did a debug with my laptop's MAC on the WLC console and got the following. Please help.
(Cisco Controller) >debug client 84-3a-4b-ad-09-82

(Cisco Controller) >*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Adding mobile on LWAPP AP 00:07:7d:d2:f8:d0(0)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Feb 10 12:29:53.961: 84:3a:4b:ad:09:82 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfMsAssoStateInc
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Idle to Associated

*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:29:53.962: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:29:53.963: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.978: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.996: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:53.997: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Username entry (xxx@abc.org) created for mobile
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:29:54.011: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Aborting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Reached Max EAP-Identity Request retries (3) for STA 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Sent Deauthenticate to mobile on BSSID 00:07:7d:d2:f8:d0 slot 0(caller 1x_auth_pae.c:3021)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Disconnected state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.009: 84:3a:4b:ad:09:82 Not sending EAP-Failure for STA 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Association received from mobile on AP 00:07:7d:d2:f8:d0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying site-specific IPv6 override for station 84:3a:4b:ad:09:82 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Applying IPv6 Interface Policy for station 84:3a:4b:ad:09:82 - vlan 40, interface id 0, interface 'management'
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Processing RSN IE type 48, length 22 for mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Received RSN IE with 0 PMKIDs from mobile 84:3a:4b:ad:09:82
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:07:7d:d2:f8:d0 vapId 1 apVapId 1
*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*apfMsConnTask_0: Feb 10 12:30:12.338: 84:3a:4b:ad:09:82 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 Sending Assoc Response to station on BSSID 00:07:7d:d2:f8:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Feb 10 12:30:12.339: 84:3a:4b:ad:09:82 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 84:3a:4b:ad:09:82 on AP 00:07:7d:d2:f8:d0 from Associated to Associated

*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Station 84:3a:4b:ad:09:82 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*dot1xMsgTask: Feb 10 12:30:12.342: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Received EAPOL START from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Connecting state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.361: 84:3a:4b:ad:09:82 Sending EAP-Request/Identity to mobile 84:3a:4b:ad:09:82 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.383: 84:3a:4b:ad:09:82 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received EAPOL EAPPKT from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Received Identity Response (count=2) from mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 EAP State update from Connecting to Authenticating for mobile 84:3a:4b:ad:09:82
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 dot1x - moving mobile 84:3a:4b:ad:09:82 into Authenticating state
*Dot1x_NW_MsgTask_2: Feb 10 12:30:12.401: 84:3a:4b:ad:09:82 Entering Backend Auth Response state for mobile 84:3a:4b:ad:09:82


0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39848644
Can you post the config from the WLC?

show run-config commands

Can you also post a few of the entries from the NPS logs?  I'll need the Custom NPS Logs in the Windows Event Viewer.
0
 
LVL 11

Author Closing Comment

by:Miftaul
ID: 39849953
Thank you both, it turned out to be the shared secret mismatch. I did change it a few times to make sure; it started working when I rebooted the WLC.
0
