https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782685#M247039 <HTML><HEAD></HEAD><BODY><P> It seems as though you are using ACS 5.0 without any patches.</P><P></P><P>For your information the product release is now up to 5.2 and ACS 5.3 is soon to be released</P><P></P><P>I seem to remember there was an issue with ACS 5.0 operations with WLC that was resolved in patch for 5.0</P><P></P><P>I am not sure of the specific CDETS but may be:</P><P><SPAN><STRONG>CSCsy17858</STRONG></SPAN><SPAN><STRONG> Incorrect handling of Tunnel-Type &amp; Tunnel-Client-Endpoint attrs</STRONG></SPAN></P><P><SPAN><STRONG> </STRONG></SPAN></P><P>ACS 5.0 has a cumulative patch appraoch with all fixes being accumulated</P><P>My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8</P><P></P><P>Patch can be downloaded from CCO</P><P></P><DIV><P>To install a patch define a repository on ACS (cumulative patches are larger than 32MB so you can't use TFTP for this), copy the patch file to the repository, then on ACS' CLI:</P><P></P><P># acs patch install <FILENAME> repository <REPOSITORY name=""></REPOSITORY></FILENAME></P></DIV></BODY></HTML> Wed, 31 Aug 2011 15:09:04 GMT jrabinow 2011-08-31T15:09:04Z https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782683#M247021 <P>Hi Guys,</P><P></P><P>I am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS request from a Cisco WLC 5508 appliance running version 7.0.116.0.</P><UL><LI style="margin-top: px; margin-bottom: px;">these devices have open communication on all ports - no firewalls or ACL's</LI><LI style="margin-top: px; margin-bottom: px;">they have successful ping communication</LI></UL><P></P><P>The following statements illustrate <STRONG>some but not all </STRONG>the debugging I have done to ensure each device functions as it should in isolation.</P><UL><LI style="margin-top: px; margin-bottom: px;">Using a simple windows RADIUS server (radserv2.exe) instead of the Cisco ACS&nbsp; <UL><LI style="margin-top: px; margin-bottom: px;">This <STRONG>works</STRONG> and the WLC gets RADIUS response from my makeshift server</LI></UL></LI><LI style="margin-top: px; margin-bottom: px;">Using a simple windows EAP client to query the ACS using RADIUS protocol&nbsp;&nbsp; <UL><LI style="margin-top: px; margin-bottom: px;">this <STRONG>works</STRONG> and the ACS processes the RADIUS request and sends a response</LI></UL></LI><LI style="margin-top: px; margin-bottom: px;">Placed a wireshark client on the network to inspect timeout. <UL><LI style="margin-top: px; margin-bottom: px;">Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet&nbsp; responses from the ACS</LI></UL></LI></UL><P></P><P>At the moment I have the </P><OL start="1"><LI style="margin-top: px; margin-bottom: px;">WLC accepting the association from the wireless client and </LI><LI style="margin-top: px; margin-bottom: px;">sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS, </LI><LI style="margin-top: px; margin-bottom: px;">the WLC receives no response and generates a timeout message and disassociates from the client. <OL start="1"><LI style="margin-top: px; margin-bottom: px;"><STRONG>note </STRONG>this is not a reject or similar message, the ACS simple does not even process the packet. i.e. there is absolutely nothing in the ACS logs to suggest it even received a radius packet from the WLC.</LI></OL></LI></OL><P></P><P>In summary the WLC and the ACS successfully function independently but they do not communicate via radius.</P><P></P><P>Any assistance appreciated Thanks</P> Mon, 11 Mar 2019 01:21:23 GMT https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782683#M247021 dpicomms 2019-03-11T01:21:23Z https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782684#M247029 <HTML><HEAD></HEAD><BODY><P>Check the service selection screen, is the RADIUS policy being hit at all?</P></BODY></HTML> Wed, 31 Aug 2011 13:59:39 GMT https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782684#M247029 Javier Henderson 2011-08-31T13:59:39Z https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782685#M247039 <HTML><HEAD></HEAD><BODY><P> It seems as though you are using ACS 5.0 without any patches.</P><P></P><P>For your information the product release is now up to 5.2 and ACS 5.3 is soon to be released</P><P></P><P>I seem to remember there was an issue with ACS 5.0 operations with WLC that was resolved in patch for 5.0</P><P></P><P>I am not sure of the specific CDETS but may be:</P><P><SPAN><STRONG>CSCsy17858</STRONG></SPAN><SPAN><STRONG> Incorrect handling of Tunnel-Type &amp; Tunnel-Client-Endpoint attrs</STRONG></SPAN></P><P><SPAN><STRONG> </STRONG></SPAN></P><P>ACS 5.0 has a cumulative patch appraoch with all fixes being accumulated</P><P>My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8</P><P></P><P>Patch can be downloaded from CCO</P><P></P><DIV><P>To install a patch define a repository on ACS (cumulative patches are larger than 32MB so you can't use TFTP for this), copy the patch file to the repository, then on ACS' CLI:</P><P></P><P># acs patch install <FILENAME> repository <REPOSITORY name=""></REPOSITORY></FILENAME></P></DIV></BODY></HTML> Wed, 31 Aug 2011 15:09:04 GMT https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782685#M247039 jrabinow 2011-08-31T15:09:04Z https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782686#M247048 <HTML><HEAD></HEAD><BODY><P>issue resolved by upgrading from 5.0 to 5.2, Thanks for the help!</P></BODY></HTML> Wed, 21 Sep 2011 05:14:14 GMT https://community.cisco.com/t5/network-access-control/acs-5-0-radius-timeout-with-wlc-7-0/m-p/1782686#M247048 dpicomms 2011-09-21T05:14:14Z