03-12-2014 04:38 AM - edited 03-10-2019 09:31 PM
Hi,
We are using an OEAP600 AP and recently moved to version 7.6.100.0 (5508 WLC) to support split tunnel printing. 802.1x is being performed on an NPS server for wireless policy.
Everything appears to be OK on the WLC configuration side. When debugging aaa, all I see is the following:
*aaaQueueReader: Mar 12 17:38:54.814: a4:67:06:93:f6:cd Sending the packet to v4 host X.X.X.X:1645
*aaaQueueReader: Mar 12 17:38:54.814: a4:67:06:93:f6:cd Successful transmission of Authentication Packet (id 135) to X.X.X.X:1645, proxy state a4:67:06:93:f6:cd-00:01
*aaaQueueReader: Mar 12 17:38:54.814: 00000000: 01 87 00 f4 be 99 b9 3a e4 31 d3 d4 0a bf e2 cb .......:.1......
*aaaQueueReader: Mar 12 17:38:54.814: 00000010: 5b d9 f9 04 01 14 6d 79 69 6e 74 72 61 6e 65 74 [.....domain
*aaaQueueReader: Mar 12 17:38:54.814: 00000020: 5c 63 72 6f 6e 69 6e 70 59 03 00 83 06 00 00 00 \usernameY.......
*aaaQueueReader: Mar 12 17:38:54.814: 00000030: 01 1f 13 61 34 2d 36 37 2d 30 36 2d 39 33 2d 66 ...a4-67-06-93-f
*aaaQueueReader: Mar 12 17:38:54.814: 00000040: 36 2d 63 64 1e 0d 31 30 2e 33 2e 32 34 30 2e 31 6-cd..WLCIPADDRESS
*aaaQueueReader: Mar 12 17:38:54.814: 00000050: 30 05 06 00 00 00 0d 1a 31 00 00 00 09 01 2b 61 .......1.....+a
*aaaQueueReader: Mar 12 17:38:54.814: 00000060: 75 64 69 74 2d 73 65 73 73 69 6f 6e 2d 69 64 3d udit-session-id=
*aaaQueueReader: Mar 12 17:38:54.814: 00000070: 30 61 30 33 66 30 30 61 30 30 30 30 31 33 62 32 0a03f00a000013b2
*aaaQueueReader: Mar 12 17:38:54.814: 00000080: 35 33 32 30 30 30 66 65 04 06 0a 03 f0 0a 20 0c 532000fe........
*aaaQueueReader: Mar 12 17:38:54.814: 00000090: 41 55 47 44 53 57 43 45 30 31 1a 0c 00 00 37 63 WLCHOSTNAME....7c
*aaaQueueReader: Mar 12 17:38:54.814: 000000a0: 01 06 00 00 00 03 06 06 00 00 00 02 0c 06 00 00 ................
*aaaQueueReader: Mar 12 17:38:54.815: 000000b0: 05 14 3d 06 00 00 00 13 40 06 00 00 00 0d 41 06 ..=.....@.....A.
*aaaQueueReader: Mar 12 17:38:54.815: 000000c0: 00 00 00 06 51 05 32 30 39 4f 19 02 01 00 17 01 ....Q.209O......
*aaaQueueReader: Mar 12 17:38:54.815: 000000d0: 6d 79 69 6e 74 72 61 6e 65 74 5c 63 72 6f 6e 69 domain\username
*aaaQueueReader: Mar 12 17:38:54.815: 000000e0: 6e 70 50 12 c0 fa 26 2e de f9 81 2b 16 a6 bb 9b P...&....+....
*aaaQueueReader: Mar 12 17:38:54.815: 000000f0: fd 3b 9b 6f .;.o
*radiusTransportThread: Mar 12 17:38:54.816: 00000000: 03 87 00 2c 44 91 99 63 c9 29 8c 10 c4 88 0a b1 ...,D..c.)......
*radiusTransportThread: Mar 12 17:38:54.816: 00000010: 32 3a 13 4a 4f 06 04 01 00 04 50 12 f5 bb a5 67 2:.JO.....P....g
*radiusTransportThread: Mar 12 17:38:54.816: 00000020: 38 93 f0 0e ad db b9 a5 26 d4 79 26 8.......&.y&
*radiusTransportThread: Mar 12 17:38:54.816: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 12 17:38:54.816: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 12 17:38:54.816: a4:67:06:93:f6:cd Access-Reject received from RADIUS server X.X.X.X for mobile a4:67:06:93:f6:cd receiveId = 2
*radiusTransportThread: Mar 12 17:38:54.816: a4:67:06:93:f6:cd [Error] Client requested no retries for mobile A4:67:06:93:F6:CD
*radiusTransportThread: Mar 12 17:38:54.817: a4:67:06:93:f6:cd Returning AAA Error 'Authentication Failed' (-4) for mobile a4:67:06:93:f6:cd
*radiusTransportThread: Mar 12 17:38:54.817: AuthorizationResponse: 0x4259b944
On the NPS server we are seeing the username being sent, but it does not appear to be getting the FQDN, i.e. domain\username, even when "domain\username" is used by the user. We are also seeing that the calling ID is the IP address of the management interface of the WLC (acct and auth calling ID are set to IP address on the WLC for RADIUS). Normally we would see the client MAC address followed by the WLAN, i.e. ab:cc:aa:11:23:12:WLAN
Has anyone had a similar problem or seen something like this before?
Any assistance or recommendations will be much appreciated.
Thank you in advance.
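Added example, not part of the original posts: a small Python decoder for the hex dump layout printed by the debug above, so the User-Name, Calling-Station-Id and Called-Station-Id that actually go on the wire can be compared with what the RADIUS server logs. The sample dump is constructed (not the thread's packet), the function names are hypothetical, and the attribute numbers are those of RFC 2865.

```python
import re
import struct

# RADIUS attribute types from RFC 2865
NAMES = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id"}

# Constructed sample in the same dump layout (hex column, then ASCII column).
SAMPLE = r"""
*aaaQueueReader: Jan 01 00:00:00.000: 00000000: 01 07 00 42 00 00 00 00 00 00 00 00 00 00 00 00 ...B............
*aaaQueueReader: Jan 01 00:00:00.000: 00000010: 00 00 00 00 01 0f 45 58 41 4d 50 4c 45 5c 61 6c ......EXAMPLE\al
*aaaQueueReader: Jan 01 00:00:00.000: 00000020: 69 63 65 1f 13 30 30 2d 31 31 2d 32 32 2d 33 33 ice..00-11-22-33
*aaaQueueReader: Jan 01 00:00:00.000: 00000030: 2d 34 34 2d 35 35 1e 0c 31 39 32 2e 30 2e 32 2e -44-55..192.0.2.
*aaaQueueReader: Jan 01 00:00:00.000: 00000040: 31 30 10
"""

def bytes_from_dump(text):
    """Collect up to 16 hex bytes per dump line; the ASCII column is skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = re.search(r"\b[0-9a-f]{8}: ((?:[0-9a-f]{2} ?){1,16})", line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def parse_radius(pkt):
    """Return (code, identifier, {attribute name: value}) for one packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field does not match the captured bytes")
    pkt = pkt[:length]  # drops ASCII text mistaken for hex on a short last line
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype in NAMES:
            attrs[NAMES[atype]] = pkt[pos + 2:pos + alen].decode("ascii", "replace")
        pos += alen
    return code, ident, attrs

def station_id_is_mac(value):
    """True if a station id starts with a MAC address (optionally ':SSID')."""
    return re.match(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}(?::|$)", value) is not None
```

Code 1 is Access-Request and code 3 is Access-Reject, matching the "response code=3" lines in the debug.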
12-17-2014 03:10 AM
Hi mjgosling1
Did you ever solve your problem? I think we are hitting the same problem with a FreeRadius server: we have a lot of RADIUS requests with ID 135 hitting the RADIUS server, which says "duplicate request".
We are running 7.6.120.0.
Thanks in advance and best regards
Dominic
12-18-2014 01:27 AM
12-18-2014 04:12 AM
Hi mjgosling1
Just for information, we were hitting this bug here: https://tools.cisco.com/bugsearch/bug/CSCuo96366
See discussion here: https://supportforums.cisco.com/discussion/12378951/wlc-761200-radius-problems-freeradius-server
Best regards
Dominic