ACS 3.3(1) Build 16 Problem - CSRadius Service

mikepent
Level 1

We are in the process of setting up a wireless network using ACS 3.3(1) and Cisco 1200 Access Points. The access points have several SSIDs configured, each on its own VLAN. Two of the SSIDs are used by XP SP2 clients to log on to a Windows 2003 Active Directory Domain using Radius and PEAP Authentication. Another SSID is used for LEAP to provide network access to PDAs running Windows Mobile 2003/Windows Mobile 5. Unknown user policy is configured to use the external Windows Database.

90% of the time everything is working perfectly: the XP Clients are connecting using PEAP machine authentication at boot up and user authentication after logon to the domain. The PDAs also connect with no problem.

However, every couple of hours we are finding that authentication stops working. The clients (XP and PDA) cannot associate with the access points and we have identified the CSRadius service as the problem. To get things going again we have to restart the CSRadius service (which at the point of failure is using 50% of the CPU cycles). We have enabled full logging and, having monitored the logs over the last couple of weeks (especially the CSAuth and CSRadius logs), we can find no standout problems.

Our current config consists of:

ACS 3.3(1) Build 16 running on Windows Server 2003 (no SP or Patches installed)

Cisco APs 1200 Series with firmware 12.3.8

10 x XP SP2 Clients (Hotfix KB885453 installed) using Intel 2200BG/Atheros Wireless Adapters with PEAP on Windows Wireless Zero Config

25 x Dell Axim X50/X51 PDAs using LEAP on Funk Odyssey client

PEAP Settings:

ACS self-generated Certificate

EAP-MSCHAPv2 Enabled

EAP-GTC Disabled

Fast Reconnect Disabled

Machine Authentication Enabled – Aging time 12 hours, No Access for unsuccessful machine authentication

Does anyone have any suggestions where we may be going wrong?

3 Replies

darpotter
Level 5

Hi

There are various causes for this and your best bet will likely be a call to the TAC to get an escalated support case going. Unless it's a known bug they will likely hand over to the ACS Dev.

Could you post part of your RDS.log?

Darran

This was the log just after the last failure:

RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RadiusExtensions.c:360 [ExtensionPoint: Exception trapped]

RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RADIUS.C:370 [Exception occured processing authentication packet]

RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RSERV.C:1363 [Exception trapped in worker thread]

RDS 05/22/2006 10:43:03 A 1413 2400 ============================== SERVICE STARTED ================================

RDS 05/22/2006 10:43:03 A 1414 2400 Version is 3.3(1.16)

RDS 05/22/2006 10:43:03 A 1172 3744 Dispatch thread ready on Radius Auth Port [1812]

RDS 05/22/2006 10:43:03 A 1172 2776 Dispatch thread ready on Radius Acct Port [1646]

RDS 05/22/2006 10:43:03 A 1172 2108 Dispatch thread ready on Radius Auth Port [1645]

RDS 05/22/2006 10:43:03 A 1172 0996 Dispatch thread ready on Radius Acct Port [1813]

RDS 05/22/2006 10:43:03 A 0757 2400 Service available

RDS 05/22/2006 10:47:54 A 0903 3348 Server stop requested

RDS 05/22/2006 10:47:55 A 0826 2400 Calling CMFini()

RDS 05/22/2006 10:47:56 A 0828 2400 CMFini() Complete

RDS 05/22/2006 10:47:56 A 0848 2400 ============================== SERVICE STOPPED ================================

RDS 05/22/2006 10:47:56 A 1413 1356 ============================== SERVICE STARTED ================================

RDS 05/22/2006 10:47:56 A 1414 1356 Version is 3.3(1.16)

RDS 05/22/2006 10:47:56 A 1172 1140 Dispatch thread ready on Radius Auth Port [1812]

RDS 05/22/2006 10:47:56 A 1172 2408 Dispatch thread ready on Radius Acct Port [1646]

RDS 05/22/2006 10:47:56 A 1172 2588 Dispatch thread ready on Radius Auth Port [1645]

RDS 05/22/2006 10:47:56 A 1172 3140 Dispatch thread ready on Radius Acct Port [1813]

RDS 05/22/2006 10:47:56 A 0757 1356 Service available

If you're getting exceptions in the Radius extension point handler you DEFINITELY need to contact the TAC.

An exception is basically like a GPF (aka crash) only it's been caught and logged.

These are serious and need to be escalated to ACS dev.

Darran
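
Added example, not part of the thread and not Cisco tooling: a small Python script that reads RDS.log lines like those posted above and, for each service start, reports whether a SERVICE STOPPED line was logged beforehand and how many trapped exceptions preceded it. The field layout is an assumption inferred from the excerpt, and the sample lines are shortened copies of it with the build paths cut to "...".

```python
import re
from datetime import datetime

# Layout inferred from the excerpt in this thread (an assumption):
# service, date and time, one-letter level, 4-digit code, 4-digit id, message.
LINE_RE = re.compile(
    r"^(?P<svc>\w+) (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<tid>\d{4}) (?P<msg>.*)$"
)

# Constructed sample: lines shortened from the posted log, paths cut to "...".
SAMPLE = r"""RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at ...\RadiusExtensions.c:360 [ExtensionPoint: Exception trapped]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at ...\RADIUS.C:370 [Exception occured processing authentication packet]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at ...\RSERV.C:1363 [Exception trapped in worker thread]
RDS 05/22/2006 10:43:03 A 1413 2400 ===== SERVICE STARTED =====
RDS 05/22/2006 10:47:54 A 0903 3348 Server stop requested
RDS 05/22/2006 10:47:56 A 0848 2400 ===== SERVICE STOPPED =====
RDS 05/22/2006 10:47:56 A 1413 1356 ===== SERVICE STARTED ====="""

def parse(lines):
    """Yield (timestamp, level, message) for lines that match the layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            yield ts, m["level"], m["msg"]

def summarize_restarts(lines):
    """For each SERVICE STARTED, record whether a SERVICE STOPPED was logged
    since the previous start and how many trapped exceptions came before it."""
    report, exceptions, clean_stop = [], [], False
    for ts, level, msg in parse(lines):
        if level == "E" and "Exception trapped" in msg:
            exceptions.append(ts)
        elif "SERVICE STOPPED" in msg:
            clean_stop = True
        elif "SERVICE STARTED" in msg:
            report.append({"started": ts, "clean_stop": clean_stop,
                           "exceptions_before": len(exceptions),
                           "last_exception": exceptions[-1] if exceptions else None})
            exceptions, clean_stop = [], False  # reset for the next interval
    return report

if __name__ == "__main__":
    for entry in summarize_restarts(SAMPLE.splitlines()):
        print(entry)
```

Run over a full RDS.log, the starts with no logged stop and a non-zero exception count give the timestamps to line up against the CSAuth log and to attach to a TAC case.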