05-17-2006 06:16 AM - edited 03-10-2019 02:35 PM
We are in the process of setting up a wireless network using ACS 3.3(1) and Cisco 1200 Access Points. The access points have several SSIDs configured, each on its own VLAN. Two of the SSIDs are used by XP SP2 clients to log on to a Windows 2003 Active Directory Domain using Radius and PEAP Authentication. Another SSID is used for LEAP to provide network access to PDAs running Windows Mobile 2003/Windows Mobile 5. Unknown user policy is configured to use the external Windows Database.
90% of the time everything is working perfectly; the XP Clients are connecting using PEAP machine authentication at boot up and user authentication after logon to the domain. The PDAs also connect with no problem.
However, every couple of hours we are finding that authentication stops working. The clients (XP and PDA) cannot associate with the access points and we have identified the CSRadius service as the problem. To get things going again we have to restart the CSRadius service (which at the point of failure is using 50% of the CPU cycles). We have enabled full logging and having monitored the logs over the last couple of weeks (especially the CSAuth and CSRadius logs) we can find no standout problems.
Our current config consists of:
ACS 3.3(1) Build 16 running on Windows Server 2003 (no SP or Patches installed)
Cisco APs 1200 Series with firmware 12.3.8
10 x XP SP2 Clients (Hotfix KB885453 installed) using Intel 2200BG/Atheros Wireless Adapters with PEAP on Windows Wireless Zero Config
25 x Dell Axim X50/X51 PDAs using LEAP on Funk Odyssey client
PEAP Settings:
ACS self-generated Certificate
EAP-MSCHAPv2 Enabled
EAP-GTC Disabled
Fast Reconnect Disabled
Machine Authentication Enabled Aging time 12 hours, No Access for unsuccessful machine authentication
Does anyone have any suggestions where we may be going wrong?
05-18-2006 01:33 PM
Hi
There are various causes for this and your best bet will likely be a call to the TAC to get an escalated support case going. Unless it's a known bug they will likely hand over to the ACS Dev.
Could you post part of your RDS.log?
Darran
05-22-2006 01:51 AM
This was the log just after the last failure:
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RadiusExtensions.c:360 [ExtensionPoint: Exception trapped]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RADIUS.C:370 [Exception occured processing authentication packet]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RSERV.C:1363 [Exception trapped in worker thread]
RDS 05/22/2006 10:43:03 A 1413 2400 ============================== SERVICE STARTED ================================
RDS 05/22/2006 10:43:03 A 1414 2400 Version is 3.3(1.16)
RDS 05/22/2006 10:43:03 A 1172 3744 Dispatch thread ready on Radius Auth Port [1812]
RDS 05/22/2006 10:43:03 A 1172 2776 Dispatch thread ready on Radius Acct Port [1646]
RDS 05/22/2006 10:43:03 A 1172 2108 Dispatch thread ready on Radius Auth Port [1645]
RDS 05/22/2006 10:43:03 A 1172 0996 Dispatch thread ready on Radius Acct Port [1813]
RDS 05/22/2006 10:43:03 A 0757 2400 Service available
RDS 05/22/2006 10:47:54 A 0903 3348 Server stop requested
RDS 05/22/2006 10:47:55 A 0826 2400 Calling CMFini()
RDS 05/22/2006 10:47:56 A 0828 2400 CMFini() Complete
RDS 05/22/2006 10:47:56 A 0848 2400 ============================== SERVICE STOPPED ================================
RDS 05/22/2006 10:47:56 A 1413 1356 ============================== SERVICE STARTED ================================
RDS 05/22/2006 10:47:56 A 1414 1356 Version is 3.3(1.16)
RDS 05/22/2006 10:47:56 A 1172 1140 Dispatch thread ready on Radius Auth Port [1812]
RDS 05/22/2006 10:47:56 A 1172 2408 Dispatch thread ready on Radius Acct Port [1646]
RDS 05/22/2006 10:47:56 A 1172 2588 Dispatch thread ready on Radius Auth Port [1645]
RDS 05/22/2006 10:47:56 A 1172 3140 Dispatch thread ready on Radius Acct Port [1813]
RDS 05/22/2006 10:47:56 A 0757 1356 Service available
05-23-2006 12:59 PM
If you're getting exceptions in the Radius extension point handler you DEFINITELY need to contact the TAC.
An exception is basically like a GPF (aka crash) only it's been caught and logged.
These are serious and need to be escalated to ACS dev.
Darran
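For anyone collecting evidence for a TAC case like this one, the following is an added example (not from the posters and not Cisco tooling) that pulls the "Exception trapped" entries out of an RDS.log excerpt, groups them per worker thread, and reports how long it took until the next SERVICE STARTED banner. The field layout (service, date, time, severity, code, thread id, message) is inferred from the excerpt posted above and is an assumption; the function names are hypothetical, and the sample lines are copied from that excerpt.

```python
import re
from datetime import datetime

# Layout inferred from the excerpt in this thread (an assumption, not a
# documented format): service, date, time, severity, code, thread id, message.
LINE = re.compile(
    r"^(?P<svc>\S+) (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<sev>[A-Z]) (?P<code>\d{4}) (?P<tid>\d{4}) (?P<msg>.*)$"
)
# Source file, line number and bracketed reason of an "Exception trapped" entry.
EXC = re.compile(r"Exception trapped at .*\\(?P<file>[^\\:]+):(?P<line>\d+) \[(?P<why>[^\]]*)\]")

def parse(text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
            yield rec

def crash_events(text):
    """Group consecutive exception lines from one thread into an event and
    attach the number of seconds until the next SERVICE STARTED banner."""
    events, cur = [], None
    for rec in parse(text):
        exc = EXC.search(rec["msg"])
        if rec["sev"] == "E" and exc:
            # Start a new event on a new thread id or after a completed restart.
            if cur is None or cur["tid"] != rec["tid"] or cur["restart_after_s"] is not None:
                cur = {"tid": rec["tid"], "first": rec["ts"], "frames": [], "restart_after_s": None}
                events.append(cur)
            cur["frames"].append((exc["file"], int(exc["line"]), exc["why"]))
        elif "SERVICE STARTED" in rec["msg"] and cur and cur["restart_after_s"] is None:
            cur["restart_after_s"] = int((rec["ts"] - cur["first"]).total_seconds())
    return events

# Sample input: lines copied from the RDS.log excerpt posted in this thread.
SAMPLE = r"""
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RadiusExtensions.c:360 [ExtensionPoint: Exception trapped]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RADIUS.C:370 [Exception occured processing authentication packet]
RDS 05/22/2006 10:42:42 E 0028 3248 Exception trapped at D:\ccData\snapViews\Snap_rgoren_matis-build12@ismg_israel_acs@ACS-B-708\ismg_israel_acs\Acs\DZRadius\RSERV.C:1363 [Exception trapped in worker thread]
RDS 05/22/2006 10:43:03 A 1413 2400 ============================== SERVICE STARTED ================================
RDS 05/22/2006 10:47:56 A 1413 1356 ============================== SERVICE STARTED ================================
"""

if __name__ == "__main__":
    for ev in crash_events(SAMPLE):
        print(ev["first"], "thread", ev["tid"], ev["frames"], "restart after", ev["restart_after_s"], "s")
```

Run against the full RDS.log over several days, the per-event frame list shows whether every failure passes through the same source locations, which is the kind of detail worth attaching to the support case.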