
ACS 5.0 RADIUS timeout with WLC 7.0

dpicomms
Level 1

Hi Guys,

I am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS requests from a Cisco WLC 5508 appliance running version 7.0.116.0.

  • these devices have open communication on all ports - no firewalls or ACLs
  • they have successful ping communication

The following statements illustrate some but not all the debugging I have done to ensure each device functions as it should in isolation.

  • Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS
    • This works and the WLC gets a RADIUS response from my makeshift server
  • Using a simple Windows EAP client to query the ACS using the RADIUS protocol
    • This works and the ACS processes the RADIUS request and sends a response
  • Placed a Wireshark client on the network to inspect the timeout.
    • Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS

At the moment I have the

  1. WLC accepting the association from the wireless client and
  2. sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS,
  3. the WLC receives no response and generates a timeout message and disassociates from the client.
    1. Note this is not a reject or similar message; the ACS simply does not even process the packet, i.e. there is absolutely nothing in the ACS logs to suggest it even received a RADIUS packet from the WLC.

In summary, the WLC and the ACS successfully function independently but they do not communicate via RADIUS.

Any assistance appreciated. Thanks
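
The capture check described above (Access-Requests from the WLC on port 1812 with no reply from the ACS) can be made repeatable by pairing requests and replies on the RADIUS Identifier. This is an added example, not part of the original post; the function names are hypothetical and the addresses, user name and packets are constructed.

```python
import struct

REQUEST, REPLIES = 1, (2, 3, 11)  # Access-Request; Accept, Reject, Challenge

def parse_radius(payload):
    """Parse one RADIUS UDP payload (RFC 2865): (code, identifier, attrs)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = payload[pos], payload[pos + 1]
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def unanswered_requests(packets):
    """packets: (src_ip, dst_ip, udp_payload) tuples in capture order.
    Returns (nas, server, identifier, user_name) for requests that got no reply.
    Simplification: a full matcher would also key on the UDP source port."""
    pending = {}
    for src, dst, payload in packets:
        code, ident, attrs = parse_radius(payload)
        if code == REQUEST:  # retransmissions reuse the Identifier, so they collapse
            user = attrs.get(1, [b""])[0].decode("utf-8", "replace")  # 1 = User-Name
            pending[(src, dst, ident)] = user
        elif code in REPLIES:  # a reply travels server -> NAS with the same Identifier
            pending.pop((dst, src, ident), None)
    return [(nas, srv, ident, user) for (nas, srv, ident), user in pending.items()]

def build(code, ident, attrs=()):
    """Build a constructed test packet with a zeroed 16-byte authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed capture: 192.0.2.5 plays the WLC, .10 the silent server, .20 a test server.
SAMPLE = [
    ("192.0.2.5", "192.0.2.10", build(1, 7, [(1, b"alice")])),
    ("192.0.2.5", "192.0.2.10", build(1, 7, [(1, b"alice")])),  # retransmission
    ("192.0.2.5", "192.0.2.20", build(1, 8, [(1, b"alice")])),
    ("192.0.2.20", "192.0.2.5", build(11, 8)),                  # Access-Challenge
]

if __name__ == "__main__":
    for row in unanswered_requests(SAMPLE):
        print("no reply:", row)
```

A request that stays in the result while the same NAS gets answers from another server points at the silent server rather than at the WLC or the network path.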

Accepted Solutions

It seems as though you are using ACS 5.0 without any patches.

For your information, the product release is now up to 5.2 and ACS 5.3 is soon to be released.

I seem to remember there was an issue with ACS 5.0 operations with WLC that was resolved in a patch for 5.0.

I am not sure of the specific CDETS but it may be:

CSCsy17858 Incorrect handling of Tunnel-Type & Tunnel-Client-Endpoint attrs

ACS 5.0 has a cumulative patch approach with all fixes being accumulated.

My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8

The patch can be downloaded from CCO.

To install a patch define a repository on ACS (cumulative patches are larger than 32MB so you can't use TFTP for this), copy the patch file to the repository, then on ACS' CLI:

# acs patch install <patch-file-name> repository <repository-name>

Replies

Check the service selection screen, is the RADIUS policy being hit at all?

Issue resolved by upgrading from 5.0 to 5.2. Thanks for the help!