ACS 5.5 and Active directory monitoring

sandjose_cisco · ‎04-01-2017

We have had issues reported by the end user of wireless about EAP not getting authenticated .The EAP method chosen is PEAP .

We have see errors such as EAP timed out , AD timed out and radius processing duplicate packets .

We attribute these errors to AD being slow in responding to request from the ACS .

Would like to know how can we enable some stats that shows the AD is infact slow when these EAP fails through.

The WLC used is a Cisco one and has round trip time in the stats but that doesn't imply that AD was slow in responding .

What data or logging does one needs to enable to see the AD response time.

Kanwaljeet Singh · ‎04-01-2017

Hi,

acs/admin# acs-config

Escape character is CNTL/D.

Username: ACS-GUI-USERNAME

Password: ACS-GUI-PASSWORD

acs/admin(config-acs)# debug-log runtime level debug

acs/admin(config-acs)# debug-adclient enable

You can download the support bundle and look at runtime logs or you can also look at below:

show acs-logs filename acsRuntime.log

Show acs-logs details would show you all the files. You do need to come out of acs-config mode to execute this.

You can look for authentication requests and it show you the details of what is going on.

You can also look at AD related logs.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

sandjose_cisco · ‎04-03-2017

Does the debug show the delay between the ACS and AD ?

Is there any stats in place to show the time the AD responds back ?

Also are there any EAP timers or Radius timers that can be configured on ACS ?