Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ACS4.1 Airespace to ACS5.3

Hi Everyone,

We've run into an odd situation and I'm wondering if anyone else has as well.  In our network we have an old ACS4.1 server, with a number of older Cisco wireless devices connected to it.  Under their AAA Client Setup they are set to authenticate using RADIUS (Cisco Airespace).  On the ACS 4.1 server, the settings under Interface Configuration, Radius (Cisco Airespace), all settings are checked.

So, as part of our elimination of old servers, we wish to decommission the old ACS4.1 server, and we've moved through ACS 5.1 to ACS5.3.  On the new ACS5.3, we have build the same Network Device and have attempted to duplicate the settings from the older boxes.  Authentication for PC based wireless devices works fine, yet we have some handheld scanner devices that won't authenticate using Radius any longer... and the only thing we can come up with that is different is this (Cisco Airespace) settings... is there a way to duplicate them in the newer ACS to make these devices work (older devices).  I have searched and searched to find a document showing how to migrate these settings but cannot find one.

Has anyone run into anything similar?

Any help is appreciated... Ken

Cisco Employee

what can you see as the authentication failure reasons?

the attribute value pairs for Airospace are still available

I doubt it might be the issue with that.

Can you send screen shots for the authorization policy controlling the wireless


Well, that is just it.  There are no authentication failure reasons,  it is like the authentication doesn't try at all.  Newer devices work  fine and authenticate with no problem, even using the same account  info.  These older scanner guns just don't seem to want to talk to the  new server.

The Authorization policy contains one rule, named (ironically) Rule-1

Active  Directory is checked, and appropriate groups are listed.  The user  falls into one of the groups, we have verified that.  Also, the  authorization profile is 'permit access' and the rule is enabled.

Is that what you were asking about?

If you don't have any entry for attempts using old scanners , then we need to verify why we are not seeing even failed attempt here, if you are using wireless lan controller run the following debug:

debug client < mac address >

debug aaa all enable

while connecting with the Scanner.

Content for Community-Ad