Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
613
Views
0
Helpful
3
Replies

ACS4.1 Airespace to ACS5.3

ken.montgomery
Level 1
Level 1

‎03-06-2013 05:46 AM - edited ‎03-10-2019 08:09 PM

Hi Everyone,

We've run into an odd situation and I'm wondering if anyone else has as well.  In our network we have an old ACS4.1 server, with a number of older Cisco wireless devices connected to it.  Under their AAA Client Setup they are set to authenticate using RADIUS (Cisco Airespace).  On the ACS 4.1 server, the settings under Interface Configuration, Radius (Cisco Airespace), all settings are checked.

So, as part of our elimination of old servers, we wish to decommission the old ACS4.1 server, and we've moved through ACS 5.1 to ACS5.3.  On the new ACS5.3, we have build the same Network Device and have attempted to duplicate the settings from the older boxes.  Authentication for PC based wireless devices works fine, yet we have some handheld scanner devices that won't authenticate using Radius any longer... and the only thing we can come up with that is different is this (Cisco Airespace) settings... is there a way to duplicate them in the newer ACS to make these devices work (older devices).  I have searched and searched to find a document showing how to migrate these settings but cannot find one.

Has anyone run into anything similar?

Any help is appreciated... Ken

Labels:
0 Helpful
3 Replies 3

maldehne
Cisco Employee
Cisco Employee

‎03-06-2013 05:56 AM

what can you see as the authentication failure reasons?

the attribute value pairs for Airospace are still available

I doubt it might be the issue with that.

Can you send screen shots for the authorization policy controlling the wireless

access.

0 Helpful

ken.montgomery
Level 1
Level 1
In response to maldehne

‎03-06-2013 09:48 AM

Well, that is just it.  There are no authentication failure reasons,  it is like the authentication doesn't try at all.  Newer devices work  fine and authenticate with no problem, even using the same account  info.  These older scanner guns just don't seem to want to talk to the  new server.

The Authorization policy contains one rule, named (ironically) Rule-1

Active  Directory is checked, and appropriate groups are listed.  The user  falls into one of the groups, we have verified that.  Also, the  authorization profile is 'permit access' and the rule is enabled.

Is that what you were asking about?

0 Helpful

maldehne
Cisco Employee
Cisco Employee
In response to ken.montgomery

‎03-06-2013 11:41 AM

If you don't have any entry for attempts using old scanners , then we need to verify why we are not seeing even failed attempt here, if you are using wireless lan controller run the following debug:

debug client < mac address >

debug aaa all enable

while connecting with the Scanner.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents