Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

jwittry
Level 1

Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.

I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.

Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.

Any ideas of what might be the issue or misconfiguration?

2 Replies

Tarik Admani
VIP Alumni

Jim,

I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044

It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.

May need to open a TAC case to see if this issue is on the 550x controllers also.

Thanks,

Tarik
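As an added example (not code from this thread, the WLC, or NPS), here is a small Python model of the failure mode the reply above describes: a RADIUS Access-Request carrying a State attribute issued by the primary server is replayed to the secondary, which does not recognise the State and silently discards it. The packet framing follows RFC 2865; the server behaviour (drop an Access-Request whose State it did not issue) is an assumption modelled on the reply, not NPS's actual implementation, and all packet contents are constructed.

```python
import secrets
import struct

USER_NAME = 1   # RADIUS attribute type User-Name
STATE = 24      # RADIUS attribute type State (opaque, echoed back to its issuer)

def build_access_request(identifier, attrs):
    """Build a minimal RADIUS Access-Request (code 1). Constructed sample only;
    the 16-byte Request Authenticator is random as RFC 2865 requires."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + secrets.token_bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet, rejecting bad lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS packet length")
    attrs, pos = [], 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return attrs

class RadiusServer:
    """Hypothetical server that only continues an EAP conversation whose State it issued."""
    def __init__(self, name):
        self.name = name
        self.issued_states = set()
        self.discarded = []   # (user, state) pairs a defender would want logged

    def issue_state(self):
        state = self.name.encode() + b":" + secrets.token_bytes(8)
        self.issued_states.add(state)
        return state

    def handle(self, packet):
        attrs = dict(parse_attributes(packet))
        state = attrs.get(STATE)
        if state is not None and state not in self.issued_states:
            self.discarded.append((attrs.get(USER_NAME), state))
            return "discard"   # silent drop: the NAS sees a timeout, not a reject
        return "challenge"     # continue the EAP-TLS exchange

def simulate_failover():
    """Replay one request (State from primary) to both servers; only the primary accepts it."""
    primary, secondary = RadiusServer("primary"), RadiusServer("secondary")
    pkt = build_access_request(7, [(USER_NAME, b"host/client.example"),
                                   (STATE, primary.issue_state())])
    return primary.handle(pkt), secondary.handle(pkt), len(secondary.discarded)
```

The silent discard is what makes the NAS mark the server dead and fail over, so a count of discarded requests per server is the signal to alert on.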

I can't say for certain if we are seeing the identified bug or not, but that certainly isn't the root cause as I was not able to successfully authenticate in the new environment at all. According to the bug info, subsequent auth requests after failing over between RADIUS servers should be successful.

I didn't get to the point of taking traces as we were able to resolve the problem. Our MS Windows NPS server needed to be configured to emulate a "Cisco" RADIUS server. I don't manage the NPS environment so I can't offer specific MS NPS configuration details, but suffice it to say Cisco-to-MS RADIUS implementations apparently aren't as natively compatible as I'd assumed.