[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

Patrick Tran
Level 1

Hi,

I have many Cisco APs which are linked to 2 Cisco WLCs.

On each WLC, I configured a primary and a secondary RADIUS Server.

RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

Primary and secondary ACS configurations are synchronized.

There is no problem between the primary WLC and Cisco ACS (primary and secondary).

When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"

Secondary WLC automatically contacts secondary Cisco ACS and it works fine.

Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."

The two Cisco ACS are synchronized, so I should have the same error on them...

Why does primary ACS generate this error?

Thanks for your help,

Patrick

Accepted Solutions

Amjad Abdullah
VIP Alumni

Patrick: The shared secret mismatch could be from WLC side, not from ACS side.

Make sure that the shared secret of the primary radius server is configured correctly on the secondary WLC.

 

HTH

 

Amjad

 

Rating useful replies is more useful than saying "Thank you"
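An added illustration, not part of the original posts and not Cisco's code: per RFC 3579, the Message-Authenticator is an HMAC-MD5 over the whole Access-Request keyed with the shared secret, so a server that recomputes it with a different secret than the sending WLC used sees an invalid attribute, the kind of mismatch the ACS description points to. The secrets, user name and function names below are constructed for the example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def build_access_request(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Build an Access-Request signed the way a RADIUS client (here, a WLC) signs it."""
    placeholder = bytes([MSG_AUTH, 18]) + bytes(16)   # value zeroed while signing
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", 1, ident, length) + req_auth  # code 1 = Access-Request
    unsigned = header + attrs + placeholder
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac

def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the attribute value zeroed."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MSG_AUTH:
            if alen != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # attribute absent

# Constructed sample values (not taken from the thread).
ACS_SECRET = b"secret-on-acs"         # what the primary ACS holds for both WLCs
WLC1_SECRET = b"secret-on-acs"        # primary WLC's entry for this server: matches
WLC2_SECRET = b"secret-on-acs "       # secondary WLC's entry: trailing-space typo
USER_ATTR = bytes([1, 7]) + b"alice"  # User-Name = "alice"
REQ_AUTH = bytes(range(16))           # fixed Request Authenticator for repeatability

print(verify_message_authenticator(ACS_SECRET, build_access_request(WLC1_SECRET, 1, REQ_AUTH, USER_ATTR)))
print(verify_message_authenticator(ACS_SECRET, build_access_request(WLC2_SECRET, 2, REQ_AUTH, USER_ATTR)))
```

Because a WLC stores one secret per RADIUS server entry, the same controller can pass this check against one server and fail it against another even when the servers themselves are synchronized.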

Amjad,

That is a good observation. Shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani wrote:

Amjad,

That is a good observation. Shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes. That is a good point.

With 7.3 you can use high availability (HA) between two WLCs: you configure only one WLC (the primary) and all the configuration is replicated and synced to the other WLC (the secondary).

The two WLCs in the HA pair must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.

Rating useful replies is more useful than saying "Thank you"


Hi Amjad,

Thanks for your help.

It was a shared secret mismatch from WLC side...

Regards,

Patrick

Thank you Patrick,

Glad that I could help.

Rating useful replies is more useful than saying "Thank you"
