Cisco ACS 5.1 and WLC 5508

C8602260424
Level 1

Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from the WLC filling our logs. It seems to be specific to this model of WLC, because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44? Any help is appreciated.

9 Replies

jliscano
Level 1

Hi -

I have the Cisco ACS 5.2.0.26.6 and a pair of WLC 5508 7.0.116.0 working fine.  I'll try and assist as best as I can.

Under your ACS, go to Monitoring and Reports > Launch Monitoring & Report Viewer > Reports > Catalog > AAA Protocol.  Select RADIUS_Authentication and run it.  What is the Failure Reason on the user trying to authenticate on the WLC 5508 IP address (found under NAS IP Address)?

Thanks!

Hi,

Thanks for the reply. Currently I am using version 5.1.4.43. Cisco had told me that this issue was not fixed in v5.2 and I had to wait until 5.3 comes out next month. So much for that. So you are successfully using v5.2 with the WLC 5508's and you are not encountering any of the EAP timeout messages that fill your logs?  We are able to get the clients to authenticate but the WLC seems to also send many of these timeouts and accounting messages, which I had to create an accounting rule for to be able to view my active logs, but the EAP timeout messages still persist. Was there any special configuration you had to create for the WLC5508 or was it a standard authentication using x509 certificates, authenticating against a backend Active Directory? Any help is appreciated.

Your original post indicated that you cannot get users to authenticate and receive EAP error messages.  Are you able to authenticate wireless users with ACS 5.1 now?  I checked my WLC logs and see no EAP timeout messages.

Checked my configuration and here it is (hopefully it's the same as 5.1):

On ACS 5.2

Under Network Resources > Network Devices and AAA Clients, I created a client using my WLC IP with RADIUS checked and a shared secret.

Under Users and Identity Stores > External Identity Stores > Active Directory, I configured a domain name and the credentials. Test Connection to verify connectivity.

In the same tree, select Identity Store Sequences.  I created a group called UserAuth. In that group, Password based is checked and I have selected AD1 under the Authentication and Attribute Retrieval Search List.

Under Access Policies > Service Selection Rules, Rule1 should match Radius and Results are Default Network Access.

Under Access Policies > Default Network Access > Identity, I created a Rule based result selection called PEAP and the conditions were to match EAP-MSCHAPv2.  Under Results, I have the Identity Store group UserAuth.

Under Access Policies > Default Network Access > Authorization, I created a standard policy: I checked EAP Authentication Method to match EAP-MSCHAPv2, checked AD1:ExternalGroups: contain all or any (depending on your AD groups), and Results are Permit Access.

On WLC 7.0

Under Security > AAA > RADIUS > Authentication, I created a Server Index and all its settings to match up with the AAA client settings.  I checked "Network User".

Under WLANs > select the SSID, under the Security tab > AAA Servers, I have enabled Authentication Servers and selected my server I created.  I do not have "Local EAP Authentication" checked.  Under the Layer2 tab, I have Auth Key Mgmt 802.1x selected.

I might be missing some steps but hope this helps a bit.

Regards.

Yes. In my original post I did state that. We have got some authentications to pass, but still get errors on those. The common error from the logs is the following:

Failure Reason: 12303 failed to negotiate EAP, because PEAP not allowed in Access Service

My config consists of the following:

I have a Service Selection for Wireless, matching RADIUS protocol, and Service Type=Framed

The Identity and Authorization rules basically read incoming requests for certificates for a CNAME that maps to a machine account in AD.

I will have to get back to you on the WLC config as it is done by another group. But from what I have seen it is similar to yours.

Again, the big question I have is: do you have any EAP session timeout messages and/or accounting messages flooding your logs from the WLC, regardless of whether or not authentications pass?

I went back 7 days on my ACS Reports and I don't have that Failure Reason 12303.  I have Failure Reason 5411 EAP session timed out.  This is because the user is using a Blackberry device and for some reason it likes using PEAP as the authentication method even though we selected PEAP (EAP-MSCHAPv2).

Check under Access Policies > Default Network Access, there is a tab called Allowed Protocols.  Is "Allow PEAP" and "Preferred EAP protocol" checked?  What is your Preferred EAP protocol?
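The RADIUS_Authentication report suggested in this thread is easiest to triage once it is exported and grouped by NAS IP address, so a controller that floods 5411 timeouts stands out from one that merely fails a few users. The script below is an added example, not part of the original thread; the report column names and the sample rows are constructed assumptions (a real ACS 5.x export may use different headers).

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of an ACS 5.x RADIUS_Authentication report
# export. Column names are an assumption; adjust them to match a real export.
SAMPLE_REPORT = """Logged At,Status,User Name,NAS IP Address,Failure Reason
2011-09-28 09:10:01,Fail,host/pc1.example.local,10.0.5.8,5411 EAP session timed out
2011-09-28 09:10:03,Fail,host/pc1.example.local,10.0.5.8,5411 EAP session timed out
2011-09-28 09:10:05,Pass,host/pc1.example.local,10.0.5.8,
2011-09-28 09:10:07,Fail,host/pc1.example.local,10.0.5.8,5411 EAP session timed out
2011-09-28 09:11:00,Fail,jdoe,10.0.5.8,12303 Failed to negotiate EAP because PEAP not allowed in Access Service
2011-09-28 09:12:00,Pass,host/pc2.example.local,10.0.4.4,
2011-09-28 09:12:30,Pass,host/pc3.example.local,10.0.4.4,
"""


def failure_code(reason):
    """Return the numeric ACS failure code that prefixes a Failure Reason, or None."""
    code = reason.split(" ", 1)[0] if reason else ""
    return code if code.isdigit() else None


def summarize(report_text):
    """Count passes, failures and failure codes for each NAS IP address."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "codes": Counter()})
    for row in csv.DictReader(io.StringIO(report_text)):
        entry = summary[row["NAS IP Address"]]
        if row["Status"] == "Pass":
            entry["pass"] += 1
        else:
            entry["fail"] += 1
            code = failure_code(row["Failure Reason"])
            if code:
                entry["codes"][code] += 1
    return dict(summary)


def noisy_controllers(summary, code="5411", ratio=1.0):
    """NAS IPs whose count of `code` failures is at least `ratio` times their passes.

    A controller that times out EAP sessions as often as it passes users is the
    flooding behaviour described for the 5508 in this thread.
    """
    return sorted(nas for nas, e in summary.items()
                  if e["codes"][code] >= ratio * max(e["pass"], 1))


if __name__ == "__main__":
    for nas, e in summarize(SAMPLE_REPORT).items():
        print(nas, "pass", e["pass"], "fail", e["fail"], dict(e["codes"]))
    print("noisy:", noisy_controllers(summarize(SAMPLE_REPORT)))
```

Comparing the 5411 counts of the 5508 against the 4400 controllers on the same ACS is a quick way to confirm the timeouts are controller-specific rather than a client or identity-store problem.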

Yes! That is the other error we were seeing with the 5508 WLC in ACS logs: Failure Reason 5411 EAP Session times out. We were getting flooded with that particular error in our ACS logs once the 5508 was pointed to our 5.1 server. We do not see that behavior with the 4400 series WLCs. They authenticate just fine and no repeating EAP session timed out messages.

We do not allow PEAP as a protocol. ACS 5.1 does not have a preferred protocol setting. It only has an Allowed Protocols list. Currently we use EAP-TLS.

Well, we don't use EAP-TLS for some other reasons (that's another story)... but this is what I gathered below based on your Failure Reason 12303.  You have probably seen the same thing.

Failure Reason > Authentication Failure Code Lookup

Failure Reason :

12303 Failed to negotiate EAP because PEAP not allowed in Access Service

Generated on: September 28, 2011 9:16:16 AM PDT

Description

The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use PEAP instead. However, PEAP is not allowed in the Allowed Protocols section of the relevant Access Service.

Resolution Steps

Ensure that the PEAP protocol is allowed by ACS in the Allowed Protocols section of the relevant Access Service.

Yes. I have the same information looking at the error code definitions. Unfortunately I think this error is bogus because our clients are not configured for PEAP, even though ACS is seeing it as PEAP.

Do you know what version code you are running on your 5508 WLCs? I am trying to nail down why they keep sending EAP session timeout messages to ACS even after the client has successfully authenticated.

The software version on my 5508 is 7.0.116.0.
