cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7656
Views
0
Helpful
7
Replies

Radius authntication failure

banavathkiran
Level 1
Level 1

Hi,

We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us. we have radius sever over WAN with PEAP configuration. These days I could see this traps logs offen and clients are unable to connect. I have tried increasing the EAP timer values but still same I can see same logs. when i consult the radius sever admin, He says that for this paticular mac address we are not getting any request or logs and there is not issue with the radius server as other location clients dont have any problem.

Yesterday, we found that all the clients who are authenticated using the radius sever got disconnected and unable to reconnect again. after rebooting the controller only they could able to connect.

What might be the reasonf for this my WLC 2504 is ruuning ver 7.0.240 having access points models 1231 and 1262.

RADIUS server 172.16.100.254:1812 failed to respond to request (ID 187) for client 40:6f:2a:06:51:c0 / user 'unknown'

I can even see this logs

AAA Authentication Failure for UserName:host/dial1 User Type: WLAN USER

7 Replies 7

Amjad Abdullah
VIP Alumni
VIP Alumni

Hi,

You use HREAP APs? HREAP groups?

The radius is located at the same site as the WLC?

Do your clients authenticate via AD? or local users configured on the radius itself?

Whta is your RADIUS server that is being used? (Cisco ACS, Microsoft NPS..etc)?

Any changes were made before the problem to start?

From the last log you provided it mentioned the username as "host/dial1". This looks like Machine authentication.

Are you using Machine authentication for users to connect?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

1.we are not using the any HREAP Mode access points, All are in local mode only.

2. Radius server is located at different location.

3. Client authenticate via AD

4. Cisco ACS is our radius server

5. No changes are made in WLC, as well as in ACS. Only the clients connected to this WLC are affected (like disconneted)

I Have increased the EAP timers as my radius server is over WAN.

WLC 2504 7.0.240 with 1231 and 1262 access points.

Muhammad Munir
Level 5
Level 5

Hi Kiran

AAA Radius server authentication with PEAP configuration failure can be due to these reasons:

ISE authentication policy is configured for password based authentication, but the supplicant is sending certificate credentials.

ISE authentication policy is configured for certificate based authentication, but the supplicant is sending password based credentials.

User or device was not found in the configured identity store

For more details and remedy please visit:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_81_troubleshooting_failed_authc.pdf

Thanks Mohammad,

I concered is more about the radius server is not responding to the request of client mac address./ user "unknow". This happend 2 weeks back also, later we came to know that the primary radius ACS running 5.3 services are hanged. So I disabled the primary radius server in wlc.

my seconday is only working and active now, only Im having the issue with this radius server because same time other area WLC are working fine with radius.

Does anything need to configured in radius server like any timers for authentication?

Kiran:

You said there are no chagnes and the radius server shows no logs for the particular clients.

Now, It does not look like a timer issue at all because you mentioned the devices were always working fine.

Make sure that your WLAN config is using both servers under the AAA tab.

Make sure that the correct IP address of both servers is there.

Make sure that your devices are using the correct auth methods (user or machine auth). For example, there could be an update for AD clients from GPO that changes the config of the WLAN profile on the clients (less likely in your situation but possible).

If you make sure that request reaches the RADIUS server then check the fail auth logs for your clients.

Let your RADIUS admin  double check with multiple clients that you have. Let him search the logs for usernames not only MAC addresses. There could be logs that the admin is not able to search for correctly. If the RADIUS log is there then the life is easy and we can easily identify the issue.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

Before there are two radius servers configured for WLAN as primary and secondary. As there was some problem with primary radius sever. I have disabled the primary radius server in my WLC.

Now, it is operating only on single radius server. tell me one thing, If there are any jerk in WAN connection which is affecting the communication between WLC and radius server over WAN is creating this problem.

How freqently the WLC will check the status of radius server whether it should keep the server active or not. If there is no communication for 1 second or something due to some problem in WAN connection, WLC is considering it as inactive and clients already authenticated are disconnecting or new authentications are not accepting. After reboot of WLC, It put the radius server active and clients are authenticating, will this be a problem?

I know that you mentioned you have only one radius working now. But I want to know if you disabled one of them globally or from under the WLAN.

Please show us the output of the following command from the WLC CLI:

show wlan

Regarding the timeout, it is configurable under the RADIUS authentication page under the security tab:

Security -> AAA -> RADIUS -> Authentication (or Accounting).

After opening your server's config, you can find a "Server timeout" value. The default is 2 seconds.

You can issue the command (show radius auth statistics) to see the statistics and the timers about your server. I think this can be helpful to you to isolate your issue.

If a user is authenticated then it will not get disconnected if the server goes down. Only new authenticating users will get affected if the server goes down. If one of the connected users goes down while the server is down then it will not be able to connect again until the server comes back up again.

Also, about RADIUS fallback feature you can read this doc:

http://goo.gl/Ndlj3T

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"