Secondary ACS server not authenticating users via 3850 WLC

scottbreslin
Level 1

Hi - I have an issue whereby my secondary ACS server will not authenticate users when the primary goes offline. My setup is as follows:

3850 WLC using code version 03.07.00E

ACS Version 5.6 (Primary/Secondary)

Both ACS servers added to WLC (NLBP-ACS-01 (Primary)  / HEN-ACS-01 (Secondary) ), defined in Server Group (ACS_AUTH) and also Method List (ACS_AUTH).  Method list ACS_AUTH is then applied to SSID.

Performing a 'test aaa server group ACS_AUTH' command against both ACS servers results in an access response, so IP/RADIUS communication is operational between the WLC and both ACS servers.

3850 configuration also attached for reference.

Any help would be appreciated.

Thanks


Scott



5 Replies

Does the secondary ACS show any activity at all coming from the switch?

I'd start troubleshooting by enabling "debug radius" and "debug aaa authentication" on the switch, and see what happens when the primary ACS is unreachable.

Javier Henderson

Cisco Systems

Thanks for the reply.

The secondary server shows no authentication attempts from users hitting it. When I perform the aaa test from the switch CLI and get an authentication response from the secondary server, the logs state there was an attempt from the switch, but they do not say which ACS it was coming from. The secondary ACS is also the log collector.

The environment is production, so I am unable to make any changes such as disabling the primary ACS, and as such I am limited in what I can do. I can only make changes once the reason behind the issue has been discovered. I am connecting a new site on Thursday, so I will take this opportunity to initially configure it with the secondary server and perform some authentication requests to see if I can reproduce the issue, whilst also performing the debugs you mention above.

Thanks

Please add the below listed commands and test again when you can.

#radius-server deadtime $min$
#radius-server retransmit 1
#radius-server dead-criteria time 5 tries 1

Configuring Settings for All RADIUS Servers

HTH

~ Jatin
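The commands in the accepted answer change two things: how long the switch keeps retrying a server that is not answering before it moves on to the next one in the group, and how long it then stays away from that server. As an added illustration (not code from this thread, from Cisco, or from ACS), here is a small Python model of that behaviour: the server group is walked in order, every unanswered send costs `timeout` seconds, a server is marked dead once both the dead-criteria `time` and `tries` conditions are met, and a dead server is skipped for `deadtime` minutes. The `timeout` (5 s) and `retransmit` (3) values are the IOS defaults; failing over the current request as soon as the dead criteria are met is a simplification of the real implementation; the server names are taken from the question, and the primary being unreachable is the constructed scenario.

```python
"""Simplified model of IOS RADIUS server-group fail-over (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    reachable: bool                 # does the server answer Access-Requests at all?
    dead_until: float = 0.0         # absolute time (s) until which the server is skipped
    consecutive_timeouts: int = 0   # unanswered sends since the last reply
    last_response: float = 0.0      # absolute time (s) of the last reply (t=0: "was fine until now")


@dataclass
class RadiusPolicy:
    timeout: float = 5.0                 # radius-server timeout (IOS default 5 s)
    retransmit: int = 3                  # radius-server retransmit (IOS default 3)
    deadtime_min: int = 0                # radius-server deadtime (default 0 = servers never marked dead)
    dead_time: Optional[float] = None    # radius-server dead-criteria time (seconds)
    dead_tries: Optional[int] = None     # radius-server dead-criteria tries


@dataclass
class ServerGroup:
    servers: List[RadiusServer]
    policy: RadiusPolicy = field(default_factory=RadiusPolicy)

    def _mark_dead_if_needed(self, srv: RadiusServer, now: float) -> bool:
        """Mark srv dead when deadtime is configured and both dead-criteria conditions hold."""
        p = self.policy
        if p.deadtime_min <= 0 or p.dead_time is None or p.dead_tries is None:
            return False
        silent_for = now - srv.last_response
        if srv.consecutive_timeouts >= p.dead_tries and silent_for >= p.dead_time:
            srv.dead_until = now + p.deadtime_min * 60
            return True
        return False

    def authenticate(self, now: float) -> Tuple[Optional[str], float]:
        """Send one Access-Request through the group.

        Returns (name of the server that answered or None, seconds the client waited).
        """
        t = now
        for srv in self.servers:
            if srv.dead_until > t:
                continue   # inside deadtime: skipped without sending anything
            if srv.reachable:
                srv.consecutive_timeouts = 0
                srv.last_response = t
                return srv.name, t - now
            # Unreachable: one send plus `retransmit` retries, each waiting `timeout` seconds.
            for _ in range(self.policy.retransmit + 1):
                t += self.policy.timeout
                srv.consecutive_timeouts += 1
                if self._mark_dead_if_needed(srv, t):
                    break   # simplification: give up on this server now and try the next one
        return None, t - now


def build_group(policy: RadiusPolicy) -> ServerGroup:
    """Constructed scenario from the question: primary stops answering, secondary is fine."""
    return ServerGroup(
        servers=[RadiusServer("NLBP-ACS-01", reachable=False),
                 RadiusServer("HEN-ACS-01", reachable=True)],
        policy=policy,
    )


def run_failover_scenario(policy: RadiusPolicy) -> List[Tuple[Optional[str], float]]:
    """Three client logins: at t=0, 30 s later, and again after a configured deadtime would expire."""
    group = build_group(policy)
    return [group.authenticate(0.0), group.authenticate(30.0), group.authenticate(700.0)]


if __name__ == "__main__":
    default_policy = RadiusPolicy()
    tuned_policy = RadiusPolicy(retransmit=1, deadtime_min=10, dead_time=5.0, dead_tries=1)
    print("defaults:", run_failover_scenario(default_policy))
    print("tuned   :", run_failover_scenario(tuned_policy))
```

With the defaults, every single login waits out 4 sends x 5 s = 20 s on the dead primary before the secondary is even tried, so the secondary sees nothing from clients whose EAP exchange gives up before then, even though a manual `test aaa` from the CLI (which is happy to wait) succeeds. With the suggested settings the first request fails over after 5 s and marks the primary dead, and every request in the following 10 minutes goes straight to the secondary; after deadtime the primary is probed once more and marked dead again if it is still silent.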

Thanks I will try as soon as possible

Sounds Good :)

~Jatin