WLC can't communicate with ACS.

fessehatsegaye
Level 1

Hello,

I have a new ACS 1120 with 5.0.0.21 software. The purpose of the ACS is to authenticate wireless users based on an ACS-defined external identity source, LDAP. The following configs are made:

- LDAP is configured as an external identity source on ACS.

- WLC is configured on ACS as AAA client.

- WLC is configured to use ACS RADIUS server (10.140.19.20) and WLANs are configured for [WPA2][Auth(802.1X)] AAA authentication.

But for some reason AAA requests from the WLC cannot reach the ACS. Both devices are connected to the same 6506 switch, and there is no firewall in between. There is no fail/success RADIUS log on the ACS. This is the log from the WLC. PLEASE HELP!!!

4  Sat Jun 23 05:41:03 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
5  Sat Jun 23 05:41:03 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 70) for client 00:22:fa:1d:3a:ae / user 'unknown'
6  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
7  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 69) for client 00:16:ea:c9:2d:dc / user 'unknown'
8  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 deactivated in global list
9  Sat Jun 23 05:40:40 2012  RADIUS server 10.140.19.20:1813 failed to respond to request (ID 68) for client 00:16:ea:c9:2d:dc / user 'unknown'
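
An added example, not part of the original post and not Cisco code: a short Python triage script that groups WLC RADIUS messages like the ones above by server IP and port, counts timeouts and deactivations, and labels each port with its standard RADIUS role (1812 authentication, 1813 accounting) so it can be compared against the WLC's server configuration. The function name `summarize` and the sample input are assumptions; the sample is constructed from the message text of the log above.

```python
import re
from collections import defaultdict

# Standard RADIUS UDP ports (RFC 2865 / RFC 2866) plus the legacy pair.
PORT_ROLE = {1812: "authentication", 1645: "authentication (legacy)",
             1813: "accounting", 1646: "accounting (legacy)"}

# Constructed sample: message text from the WLC log in the post above,
# with the row index and timestamp stripped.
SAMPLE_LOG = """\
RADIUS server 10.140.19.20:1813 deactivated in global list
RADIUS server 10.140.19.20:1813 failed to respond to request (ID 70) for client 00:22:fa:1d:3a:ae / user 'unknown'
RADIUS server 10.140.19.20:1813 deactivated in global list
RADIUS server 10.140.19.20:1813 failed to respond to request (ID 69) for client 00:16:ea:c9:2d:dc / user 'unknown'
RADIUS server 10.140.19.20:1813 deactivated in global list
RADIUS server 10.140.19.20:1813 failed to respond to request (ID 68) for client 00:16:ea:c9:2d:dc / user 'unknown'
"""

# search() is used, so a leading row index or timestamp on the line is ignored.
LINE_RE = re.compile(
    r"RADIUS server (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<event>deactivated in global list|failed to respond to request)"
    r"(?: \(ID (?P<id>\d+)\) for client (?P<mac>[0-9a-f:]{17}))?", re.I)

def summarize(log_text):
    """Group WLC RADIUS messages by (server ip, port)."""
    out = defaultdict(lambda: {"role": None, "timeouts": 0, "deactivations": 0,
                               "request_ids": [], "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a RADIUS server status message
        port = int(m["port"])
        entry = out[(m["ip"], port)]
        entry["role"] = PORT_ROLE.get(port, "non-standard")
        if m["event"].lower().startswith("failed"):
            entry["timeouts"] += 1
            if m["id"]:  # absent if the line was truncated
                entry["request_ids"].append(int(m["id"]))
                entry["clients"].add(m["mac"].lower())
        else:
            entry["deactivations"] += 1
    return dict(out)

if __name__ == "__main__":
    for (ip, port), e in summarize(SAMPLE_LOG).items():
        print(f"{ip}:{port} [{e['role']}] timeouts={e['timeouts']} "
              f"deactivations={e['deactivations']} clients={sorted(e['clients'])}")
```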
6 Replies

andrewswanson
Level 7

hello. what EAP type are you using on the wireless clients? see the following link for LDAP/EAP compatibility in ACS 5:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/EAP_PAP_Phase.html#wp1014938

hth

andy

Jatin Katyal
Cisco Employee

This is a known issue with ACS 5.0.

You won't even see any request/packet on ACS for wireless/EAP traffic.

Please upgrade it to 5.1 or above. This issue will be resolved.

Regards,

Jatin

Do rate helpful posts-

~Jatin

Dear Jatin,

Do you mean I cannot see any EAP logs, or that it does not support EAP? If I cannot see any logs, how am I supposed to work on it?

Another thing: is there any way I can upgrade it to v5.1 without having a Cisco contract number? I couldn't download the upgrade files.

Yes, you won't see any hits on ACS for PEAP authentication failure. Also, you should have a valid contract with Cisco before you download the latest images.

If you would like to test, you may download the evaluation version of ACS 5.3 along with the trial license file.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_vmware.html#wp1069919

Regards,

Jatin

Do rate helpful posts-

~Jatin

I couldn't even download the evaluation version unless I have a valid contract number; it is much easier to download an evaluation license. How do I download the evaluation version of ACS 5.3?

The best thing to do at this point is to reach out to your Sales team or contact the vendor you purchased your ACS 1121 from, so they can get the software to you. The intent of the forums is to help solve configuration issues. If the issue you are running into warrants a software upgrade, then you have to seek other channels in order to get your problem solved.

I don't mean to offend, but I recently was an employee of Cisco working in TAC and have been a member of the support community, and I am trying to help point your efforts in the right direction.

thanks,

Tarik Admani
