03-18-2013 06:00 AM - edited 07-03-2021 11:44 PM
Since I moved our WLC Controller (5508) from Version 7.0 to Version 7.2.111.3 I got above failure messages.
Until now I changed the radius timeout from 2 to 10 seconds and also I disabled the aggressive failover without success. Any idea what else it could be?
Thanks
Alr
03-18-2013 06:08 AM
Is your radius local? Post the show WLAN
Sent from Cisco Technical Support iPhone App
03-18-2013 06:21 AM
Are you sure the connectivity is maintained between the WLC and the RADIUS? Is there any ping loss, for example, if you play a continuous ping from WLC to the radius?
What is your radius server?
Rating useful replies is more useful than saying "Thank you"
03-18-2013 07:57 AM
This could be your issue
This was found when moving to 7.2.110.0. I'm not sure if it was resolved in later 7.2 release. Essentially the calling-station-id default setting moves from IP Address to MAC Address. You might try changing this setting back to IP Address.
03-18-2013 10:16 AM
Checked the settings on the WLC but the Call Station ID Type setting is IP Address and not Mac Address.
show wlan X
WLAN Identifier.................................. X
Profile Name..................................... XXXX
Network Name (SSID).............................. XXXX
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 29
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................X.X.X.X 1812
Authentication................................ X.X.X.X 1812
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx Type Server Address Port State Tout MgmtTout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--- ---- ---------------- ------ -------- ---- -------- ------- ------------------------------------------------
1 NM X.X.X.X 1812 Enabled 10 2 Enabled Disabled - none/unknown/group-0/0 none/none
2 NM X.X.X.X 1812 Enabled 10 2 Enabled Disabled - none/unknown/group-0/0 none/none
We used a MS NPS server as radius.
Thanks
Alr
03-18-2013 01:04 PM
A couple things. On your encryption, use only WPA2/AES. You have both WPA/TKIP and WPA2/AES which causes client issues. Now on your radius servers, uncheck the Network User check box. You don't need it since you assign it on the WLAN AAA tab.
Sent from Cisco Technical Support iPhone App
03-19-2013 05:26 AM
Thanks all for your help. It looks like I'm going to open a TAC case together with Cisco.
03-19-2013 05:30 AM
You did upload the FUS image when you upgraded to v7.2, correct? I have seen issues on installs with that not being done. This is a separate image that takes about 35-40 minutes to complete.
Sent from Cisco Technical Support iPhone App
03-19-2013 05:36 AM
Hi,
Not done until now. OK, I've two controllers with this issue, will test it on one.
Thanks
Alr
03-19-2013 08:23 AM
Additional question because it seems to be in connection therewith.
Before the Radius will change I've an unknown user problem.
See below the error message:
RADIUS server X.X.X.X:1812 activated on WLAN 5
RADIUS server X.X.X.X:1812 deactivated on WLAN 5
RADIUS server X.X.X.X:1812 failed to respond to request (ID 124) for client X.X.X.X / user 'unknown'
RADIUS server X.X.X.X:1812 failed to respond to request (ID 113) for client X.X.X.X / user 'unknown'
RADIUS server X.X.X.X:1812 failed to respond to request (ID 102) for client X.X.X.X / user unknown'
I got this message with the same user mac over the day very often.
Maybe this information is helpful.
thx
Alr
03-21-2013 02:40 AM
Added the client to the disabled client list. Now the problem's solved.
Alr
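The pattern reported in the posts above (repeated "failed to respond" messages for the same client, followed by server deactivation) can be surfaced by grouping the controller messages per client. This is an added example, not part of the original thread; the addresses are constructed documentation-range placeholders, and the function names and thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the messages quoted in the thread;
# the server IPs and client MACs are placeholders, not values from the posts.
SAMPLE_LOG = """\
RADIUS server 192.0.2.10:1812 activated on WLAN 5
RADIUS server 192.0.2.11:1812 deactivated on WLAN 5
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 124) for client 00:00:5e:00:53:01 / user 'unknown'
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 113) for client 00:00:5e:00:53:01 / user 'unknown'
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 102) for client 00:00:5e:00:53:01 / user unknown'
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 7) for client 00:00:5e:00:53:02 / user 'alice'
RADIUS server 192.0.2.11:1812 activated on WLAN 5
RADIUS server 192.0.2.10:1812 deactivated on WLAN 5
"""

TIMEOUT_RE = re.compile(
    r"RADIUS server (?P<server>\S+):(?P<port>\d+) failed to respond to request "
    r"\(ID (?P<id>\d+)\) for client (?P<client>\S+) / user '?(?P<user>[^']*)'?")
STATE_RE = re.compile(
    r"RADIUS server (?P<server>\S+):(?P<port>\d+) (?P<state>activated|deactivated) "
    r"on WLAN (?P<wlan>\d+)")

def summarize(log_text):
    """Return (timeouts per client, timeouts per user, deactivations per (server, WLAN))."""
    per_client, per_user, flaps = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            per_client[m["client"]] += 1
            per_user[m["user"].strip()] += 1
            continue
        m = STATE_RE.search(line)
        if m and m["state"] == "deactivated":
            flaps[(m["server"], int(m["wlan"]))] += 1
    return per_client, per_user, flaps

def noisy_clients(log_text, share=0.5, minimum=3):
    """Clients with at least `minimum` timeouts that make up `share` of all timeouts."""
    per_client, _, _ = summarize(log_text)
    total = sum(per_client.values())
    return [c for c, n in per_client.most_common()
            if n >= minimum and n / total >= share]
```

A client returned by `noisy_clients` is a candidate for the kind of per-client check the poster describes, before changing timeouts or failover settings globally.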
03-21-2013 10:40 AM
For radius server configuration on WLC you can use the following ways-
FlexConnect Groups and Backup RADIUS Servers
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in one of these two modes: standalone or connected.
FlexConnect Groups and Local Authentication
You can configure the controller to allow a FlexConnect access point in standalone mode to perform LEAP or EAP-FAST authentication for up to 100 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in the group authenticates only its own associated clients.
This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight FlexConnect access point network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the autonomous access point.
Note
--------------------------------------------------------------------------------
This feature can be used with the FlexConnect backup RADIUS server feature. If a FlexConnect is configured with both a backup RADIUS server and local authentication, the FlexConnect access point always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect access point itself (if the primary and secondary are not reachable).
--------------------------------------------------------------------------------
The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
• Up to 100 FlexConnect groups and 25 access points per group for a Cisco 5500 Series Controller.
• Up to 1000 FlexConnect groups and 50 access points per group for a Cisco Flex 7500 Series Controller in the 7.2 release.
• Up to 2000 FlexConnect groups and 100 access points per group for Cisco Flex 7500 and Cisco 8500 Series Controllers in the 7.3 release.
• Up to 20 FlexConnect groups and up to 25 access points per group for the remaining platforms.
You can also refer to the following links for more information-
02-24-2015 12:29 PM
I have this problem too, the timeout change didn't help