
RADIUS server activated / deactivated on WLAN X

alex.roth
Level 1

Since I moved our WLC controller (5508) from version 7.0 to version 7.2.111.3, I have been getting the above failure messages.

Until now I changed the RADIUS timeout from 2 to 10 seconds and I also disabled the aggressive failover, without success. Any idea what else it could be?

Thanks
Alr

12 Replies

Scott Fella
Hall of Fame

Is your radius local? Post the show WLAN and the show radius summary

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Amjad Abdullah
VIP Alumni

Are you sure the connectivity is maintained between the WLC and the RADIUS? Is there any ping loss, for example, if you run a continuous ping from the WLC to the RADIUS?

What is your radius server?

Rating useful replies is more useful than saying "Thank you"

David Watkins
Level 4

This could be your issue

CSCty84002

This was found when moving to 7.2.110.0. I'm not sure if it was resolved in a later 7.2 release. Essentially the calling-station-id default setting moves from IP Address to MAC Address. You might try changing this setting back to IP Address.

Checked the settings on the WLC but the Call Station ID Type setting is IP Address and not Mac Address.

show wlan X

WLAN Identifier.................................. X
Profile Name..................................... XXXX
Network Name (SSID).............................. XXXX
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 29
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ X.X.X.X 1812
   Authentication................................ X.X.X.X 1812
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  --------  -------  ------------------------------------------------
1    NM    X.X.X.X      1812    Enabled   10    2         Enabled   Disabled - none/unknown/group-0/0 none/none
2    NM    X.X.X.X     1812    Enabled   10    2         Enabled   Disabled - none/unknown/group-0/0 none/none

We used an MS NPS server as RADIUS.

Thanks

Alr

Scott Fella
Hall of Fame

A couple things. On your encryption, use only WPA2/AES. You have both WPA/TKIP and WPA2/AES, which causes client issues. Now on your RADIUS servers, uncheck the Network User check box. You don't need it since you assign it on the WLAN AAA tab.

-Scott

Thanks all for your help. It looks like I'm going to open a TAC case together with Cisco.

You did upload the FUS image when you upgraded to v7.2, correct? I have seen issues on installs with that not being done. This is a separate image that takes about 35-40 minutes to complete.

-Scott

Hi,

Not done until now. OK, I've two controllers with this issue, will test it on one.

Thanks

Alr

Additional question, because it seems to be connected with this.

Before the RADIUS changes, I've an unknown user problem.

See below the error message:

RADIUS server X.X.X.X:1812 activated on WLAN 5

RADIUS server X.X.X.X:1812 deactivated on WLAN 5

RADIUS server X.X.X.X:1812 failed to respond to request (ID 124) for client X.X.X.X / user 'unknown'

RADIUS server X.X.X.X:1812 failed to respond to request (ID 113) for client X.X.X.X / user 'unknown'

RADIUS server X.X.X.X:1812 failed to respond to request (ID 102) for client X.X.X.X / user 'unknown'

I got this message with the same user MAC very often over the day.

Maybe this information is helpful.

thx

Alr

Added the client to the disabled client list. Now the problem's solved.

Alr
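
Added example (not part of the original posts and not Cisco code): a Python script that parses messages in the format quoted above and groups unanswered RADIUS requests by client, which is one way to spot a single client behind repeated failovers. The log lines and addresses are constructed placeholders, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the message format quoted in the thread; the addresses
# are documentation-range placeholders, not values from the original posts.
SAMPLE_LOG = """\
RADIUS server 192.0.2.10:1812 activated on WLAN 5
RADIUS server 192.0.2.10:1812 failed to respond to request (ID 124) for client 198.51.100.23 / user 'unknown'
RADIUS server 192.0.2.10:1812 failed to respond to request (ID 113) for client 198.51.100.23 / user 'unknown'
RADIUS server 192.0.2.10:1812 deactivated on WLAN 5
RADIUS server 192.0.2.11:1812 activated on WLAN 5
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 102) for client 198.51.100.23 / user 'unknown'
RADIUS server 192.0.2.11:1812 failed to respond to request (ID 7) for client 198.51.100.40 / user 'jdoe'
RADIUS server 192.0.2.11:1812 deactivated on WLAN 5
"""

NO_REPLY = re.compile(
    r"RADIUS server (?P<server>\S+) failed to respond to request "
    r"\(ID (?P<id>\d+)\) for client (?P<client>\S+) / user '?(?P<user>[^']*)'?")
STATE = re.compile(
    r"RADIUS server (?P<server>\S+) (?P<state>activated|deactivated) on WLAN (?P<wlan>\d+)")

def summarize(log_text, threshold=3):
    """Count unanswered requests per client and server deactivations per WLAN."""
    timeouts, servers_hit, flaps = Counter(), {}, Counter()
    for line in log_text.splitlines():
        m = NO_REPLY.search(line)
        if m:
            key = (m["client"], m["user"].strip())
            timeouts[key] += 1
            servers_hit.setdefault(key, set()).add(m["server"])
            continue
        m = STATE.search(line)
        if m and m["state"] == "deactivated":
            flaps[int(m["wlan"])] += 1
    # Timeouts for one client across several servers suggest checking that
    # client first, before assuming that a single server is unreachable.
    suspects = [
        {"client": c, "user": u, "timeouts": n, "servers": sorted(servers_hit[(c, u)])}
        for (c, u), n in timeouts.most_common() if n >= threshold
    ]
    return {"suspects": suspects, "deactivations_per_wlan": dict(flaps)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for s in report["suspects"]:
        print(s)
    print(report["deactivations_per_wlan"])
```
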

Abhishek Abhishek
Cisco Employee

For RADIUS server configuration on the WLC you can use the following ways:

FlexConnect Groups and Backup RADIUS Servers


You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in one of these two modes: standalone or connected.


FlexConnect Groups and Local Authentication


You can configure the controller to allow a FlexConnect access point in standalone mode to perform LEAP or EAP-FAST authentication for up to 100 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in the group authenticates only its own associated clients.

This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight FlexConnect access point network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the autonomous access point.


Note: This feature can be used with the FlexConnect backup RADIUS server feature. If a FlexConnect is configured with both a backup RADIUS server and local authentication, the FlexConnect access point always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect access point itself (if the primary and secondary are not reachable).


The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
• Up to 100 FlexConnect groups and 25 access points per group for a Cisco 5500 Series Controller.
• Up to 1000 FlexConnect groups and 50 access points per group for a Cisco Flex 7500 Series Controller in the 7.2 release.
• Up to 2000 FlexConnect groups and 100 access points per group for Cisco Flex 7500 and Cisco 8500 Series Controllers in the 7.3 release.
• Up to 20 FlexConnect groups and up to 25 access points per group for the remaining platforms.


You can also refer to the following links for more information:

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect_chapter_011.html#ID1255

http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/product_bulletin_c25-722724.html

cindy.crawford
Level 1

I have this problem too, the timeout change didn't help
