
WSA and CDA

David Niemann
Level 3

I have multiple WSAs utilizing the CDA for transparent auth.  I have the CDA agent logging to a syslog and I see a bunch of these messages.

 

Aug 13 08:20:50 <CDASERVERNAME> CSCOibf_Failed_Attempts 0002999937 1 0 2015-08-13 08:20:50.158 -05:00 0005730563 5400 NOTICE Failed-Attempt: IBF request failed, IBFVersion=ibf-1.0 (win32), ConfigVersionId=8, Device IP Address=<WSA1IPADDRESS>, Device Port=62071, DestinationIPAddress=0.0.0.0, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=WSA, Protocol=Radius, RequestLatency=0, NetworkDeviceName=<WSA1>, User-Name=<removed>, NAS-IP-Address=<removed>, cisco-av-pair=entity-attr:request=*, cisco-av-pair=entity-attr:entity-id:ip=<CLIENTIP>, cisco-av-pair=entity-attr:cntl:notify=true, IbfSessionID=<CDASERVERNAME>/226267020/682525, SelectedAccessService=Network Access, Step=11001 , Step=11017 , Step=15012 , Step=12864 , Step=12866 , Step=11003 , Response={RadiusPacketType=AccessReject; },

Aug 13 08:20:50 <CDASERVERNAME> CSCOibf_RADIUS_Diagnostics 0002999936 1 0 2015-08-13 08:20:50.158 -05:00 0005730561 12866 INFO  IBF_RADIUS_SERVER: Could not find identity in Identity Cache, IBFVersion=ibf-1.0 (win32), ConfigVersionId=8, Device IP Address=<WSA1>, Device Port=62071, DestinationIPAddress=0.0.0.0, DestinationPort=1812, RadiusPacketType=AccessRequest, RadiusIdentifier=14, User-Name=<removed>, NAS-IP-Address=<WSA1>, cisco-av-pair=entity-attr:request=*, cisco-av-pair=entity-attr:entity-id:ip=<CLIENTIP>, cisco-av-pair=entity-attr:cntl:notify=true, IbfSessionID=orwmgtnet202/226267020/682525, SelectedAccessService=Network Access,

The CDA agent indicates WSA1 is in-sync.

 

C:\IBF\CLI>adacfg client status
Subscribed-IP   Sync-Status
--------------- -----------
<removed> In-Sync
<removed> In-Sync

All the DCs are showing up.

C:\IBF\CLI>adacfg dc list
Name      Host/IP              Username        Domain-Name Latest Status
--------- -------------------- --------------- ----------- -------------
DRWDMC202 <removed> <removed> <removed> up
ORWDMC02  <removed>  <removed> <removed>up
ORWDMC201 <removed> -<removed> <removed>up
ORWDMC202 <removed> <removed> <removed>up
SOWDMC201 <removed> <removed> <removed>up

The cache is populated, but it does appear to have entries from only one of the 5 DCs that are defined, and I don't see the client IP in question.
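An added example, not part of the original post and not Cisco code: a small Python parser for syslog records in the layout shown above, which counts Failed-Attempt records (message code 5400) whose Step list includes 12866, the code carried by the "Could not find identity in Identity Cache" record, per WSA and client IP. The sample lines, hostname and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records modelled on the two messages in the post; the
# hostname and IPs are placeholders (RFC 5737 ranges), not values from the page.
SAMPLE = [
    "Aug 13 08:20:50 cda01 CSCOibf_RADIUS_Diagnostics 0002999936 1 0 2015-08-13 08:20:50.158 -05:00 "
    "0005730561 12866 INFO  IBF_RADIUS_SERVER: Could not find identity in Identity Cache, "
    "Device IP Address=192.0.2.10, cisco-av-pair=entity-attr:request=*, "
    "cisco-av-pair=entity-attr:entity-id:ip=198.51.100.23, IbfSessionID=cda01/226267020/682525,",
    "Aug 13 08:20:50 cda01 CSCOibf_Failed_Attempts 0002999937 1 0 2015-08-13 08:20:50.158 -05:00 "
    "0005730563 5400 NOTICE Failed-Attempt: IBF request failed, Device IP Address=192.0.2.10, "
    "cisco-av-pair=entity-attr:entity-id:ip=198.51.100.23, IbfSessionID=cda01/226267020/682525, "
    "Step=11001 , Step=12866 , Step=11003 , Response={RadiusPacketType=AccessReject; },",
    "Aug 13 08:21:02 cda01 CSCOibf_Failed_Attempts 0002999940 1 0 2015-08-13 08:21:02.011 -05:00 "
    "0005730570 5400 NOTICE Failed-Attempt: IBF request failed, Device IP Address=192.0.2.10, "
    "cisco-av-pair=entity-attr:entity-id:ip=198.51.100.77, IbfSessionID=cda01/226267020/682531, "
    "Step=11001 , Step=12866 , Step=11003 , Response={RadiusPacketType=AccessReject; },",
]

# After the UTC offset: sequence number, message code, severity, message text, attributes.
HEADER = re.compile(r" [+-]\d\d:\d\d \d+ (\d+) ([A-Z]+)\s+([^,]+),(.*)$")
IP_PAIR = "entity-attr:entity-id:ip="

def parse_line(line):
    """Split one CDA syslog record into message code, severity, text and attributes."""
    m = HEADER.search(line)
    if not m:
        return None  # not a record in the layout shown in the post
    attrs = defaultdict(list)  # Step and cisco-av-pair repeat, so keep every value
    for part in m.group(4).split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            attrs[key].append(value.strip())
    return {"code": m.group(1), "severity": m.group(2), "text": m.group(3).strip(), "attrs": attrs}

def cache_miss_rejects(lines):
    """Count Failed-Attempt (5400) records per (WSA, client IP) whose steps include 12866."""
    tally = Counter()
    for rec in filter(None, map(parse_line, lines)):
        a = rec["attrs"]
        if rec["code"] != "5400" or "12866" not in a["Step"]:
            continue
        client = next((v[len(IP_PAIR):] for v in a["cisco-av-pair"] if v.startswith(IP_PAIR)), "?")
        tally[((a["Device IP Address"] or ["?"])[0], client)] += 1
    return tally
```

Feeding the real syslog file to `cache_miss_rejects` gives a list of client IPs to compare against the agent's cache contents and the DCs those clients log on to.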


Tom Foucha
Cisco Employee

Hard to troubleshoot from just the above information. I recommend you open a TAC case and let our engineers take a look at things. Good luck - Tom