In this document Cisco TAC engineer Varun Ajmani explains how to troubleshoot clients disconnecting randomly from a 5508 WLC (188.8.131.52) with authentication issues on SSIDs that authenticate via an ACS 184.108.40.206 server using LDAP.
WLC running 220.127.116.11 (all six controllers are facing the same issue)
SSID using 802.1X with ACS 18.104.22.168 (PEAP-MSCHAPv2) backed by Active Directory
All domain users are getting de-authenticated. The affected machines have “user or machine authentication” selected when the issue occurs; once they change it to “machine authentication” or reboot the machine, the issue is resolved.
Errors on ACS:
15039 Selected Authorization Profile is DenyAccess
Radius authentication failed for USER: DISTRICT\testuser MAC: 84-4B-xx-xx-xx-xx AUTHTYPE: PEAP(EAP-MSCHAPv2)
Radius authentication failed for USER: DISTRICT\testuser MAC: 84-4B-xx-xx-xx-xx AUTHTYPE: PEAP(EAP-MSCHAPv2)
Radius authentication failed for USER: DISTRICT\testuser MAC: 84-4B-xx-xx-xx-xx AUTHTYPE: PEAP(EAP-MSCHAPv2)
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
11003 Returned RADIUS Access-Reject
The aging time under End User Authentication Settings in ACS was set to 12 hours. Increase this timer so that users stay connected throughout the period between machine authentications (a machine only re-authenticates at boot, so the user authentication starts failing once the 12-hour window since boot has elapsed).
End User Authentication Settings
Enable Machine Access Restrictions
Click to ensure that machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.
Aging time (hours)
Time after a machine was authenticated during which a user can be authenticated from that machine. If this time elapses, user authentication fails.
You must set this time if you clicked the Enable Machine Access Restrictions check box.
ACS supports the authentication of computers running the Microsoft Windows operating systems that support EAP computer authentication. Machine authentication, also called computer authentication, allows network services only for computers known to Active Directory.
This feature is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.
When machine authentication is enabled, there are three different types of authentications. When starting a computer, the authentications occur in this order:
Machine authentication—ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows identity store.
User domain authentication—If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains.
User network authentication—ACS authenticates the user, allowing the user to have network connectivity. If the user exists, the identity store that is specified is used to authenticate the user.
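To illustrate the aging behaviour described above, here is a small added simulation (not Cisco's code; the MarCache model, the MAC address and the timestamps are constructed assumptions) showing how a user re-authentication is rejected once the aging window since the last machine authentication has elapsed, and accepted after the timer is raised.

```python
from datetime import datetime, timedelta

# Hypothetical model of ACS Machine Access Restrictions (MAR): a user auth is
# accepted only if the same MAC completed machine auth within the aging window.
class MarCache:
    def __init__(self, aging_hours):
        self.aging = timedelta(hours=aging_hours)
        self.last_machine_auth = {}  # MAC -> timestamp of last machine auth

    def machine_auth(self, mac, when):
        self.last_machine_auth[mac] = when
        return ("accept", "")

    def user_auth(self, mac, when):
        last = self.last_machine_auth.get(mac)
        if last is None or when - last > self.aging:
            # Mirrors ACS message 24423 (no confirmed recent machine auth),
            # which is followed by 11003 (RADIUS Access-Reject).
            return ("reject", "24423")
        return ("accept", "")

def simulate(aging_hours, events):
    """Replay (timestamp, kind, mac) events and return each outcome."""
    cache = MarCache(aging_hours)
    results = []
    for when, kind, mac in events:
        if kind == "machine":
            results.append(cache.machine_auth(mac, when))
        else:
            results.append(cache.user_auth(mac, when))
    return results

# Constructed sample day: machine auth at boot, user logon a few minutes later,
# then a user re-authentication (e.g. session timeout) 13 hours after boot.
MAC = "84-4B-00-00-00-01"  # constructed placeholder, not a real client
DAY = [
    (datetime(2019, 10, 18, 7, 0), "machine", MAC),
    (datetime(2019, 10, 18, 7, 5), "user", MAC),
    (datetime(2019, 10, 18, 20, 0), "user", MAC),
]

if __name__ == "__main__":
    for hours in (12, 24):
        # 12 h aging rejects the 20:00 re-auth; 24 h aging accepts it
        print(hours, simulate(hours, DAY))
```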