Introduction
AAA Return or Response Codes
Debugs
Debugs to run to collect the expected logs
(Cisco Controller) >debug mac addr <00:13:ce:57:2b:84>
(Cisco Controller) >debug aaa events enable
(OR)
(Cisco Controller) >debug client <00:13:ce:57:2b:84>
(Cisco Controller) >debug aaa events enable
(Cisco Controller) >debug aaa errors enable
An AAA connectivity failure generates an SNMP trap if traps are enabled.
Returning AAA Error 'Success' (0) for mobile
//Authentication succeeded. AAA returns Access-Accept before Success (0), which confirms it.
Returning AAA Error 'Out of Memory' (-2) for mobile
//This is a rare reason. CSCud12582
Processing AAA Error 'Out of Memory'
Returning AAA Error 'Authentication Failed' (-4) for mobile
//This is the most common reason seen.
Example
*radiusTransportThread: Jan 24 04:05:12.021: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Jan 24 04:05:12.021: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc Access-Reject received from RADIUS server 192.168.1.8 for mobile e8:39:df:b6:35:bc receiveId = 7
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [Error] Client requested no retries for mobile E8:39:DF:B6:35:BC
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc Returning AAA Error 'Authentication Failed' (-4) for mobile e8:39:df:b6:35:bc
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [BE-resp] AAA response 'Authentication Failed'
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc [BE-resp] Returning AAA response
*radiusTransportThread: Jan 24 04:05:12.021: e8:39:df:b6:35:bc AAA Message 'Authentication Failed' received for mobile e8:39:df:b6:35:bc
Possible reasons
- Invalid user account and/or password
- Computer not a member of domain, issue on AD side.
- Certificate services not working properly
- Server Certificate expired or not in use
- RADIUS incorrectly configured
- Access key incorrectly entered - it IS case-sensitive (so is the SSID)
- Update Microsoft patches.
- EAP timers.
- Incorrect EAP method configured on client/server.
- Client certificate is expired or not in use.
Returning AAA Error 'Timeout' (-5) for mobile
AAA Server Unreachable, followed by client deauth.
Example
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 Max retransmission of Access-Request (id 100) to 155.43.129.216 reached for mobile 00:13:ce:1a:92:41
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 [Error] Client requested no retries for mobile 00:13:CE:1A:92:41
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 Returning AAA Error 'Timeout' (-5) for mobile 00:13:ce:1a:92:41
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 Processing AAA Error 'Timeout' (-5) for mobile 00:13:ce:1a:92:41
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 Sent Deauthenticate to mobile on BSSID 00:0b:85:76:d3:e0 slot 1(caller 1x_auth_pae.c:1033)
Wed Oct 26 20:08:50 2011: 00:13:ce:1a:92:41 Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
Returning AAA Error 'Internal Error' (-6) for mobile
Attribute mismatch: the AAA server sends an incorrect or inappropriate attribute (wrong length) that the WLC does not understand or is not compatible with. The WLC sends a Deauth message followed by an 'Internal Error' message. Example: CSCum83894
AAA 'Internal Error' and auth fail w/unknown attributes in access accept
Example
*radiusTransportThread: Feb 21 12:14:36.109: Aborting ATTR processing 599 (avp 26/6)
*radiusTransportThread: Feb 21 12:14:36.109: 40:f0:2f:11:a9:fd Invalid RADIUS response received from server 192.168.0.206 with id=9 for mobile 40:f0:2f:11:a9:fd
*radiusTransportThread: Feb 21 12:14:36.109: 40:f0:2f:11:a9:fd [Error] Client requested no retries for mobile 40:F0:2F:11:A9:FD
*radiusTransportThread: Feb 21 12:14:36.109: 40:f0:2f:11:a9:fd Returning AAA Error 'Internal Error' (-6) for mobile 40:f0:2f:11:a9:fd
*radiusTransportThread: Feb 21 12:14:36.109:
resultCode...................................-6
*Dot1x_NW_MsgTask_5: Feb 21 12:14:36.109: 40:f0:2f:11:a9:fd Processing AAA Error 'Internal Error' (-6) for mobile 40:f0:2f:11:a9:fd
Returning AAA Error 'No Server' (-7) for mobile
RADIUS is not properly configured and/or an unsupported configuration is in use.
Example
*Jun 22 20:32:10.229: 00:21:e9:57:3c:bf Returning AAA Error 'No Server' (-7) for mobile 00:21:e9:57:3c:bf
*Jun 22 20:32:10.229: AuthorizationResponse: 0x1eebb3ec
Reference
http://technet.microsoft.com/en-us/library/cc755205(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc771164(WS.10).aspx
- NPS Reason codes reference for NPS log
http://technet.microsoft.com/en-us/library/dd197464(v=ws.10).aspx