05-07-2012 10:10 AM - edited 07-03-2021 10:07 PM
Hello,
On a stable WLC setup with two controllers that authenticate Active Directory users through an ACS, I have the following problem. On one of the controllers (WLC1) there are a couple of users that recently started to authenticate only if the username is typed in all uppercase; on the other controller (WLC2), which is set up the same way on the ACS, these users work with either uppercase or lowercase. This only happens for two of fifty or so users.
Doing some troubleshooting on the ACS, I don't see the access-reject replies in the log files, so I assume it is the controller WLC1 that is rejecting the users. Is it possible that the authentication info for the lowercase username is being stored in a cache on WLC1, which causes the attempt to fail? If so, is there any way to clear it? Or do you have some other suggestion of what the problem could be?
Regards,
Gabriel.
05-08-2012 03:41 AM
The WLC will not cache credentials for a device that is trying to associate to the wireless network. You should take a look at those two specific machines and maybe double-check their profile and drivers. Have you tried using different credentials on those devices to test?
Sent from Cisco Technical Support iPhone App
05-09-2012 01:23 PM
Thanks for the reply. Yes, I have tried using other users on the same device and they work fine. I have also tried the users that are giving me trouble on other devices, and they act the same way, only working with all lowercase. Also, when I did the test on the other controller WLC2, it was from the same devices that don't work on WLC1, and they worked fine (lowercase and uppercase); that's why I ruled out a client problem and focused on the WLC instead.
05-10-2012 12:56 AM
Gabriel:
I think you had better check the password and username on the third-party auth server. If users are using non-Unicode characters, try to reset usernames and/or passwords to use only normal English characters. Also try writing the password in plain text on the problematic machines to make sure that it is being written correctly.
If all is fine, try running debug client to make sure an access-accept is being received.
What is the WLC code version? What RADIUS server are you using?
Sent from Cisco Technical Support iPad App
05-12-2012 12:14 PM
Hello Gabi
In a nutshell, usernames on Cisco Secure ACS are not case sensitive, so if the RADIUS Access-Request has the username in either upper or lower case, for ACS it is the same user.
To figure out what is happening we need the following:
debug client < mac address of the client affected >
debug aaa all enable
sniffer trace on the controller side while the issue is happening, as well as sniffer traces on the ACS side.
What is the version of ACS you are using? It would be great if you could set the logging level to detailed and collect the package.cab or support bundle with the timestamp of the issue and upload them here so we can double-check the info for you.
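A quick way to settle the "is it the WLC or the ACS" question raised in this thread is to send the same credentials straight to the RADIUS server from a test host, once with the username lower-cased and once upper-cased, and compare the replies. The script below is an added example written for this page, not code from the thread or from Cisco; it frames a plain RFC 2865 Access-Request with PAP password hiding (not the EAP exchange a WLC would normally do), checks the Response Authenticator so a forged or wrong-secret reply is not mistaken for a verdict, and reports accept/reject per username variant. The server address, shared secret and the NAS-Identifier value `case-probe` are assumptions: the ACS only answers hosts it knows as AAA clients with that secret, and it silently drops everything else, which the script reports as a timeout.

```python
"""Probe a RADIUS server directly with lower- and upper-case usernames.
Added example (RFC 2865 framing), not from the original thread."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
NAS_ID = b"case-probe"  # assumed value; the ACS must know this host as a AAA client


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; used to check the request we built."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, ident=0, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IDENTIFIER, NAS_ID))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: [values]})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i + 2 <= length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[i + 2:i + l])
        i += l
    return code, ident, pkt[4:20], attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side Accept/Reject framing (RFC 2865 section 3), here only so
    verify_response can be exercised offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_authenticator, secret) -> bool:
    """Reject replies whose Response Authenticator was not made with our
    secret for our request: their code is not a verdict worth trusting."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe(server, secret, username, password, timeout=3.0) -> str:
    """Send one Access-Request over UDP/1812 and classify the outcome."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    req = build_access_request(username, password, secret, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, 1812))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # unknown AAA client or wrong secret: ACS stays silent
    if not verify_response(data, auth, secret):
        return "bad-authenticator"
    code, rid, _, _ = parse_packet(data)
    if rid != ident:
        return "id-mismatch"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")


def case_probe(server, secret, username, password) -> dict:
    """Same password, username lower- then upper-cased."""
    return {u: probe(server, secret, u, password)
            for u in (username.lower(), username.upper())}


if __name__ == "__main__":
    import sys
    server, secret, user, pw = sys.argv[1:5]
    for name, result in case_probe(server, secret.encode(), user, pw).items():
        print(f"{name}: {result}")
```

Run it as `python probe.py <acs-ip> <shared-secret> <username> <password>` from the test host. If both variants come back "accept" the ACS is treating the names as the same user and the rejection is happening before the request reaches it (the WLC side, which the debugs and sniffer traces above will show); if the lower-case variant is rejected here as well, the problem is on the ACS or the directory behind it. Because this uses PAP rather than the EAP method the clients use, a difference between the two results only narrows the search; it does not replace the WLC-side captures.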