Solved: Re: 3504 wireless controller Invalid AAA request

gabriel.andersson · ‎04-07-2022

Hi.

We have 3504 Cisco controller configured with a 1832 AP.

Authentication/connection to the configured WLAN fails and we can see the following messages in the 3504 controller.

*radiusTransportThread: Apr 07 09:00:51.379: %AAA-3-INVALID_REQUEST: radius_db.c:3256 Invalid AAA request. unknown

As I understand it this points to the following information.

Explanation The system has received an AAA request with a null or invalid payload.

How can I further troubleshoot this issue?

Regards

Gabriel

Flavio Miranda · ‎04-07-2022

Result Code: No response received from server

This is something that need to be investigated.

Another interesting place to look is at the WLC main dashboard, Monitor tab, Statistics, RADIUS Statistics. A list of Radius server will be shown.

There, clicking in Statistics on the left hand side, you can see :

Authentication Server Statistics
Msg Round Trip Time (milliSeconds) 0
First Requests 0
Retry Requests 0
Accept Responses 0
Reject Responses 0
Challenge Responses 0
Malformed Messages 0
Bad Authenticator Msgs 0
Pending Requests 0
Timeout Requests 0
Unknown Type Msgs 0
Other Drops 0

View solution in original post

gabriel.andersson · ‎04-08-2022

Thanks for your help Flavio.
Your questions and guidance helped med narrow down where the issue was.

I double checked the Network Policy Server service on the NPS RADIUS server and it was not running for some reason even though it is set for Automatic(Delayed) start.
Once I started in manually it all worked flawlessly.

Have a great weekend!

View solution in original post

Flavio Miranda · ‎04-07-2022

Hi

If you run the following command:

test aaa radius username <user name> password <password> wlan-id <wlan-id> ap-group <apgroup-name> server-index <server-index>

test aaa show radius

Do you see the same error message? Do you see any log on the Radius itself? Which radius are you using?

Which version has your WLC?

gabriel.andersson · ‎04-07-2022

Thanks for your reply Flavio.

Below is the output that you requested.

Is the output good or bad?

(Cisco Controller) test>aaa radius username xxxxxxxx password xxxxxxx wlan-id 1 apgroup default-group server-index 2

Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... default-group

Attributes Values
---------- ------
User-Name gabriel_admin
Called-Station-Id 00-00-00-00-00-00:Blue
Calling-Station-Id 00-11-22-33-44-55
Nas-Port 0x00000001 (1)
Nas-Ip-Address 10.226.170.44
NAS-Identifier MEU-SWE-3504
Airespace / WLAN-Identifier 0x00000001 (1)
User-Password xxxxxxxxxx
Service-Type 0x00000008 (8)
Framed-MTU 0x00000514 (1300)
Nas-Port-Type 0x00000013 (19)
Cisco / Audit-Session-Id 0ae2aa2c0000000b624eb08e
Acct-Session-Id 624eb08e/00:11:22:33:44:55/17

gabriel.andersson · ‎04-07-2022

3504 Controller version is 8.5.140.0.
There are no logs on the radius server which is a Windows server 2012 R2 running as a Network Policy Server.

gabriel.andersson · ‎04-07-2022

(Cisco Controller) >test aaa show radius

Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... default-group
Server Index................................... 2
Radius Test Response

Radius Server Retry Status
------------- ----- ------
10.226.168.104 6 No response received from server

Authentication Response:
Result Code: No response received from server
No AVPs in Response

Flavio Miranda · ‎04-07-2022

Result Code: No response received from server

This is something that need to be investigated.

Another interesting place to look is at the WLC main dashboard, Monitor tab, Statistics, RADIUS Statistics. A list of Radius server will be shown.

There, clicking in Statistics on the left hand side, you can see :

Authentication Server Statistics
Msg Round Trip Time (milliSeconds) 0
First Requests 0
Retry Requests 0
Accept Responses 0
Reject Responses 0
Challenge Responses 0
Malformed Messages 0
Bad Authenticator Msgs 0
Pending Requests 0
Timeout Requests 0
Unknown Type Msgs 0
Other Drops 0

gabriel.andersson · ‎04-08-2022

Thanks for your feedback Flavio.

I am confused as how to interpet the info in this menu.
Does this info mean that the communication to the RADIUS server does not work since there is no "Accept repsonse"?

RADIUS Servers > Authentication Stats

Server Index
2
Server Address
10.226.168.104
Admin Status
Enabled
Authentication Server Statistics
Msg Round Trip Time (milliSeconds)
0
First Requests
231
Retry Requests
1100
Accept Responses
0
Reject Responses
0
Challenge Responses
0
Malformed Messages
0
Bad Authenticator Msgs
0
Pending Requests
0
Timeout Requests
1320
Unknown Type Msgs
0
Other Drops
0

gabriel.andersson · ‎04-08-2022

Thanks for your help Flavio.
Your questions and guidance helped med narrow down where the issue was.

I double checked the Network Policy Server service on the NPS RADIUS server and it was not running for some reason even though it is set for Automatic(Delayed) start.
Once I started in manually it all worked flawlessly.

Have a great weekend!

MHM Cisco World · ‎04-07-2022

are you config the WLAN and client with same Security L3 and are AAA support it?
this must be match all.