WAP4410N WPA2 Enterprise Mixed authentication problem against Cisco ACS 4.2

zawminoo2010
Level 1

We have 3 x WAP4410N at new office setup in Singapore.

Customer asked us to set up those 3 APs to make clients auth against an ACS 4.2 sitting in US office.

All the user notebooks were joined to Windows domain in US office, before being sent out to Singapore office.

We configured APs with WPA2 Enterprise Mixed mode and entered radius server address and secrets correctly.

Logging from ACS shows that users are authenticated successfully but, on the user notebooks, authentication never seems successful and keeps authenticating.

We have tried with the other option (RADIUS), but the problem persists.

Please help.

10 Replies

zawminoo2010
Level 1

Could someone please answer?

Hello Zaw Min Oo

I am an engineer with the small business support team. The authentication to the ACS should pass through the WAP4410N. I have a few questions I would like to ask in order to better assist you.

What firmware version are you running? Have you tested the authentication to the APs using WPA2-personal or no security?

Hi Robert,

Firmware version is 2.0.4.2.

We have tested with WPA-personal, WPA2-personal and all worked.

For enterprise, we have tested using WPA-ent, WPA2-ent, WPA2-ent-mixed and RADIUS.

All did not work.

Client keeps flapping between auth and validation.

ACS logs showed that auth OK.

Syslog from AP showed that client was associated but it happened repeatedly.

<134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:28.720   

<134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:28.720   

<134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:30.720   

<134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:30.720   

<134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:30.736   

<134>Oct 28 16:13:31 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:32.689   

Below is the diagram for your kind ref.

      US Office          Site-to-Site VPN    SG Office 

ACS --- ASA ------------ Internet ------------ ASA5505 ------ 2960 PoE SW ----- 3 x WAP4410N

                                                                                                   \ \___ DNS/DHCP Server

                                                                                                    \____ Wired Clients

Note: SG office ASA is 5505 and outside interface is on Vlan 2, inside interface is on Vlan 1. 2960 switch is configured with all ports in Vlan 2. Vlan feature on WAP4410N is disabled. Layer3 communication among US office ACS, SG office ASA5505, DHCP server and WAP4410N is fine. All wired clients in SG office get IP from DHCP server. I feel this is a bit odd and you may need to know.

Do feel free to let me know, should you need further input from me. Thanks!
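Added example, not part of the original post or any Cisco tooling: a small Python check that reads AP syslog lines in the format quoted above and flags clients that re-associate to the same AP several times within a few seconds, the loop described in this thread. The sample lines, hostname, MAC and IP addresses, and the `min_assoc` / `window_s` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the AP syslog format quoted above (names and addresses made up).
SAMPLE = """\
<134>Oct 28 16:13:27 AP-EXAMPLE kernel: [corp][02:00:00:00:00:01] Open Authentication    192.0.2.10    28/10 16:13:28.720
<134>Oct 28 16:13:27 AP-EXAMPLE kernel: [corp][02:00:00:00:00:01] Associated    192.0.2.10    28/10 16:13:28.720
<134>Oct 28 16:13:29 AP-EXAMPLE kernel: [][02:00:00:00:00:01] SUBTYPE_AUTH    192.0.2.10    28/10 16:13:30.720
<134>Oct 28 16:13:29 AP-EXAMPLE kernel: [corp][02:00:00:00:00:01] Associated    192.0.2.10    28/10 16:13:30.736
<134>Oct 28 16:13:30 AP-EXAMPLE kernel: [corp][02:00:00:00:00:02] Associated    192.0.2.10    28/10 16:13:31.100
<134>Oct 28 16:13:31 AP-EXAMPLE kernel: [][02:00:00:00:00:01] SUBTYPE_AUTH    192.0.2.10    28/10 16:13:32.689
<134>Oct 28 16:13:31 AP-EXAMPLE kernel: [corp][02:00:00:00:00:01] Associated    192.0.2.10    28/10 16:13:32.700
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<ssid>[^\]]*)\]\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\] "
    r"(?P<event>.+?)\s{2,}(?P<ip>\S+)\s+(?P<dev_ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d+)$"
)

def parse(text):
    """Yield (time, host, mac, event) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Syslog timestamps carry no year; pin one so time differences work.
            t = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield t, m["host"], m["mac"].upper(), m["event"]

def flapping_clients(text, min_assoc=3, window_s=10):
    """Return {(host, mac): total associations} for clients that associate
    to the same AP at least min_assoc times within window_s seconds."""
    seen = defaultdict(list)
    for t, host, mac, event in parse(text):
        if event == "Associated":
            seen[(host, mac)].append(t)
    window = timedelta(seconds=window_s)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        # Slide over each run of min_assoc consecutive associations.
        for i in range(len(times) - min_assoc + 1):
            if times[i + min_assoc - 1] - times[i] <= window:
                flagged[key] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(flapping_clients(SAMPLE))
```

Run against a collected syslog file, this separates clients stuck in the associate loop from clients that joined once and stayed connected.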

Thank you for the information.

Could you tell me, what is the authentication type you are using on your ACS?

Also, are you getting log in prompt for authentication when connecting?

Have you noticed if the flapping is occurring on the client as well or just the AP?

It seems like this might be something that requires a more in depth look. If you would like, feel free to call us at the SBSC and open a case. Here is a link for contacting us.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

Thanks for response.

I have asked US office for auth type in ACS. I will update to you, once I get it.

We tested on domain joined NBs with "use windows login info" option and user auth was successful, according to ACS log.

And we also tested with another XP pro NB, which is not joined to domain. We disabled the windows login option and it prompted for login info. We entered user/password/domain correctly and saw that auth was successful on ACS, too.

Flapping was occurring on client NBs, too. Saw that authenticating and validating identity were flapping.

I may call SBSC, next week.

Do feel free to ask me, should you need further input. Thanks!

Just received reply from US office.

Authentication type used on ACS is Radius (IETF).

Hi Robert,

Will you still be helping me here or I have only choice to call SBSC?

I have never called SBSC before.

All the way, I used to open TAC case for support but, this product is not listed in TAC supported product.

So, I presume I can only go to SBSC, if you do not proceed here.

So sorry for the delay in getting back with you.

It sounds like everything has been configured correctly on the network. I think it would be best to call in to the support center. We will be able to review the problem much quicker. Opening a case with us is very much like opening with TAC. Since you have done so before, I believe you will find the process to be simple.

Thanks!

I will try to call SBSC tomorrow.

Asif Majeed
Level 1

Dear All

I am having the same issue with the said Cisco 4410n APs with radius auths. Scenario is the same, with ACS in my head office and users and APs in remote offices. Users are added in ACS server as wireless users, but authentication keeps on flapping. Logs show everything OK, but user never gets authenticated from ACS at head office. Thinking to replace APs with Cisco Aironet 1131 APs.

BR
AM