06-26-2020 06:31 AM - edited 07-05-2021 12:13 PM
Hi All,
I have 2 SSIDs that work with a pre-shared key, and now I want to create 2 SSIDs to replace the old ones for more security.
One SSID will use certificate authentication and the other one will use MAC addresses for the smartphones.
On the first one I created a simple authentication without a certificate. The users who are in the AD group "G_CorporateWifi_BlachereGroupe" will have access to the network, so the authentication will be with their login and password (PEAP) via RADIUS.
I don't see anything on the RADIUS server and there is no communication between the WLC and RADIUS. So I checked the controller's logs.
Here are the logs from the controller:
*Dot1x_NW_MsgTask_6: Jun 26 15:08:21.380: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:08:05.359: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:08:05.299: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:07:40.082: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:07:31.806: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:07:01.104: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:07:01.063: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
Information about the controller: Cisco 2500 Series Model 2504
Software Version | 8.5.135.0 |
Field Recovery Image Version |
Thanks,
Regards
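A small triage script for controller logs like the ones in the opening post, added here as an example and not code from the thread or from Cisco: it groups DOT1X messages per client and separates clients with AAA_AUTH_SEND_FAIL from clients that only show other messages such as ABORT_AUTH. The sample lines, the MAC addresses and the two labels are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format shown in the post (placeholder MACs).
SAMPLE = """\
*Dot1x_NW_MsgTask_1: Jun 26 15:08:21.380: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 02:00:00:00:00:01 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_1: Jun 26 15:08:05.359: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 02:00:00:00:00:01
*Dot1x_NW_MsgTask_1: Jun 26 15:07:40.082: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 02:00:00:00:00:01
*Dot1x_NW_MsgTask_2: Jun 26 15:07:31.806: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 02:00:00:00:00:02 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
this line is not a controller message and is skipped
"""

LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<src>\S+) (?P<text>.*)$")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def parse(log):
    """Return one dict per recognised message line; skip anything else."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mac = MAC.search(m["text"])
        events.append({**m.groupdict(), "client": mac.group(0).lower() if mac else None})
    return events

def triage(events):
    """Label each client by the DOT1X messages logged for it."""
    per_client = defaultdict(Counter)
    for e in events:
        if e["facility"] == "DOT1X" and e["client"]:
            per_client[e["client"]][e["mnemonic"]] += 1
    result = {}
    for client, seen in per_client.items():
        if seen["AAA_AUTH_SEND_FAIL"]:
            # The controller said it could not send the AAA message: look at the
            # controller-to-RADIUS side (server entry, shared secret, path).
            result[client] = ("aaa_send_failure", dict(seen))
        else:
            result[client] = ("client_side_only", dict(seen))
    return result

if __name__ == "__main__":
    for client, (label, counts) in triage(parse(SAMPLE)).items():
        print(client, label, counts)
```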
06-26-2020 06:36 AM
06-26-2020 06:48 AM
RADIUS authentication configuration: see attached file
shared key "kaiaboss"
RADIUS NPS server configuration: see attached file
06-26-2020 07:19 AM
More info about NPS config:
http://uat.aventistech.com/cisco-wlc-peap-with-windows-nps-server/
Regards
Don't forget to rate helpful posts
06-26-2020 07:41 AM
06-26-2020 07:18 AM
You checked the box "Radius server overwrite interface". Do you need this or not? If not, then uncheck the box and try again.
06-26-2020 07:36 AM
06-26-2020 07:44 AM
06-29-2020 12:35 AM
06-29-2020 02:15 AM
06-30-2020 06:20 AM
The WLC has a route to the RADIUS and the ping is OK.
I will try to deactivate the Windows FW and try again. Maybe Windows Defender is blocking it.
07-06-2020 06:57 AM
Hi All,
All is working well now. I migrated the server to the new network. We were using an old network (192.168.0.0/22) with an HP core, but it was a black box for us. The configuration was so bad that we decided to migrate to the new network (10.0.x.0/24) with Cisco Meraki and a Palo Alto FW. So I could see the packets in the FW, I opened the necessary rules, and then I could see the messages in the NPS events.
So the WLC's configuration was correct and the NPS's configuration was correct. I don't really want to waste my time investigating the old network.
Thanks all, and thank you very much @Sandeep Choudhary
Best Regards
02-26-2021 01:46 AM
Hi,
I have encountered the same problems and errors.
I noticed that I typed the wrong character in the shared secret area.
The problem was resolved when I entered the same shared key on the Cisco ISE and WLC side.