cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4278
Views
4
Helpful
9
Replies

Changing the Radius server on a 5500

Andrew Cormier
Level 1
Level 1

Hi,

We are retiring our current radius server. It is windows 2003 IAS server (also a DC) that we use for 802.1X auth.

We are moving to server 2008r2. I have already installed NPS and Network Authentication services on the server.

On the existing IAS server I exported the settings (using iasmigreader.exe) and was able to import the profiles (I see the 5500 as a radius client etc)

Our 5500 is still pointing to the old server.

Is it as simple as changing the ip of the RADIUS server to point to the new server?

It looks like I actually have to add the new server and create a new preshared key on the NPS server but only find documents on adding a new 5500 (vs flipping it to a new NPS server)

THoughts?

Thanks

Drew

1 Accepted Solution

Accepted Solutions

Yes it can be... You should just recreate a new one on both the NPS and the WLC.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

View solution in original post

9 Replies 9

Scott Fella
Hall of Fame
Hall of Fame

You have to create the new radius on the WLC, then point them in the WLAN and remove the old from the WLAN before you can delete the old IAS servers.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks for the very quick reply.

Under controller I added the second radius server (didnt remove the first one)

Under WLAN I see I can have up to 3 servers (althought only 1 and 2 are in the dropdown)

I have not choosen server 2 yet. For testing do I simply flip the WLAN from server 1 to server 2?

If that works I can remove server 1?

That is correct

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

TThanks sdfsdf

Thanks Scott. Here is what I tested this morning.

Both servers are configured in the security/radius/authentication section

I went to Wlans/WLAN1/Security/AAAServers and changed the Auth server to the new one.

Test.. failed. Here is what I get from the NPS server.

Error: Event ID 18 - "An Access-Request message was received from RADIUS client xxx.xxx.xxx.xxx with a message authenticator attribute that is not valid." (where xxx.xxx etc is the 5500 ip address)

The original shared secret was provided by the conslutants who installed the system. Could it be that I have the wrong secret? If I do NOT have the correct secret how hard is it to change it? Since this wireless network is already in production I am hesitant to break it

Yes it can be... You should just recreate a new one on both the NPS and the WLC.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

That worked scott. At first those messages were because of a bad shared secret. Made sure they were correct in the radius client and under the controller security settings.

Thanks!!!

Scott Fella
Hall of Fame
Hall of Fame

Glad you have it working! Thanks for using the rating sysytem.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

ok.. next part is retiring our Enterprise CA ... snooping around I see that what also worked creating a new network policy since the imported one had something screwed up on the certificate side.

Kinda scary for me but so far so good.. thanks again.. especially for the very quick responses.

Well that's not an easy task. That could impact not just wireless:) might be simpler if your just upgrading from 2003 to 2008, but I'm no MS expert.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card