11-20-2012 06:30 PM - edited 07-03-2021 11:05 PM
Hi,
We are retiring our current radius server. It is windows 2003 IAS server (also a DC) that we use for 802.1X auth.
We are moving to server 2008r2. I have already installed NPS and Network Authentication services on the server.
On the existing IAS server I exported the settings (using iasmigreader.exe) and was able to import the profiles (I see the 5500 as a radius client etc)
Our 5500 is still pointing to the old server.
Is it as simple as changing the ip of the RADIUS server to point to the new server?
It looks like I actually have to add the new server and create a new preshared key on the NPS server, but I only find documents on adding a new 5500 (vs flipping it to a new NPS server).
Thoughts?
Thanks
Drew
11-20-2012 06:34 PM
You have to create the new radius on the WLC, then point them in the WLAN and remove the old from the WLAN before you can delete the old IAS servers.
Sent from Cisco Technical Support iPhone App
11-20-2012 06:50 PM
Thanks for the very quick reply.
Under controller I added the second radius server (didn't remove the first one).
Under WLAN I see I can have up to 3 servers (although only 1 and 2 are in the dropdown).
I have not chosen server 2 yet. For testing, do I simply flip the WLAN from server 1 to server 2?
If that works, can I remove server 1?
11-20-2012 06:55 PM
That is correct
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
11-21-2012 06:22 AM
Thanks Scott. Here is what I tested this morning.
Both servers are configured in the security/radius/authentication section
I went to Wlans/WLAN1/Security/AAAServers and changed the Auth server to the new one.
Test.. failed. Here is what I get from the NPS server.
Error: Event ID 18 - "An Access-Request message was received from RADIUS client xxx.xxx.xxx.xxx with a message authenticator attribute that is not valid." (where xxx.xxx etc is the 5500 ip address)
The original shared secret was provided by the consultants who installed the system. Could it be that I have the wrong secret? If I do NOT have the correct secret, how hard is it to change it? Since this wireless network is already in production, I am hesitant to break it.
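The Event ID 18 message above is what a Message-Authenticator check looks like when the NAS and the RADIUS server disagree on the shared secret. As an added example (not from this thread, nor Cisco or Microsoft code), the Python below builds a minimal Access-Request the way a NAS does and verifies it the way the server does, per RFC 2869 (HMAC-MD5 over the packet with the attribute zeroed, keyed with the shared secret); the usernames, addresses and secrets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def _attr(atype, value):
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identifier, username, nas_ip, authenticator=None):
    """Build an Access-Request as a NAS (e.g. a WLC) would, signed with `secret`."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    # HMAC-MD5 over the whole packet with the attribute value zeroed, then filled in.
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def message_authenticator_valid(packet, secret):
    """Server-side check: True only if the HMAC verifies under `secret`.
    A False here is the condition NPS reports as Event ID 18."""
    header, body = packet[:20], packet[20:]
    zeroed, received, pos = b"", None, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return False  # malformed attribute list
        value = body[pos + 2:pos + alen]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, b"\x00" * 16
        zeroed += body[pos:pos + 2] + value
        pos += alen
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)
```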
11-21-2012 06:25 AM
Yes it can be... You should just recreate a new one on both the NPS and the WLC.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
11-21-2012 11:34 AM
That worked, Scott. At first those messages were because of a bad shared secret. Made sure they were correct in the radius client and under the controller security settings.
Thanks!!!
11-21-2012 11:41 AM
Glad you have it working! Thanks for using the rating system.
Sent from Cisco Technical Support iPhone App
11-21-2012 12:26 PM
OK, next part is retiring our Enterprise CA... Snooping around, I see that what also worked was creating a new network policy, since the imported one had something screwed up on the certificate side.
Kinda scary for me, but so far so good. Thanks again, especially for the very quick responses.
11-21-2012 12:46 PM
Well, that's not an easy task. That could impact not just wireless :) It might be simpler if you're just upgrading from 2003 to 2008, but I'm no MS expert.
Sent from Cisco Technical Support iPhone App