07-29-2016 12:17 AM - edited 07-05-2021 05:31 AM
Good day,
I have configured my 3850 switch with two SSIDs, one for guest and the other for internal use. I have an ACS server in my network which is using AD as its identity store. I have been trying to get authentication to work but with no joy, and I am getting the following messages from the switch:
Jul 29 07:09:37.205: AAA/BIND(0000C25D): Bind i/f
Jul 29 07:09:37.217: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:37.217: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:09:42.248: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:42.248: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:09:47.262: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:47.263: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:09:52.343: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:52.344: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:09:57.339: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.
Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.
Jul 29 07:10:02.379: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:10:07.417: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:10:12.498: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified
Jul 29 07:10:12.499: %DOT1X-5-FAIL: Authentication failed for client (d04f.7e52.435c) on Interface Ca2 AuditSessionID 0a0b8447579b01310000c25d
On the ACS I can see the request coming through but it also drops the request with the following messages:
Radius authentication failed for USER: MAC: 94-65-9C-52-DA-A0 AUTHTYPE:
How can I resolve this issue?
07-29-2016 03:38 PM
Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.
Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.
From your switch management IP, do you have reachability to ACS? Is there any ACL applied on upstream switches where the SVI is defined for switch management/wireless management?
Here is some reference config with a 3850 WLC, using ISE as RADIUS. Hope that may give some cross reference for your switch configs
https://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/
HTH
Rasika
*** Pls rate all useful responses ***
07-29-2016 02:33 AM
Hello,
Good idea with attaching the debugs straight away!!!
The message "Jul 29 07:10:07.417: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified" means that the 3850 has tried to communicate with the ACS server but not received any response.
Can you let me know what is the software version on the 3850? Also can you check what are the logs on the ACS saying?
Best Regards,
WiFi Trainers (www.wifitrainers.com)
Your one stop solution for all your wireless training needs!
******** Please rate if useful *********
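A way to triage debug output like the lines posted above, as an added example that is not part of the original thread: it labels each `%DOT1X-5-FAIL` by whether a `%RADIUS-4-RADIUS_DEAD` event preceded it, which separates "the server never answered" from failures where the server was reachable. The function name, the 60-second window and the year used for timestamp parsing are assumptions; the sample is a constructed subset of the posted log.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the debug lines posted in the thread.
SAMPLE = """\
Jul 29 07:09:37.217: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:42.248: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.
Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.
Jul 29 07:10:12.499: %DOT1X-5-FAIL: Authentication failed for client (d04f.7e52.435c) on Interface Ca2 AuditSessionID 0a0b8447579b01310000c25d
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): (.*)$")
DEAD = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+?):")
FAIL = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-f.]+)\)")


def triage(text, window_s=60, year=2016):
    """Label each 802.1X failure by whether a RADIUS_DEAD event preceded it.

    window_s and year are assumptions: IOS timestamps carry no year, and
    60 seconds is an arbitrary correlation window for this illustration.
    """
    dead = []       # (timestamp, server) for every RADIUS_DEAD seen so far
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (d := DEAD.search(msg)):
            dead.append((ts, d.group(1)))
        elif (f := FAIL.search(msg)):
            recent = [s for t, s in dead
                      if 0 <= (ts - t).total_seconds() <= window_s]
            findings.append({
                "client": f.group(1),
                # A DEAD event just before the failure points at reachability
                # (routing, ACL, addressing) rather than at credentials.
                "cause": "radius-unreachable" if recent else "no-dead-event-seen",
                "servers": sorted(set(recent)),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
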
07-29-2016 02:54 AM
Hi,
Thanks for the response.
Please see below and attached in response to the questions asked.
Model Revision Number : U0
Motherboard Revision Number : A0
Model Number : WS-C3850-24P
System Serial Number : FCW1927D0U5
Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 32 WS-C3850-24P 03.06.04.E cat3k_caa-universalk9 BUNDLE
It seems to be trying to authenticate with MAC address but I only want to authenticate with windows credentials.
Thanks,
08-01-2016 10:30 PM
Thanks for the guidance, I discovered a finger slip error. When configuring the IP settings of the ACS I put in the wrong subnet mask so there definitely was no connectivity between the two devices. The rest of my configuration was similar to yours except that I am using an external AD source.
I now have a 5411 EAP Timed out error. Any thoughts on that one? I see the troubleshooting guide says it may be the client dropping that off, but there is no real fix given.
08-04-2016 04:44 PM
I now have an 5411 EAP Timed out error, any thoughts on that one.
Does this happen to all clients or some of them? I would try to narrow it down to see if that occurs with a particular client type.
Rasika