
Radius Authentication Issues on 3850 WLC and Cisco ACS

eddiemusa
Level 1

Good day,

I have configured my 3850 switch with two SSIDs, one for guest and the other for internal use. I have an ACS server in my network which is using AD as its identity store. I have been trying to get authentication to work but with no joy, and I am getting the following messages from the switch:

Jul 29 07:09:37.205: AAA/BIND(0000C25D): Bind i/f

Jul 29 07:09:37.217: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'

Jul 29 07:09:37.217: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:09:42.248: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'

Jul 29 07:09:42.248: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:09:47.262: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'

Jul 29 07:09:47.263: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:09:52.343: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'

Jul 29 07:09:52.344: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:09:57.339: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.

Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.

Jul 29 07:10:02.379: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:10:07.417: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:10:12.498: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified

Jul 29 07:10:12.499: %DOT1X-5-FAIL: Authentication failed for client (d04f.7e52.435c) on Interface Ca2 AuditSessionID 0a0b8447579b01310000c25d

On the ACS I can see the request coming through but it also drops the request with the following messages:

Radius authentication failed for USER: MAC: 94-65-9C-52-DA-A0 AUTHTYPE:

How can I resolve this issue?

Accepted Solutions

Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.
Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.

From your switch management IP, do you have reachability to ACS? Is there any ACL applied on upstream switches where the SVI is defined for switch management/wireless management?

Here is some reference config with a 3850 WLC, using ISE as RADIUS. Hope that may give some cross reference for your switch configs.

https://mrncciew.com/2013/12/06/wlan-config-with-3850-part-2/

HTH

Rasika

*** Pls rate all useful responses ***
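
The triage this thread walks through (repeated method-list attempts, the server marked dead, then the client failing), as an added example that is not part of the original posts. The function name `triage`, the `flap_window` parameter and the report keys are hypothetical; the sample lines are a constructed subset of the debug output posted above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE = """\
Jul 29 07:09:37.217: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:42.248: AAA/AUTHEN/8021X (00000000): Pick method list 'ACS'
Jul 29 07:09:57.378: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.11.132.30:1645,1646 is not responding.
Jul 29 07:09:57.379: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.11.132.30:1645,1646 is being marked alive.
Jul 29 07:10:12.499: %DOT1X-5-FAIL: Authentication failed for client (d04f.7e52.435c) on Interface Ca2 AuditSessionID 0a0b8447579b01310000c25d
"""

STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
RADIUS = re.compile(r"%RADIUS-4-RADIUS_(DEAD|ALIVE): RADIUS server ([\d.]+):(\d+),(\d+)")
PICK = re.compile(r"AAA/AUTHEN/8021X \(\w+\): Pick method list '([^']+)'")
FAIL = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-f.]+)\)")

def triage(text, flap_window=1.0):
    """Summarise RADIUS/802.1X events found in IOS debug output."""
    out = {"method_picks": {}, "dead": [], "flaps": [], "failed_clients": []}
    last_dead = {}  # server IP -> time of its most recent RADIUS_DEAD
    for raw in text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue  # blank lines or anything without a leading timestamp
        # The log carries no year; 2000 is a placeholder so Feb 29 still parses.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        msg = m.group(2)
        if (p := PICK.search(msg)):
            name = p.group(1)
            out["method_picks"][name] = out["method_picks"].get(name, 0) + 1
        elif (r := RADIUS.search(msg)):
            state, server = r.group(1), r.group(2)
            if state == "DEAD":
                last_dead[server] = ts
                out["dead"].append((server, int(r.group(3)), int(r.group(4))))
            elif server in last_dead:
                gap = (ts - last_dead[server]).total_seconds()
                if gap <= flap_window:
                    # ALIVE logged right after DEAD is not proof of a reply.
                    out["flaps"].append((server, gap))
        elif (f := FAIL.search(msg)):
            out["failed_clients"].append(f.group(1))
    # Clients failed while a server was declared dead: check the path first.
    out["check_reachability"] = bool(out["dead"] and out["failed_clients"])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```
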


5 Replies

WiFi Trainers
Level 1

Hello,

Good idea with attaching the debugs straight away!!!

The message "Jul 29 07:10:07.417: AAA/AUTHEN(00000000): There is no General DBReply Method Index details may not be specified" means that the 3850 has tried to communicate with the ACS server but not received any response.

Can you let me know what is the software version on the 3850? Also can you check what are the logs on the ACS saying?

Best Regards,

WiFi Trainers (www.wifitrainers.com)

Your one stop solution for all your wireless training needs!

******** Please rate if useful *********

Hi,

Thanks for the response.

Please see below and attached in response to the questions asked.

 

Model Revision Number              : U0

Motherboard Revision Number        : A0

Model Number                       : WS-C3850-24P

System Serial Number               : FCW1927D0U5

 

 

Switch Ports Model              SW Version        SW Image              Mode

------ ----- -----              ----------        ----------            ----

*    1 32    WS-C3850-24P       03.06.04.E        cat3k_caa-universalk9 BUNDLE

It seems to be trying to authenticate with MAC address but I only want to authenticate with Windows credentials.

Thanks,

eddiemusa
Level 1

Thanks for the guidance, I discovered a finger slip error. When configuring the IP settings of the ACS I put in the wrong subnet mask so there definitely was no connectivity between the two devices. The rest of my configuration was similar to yours except that I am using an external AD source.

I now have a 5411 EAP Timed out error, any thoughts on that one? I see the troubleshooting guide says it may be the client dropping that off but there is no real fix given.

I now have a 5411 EAP Timed out error, any thoughts on that one?

Does this happen to all clients or some of them? I would try to narrow it down to see if that occurs with a particular client type.

Rasika
