
Radius authentication problem on 5508 controller

bouvot_julien

Dear,

We've just configured a Cisco 5508 wireless controller on our network.

OS version is 8.0.120.0 and it's not possible to upgrade in order to support 1131AG access points.

We encounter a RADIUS authentication problem on Windows clients.

It's important to say that these clients work with another controller... Unfortunately I didn't see any differences between them.

So, I've checked some parameters:

- First, the controller can ping the RADIUS server IP.

- After, I've verified the interface routing with another SSID created on the same interface and a WPA pre-shared key.

- Checked WPA settings and changed "timers" like I've seen on other subjects...

but no results!

I hope you will help me to find a solution. In addition, I put my logs in the attached file.

Waiting for your answers,

Julien.

Accepted Solutions

Hi,

Are you sure your policies are configured properly on the RADIUS server? Looks like it's not, because it shows as a REJECT: "Processing Access-Reject"

Regards

Don't forget to rate helpful posts

OS version is 8.0.120.0 and it's not possible to upgrade in order to support 1131AG access points.

Anything in the 8.0 code train will support the 1130s. 

8.0.140.0 supports them.

That's right... but this controller and this OS version worked on another site... with the same parameters. That's the reason why I'm searching for another cause.

 - As stated earlier, check your radius server logs (too) and analyze the particular requests coming from the wl-controller

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

bouvot_julien

Furthermore, the authentication process failed after this step:

*Dot1x_NW_MsgTask_5: May 24 14:15:30.450: b0:10:41:b8:15:d5 Sending EAP-Request/Identity to mobile b0:10:41:b8:15:d5 (EAP Id 1)
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 reauth_sm state transition 0 ---> 0 for mobile b0:10:41:b8:15:d5 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 Received EAPOL START from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 dot1x - moving mobile b0:10:41:b8:15:d5 into Connecting state
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 Sending EAP-Request/Identity to mobile b0:10:41:b8:15:d5 (EAP Id 2)
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 reauth_sm state transition 0 ---> 0 for mobile b0:10:41:b8:15:d5 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Received EAPOL EAPPKT from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Received Identity Response (count=1) from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Resetting reauth count 1 to 0 for mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 EAP State update from Connecting to Authenticating for mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 dot1x - moving mobile b0:10:41:b8:15:d5 into Authenticating state
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 reauth_sm state transition 0 ---> 0 for mobile b0:10:41:b8:15:d5 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Entering Backend Auth Response state for mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 reauth_sm state transition 0 ---> 0 for mobile b0:10:41:b8:15:d5 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: May 24 14:15:30.679: b0:10:41:b8:15:d5 Processing Access-Reject for mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.679: b0:10:41:b8:15:d5 reauth_sm state transition 0 ---> 0 for mobile b0:10:41:b8:15:d5 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_5: May 24 14:15:30.679: b0:10:41:b8:15:d5 Sending EAP-Failure to mobile b0:10:41:b8:15:d5 (EAP Id -1)

Hi,

Are you sure your policies are configured properly on the RADIUS server? Looks like it's not, because it shows as a REJECT: "Processing Access-Reject"

Regards

Don't forget to rate helpful posts
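
Added example, not part of the original posts: a short Python triage of the Dot1x debug lines quoted in the thread, showing that the Access-Reject arrived 11 ms after the client's Identity Response with no further EAP packets in between, so the decision was made on the RADIUS server side and its logs are where to look. The function name `triage` and the stage labels are assumptions of this example; only message strings that appear in the posted log are matched.

```python
import re

# Lines copied from the debug output posted in this thread
# (state-machine transition lines omitted for brevity).
SAMPLE = """\
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 Received EAPOL START from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.470: b0:10:41:b8:15:d5 Sending EAP-Request/Identity to mobile b0:10:41:b8:15:d5 (EAP Id 2)
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Received EAPOL EAPPKT from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.668: b0:10:41:b8:15:d5 Received Identity Response (count=1) from mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.679: b0:10:41:b8:15:d5 Processing Access-Reject for mobile b0:10:41:b8:15:d5
*Dot1x_NW_MsgTask_5: May 24 14:15:30.679: b0:10:41:b8:15:d5 Sending EAP-Failure to mobile b0:10:41:b8:15:d5 (EAP Id -1)
"""

# "*<task>: <Mon> <day> <HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(r"^\*\S+: \w{3} +\d+ (\d+):(\d+):(\d+)\.(\d{3}): "
                  r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")

def triage(log_text):
    """Summarise, per client MAC, where an 802.1X attempt was rejected."""
    state, verdicts = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a Dot1x debug line in the expected layout
        h, mi, s, ms = (int(x) for x in m.group(1, 2, 3, 4))
        t_ms = ((h * 60 + mi) * 60 + s) * 1000 + ms  # time of day; ignores midnight rollover
        mac, msg = m.group(5), m.group(6)
        st = state.setdefault(mac, {"identity_ms": None, "eap_pkts": 0})
        if msg.startswith("Received Identity Response"):
            # New attempt: remember when the identity was received, reset the count.
            st["identity_ms"], st["eap_pkts"] = t_ms, 0
        elif msg.startswith("Received EAPOL EAPPKT") and st["identity_ms"] is not None:
            st["eap_pkts"] += 1  # client EAP packets sent after the identity
        elif msg.startswith("Processing Access-Reject"):
            delay = None if st["identity_ms"] is None else t_ms - st["identity_ms"]
            # No EAP packets after the identity: rejected before any EAP method ran.
            stage = "identity" if st["eap_pkts"] == 0 else "eap-method"
            verdicts[mac] = {"result": "radius-reject", "stage": stage, "delay_ms": delay}
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE))
```
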

I have the same problem, can anyone help with that?
Access-Reject received from RADIUS server

Please open a new thread and add as much information as possible.
-Scott
*** Please rate helpful posts ***