10-13-2011 07:42 AM - edited 07-03-2021 08:55 PM
Hi
We are unable to authenticate the users connecting to the WLC over EAP-FAST from ACS 5.1.
AD is integrated with the ACS.
The error messages on the WLC are: Radius server deactivated in global list
Radius server failed to respond to request (ID:xx) for client xx:xx:xx:xx:xx:xx:xx
I found a time skew error occurring between the AD and the ACS. But after I configured an NTP server in the ACS the problem
still exists.
I removed the controller from the ACS and added it back, and did the same on the controller (reconfigured the AAA settings).
But the problem is not resolved.
Thanks
Subhash
10-13-2011 09:33 AM
Subhash,
The error on the WLC is telling us that the AAA server is not responding to its request. This could be due to the server being busy, which could be seen by reading through the RDS logs from the ACS, if you have logging set to full.
But a question. Is the ACS configured in a VLAN that the WLC has as a dynamic interface? If so, this goes against the best practices for configuring the WLC, and the WLC will drop these packets.
If the above is the case, you can try to issue the following commands:
config network mgmt-via-dynamic-interface enable
This should allow the WLC to accept a response from a device on a dynamic interface. Be warned, however, that this also allows a user on a dynamic interface to reach the HTTP/S and SSH/Telnet interfaces, if they are aware of the address.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
10-13-2011 09:00 PM
Hi Stephen,
Thanks for your response.
The ACS VLAN and the WLC dynamic interface are in two different VLANs.
Any other solution?
I have also changed the RADIUS server response time from the default to its maximum, but no use.
Thanks in advance
Subhash M
02-01-2012 12:22 PM
After working with TAC, I resolved this issue recently. Increasing the timeout value did not help. On the WLC, try:
config radius aggressive-failover disable
As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
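To make the difference between the two failover modes concrete, here is a small Python model added to this thread. It is not Cisco code and the WLC's internal RADIUS state machine is not public; the decision rule is taken literally from the Cisco text quoted above (aggressive: the server is marked not responding as soon as one client's request goes unanswered; disabled: only after three consecutive clients get no response). The server name, client MACs and the event sequence are constructed for illustration.

```python
"""Model of WLC RADIUS server deactivation with aggressive-failover on vs off.

Added example, not Cisco's code. The WLC internals are not public, so the
rule below is a literal reading of the Cisco document quoted in the thread:
aggressive mode deactivates the server after one unanswered client request,
non-aggressive mode only after three consecutive unanswered client requests.
Server name, thresholds and sample events are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Consecutive unanswered client requests needed to deactivate the server.
# "3" is the figure in the quoted document; "1" for aggressive mode is our
# reading of "too aggressive to mark the AAA server as not responding".
FAILOVER_THRESHOLD = {True: 1, False: 3}

Event = Tuple[str, bool]  # (client MAC, did the RADIUS server answer?)


@dataclass
class RadiusServerState:
    name: str
    active: bool = True
    consecutive_failures: int = 0  # unanswered client requests since last answer


def record_attempt(state: RadiusServerState, responded: bool, aggressive: bool) -> bool:
    """Update server state after one client's EAP exchange has finished.

    `responded` is False when every retransmit for that client timed out, e.g.
    because the server silently discarded a client whose certificate it rejected.
    Returns the server's active flag after the update.
    """
    if not state.active:
        return False  # already deactivated; the WLC would not use this server
    if responded:
        state.consecutive_failures = 0  # one valid answer resets the count
        return True
    state.consecutive_failures += 1
    if state.consecutive_failures >= FAILOVER_THRESHOLD[aggressive]:
        state.active = False  # "Radius server deactivated in global list"
    return state.active


def first_deactivation(events: List[Event], aggressive: bool) -> Optional[int]:
    """Index of the event that deactivates the server, or None if it survives."""
    state = RadiusServerState("acs-5.1")  # assumed server name
    for i, (_mac, responded) in enumerate(events):
        if not record_attempt(state, responded, aggressive):
            return i
    return None


def run_log(events: List[Event], aggressive: bool) -> List[str]:
    """Human-readable trace, one line per client attempt."""
    state = RadiusServerState("acs-5.1")
    lines = []
    for mac, responded in events:
        was_active = state.active
        active = record_attempt(state, responded, aggressive)
        if not was_active:
            lines.append(f"{mac}: server already inactive, request not sent")
        else:
            lines.append(f"{mac}: {'answered' if responded else 'NO RESPONSE'} -> "
                         f"server {'active' if active else 'DEACTIVATED'}")
    return lines


# Constructed sample: one client whose certificate the server rejects (and
# therefore silently discards) sits between clients the server answers.
SAMPLE_EVENTS: List[Event] = [
    ("00:11:22:33:44:01", True),
    ("00:11:22:33:44:02", False),  # bad certificate, silent discard
    ("00:11:22:33:44:03", True),
    ("00:11:22:33:44:04", True),
]

if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- config radius aggressive-failover {'enable' if mode else 'disable'} ---")
        print("\n".join(run_log(SAMPLE_EVENTS, mode)))
```

With the sample sequence, aggressive mode deactivates the server at the single bad-certificate client and the two valid clients behind it are never sent to it, which is exactly the "deactivated in global list" symptom in the first post; with the feature disabled the one silent discard is absorbed and the server stays active. The security-relevant reading is that, under aggressive failover, one misbehaving client can take a working AAA server out of service for everyone else.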