Radius server 00.00.00.00 deactivated in global list

bose_boss
Level 1

Hi

We are unable to authenticate the users connecting to the WLC over EAP-FAST from ACS 5.1.
AD is integrated with the ACS.

The error message on the WLC is: Radius server deactivated in global list
Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx

I found that a time-skew error occurs between the AD and the ACS, but even after I configured an NTP server in the ACS the problem still exists.

I removed the controller from the ACS and added it back, and did the same thing on the controller (reconfigured the AAA settings).

But the problem is not resolved.

Thanks

Subhash

3 Replies

Stephen Rodriguez
Cisco Employee

Subhash,

The error on the WLC is telling us that the AAA server is not responding to its request. This could be due to the server being busy, which could be seen by reading through the RDS logs from the ACS, if you have logging set to full.

But a question. Is the ACS configured in a VLAN that the WLC has as a dynamic interface? If so, this goes against the best practices for configuring the WLC, and the WLC will drop these packets.

If the above is the case, you can try to issue the following commands:

config network mgmt-via-dynamic-interface enable

This should allow the WLC to accept a response from a device on a dynamic interface. Be warned, however, that this also allows a user on a dynamic interface to reach the HTTP/S and SSH/Telnet interfaces, if they are aware of the address.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Hi Stephen,

Thanks for your response.

The ACS VLAN and the WLC dynamic interface are in two different VLANs.

Any other solution?

I have also changed the RADIUS server response time from the default to its maximum, but no use.

Thanks in advance

Subhash M

After working with TAC, I resolved this issue recently. Increasing the timeout value did not help. On the WLC, try:

config radius aggressive-failover disable

As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :

If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.

In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
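To make the difference between the two failover modes concrete, here is a small added Python script (not code from Cisco or from anyone in this thread) that replays constructed WLC-style log lines and reports when a controller would mark the RADIUS server deactivated. It models the non-aggressive mode exactly as the quoted document states it (three consecutive distinct clients with no response). How "aggressive" mode counts is an assumption for illustration: it is modelled as deactivating on the first unanswered request, which is what a single client doing a silent-discard retry storm looks like in the scenario the document describes. The "answered request" line format and the MAC addresses and IP are constructed sample data, not real controller output.

```python
import re
from typing import Optional, Tuple, List

# Regex for the real WLC message quoted in the thread:
# "Radius server <ip> failed to respond to request(ID:<n>) for client <mac>"
FAIL_RE = re.compile(
    r"Radius server (?P<server>[\d.]+) failed to respond to request"
    r"\(ID:(?P<rid>\d+)\) for client (?P<client>[0-9a-fA-F:]{17})"
)

# ASSUMPTION: constructed "success" line so the simulation can see a server
# recover. This is not a real WLC log message.
OK_RE = re.compile(
    r"Radius server (?P<server>[\d.]+) answered request"
    r"\(ID:(?P<rid>\d+)\) for client (?P<client>[0-9a-fA-F:]{17})"
)

# Constructed sample log: one client retries three times without an answer
# (the EAP-FAST silent-discard case), the server answers someone else, then
# three different clients get no response.
SAMPLE_LOG = """\
Radius server 10.0.0.5 failed to respond to request(ID:12) for client 00:11:22:33:44:55
Radius server 10.0.0.5 failed to respond to request(ID:13) for client 00:11:22:33:44:55
Radius server 10.0.0.5 failed to respond to request(ID:14) for client 00:11:22:33:44:55
Radius server 10.0.0.5 answered request(ID:15) for client aa:bb:cc:dd:ee:01
Radius server 10.0.0.5 failed to respond to request(ID:16) for client aa:bb:cc:dd:ee:02
Radius server 10.0.0.5 failed to respond to request(ID:17) for client aa:bb:cc:dd:ee:03
Radius server 10.0.0.5 failed to respond to request(ID:18) for client aa:bb:cc:dd:ee:04
"""

ParsedLine = Tuple[str, str, int, bool]  # (server, client, request id, failed?)


def parse_line(line: str) -> Optional[ParsedLine]:
    """Return (server, client, request_id, failed) or None for unrelated lines."""
    m = FAIL_RE.search(line)
    if m:
        return m["server"], m["client"].lower(), int(m["rid"]), True
    m = OK_RE.search(line)
    if m:
        return m["server"], m["client"].lower(), int(m["rid"]), False
    return None


def simulate(log_text: str, aggressive: bool) -> List[Tuple[str, int]]:
    """Replay the log and return (server, request_id) pairs at which the
    controller would mark the server deactivated.

    aggressive=False: deactivate after three consecutive *distinct* clients
    get no response (as the quoted Cisco document states).
    aggressive=True:  ASSUMPTION for illustration: deactivate on the first
    unanswered request, regardless of which client sent it.
    """
    threshold = 1 if aggressive else 3
    pending = {}        # server -> distinct clients unanswered since last reply
    down = set()        # servers currently marked deactivated
    deactivations = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        server, client, rid, failed = parsed
        clients = pending.setdefault(server, [])
        if not failed:
            # Any answer proves the server is alive: reset the counter.
            clients.clear()
            down.discard(server)
            continue
        if server in down:
            # Already deactivated; further timeouts change nothing.
            continue
        if client not in clients:
            clients.append(client)
        if len(clients) >= threshold:
            deactivations.append((server, rid))
            down.add(server)
            clients.clear()
    return deactivations


if __name__ == "__main__":
    for mode in (True, False):
        label = "aggressive" if mode else "non-aggressive"
        print(f"{label:15s}: deactivated at {simulate(SAMPLE_LOG, mode)}")
```

Run against the sample, the aggressive model deactivates the server at request 12 (one client's retries) and again at 16, while the non-aggressive model only does so at request 18, after three different clients have gone unanswered. That is the behaviour the quoted text is describing: a single misbehaving supplicant should not be able to take a healthy AAA server out of the controller's list.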
