Solved: Users of Particular SSID not able to get authenticated in WLC

anasubra_2 · ‎05-28-2008

Hi ALL,

We suddenly experiencing issue of getting authenticated for users in particular SSID. These users are setup to use Local LEAP database in the WLC to get authenticated .. The recent trap shows the below message for the users

"AAA Authentication Failure for UserName:test User Type: WLAN USER"

In the message log ,we see the below message

ay 28 19:28:33.552 dtl_arp.c:504 DTL-3-INVALID_ARP_TIMEOUT_ADDR: MAC entry (MAC address) received for timeout is INVALID. Dropping it.

We are not sure ,about the above message and couldn't find an explanation in the WLC meesage guide .....If you have any idea ..Kindly let us know .....

Thanks

Regards

Anantha Subramanian Natarajan

jeromehenry_2 · ‎05-29-2008

Hi Anasubra,

Unfortunately, for now controller is a backup solution. So it can't be configured as a primary. It will only be used if you have no AAA configured or if the configured AAA doesn't reply...

Jerome

View solution in original post

Scott Fella · ‎05-28-2008

Did you happen to add a Radius server to the wlc?

-Scott
*** Please rate helpful posts ***

anasubra_2 · ‎05-29-2008

Hi Fella5,

Yes ,some couple of days back and was associated with different SSID.

Do you think some issues with the same.?

Thanks for the reply.

Regards

Anantha Subramanian Natarajan

jeromehenry_2 · ‎05-29-2008

Yes, Fella is probably right here (5 for you Fella5!). Local EAP is designed as a backup authentication system. If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients with the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured...

So if you have a radius that works, local EAP won't work and authentication will fail...

hth

jerome

Scott Fella · ‎05-29-2008

I didn't want to jump the gun and that is why I asked. You should of seen some failed attempts on the radius server. Now what you have to do, if you have an ACS server is to configure LEAP authentication on that. If you have IAS or another type of radius server, you might not have the ability to support LEAP.

-Scott
*** Please rate helpful posts ***

anasubra_2 · ‎05-29-2008

Thank you very much fella5

Regards

Anantha Subramanian Natarajan

anasubra_2 · ‎05-29-2008

Hi Jeromehenry,

Thank you very much .....Is there a way to configure the primary option as Local LEAP and then the backup option as radius for a particular SSID.....

Thank You

Regards

Anantha Subramanian Natarajan

jeromehenry_2 · ‎05-29-2008

Hi Anasubra,

Unfortunately, for now controller is a backup solution. So it can't be configured as a primary. It will only be used if you have no AAA configured or if the configured AAA doesn't reply...

Jerome

anasubra_2 · ‎05-29-2008

Hi Jerome,

Thank you very much for the answer .

Regards

Anantha Subramanian Natarajan

Rob Huffman · ‎05-29-2008

Hey guys,

Scott and Jerome, that is some pretty slick troubleshooting and also something I have never heard of. +5 points to both of you for your continued great work here!

Thanks again,

Rob