WLC not integrating with Radius Server

Calin Cristea · ‎03-05-2012

Hello world,

I have the following situation:

One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.

Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.

The infrastracture didn`t suffer modifications.

What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.

There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.

The AP`s are 1242.

I have tried deleting the SSID, configure it back. The OS on Windows Server is 2003 Standard. The AP`s are configured H-Reap.

I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.

The message logs recived on WLC Trap Logs:

RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'

The message from the debug dot1x aaa enable:

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!

*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00 ......
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
*radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
*Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.

The messages on Windows 2003 Standard:

User Y was denied access.

Fully-Qualified-User-Name = xx.domain.com/Users_T/user

NAS-IP-Address = X.X>X.X

NAS-Identifier = Cisco_

Called-Station-Identifier = ---------------------

Calling-Station-Identifier = ---------------------

Client-Friendly-Name = ---------------------

Client-IP-Address = ---------------------

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 1

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = Wireless Policy

Authentication-Type = EAP

EAP-Type = Smart Card or other certificate

Reason-Code = 262

Reason = The supplied message is incomplete. The signature was not verified.User Y was denied access.
Fully-Qualified-User-Name = xx.domain.com/Users_T/user

NAS-IP-Address = X.X>X.X
NAS-Identifier = Cisco_
Called-Station-Identifier = ---------------------
Calling-Station-Identifier = ---------------------
Client-Friendly-Name = ---------------------
Client-IP-Address = ---------------------
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.

Can anyone help why i cannot log the users via 802.1x ?

Scott Fella · ‎03-06-2012

Is the certificate on the cleint machine still valid and also on the radius server. I would also try to restart the IAS service or reboot the box just to make sure its not hung.

-Scott
*** Please rate helpful posts ***

Calin Cristea · ‎03-06-2012

Hi Scott,

The certificate is still valid on the pc, i even renew it. On the server aswell.

I have restarted the IAS Service, The IAS Server, the controller, access point...

Scott Fella · ‎03-06-2012

Okay that is good..... this is what I would do next. I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic. Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP. Can you also post a screen shot of your polices (connection and network) so we can review it.

-Scott
*** Please rate helpful posts ***