
WLC "radius server overwrite interface" setting

andrewswanson
Level 7

Hello


I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.

When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't respond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.

Interestingly, the packet capture shows the correct NAS IP address (the WLAN interface IP Address) but always shows the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).

I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?

Thanks
Andy

16 Replies

Scott Fella
Hall of Fame

When you enable this, this requires you to add that IP address for that interface as a AAA client in radius. This is because the source is now that interface IP address and not the WLC management. So now instead of one entry for the WLC as a AAA device, you have two.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks for the reply. AAA client is already in place but still see nothing in logs. It's almost as if ACS isn't receiving the packet - I'll do some more packet captures to confirm ACS is receiving ok.

Thanks

Andy

So you have a AAA client with the IP address of the dynamic interface? Did you reboot the WLC?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yes, ACS has AAA client with the address of the dynamic interface. When I do a packet capture of traffic from WLC I can see Access-Request packets with NAS-IP correctly set to the address of the dynamic interface. On ACS I see nothing in the logs (pass or fail). I tried deleting the AAA client to see if that gave a fail in the logs but again I see nothing. WLC has been rebooted a number of times.

Thanks

Andy

I will have to test that again... I'm running v7.6 though. I typically haven't used that in a long time since I usually use regex in my policies.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Just tested it out and I did enable Radius Server Overwrite interface and used the interface on the AP Group and it sourced from the dynamic interface.  I do see failed logs on my ISE.

[Screenshot attached: 1-22-2014 8-54-24 AM.jpg]

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Try removing the radius server on the WLC and adding it back on.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I removed the radius servers from WLC and re-added them. No change though - with "radius server overwrite interface" enabled the Radius server doesn't respond and nothing appears in the logs. As soon as I disable "radius server overwrite interface", WLAN authentication works ok.

WLC is sending the Radius packets ok with "radius server overwrite interface" enabled but ACS seems to 'ignore' them. I'm currently using the production ACS servers for this - I'll install an eval so I can have a better look at what ACS is doing when "radius server overwrite interface" is enabled.

Thanks

andy

Hi Andy,

When you add WLC onto ACS, did you use WLC management interface IP ? If so radius request may drop since it is sourcing from different IP address to what it configured for.

Either you have to give IP range (where dynamic interface belongs to) or configure Default Network Device where ACS accepts request from any device (does not matter what IP it sources from).

Try that & see

HTH

Rasika

**** Pls rate all useful responses ****

Scott Fella
Hall of Fame

Well let me ask... When I upgraded my ACS to v5.5, I don't see any logs anymore, even TACACS. Authentication still works of radius and tacacs but no logs.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I installed an eval version of ACS 5.5.0.46 and added a simple config:

  • added Test WLC as AAA devices with management IP and WLAN interface IP
  • created local user on ACS
  • created service policy to match on the Test WLC IP addresses and permit access for successful authentications

I added the eval ACS to my test WLC and tested authentication successfully from a WLAN without "radius server overwrite interface" enabled. This authentication was logged ok in ACS.

I enabled "radius server overwrite interface" on the WLAN and tried to authenticate again and saw the same problem as previously. Client sees authentication fail, WLC reports that Radius didn't respond and nothing appears in ACS Radius authentication logs.

I enabled ACS runtime debug on the eval and tried the authentication again (with "radius server overwrite interface" still enabled). The ACS runtime logs show ACS receiving the request but it doesn't seem to process it, with no error given. I've attached the ACS runtime logs for when it receives an authentication request from the WLC with "radius server overwrite interface" enabled.

I'll trash the 5.5 eval and try an earlier version of ACS.

Cheers

Andy

Andy,

That's weird. Like I mentioned, I do see logs on ISE, but I don't see any radius or tacacs logs on v5.5 ever since I upgraded. So basically, I have no insight to why a user or device failed authentication. Maybe I will revert back to v5.4.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott

I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to requests from WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.

I had a look at the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.

My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.

Thanks for your help with this.

Cheers

Andy
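The post above raises the RFC 2869 "silent discard" case: a RADIUS server that cannot validate the Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with the attribute's value zeroed) drops the request without replying and often without logging, which is exactly the symptom being chased. The following is an added diagnostic example, not code from this thread or from Cisco; it builds a constructed Access-Request carrying a NAS-IP-Address and NAS-Identifier like the ones seen in the capture, then checks it the way a server would. The shared secret, addresses and hostname are made-up placeholders. Running the verifier against a captured packet with the secret configured for the *source* IP's AAA-client entry is a quick way to tell a secret mismatch apart from an unknown-client drop.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 / RFC 2869 constants
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Request Authenticator(16)
MSG_AUTH_ATTR_LEN = 18   # Type(1) Length(1) HMAC-MD5 digest(16)


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attrs, authenticator=None):
    """Build an Access-Request with a Message-Authenticator per RFC 2869 section 5.14:
    HMAC-MD5(secret, whole packet with the Message-Authenticator value set to zeros)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random for Access-Request
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Return [(type, value), ...] in wire order, rejecting truncated or overlapping attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet, secret):
    """True only if a Message-Authenticator is present and matches `secret`.
    A server following RFC 2869 silently discards the packet on False: no reply, no log."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = HEADER_LEN
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != MSG_AUTH_ATTR_LEN:
                return False
            received = packet[pos + 2:pos + attr_len]
            # Recompute over the same bytes with the digest field zeroed
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + attr_len:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False


def describe_source(packet):
    """Extract the NAS-IP-Address and NAS-Identifier a server matches its AAA-client table on."""
    info = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            info["nas_ip"] = socket.inet_ntoa(value)
        elif attr_type == ATTR_NAS_IDENTIFIER:
            info["nas_id"] = value.decode("utf-8", "replace")
    return info


# Constructed sample: a WLC sourcing from its dynamic interface. Secret, IP and
# hostname are placeholders, not values from the thread.
SHARED_SECRET = b"wlc-dyn-int-secret"
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"andy"),
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("192.0.2.50")),
    (ATTR_NAS_IDENTIFIER, b"WLC-HOSTNAME"),
]
# Fixed Request Authenticator so the sample is reproducible
SAMPLE_REQUEST = build_access_request(SHARED_SECRET, 7, SAMPLE_ATTRS, authenticator=bytes(range(16)))

if __name__ == "__main__":
    print(describe_source(SAMPLE_REQUEST))
    print("secret for this NAS-IP:", verify_message_authenticator(SAMPLE_REQUEST, SHARED_SECRET))
    print("secret for another AAA client:", verify_message_authenticator(SAMPLE_REQUEST, b"other-secret"))
```

When the overwrite-interface feature is on, the server looks up the AAA-client entry by the packet's source address, so the secret it uses for this HMAC is the one tied to the dynamic-interface entry, not the management-interface one; a mismatch between those two entries produces the "wrong secret" result above, and a missing entry produces no lookup at all. Both look the same from the WLC side (no response), which is why checking the Message-Authenticator offline against each configured secret narrows the cause.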

I upgraded from 5.4 to 5.5 and also didn't lose historical data... Just new data. Let me know what TAC comes up with.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***