01-22-2014 02:14 AM - edited 07-05-2021 12:01 AM
Hello
I'm looking at using "radius server overwrite interface" on a WLAN as a replacement for Called-Station-ID for Radius to match on SSID.
When I enable "radius server overwrite interface" on a WLAN and join a client to the SSID I can see (via packet capture) that the WLC is correctly sourcing the Radius packets with the WLAN's "dynamic" interface IP Address. The problem is that the Radius server doesn't respond to these requests. Radius is configured with rules to match the new IP address but I see nothing (pass or fail) in the logs.
Interestingly, the packet captures show the correct NAS IP address (the WLAN interface IP Address) but always show the WLC hostname as NAS-ID (regardless of NAS-ID settings on the WLAN or WLAN interface).
I've tried WLC software 7.4.110.0, 7.4.121.0 and 7.6.100.0 with the same results but Radius never responds. Radius is Cisco ACS 5.5.0.46. Any ideas as to why this is happening?
Thanks
Andy
01-22-2014 04:37 AM
When you enable this, it requires you to add that IP address for that interface as an AAA client in radius. This is because the source is now that interface IP address and not the WLC management. So now instead of one entry for the WLC as an AAA device, you have two.
Sent from Cisco Technical Support iPhone App
01-22-2014 11:57 AM
Hi Andy,
When you add the WLC onto ACS, did you use the WLC management interface IP? If so the radius request may be dropped since it is sourced from a different IP address to what it is configured for.
Either you have to give an IP range (where the dynamic interface belongs) or configure a Default Network Device where ACS accepts requests from any device (it does not matter what IP it sources from).
Try that & see
HTH
Rasika
**** Pls rate all useful responses ****
01-22-2014 06:28 AM
Thanks for the reply. AAA client is already in place but I still see nothing in the logs. It's almost as if ACS isn't receiving the packet - I'll do some more packet captures to confirm ACS is receiving ok.
Thanks
Andy
01-22-2014 06:29 AM
So you have an AAA client with the IP address of the dynamic interface? Did you reboot the WLC?
Sent from Cisco Technical Support iPhone App
01-22-2014 06:39 AM
Yes, ACS has AAA client with the address of the dynamic interface. When I do a packet capture of traffic from WLC I can see Access-Request packets with NAS-IP correctly set to the address of the dynamic interface. On ACS I see nothing in the logs (pass or fail). I tried deleting the AAA client to see if that gave a fail in the logs but again I see nothing. WLC has been rebooted a number of times.
Thanks
Andy
01-22-2014 06:50 AM
I will have to test that again... I'm running v7.6 though. I typically haven't used that in a long time since I usually use regex in my policies.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-22-2014 06:55 AM
Just tested it out and I did enable Radius Server Overwrite interface and used the interface on the AP Group and it sourced from the dynamic interface. I do see failed logs on my ISE.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-22-2014 06:55 AM
Try removing the radius server on the WLC and adding it back on.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-22-2014 07:43 AM
I removed the radius servers from the WLC and re-added them. No change though - with "radius server overwrite interface" enabled the Radius server doesn't respond and there is nothing in the logs. As soon as I disable "radius server overwrite interface", WLAN authentication works ok.
WLC is sending the Radius packets ok with "radius server overwrite interface" enabled but ACS seems to 'ignore' them. I'm currently using the production ACS servers for this - I'll install an eval so I can have a better look at what ACS is doing when "radius server overwrite interface" is enabled.
Thanks
andy
01-22-2014 04:15 PM
Well let me ask... When I upgraded my ACS to v5.5, I don't see any logs anymore, even TACACS. Authentication still works for radius and tacacs but no logs.
Sent from Cisco Technical Support iPhone App
01-23-2014 02:44 AM
I installed an eval version of ACS 5.5.0.46 and added a simple config:
I added the eval ACS to my test WLC and tested authentication successfully from a WLAN without "radius server overwrite interface" enabled. This authentication was logged ok in ACS.
I enabled "radius server overwrite interface" on the WLAN and tried to authenticate again and saw the same problem as previously. The client sees authentication fail, the WLC reports that Radius didn't respond and nothing appears in the ACS Radius authentication logs.
I enabled ACS runtime debug on the eval and tried the authentication again (with "radius server overwrite interface" still enabled). The ACS runtime logs show ACS receiving the request but it doesn't seem to process it, with no error given. I've attached the ACS runtime logs for when it receives an authentication request from the WLC with "radius server overwrite interface" enabled.
I'll trash the 5.5 eval and try an earlier version of ACS.
Cheers
Andy
01-23-2014 02:51 AM
Andy,
That's weird. Like I mentioned, I do see logs on ISE, but I don't see any radius or tacacs logs on v5.5 ever since I upgraded. So basically, I have no insight into why a user or device failed authentication. Maybe I will revert back to v5.4.
Sent from Cisco Technical Support iPhone App
01-23-2014 05:34 AM
Hi Scott
I installed ACS 5.4 0.46.6 and I still have the same problem - ACS doesn't respond to the request from the WLC when "radius server overwrite interface" is enabled on the WLAN and nothing appears in the logs. With "radius server overwrite interface" disabled on the WLAN, authentication is a success and I can see this in the logs.
I had a look at the packet captures I took earlier and the attributes in the Access-Request look ok - the only attribute I wasn't sure about was Message-Authenticator. Found this IETF document http://www.ietf.org/rfc/rfc2869.txt which mentions "silent discards" of Radius packets with non-existent or incorrect Message-Authenticator attributes. I'm not sure if this is what I'm seeing on ACS when it receives the "radius server overwrite interface" Access-Request packets. ACS is under contract so I will contact TAC about this.
My production ACS cluster was upgraded from the latest version of 5.3 to 5.5 with no loss of historic logs (logging after the upgrade worked fine also). The upgrade did take a while with the log-collector. When it had completed I checked the Data Upgrade Status under Monitoring configuration and it showed that the upgrade was successful.
Thanks for your help with this.
Cheers
Andy
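As an added illustration of the RFC 2869 "silent discard" Andy refers to (example code, not from the thread or from Cisco): Message-Authenticator is an HMAC-MD5 keyed with the shared secret over the whole Access-Request, computed with the attribute's own value zeroed, and a server that cannot verify it drops the packet without sending any reply, which the NAS then reports as "server did not respond". The shared secret, NAS IP and user name below are constructed values.

```python
import hmac
import hashlib
import struct
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (TLV)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, ident, request_authenticator, attrs):
    """Build an Access-Request carrying Message-Authenticator (RFC 2869 s5.14):
    HMAC-MD5 keyed with the shared secret over the entire packet, computed
    with the attribute's 16-byte value set to zero."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zeroed placeholder is the final 16 bytes


def message_authenticator_ok(secret, packet):
    """Server-side check: True only if Message-Authenticator verifies under
    `secret`. A server that fails this check discards the request silently
    (no Access-Reject, no log entry), which the NAS sees as a timeout."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute: discard
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += length
    return False  # attribute absent: treated as a failure here


def demo():
    """Constructed example: the right secret verifies, a different one does not."""
    secret = b"constructed-shared-secret"      # assumption: the AAA client's secret
    request_authenticator = bytes(range(16))   # fixed here; a real NAS sends 16 random bytes
    attrs = [attr(ATTR_USER_NAME, b"andy"),
             attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))]  # constructed dynamic-interface IP
    packet = build_access_request(secret, 7, request_authenticator, attrs)
    return (message_authenticator_ok(secret, packet),
            message_authenticator_ok(b"other-secret", packet))
```

Running `message_authenticator_ok` over a captured Access-Request with the secret configured for the AAA client entry that matches the new source IP tells you whether the request should have passed this check, or whether a secret mismatch on that second entry would explain a discard.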
01-23-2014 05:37 AM
I upgraded from 5.4 to 5.5 and also didn't lose historical data... Just new data. Let me know what TAC comes up with.
Sent from Cisco Technical Support iPhone App