ACS SE problem

Unanswered Question
Feb 23rd, 2007

hi

Can somebody fill me in on how to link the WLC 4402 to the Cisco ACS SE? I am trying to authenticate from the Windows AD. Having configured the Windows Remote Agent and the Windows Database, how do I make sure that the WLC can see the ACS?

If somebody has done a similar setup before, please give me detailed steps on how to go about it. I found the ACS to be very complicated.

segopala Sun, 02/25/2007 - 12:27

Hi,

Do "debug aaa all enable".

If your WLC is communicating with the ACS server, you get the logs.

Hope this helps!

Seema

akobwaycct Sun, 02/25/2007 - 23:44

This is the output that I get when I run the debug aaa all enable command from the WLC, but I can't understand the output.

(Cisco Controller) >debug aaa all enable

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >

(Cisco Controller) >Mon Feb 26 09:37:16 2007: User admin authenticated

Mon Feb 26 09:37:16 2007: Returning AAA Error 'Success' (0) for mobile 00:00:00:57:00:00

Mon Feb 26 09:37:16 2007: AuthorizationResponse: 0x35906990

Mon Feb 26 09:37:16 2007: structureSize................................70

Mon Feb 26 09:37:16 2007: resultCode...................................0

Mon Feb 26 09:37:16 2007: protocolUsed.................................0x00000008

Mon Feb 26 09:37:16 2007: proxyState...................................00:00:00:57:00:00-00:00

Mon Feb 26 09:37:16 2007: Packet contains 2 AVPs:

Mon Feb 26 09:37:16 2007: AVP[01] Service-Type.............................0x00000006 (6) (4 bytes)

Mon Feb 26 09:37:16 2007: AVP[02] Airespace / WLAN-Identifier..............0x00000000 (0) (4 bytes)

segopala Mon, 02/26/2007 - 10:00

Hi,

Looks like your WLC is not communicating with the ACS server.

Is the basic configuration to accept RADIUS requests configured on the ACS server?

Regards

Seema

akobwaycct Mon, 02/26/2007 - 21:25

That's where I am struggling. Maybe I am still trying to install certificates because I am using PEAP. Where do I get them?

akobwaycct Tue, 02/27/2007 - 00:43

This is the debug aaa all enable output that I get from my WLC 4402. Does it mean that it's now communicating with the ACS?

(Cisco Controller) >Tue Feb 27 10:38:30 2007: AccountingMessage Accounting Interim: 0x12dccbd8

Tue Feb 27 10:38:30 2007: Packet contains 16 AVPs:

Tue Feb 27 10:38:30 2007: AVP[01] User-Name................................0012f0325e83 (12 bytes)

Tue Feb 27 10:38:30 2007: AVP[02] Nas-Port.................................0x00000001 (1) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[03] Nas-Ip-Address...........................0x0a01100a (167841802) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[04] NAS-Identifier...........................Cisco_46:bf:23 (14 bytes)

Tue Feb 27 10:38:30 2007: AVP[05] Airespace / WLAN-Identifier..............0x00000001 (1) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[06] Acct-Session-Id..........................45e3f2cc/00:12:f0:32:5e:83/22 (29 bytes)

Tue Feb 27 10:38:30 2007: AVP[07] Acct-Authentic...........................0x00000003 (3) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[08] Acct-Status-Type.........................0x00000003 (3) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[09] Acct-Input-Octets........................0x001d9720 (1939232) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[10] Acct-Output-Octets.......................0x0057727e (5730942) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[11] Acct-Input-Packets.......................0x00002e64 (11876) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[12] Acct-Output-Packets......................0x000025b0 (9648) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[13] Acct-Session-Time........................0x0000175a (5978) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[14] Acct-Delay-Time..........................0x00000000 (0) (4 bytes)

Tue Feb 27 10:38:30 2007: AVP[15] Calling-Station-Id.......................10.1.16.119 (11 bytes)

Tue Feb 27 10:38:30 2007: AVP[16] Called-Station-Id........................10.1.16.10 (10 bytes)

Tue Feb 27 10:38:59 2007: AccountingMessage Accounting Interim: 0x12dd8208

Tue Feb 27 10:38:59 2007: Packet contains 16 AVPs:

Tue Feb 27 10:38:59 2007: AVP[01] User-Name................................00166f9d29bc (12 bytes)

Tue Feb 27 10:38:59 2007: AVP[02] Nas-Port.................................0x00000001 (1) (4 bytes)

Tue Feb 27 10:38:59 2007: AVP[03] Nas-Ip-Address...........................0x0a01100a (167841802) (4 bytes)

Tue Feb 27 10:38:59 2007: AVP[04] NAS-Identifier...........................Cisco_46:bf:23 (14 bytes)

Tue Feb 27 10:38:59 2007: AVP[05] Airespace / WLAN-Identifier..............0x00000001 (1) (4 bytes)

Tue Feb 27 10:38:59 2007: AVP[06] Acct-Session-Id..........................45e40174/00:16:6f:9d:29:bc/25 (29 bytes)

Tue Feb 27 10:38:59 2007: AVP[07] Acct-Authentic......................
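
Added example, not part of the thread and not Cisco tooling: a small Python parser for this kind of `debug aaa all enable` capture. It rejoins records that a narrow terminal split across two lines and decodes the AVPs, so the NAS address and the accounting record type can be read directly. The sample is an excerpt constructed from the output posted above, the function names are hypothetical, and the Acct-Status-Type names are the RFC 2866 values.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the debug output in the thread, in wrapped form.
SAMPLE = """\
(Cisco Controller) >Tue Feb 27 10:38:30 2007: AccountingMessage Accounting Inter
im: 0x12dccbd8
Tue Feb 27 10:38:30 2007: AVP[03] Nas-Ip-Address......................
.....0x0a01100a (167841802) (4 bytes)
Tue Feb 27 10:38:30 2007: AVP[04] NAS-Identifier......................
.....Cisco_46:bf:23 (14 bytes)
Tue Feb 27 10:38:30 2007: AVP[08] Acct-Status-Type....................
.....0x00000003 (3) (4 bytes)
"""

TS = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}: ")
AVP = re.compile(r"AVP\[\d+\] (.+?)\.{3,}(.*) \(\d+ bytes\)$")
NUM = re.compile(r"0x[0-9a-fA-F]+ \((\d+)\)$")
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # RFC 2866 values

def unwrap(text):
    """Rejoin wrapped records: a line with no timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.replace("(Cisco Controller) >", "").strip()
        m = TS.match(line)
        if m:
            records.append(line[m.end():])   # new record, timestamp removed
        elif records:
            records[-1] += line              # continuation of a wrapped record
    return records

def decode(text):
    """Return (non-AVP record headers, {AVP name: decoded value}) for one capture."""
    headers, avps = [], {}
    for rec in unwrap(text):
        m = AVP.match(rec)
        if not m:
            headers.append(rec.split(":")[0])
            continue
        name, raw = m.groups()
        n = NUM.match(raw)
        value = int(n.group(1)) if n else raw    # numeric AVPs carry "0xHEX (DEC)"
        if name == "Nas-Ip-Address" and n:
            value = str(ipaddress.IPv4Address(value))
        elif name == "Acct-Status-Type":
            value = ACCT_STATUS.get(value, value)
        avps[name] = value
    return headers, avps
```
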

akobwaycct Tue, 02/27/2007 - 04:36

Man, I really appreciate the help I am getting from you.

I found the document that you sent very helpful, but the example uses LEAP between the APs and the clients. In my case I chose to use PEAP because my wireless adapters only support EAP (PEAP), but of course my APs are Aironets 1242AG, so I chose RADIUS IETF instead of RADIUS Aironet. Is that right?

Please see the show radius summary output:

(Cisco Controller) >

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility................. Disabled

Credentials Caching.............................. Enabled

Call Station Id Type............................. IP Address

Administrative Authentication via RADIUS......... Enabled

Keywrap.......................................... Disabled

Authentication Servers

Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

--- ---- ---------------- ------ -------- ---- ------- ------------------------------------------------

1 NM 10.1.21.3 1812 Enabled 2 Enabled Disabled - none/unknown/group-0/0 none/none

Accounting Servers

Index Type Server Address Port State Tout RFC-3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

----- ---- ---------------- ------ -------- ---- -------- ------------------------------------------------

(Cisco Controller) >
