WLC 4402 slow authentication

Answered Question
Dec 26th, 2007

We just upgraded to software version 4.2.61.0 and some users are experiencing very long delays during authentication. We use 802.1x with RADIUS authentication. When they log into the computer, it hangs for about 60 seconds after entering the password. After that it will hang at the "applying computer settings" screen for anywhere from 10 minutes to forever. This does not happen if the computer is plugged into the wired network. It's random. I can move the APs to the other controller and it will work for a day or two and then start acting up again. I move them back to the primary controller and it is OK for a day or two. I can't seem to figure this out, so I thought I'd get some input from you guys since you have always been a great deal of help.

Thanks

James


EDIT: After the upgrade we have been receiving TONS of MFP anomaly detections and Broadcast Deauth events... could this be related?

Scott Fella Thu, 12/27/2007 - 14:13
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Try setting the timeout to 30:

config advanced eap identity-request-timeout 30

and disable MFP.

james-mccarthy Thu, 12/27/2007 - 15:19

I'll try that right now... The problem is that it is a random occurrence. Most laptops have no problems but a few just refuse to connect. I'll let you know what I come up with.

Thanks

Scott Fella Thu, 12/27/2007 - 15:34

If a few refuse to connect, do you mean that they were never able to? Verify that you have the latest drivers on the client side and, if using some old devices, make sure you have data rates 1mb and 2.2mb set as mandatory, which is required on some of the legacy devices. This is also required on the Intel 2200 wifi cards with old drivers.

james-mccarthy Thu, 12/27/2007 - 15:40

First off, in your first post, did you want me to disable the MFP infrastructure or disable MFP Frame Validation on the AP?


And all of our laptops are identical, with the same driver for the Intel 2915ABG ProWireless. All the laptops have the same XP Pro image.

Someone had a laptop yesterday that wouldn't connect. It had the problem I stated earlier. As soon as I moved it to a different AP on a different controller, it worked. So I moved all 38 APs over to that controller and everything was fine until today. There are two other computers that can't log on. It's very random.

Thanks for all your help. I have already disabled MFP Infrastructure and set the timeout to 30. I'll post with more info....

Correct Answer
Scott Fella Thu, 12/27/2007 - 17:02

In the Security tab under Wireless Protection Policies | AP Authentication / MFP, Protection Type set to none for now. How do you have your WLC set up... primary and backup, or are the two splitting the load? What RADIUS server are you running and how many? What do you see in the logs in the RADIUS server?

james-mccarthy Thu, 12/27/2007 - 17:06

They are splitting the load, technically. If I restart either controller, all the APs default to the other one and stay there. But I've been testing the wireless after I disabled MFP and it seems to be working. I tested a laptop on 10 random APs and it worked fine.

But under the AP Authentication section, it was set to AP authentication and not MFP. I just disabled MFP per WLAN earlier.


EDIT: We have two RADIUS servers and I don't have access to the logs. The server guy went home hours ago.

Scott Fella Thu, 12/27/2007 - 19:07

The reason I asked about how many ACS is because, depending on which one the user hits, there might be an issue. How are you syncing the database between the two? I would set the RADIUS on the WLC to only one ACS and verify that ACS is fine, and then vice versa, to eliminate ACS issues. Take a look at the passed attempts and failed attempts. You might have to enable this logging if you do not see any logs.
