Users of Particular SSID not able to get authenticated in WLC

May 28th, 2008

Hi ALL,


We are suddenly experiencing an issue with authentication for users on a particular SSID. These users are set up to use the Local LEAP database in the WLC to get authenticated. The recent trap shows the below message for the users:


"AAA Authentication Failure for UserName:test User Type: WLAN USER"


In the message log, we see the below message:


May 28 19:28:33.552 dtl_arp.c:504 DTL-3-INVALID_ARP_TIMEOUT_ADDR: MAC entry (MAC address) received for timeout is INVALID. Dropping it.


We are not sure about the above message and couldn't find an explanation in the WLC message guide. If you have any idea, kindly let us know.


Thanks


Regards

Anantha Subramanian Natarajan

Scott Fella Wed, 05/28/2008 - 17:02

Did you happen to add a Radius server to the wlc?

anasubra_2 Thu, 05/29/2008 - 02:27

Hi Fella5,


Yes, a couple of days back, and it was associated with a different SSID.


Do you think there are some issues with the same?


Thanks for the reply.


Regards

Anantha Subramanian Natarajan

jeromehenry_2 Thu, 05/29/2008 - 02:36

Yes, Fella is probably right here (5 for you Fella5!). Local EAP is designed as a backup authentication system. If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients with the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured...

So if you have a radius that works, local EAP won't work and authentication will fail...

hth

jerome
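
Added example (not part of the thread and not Cisco code): a simplified Python model of the RADIUS-first order described in the reply above, showing why a reachable RADIUS server that lacks the LEAP user produces a failure even though the local EAP database holds that user. The class and function names, the server name `radius-1` and the credentials are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"

@dataclass
class RadiusServer:
    name: str
    users: dict              # username -> password known to this server
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            return Reply.TIMEOUT          # no answer at all
        ok = user in self.users and self.users[user] == password
        return Reply.ACCEPT if ok else Reply.REJECT

@dataclass
class Controller:
    local_eap_users: dict
    radius_servers: list = field(default_factory=list)

    def authenticate(self, user, password):
        """Return (reply, source) following the RADIUS-first order."""
        for server in self.radius_servers:
            reply = server.authenticate(user, password)
            if reply is not Reply.TIMEOUT:
                # A reachable server's answer is final, even a reject.
                return reply, server.name
        # Reached only when no server is configured or every one timed out.
        users = self.local_eap_users
        ok = user in users and users[user] == password
        return (Reply.ACCEPT if ok else Reply.REJECT), "local-eap"

def scenarios():
    local = {"test": "constructed-secret"}     # constructed local EAP entry
    up = RadiusServer("radius-1", users={})    # reachable, has no LEAP user
    down = RadiusServer("radius-1", users={}, reachable=False)
    creds = ("test", "constructed-secret")
    return {
        "no_radius": Controller(local).authenticate(*creds),
        "radius_up": Controller(local, [up]).authenticate(*creds),
        "radius_down": Controller(local, [down]).authenticate(*creds),
    }

if __name__ == "__main__":
    for case, (reply, source) in scenarios().items():
        print(f"{case}: {reply.value} (decided by {source})")
```

Only the `radius_up` case fails, and the reject comes from the RADIUS server, which is where the failed attempts would be logged.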

Scott Fella Thu, 05/29/2008 - 03:27

I didn't want to jump the gun and that is why I asked. You should have seen some failed attempts on the radius server. Now what you have to do, if you have an ACS server, is to configure LEAP authentication on that. If you have IAS or another type of radius server, you might not have the ability to support LEAP.

anasubra_2 Thu, 05/29/2008 - 04:46

Thank you very much fella5


Regards

Anantha Subramanian Natarajan

anasubra_2 Thu, 05/29/2008 - 04:45

Hi Jeromehenry,


Thank you very much. Is there a way to configure the primary option as Local LEAP and then the backup option as radius for a particular SSID?


Thank You


Regards

Anantha Subramanian Natarajan

Correct Answer
jeromehenry_2 Thu, 05/29/2008 - 09:51

Hi Anasubra,

Unfortunately, for now the controller is a backup solution. So it can't be configured as a primary. It will only be used if you have no AAA configured or if the configured AAA doesn't reply...

Jerome

anasubra_2 Thu, 05/29/2008 - 12:25

Hi Jerome,


Thank you very much for the answer.


Regards

Anantha Subramanian Natarajan

Rob Huffman Thu, 05/29/2008 - 04:24

Hey guys,


Scott and Jerome, that is some pretty slick troubleshooting and also something I have never heard of. +5 points to both of you for your continued great work here!


Thanks again,

Rob
