AAA Servers toggles per WLAN

Unanswered Question
Dec 9th, 2008
Dear Team, I have a controller-based installation with 802.1X auth via ACSSE and AD. The controllers are running 4.2.173.0. Two ACSSE are configured. For a few days we have seen problems with client authentication. The WLC log shows that the WLAN toggles between the two RADIUS servers:


84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'

Does anyone know under which conditions (timeout etc.) the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael


paul.pink@viacom.com Tue, 12/30/2008 - 20:54
I get the messages "radius server x.x.x (port x) is deactivated (xyz times)". I have yet to find a solution. I heard that this could be a cosmetic message. If anyone knows the true answer, please share, as I am trying to proactively monitor the wireless environment.
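For the monitoring question raised here and in Michael's original post, the following is an added example (not code from the thread or from Cisco) that parses WLC message-log entries in the exact format Michael posted and flags any WLAN whose RADIUS server assignment is re-activated repeatedly within a short window, which is the "toggling" symptom. The sample log lines, the 192.0.2.x addresses, the WLAN numbers and the client MAC are all constructed for the example.

```python
"""Detect RADIUS server flapping per WLAN from WLC message-log lines.

Added example, not part of the original thread. The log format is taken from
the entries posted in the thread; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# The leading integer is the WLC's own log sequence number, as in the posted output.
_PREFIX = r"^\s*\d+\s+(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
STATE_RE = re.compile(
    _PREFIX
    + r"RADIUS server (?P<server>[\d.]+):(?P<port>\d+) "
    + r"(?P<action>activated|deactivated) on WLAN (?P<wlan>\d+)"
)
TIMEOUT_RE = re.compile(
    _PREFIX
    + r"RADIUS server (?P<server>[\d.]+):(?P<port>\d+) "
    + r"failed to respond to request \(ID (?P<id>\d+)\)"
)

# Constructed sample in the posted format: two servers swapping on WLAN 2 three
# times in six minutes, plus an unrelated single activation on WLAN 5.
SAMPLE_LOG = """\
84 Tue Dec 9 09:29:19 2008 RADIUS server 192.0.2.1:1812 activated on WLAN 2
85 Tue Dec 9 09:29:19 2008 RADIUS server 192.0.2.2:1812 deactivated on WLAN 2
86 Tue Dec 9 09:29:19 2008 RADIUS server 192.0.2.2:1812 failed to respond to request (ID 148) for client 00:11:22:33:44:55 / user 'unknown'
87 Tue Dec 9 09:31:02 2008 RADIUS server 192.0.2.2:1812 activated on WLAN 2
88 Tue Dec 9 09:31:02 2008 RADIUS server 192.0.2.1:1812 deactivated on WLAN 2
89 Tue Dec 9 09:31:02 2008 RADIUS server 192.0.2.1:1812 failed to respond to request (ID 152) for client 00:11:22:33:44:66 / user 'unknown'
90 Tue Dec 9 09:34:40 2008 RADIUS server 192.0.2.1:1812 activated on WLAN 2
91 Tue Dec 9 09:34:40 2008 RADIUS server 192.0.2.2:1812 deactivated on WLAN 2
92 Tue Dec 9 09:40:00 2008 RADIUS server 192.0.2.1:1812 activated on WLAN 5
""".splitlines()


def parse_timestamp(ts):
    # strptime treats a single space in the format as "one or more whitespace",
    # so both "Dec 9" and "Dec  9" parse.
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


def parse_wlc_radius_events(lines):
    """Return a list of event dicts for the RADIUS-related entries; other lines are ignored."""
    events = []
    for line in lines:
        m = STATE_RE.match(line)
        if m:
            events.append({"time": parse_timestamp(m["ts"]),
                           "server": f"{m['server']}:{m['port']}",
                           "wlan": int(m["wlan"]), "kind": m["action"]})
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            events.append({"time": parse_timestamp(m["ts"]),
                           "server": f"{m['server']}:{m['port']}",
                           "wlan": None, "kind": "timeout",
                           "request_id": int(m["id"])})
    return events


def find_flapping_wlans(events, window_seconds=600, max_activations=2):
    """Return {wlan: count} for WLANs with more than max_activations
    'activated' events inside any window_seconds-long sliding window."""
    by_wlan = defaultdict(list)
    for e in events:
        if e["kind"] == "activated":
            by_wlan[e["wlan"]].append(e["time"])
    flapping = {}
    for wlan, times in by_wlan.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_activations:
            flapping[wlan] = worst
    return flapping


def timeouts_per_server(events):
    """Count 'failed to respond' entries per server, to see which side is dropping requests."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "timeout":
            counts[e["server"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_wlc_radius_events(SAMPLE_LOG)
    print("flapping WLANs:", find_flapping_wlans(evs))
    print("timeouts per server:", timeouts_per_server(evs))
```

Feed it the controller's message log (or the same lines forwarded to a syslog collector) and alert when `find_flapping_wlans` returns anything; the per-server timeout counts tell you whether one server or both are the ones not answering, which is what Scott's point about differing server configurations turns on.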

Scott Fella Wed, 12/31/2008 - 07:46
When you have multiple radius servers configured, the wlc will use the first radius server it communicates with. When that radius server fails or for some reason the wlc can't communicate with that radius server, the wlc will use the second radius server configured. The wlc will not try to authenticate to the first radius server until the second and all other radius servers fail. So if you notice authentication failures and also notice errors not on the first or primary radius server, you might not have the same configuration on the radius servers.

Scott Fella Wed, 12/31/2008 - 08:12
Forgot to mention, if you want the wlc to use the original radius server, you will need to fail over the other radius servers.

dave.brown@cone... Wed, 02/01/2012 - 12:36
After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:


config radius aggressive-failover disable


As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :


If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.


In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
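To make the two behaviours described in this thread concrete, here is an added toy model (not Cisco's code and not from the thread) of one WLAN's RADIUS server selection: it stays on the active server until that server is marked unresponsive, moves to the next configured one, and only comes back to the first after every other server has also failed (Scott's point), and it marks a server after one unanswered client with aggressive failover enabled or after three consecutive unanswered clients with it disabled (the quoted Cisco text). The server names, the two-server list and the "one client whose certificate makes both servers silently discard its request" scenario are constructed assumptions for the example.

```python
"""Toy model of per-WLAN RADIUS failover on a WLC, as described in the thread.

Added example; an assumption for illustration, not Cisco's implementation.
"""


class WlanRadiusFailover:
    """Tracks which configured RADIUS server a WLAN currently uses.

    Servers are tried in configured order; after the last one the model wraps
    back to the first, which matches the thread's statement that the original
    server is only used again once all the others have failed.
    """

    def __init__(self, servers, aggressive=True):
        self.servers = list(servers)
        self.active_index = 0
        self.aggressive = aggressive
        self.consecutive_failures = 0
        self.transitions = []  # list of (old_server, new_server) failovers

    @property
    def active_server(self):
        return self.servers[self.active_index]

    def client_auth(self, server_answers):
        """Process one client's authentication attempt.

        server_answers(server) -> bool says whether that server replied to this
        client's request. Returns the server that handled the client, or None
        if the active server did not answer (the client's attempt fails).
        """
        server = self.active_server
        if server_answers(server):
            # A reply from any client resets the count: only *consecutive*
            # unanswered clients move the WLC off the server.
            self.consecutive_failures = 0
            return server
        self.consecutive_failures += 1
        # Thresholds as stated in the quoted Cisco text: 1 (aggressive) vs 3.
        threshold = 1 if self.aggressive else 3
        if self.consecutive_failures >= threshold:
            self._failover()
        return None

    def _failover(self):
        old = self.active_server
        self.active_index = (self.active_index + 1) % len(self.servers)
        self.consecutive_failures = 0
        self.transitions.append((old, self.active_server))


def run_scenario(aggressive, clients, unanswered):
    """Run a sequence of client attempts through a two-server WLAN model.

    unanswered(server, client) -> True if that server would not reply to that
    client. Returns (list of handling server per client, failover transitions).
    """
    model = WlanRadiusFailover(["acs-1", "acs-2"], aggressive=aggressive)
    handled = []
    for client in clients:
        handled.append(model.client_auth(lambda s: not unanswered(s, client)))
    return handled, model.transitions


# Constructed scenario 1: both servers silently discard one client's request
# (e.g. an invalid certificate) but answer every other client.
def bad_cert_client(server, client):
    return client == "client-bad-cert"


# Constructed scenario 2: the first server is genuinely down for everyone.
def acs1_down(server, client):
    return server == "acs-1"


if __name__ == "__main__":
    mixed = ["c1", "client-bad-cert", "c2", "client-bad-cert", "c3"]
    print("aggressive, one bad client:", run_scenario(True, mixed, bad_cert_client))
    print("non-aggressive, one bad client:", run_scenario(False, mixed, bad_cert_client))
    print("non-aggressive, acs-1 down:", run_scenario(False, ["c1", "c2", "c3", "c4"], acs1_down))
```

In the first scenario the aggressive model toggles the WLAN back and forth between the two servers every time the one bad client tries, which is the activated/deactivated pattern Michael's log shows, while the non-aggressive model never fails over because good clients keep resetting the count. In the second scenario the non-aggressive model still fails over, just after three unanswered clients rather than one, so disabling aggressive failover does not leave a real outage unhandled.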
