Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
363
Views
1
Helpful
3
Replies

1400 Bridge and ACS

siscospin
Level 1
Level 1

‎12-21-2008 08:47 PM - edited ‎07-03-2021 04:54 PM

Hi

I've configured 2 1400 bridges with the basic settings and have them working fine using EAP and the local Radius Server,...I now introduced an ACS and have the Root Bridge setup as a AAA client. the ACS is mapped to a external user database group in AD,the user is setup and communication between the root bridge, ACS, and AD is fine, but when the non-root bridge goes to acs to auth it locks up the AD account with multiple bad pswds. From the ACS yo can see the user in the failed auth with bad password ..From what I can see I'm missing something with the credentials,.the passwords are identical but I think its encrypting it when the non-root sends it to the ACS.

there is limited documentation (none) for step by step for EAP auth with a ACS radius server.

What am I missing?

thanks in advance

Labels:
0 Helpful
3 Replies 3

didyap
Level 6
Level 6

‎12-26-2008 11:40 AM

Complete these steps in order to troubleshoot your configuration.

1. In the client-side utility or software, create a new profile or connection with the same or similar parameters in order to ensure that nothing has become corrupted in the configuration of the client.

2. In order to eliminate the possibility of RF issues that prevent successful authentication, temporarily disable authentication as shown in these steps:

o From the CLI, use the commands no authentication open eap eap_methods, no authentication network-eap eap_methods and authentication open.

o From the GUI, on the SSID Manager page, un-check Network-EAP, check Open, and set the dropdown list back to No Addition.

If the client successfully associates, then RF does not contribute to the association problem.

3. Verify that shared secret passwords are synchronized between the access point and the authentication server. Otherwise, you can receive this error message:

Invalid message authenticator in EAP request

o From the CLI, check the line radius-server host x.x.x.x auth-port x acct-port x key .

o From the GUI, on the Server Manager page, re-enter the shared secret for the appropriate server in the box labelled "Shared Secret."

The shared secret entry for the access point on the RADIUS server must contain the same shared secret password as those previously mentioned.

4. Remove any user groups from the RADIUS server. Sometimes conflicts can occur between user groups defined by the RADIUS server, and user groups in the underlying domain. Check the logs of the RADIUS server for failed attempts, and the reasons those attempts failed.

siscospin
Level 1
Level 1
In response to didyap

‎12-29-2008 08:19 AM

Sorry,..maybe I wasn't clear,..troubleshooting was done it works with a local Radius but not with ACS 4.1.

This is a non-root bridge that needs to authenticate. Shared secret,..RF,..all that is fine. the problem is that the non-root bridge is sending an encrypted password but not sure where on ACS I have to put the matching settings.

0 Helpful

siscospin
Level 1
Level 1
In response to siscospin

‎01-04-2009 08:17 PM

Anyone?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card