WLC & RADIUS Issue

Oct 19th, 2009

Hi,


I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related, in that the re-authentication time is very long. I have implemented QoS for the RADIUS traffic but they are still reporting problems.


Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.


RADIUS server 10.x.x.x:1645 deactivated in global list

RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'



What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this WLAN and ACS is unable to authenticate it, then the ACS server is "disabled" by the WLC?


Is this the case?


Thanks

Jagdeep Gambhir Tue, 10/20/2009 - 14:03

Please increase the RADIUS timeout on the WLC to something between 5 and 10 seconds. By default it is 2 seconds, which is quite low.


For unknown users RADIUS takes a little more time to search for the user; by that time the RADIUS request times out and the WLC deactivates the server, since there was no response from the RADIUS server.


Increasing the RADIUS timeout should fix it.


Regards,

~JG


Do rate helpful posts


serotonin888 Tue, 10/20/2009 - 23:59

Thanks JG,


Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?


(In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user.)


Could this almost be a denial-of-service style issue?


Thanks
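
As an added example (not part of this thread, and not Cisco tooling), the following Python script turns the symptom described above into a detection check: it parses WLC log lines of the two forms quoted in the question, flags any time window in which every configured RADIUS server was deactivated, and counts unanswered requests per client MAC and user name (the name JG recommends checking). The log excerpt, timestamps, server addresses and the second client are constructed for the example; the message formats follow the two lines quoted in the original post.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample WLC log excerpt (not from the original thread): the
# timestamps, hostname, server addresses and the 'jsmith' client are invented.
SAMPLE_LOG = """\
Oct 19 09:14:02 wlc1 RADIUS server 10.0.0.1:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
Oct 19 09:14:02 wlc1 RADIUS server 10.0.0.1:1645 deactivated in global list
Oct 19 09:14:04 wlc1 RADIUS server 10.0.0.2:1645 failed to respond to request (ID 66) for client 00:0b:6b:87:54:d2 /user 'unknown'
Oct 19 09:14:04 wlc1 RADIUS server 10.0.0.2:1645 deactivated in global list
Oct 19 09:14:06 wlc1 RADIUS server 10.0.0.3:1645 failed to respond to request (ID 67) for client 00:0b:6b:87:54:d2 /user 'unknown'
Oct 19 09:14:06 wlc1 RADIUS server 10.0.0.3:1645 deactivated in global list
Oct 19 09:14:08 wlc1 RADIUS server 10.0.0.4:1645 failed to respond to request (ID 68) for client 00:0b:6b:87:54:d2 /user 'unknown'
Oct 19 09:14:08 wlc1 RADIUS server 10.0.0.4:1645 deactivated in global list
Oct 19 09:14:10 wlc1 RADIUS server 10.0.0.5:1645 failed to respond to request (ID 69) for client 00:0b:6b:87:54:d2 /user 'unknown'
Oct 19 09:14:10 wlc1 RADIUS server 10.0.0.5:1645 deactivated in global list
Oct 19 11:30:41 wlc1 RADIUS server 10.0.0.2:1645 failed to respond to request (ID 120) for client 00:1a:2b:3c:4d:5e /user 'jsmith'
"""

# Patterns for the two message forms quoted in the question.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ RADIUS server (?P<server>[\d.]+:\d+) "
    r"failed to respond to request \(ID (?P<id>\d+)\) for client "
    r"(?P<mac>[0-9a-f:]{17}) /user '(?P<user>[^']*)'$"
)
DEACT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ RADIUS server (?P<server>[\d.]+:\d+) "
    r"deactivated in global list$"
)

def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def parse_log(text):
    """Split the log into 'failed to respond' events and 'deactivated' events."""
    failures, deactivations = [], []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append({"ts": parse_ts(m["ts"]), "server": m["server"],
                             "mac": m["mac"], "user": m["user"]})
            continue
        m = DEACT_RE.match(line)
        if m:
            deactivations.append({"ts": parse_ts(m["ts"]), "server": m["server"]})
    return failures, deactivations

def find_pool_exhaustion(deactivations, configured_servers, window=timedelta(seconds=30)):
    """Return (start, end, servers) for each window in which every configured
    server was deactivated: the whole RADIUS pool was unusable for new clients."""
    events = sorted(deactivations, key=lambda e: e["ts"])
    needed = set(configured_servers)
    hits = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        seen = set()
        j = i
        while j < len(events) and events[j]["ts"] - start <= window:
            seen.add(events[j]["server"])
            if seen >= needed:
                hits.append((start, events[j]["ts"], sorted(seen)))
                i = j  # resume after the event that completed the sweep
                break
            j += 1
        i += 1
    return hits

def unanswered_by_client(failures):
    """Count unanswered requests per (MAC, user): which client is driving the failover."""
    return Counter((f["mac"], f["user"]) for f in failures)

# Constructed list of the five ACS servers configured on the controller.
CONFIGURED = ["10.0.0.%d:1645" % i for i in range(1, 6)]

def analyse(text=SAMPLE_LOG, configured=CONFIGURED):
    failures, deactivations = parse_log(text)
    return {
        "exhaustion_windows": find_pool_exhaustion(deactivations, configured),
        "per_client": unanswered_by_client(failures),
    }

if __name__ == "__main__":
    result = analyse()
    for start, end, servers in result["exhaustion_windows"]:
        print(f"all {len(servers)} RADIUS servers deactivated between "
              f"{start:%H:%M:%S} and {end:%H:%M:%S}")
    for (mac, user), n in result["per_client"].most_common():
        print(f"{n} unanswered request(s) for client {mac}, user {user!r}")
```

On the sample above the script reports one exhaustion window of 8 seconds in which all five servers were deactivated, all driven by the single 'unknown' client, while the later 'jsmith' timeout stands alone and is not flagged. Feeding real WLC syslog output through `analyse()` gives a quick way to tell a genuine server outage (many clients, many users) from the single-client cascade described in this thread.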


Jagdeep Gambhir Wed, 10/21/2009 - 07:02

Hi,

Yes, if the first RADIUS server does not respond it will try the next RADIUS server.


For DoS you need to check the user name that is trying to connect, and check whether that is a legitimate user or not.


I feel that increasing the RADIUS timeout should stop the WLC from setting the RADIUS server as disabled.



Regards,

~JG


Do rate helpful posts

George Stefanick Wed, 10/21/2009 - 18:41

It doesn't disable the ACS permanently. It will cycle through it again should the other ACS stop...

rwegner Thu, 02/09/2012 - 14:43

Be sure to remove the aggressive RADIUS failover on your controllers using the command:

    config radius aggressive-failover disable

You may still see problems after increasing your timeout if you forget to disable the aggressive failover...
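
To show how the two settings discussed in this thread (JG's RADIUS timeout and the aggressive failover rwegner mentions) interact, here is an added Python simulation. It is my own illustration, not Cisco code and not a description of the controller's internals taken from documentation. It assumes a deliberately simplified model: a request is answered only if the server's lookup takes no longer than the controller's timeout; with aggressive failover on, a single unanswered request deactivates a server, and with it off a server is deactivated only after a threshold of consecutive unanswered clients (three here, an assumption). The server names and the 3-second unknown-user lookup delay are constructed values; the 2-second default timeout is the one named in the thread.

```python
from dataclasses import dataclass

@dataclass
class RadiusServer:
    name: str
    lookup_delay: float          # seconds the server needs to answer (constructed)
    active: bool = True
    unanswered_streak: int = 0   # consecutive clients that got no reply

@dataclass
class WlcRadiusPolicy:
    timeout: float = 2.0         # per-request timeout; 2 s is the default named in the thread
    aggressive_failover: bool = True
    failover_threshold: int = 3  # unanswered clients needed when aggressive failover is off (assumption)

def authenticate(servers, policy, log):
    """Walk the active servers in order; return the name of the one that answered, or None."""
    for s in servers:
        if not s.active:
            continue
        # Simplified model: the reply arrives in time only if the lookup is
        # no slower than the controller's timeout.
        if s.lookup_delay <= policy.timeout:
            s.unanswered_streak = 0
            return s.name
        log.append(f"RADIUS server {s.name} failed to respond to request")
        s.unanswered_streak += 1
        if policy.aggressive_failover or s.unanswered_streak >= policy.failover_threshold:
            s.active = False
            log.append(f"RADIUS server {s.name} deactivated in global list")
    return None

def simulate(timeout, aggressive, attempts=5, unknown_user_delay=3.0, n_servers=5):
    """Run a burst of authentication attempts for an unknown user whose lookup is slow.

    Returns (answered_attempts, names_of_deactivated_servers, log_lines)."""
    servers = [RadiusServer(f"acs{i}", unknown_user_delay) for i in range(1, n_servers + 1)]
    policy = WlcRadiusPolicy(timeout=timeout, aggressive_failover=aggressive)
    log = []
    answered = sum(1 for _ in range(attempts)
                   if authenticate(servers, policy, log) is not None)
    return answered, [s.name for s in servers if not s.active], log

if __name__ == "__main__":
    for timeout, aggressive in [(2.0, True), (2.0, False), (5.0, True), (5.0, False)]:
        answered, dead, _ = simulate(timeout, aggressive)
        print(f"timeout={timeout}s aggressive={aggressive}: "
              f"{answered}/5 attempts answered, deactivated={dead}")
```

With the 2-second timeout and aggressive failover on, the very first unknown-user attempt walks the list and deactivates all five servers, which is the quick-succession cycling seen in the question. Turning aggressive failover off on its own only slows the cascade (all five are still gone after three unanswered attempts), while raising the timeout above the lookup delay is what stops servers from being marked down in this model. Both changes together are the combination the thread arrives at.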
