WLC 5508 & RSA SecurID Integration

Mar 8th, 2010

Hi,



I'm trying to integrate a new 5508 with an RSA SecurID appliance. We have done this before for 4400 controllers without any problem, but we can't get it to work on the 5500.


Note we are using the RSA Authentication Manager RADIUS Server & not ACS.


I have been following this doc http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml#rsamanager


There is communication between the RSA server & WLC; however, the RSA server doesn't seem to be happy with the RADIUS type it's receiving from the WLC?



Has anyone integrated a SecurID appliance with a 5508?


Also, when I run a show radius authentication statistics I see some Bad Authenticator messages?



(Cisco Controller) >show radius auth statistics
Authentication Servers:

Server Index..................................... 1
Server Address................................... 161.69.236.160
Msg Round Trip Time.............................. 4060 (msec)
First Requests................................... 2697
Retry Requests................................... 26629
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 13
Pending Requests................................. 0
Timeout Requests................................. 31974
Unknowntype Msgs................................. 0
Other Drops...................................... 0


Server Index..................................... 2
Server Address................................... 161.69.216.160
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 2685

--More-- or (q)uit
Retry Requests................................... 26653
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 13
Timeout Requests................................. 31977
Unknowntype Msgs................................. 0
Other Drops...................................... 0


Server Index..................................... 3
Server Address................................... 161.69.206.160
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 2616
Retry Requests................................... 26487
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 4

--More-- or (q)uit
Timeout Requests................................. 31763
Unknowntype Msgs................................. 0
Other Drops...................................... 0


Thanks,

Eoin.
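
For reference on the "Bad Authenticator Msgs" counter in the output above: RFC 2865 has the client verify each reply's Response Authenticator, an MD5 over the reply header, the Request Authenticator it sent, the reply attributes and the shared secret. The sketch below is an added example, not code from any poster, Cisco or RSA; the function names, secrets and sample packet are constructed, and it shows the check failing when the two sides hold different secrets or the reply is checked against a different request.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: build a reply and compute its Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def check_response(packet, request_auth, secret):
    """Client (NAS) side: classify a reply before trusting its contents."""
    if len(packet) < 20:
        return "malformed"
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "malformed"
    packet = packet[:length]  # bytes past Length are padding and are ignored
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret
    ).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad_authenticator"
    return "ok"

def demo():
    """Run constructed sample packets through the client-side check."""
    req_auth = os.urandom(16)           # Request Authenticator sent by the NAS
    attrs = bytes([18, 4]) + b"ok"      # Reply-Message attribute (constructed)
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, attrs, b"server-secret")
    return {
        "matching_secret": check_response(reply, req_auth, b"server-secret"),
        "mismatched_secret": check_response(reply, req_auth, b"client-typo"),
        "other_request": check_response(reply, os.urandom(16), b"server-secret"),
        "truncated": check_response(reply[:10], req_auth, b"server-secret"),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```
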
eoinwhite Mon, 03/08/2010 - 10:41

Some more info on this ....



On the RSA side I have selected standard RADIUS as the make/model of the Agent host (i.e. the WLC). Now this works fine for the older 4400 controllers, but I wonder should I be using Airespace WLAN Switch instead?


Although this wouldn't make sense as the older 4400s work fine with the "standard" setting.


The only thing that's changed here is the 5500 controller.




sahil-dmello Thu, 08/25/2011 - 05:19

Hi Eoin,


Did you get this to work? I have a similar problem and have hit a wall.


Any help is appreciated.


Thanks,


sahil

eoinwhite Thu, 08/25/2011 - 05:45

Hi Sahil,


I never got this fixed. The customer updated their corporate standards and moved to PEAP MS-CHAPv2. I had a TAC case open for weeks on it ... they went through everything on the WLC side (and even took a quick look at the RSA side); we never got a resolution even though the 4400 worked perfectly.


Regards,

Eoin.

sahil-dmello Thu, 08/25/2011 - 05:52

Hi Eoin,


Thanks for responding so quickly.

My customer is also running RSA Authentication Manager (version 7.0 though).

Are you saying you got PEAP MS-CHAPv2 to work with the 5508 and the RSA RADIUS server?


I would like to achieve that if possible.


Any help is appreciated.


cheers,


sahil

eoinwhite Thu, 08/25/2011 - 05:54

Hey Sahil,


No, what I meant is that they moved away from RSA tokens to authenticating against AD using PEAP MS-CHAPv2.


What was really weird was that their 4400s would work but the 5500s would not.


Regards,

Eoin.

a-shimazaki Wed, 12/05/2012 - 22:11

Hi Eoin,


Did you get this fixed already? I'm now facing the same issue...
