WiSM - Radius server Connectivity issues

Unanswered Question
Jul 7th, 2010

I have both of my RADIUS servers set up on my controller, however my client cannot authenticate. I consistently get an IP of 0.0.0.0 and an Associated state. Reading through "Understanding Debug Client on WLCs", it states that I should get an APF process similar to this:

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated

!--- The association response was sent successfully; now APF keeps the
!--- client in associated state and sets the association timestamp on this point.

I get this...but then I don't go to the next phase, which should be...

Dot1x Process

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:69 (RSN 0)

!--- APF calls Dot1x to allocate a new PMK cached entry for the client. 
!--- RSN is disabled (zero value).

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Initiating WPA PSK to mobile
    00:1b:77:42:07:69

!--- Dot1x signals a new WPA or WPA2 PSK exchange with mobile.

On my 6509, I have the radius servers configured:

Hostname#show radius server-group all
Sever group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(172.16.7.252:1645,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available
    Server(172.16.7.251:1645,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available

I've gone back and forth and made multiple changes... no luck. I just can't get to the RADIUS server. Any command I'm missing in the controller? Any ideas?

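An added triage helper (not from the post, Cisco, or the WLC itself): it folds the multi-line WLC "debug client" records quoted above into one record per event, then reports, for one client MAC, the furthest stage of the association/Dot1x sequence seen and the stage that should have come next, which is the gap the original poster describes. The stage list and the first client's lines come from the output quoted in the post; the second MAC in the sample is constructed.

```python
import re

# Stages in the order the WLC "debug client" output quoted in the post shows them.
STAGES = [
    ("assoc_request", re.compile(r"apfProcessAssocReq")),
    ("associated",    re.compile(r"Changing state for mobile .* to Associated")),
    ("pmk_cache",     re.compile(r"Creating a new PMK Cache Entry")),
    ("wpa_psk_init",  re.compile(r"Initiating WPA PSK to mobile")),
]
# Record header: "Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}: "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)

def join_records(text):
    """(mac, message) per record; indented continuation lines fold into the record above."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!---"):
            continue  # blank line or the doc's '!---' commentary
        m = LINE_RE.match(raw)
        if m:
            records.append([m.group("mac").lower(), m.group("msg")])
        elif raw[:1].isspace() and records:
            records[-1][1] += " " + raw.strip()
    return [tuple(r) for r in records]

def diagnose(text, mac):
    """Return (last stage reached, stage expected next); None = none seen / none left."""
    best = -1
    for rec_mac, msg in join_records(text):
        if rec_mac == mac.lower():
            best = max([best] + [i for i, (_, p) in enumerate(STAGES) if p.search(msg)])
    reached = STAGES[best][0] if best >= 0 else None
    expected = STAGES[best + 1][0] if best + 1 < len(STAGES) else None
    return reached, expected

# Constructed sample: the post's APF lines for the stalled client, plus a
# made-up second MAC that continues through the Dot1x lines quoted in the post.
SAMPLE = """\
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated
!--- APF keeps the client in associated state
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:70 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:70 (RSN 0)
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:70 Initiating WPA PSK to mobile
    00:1b:77:42:07:70
"""
```

Feed it the saved output of `debug client <mac>` and the client that never reaches `pmk_cache` is the one whose EAP exchange (and therefore RADIUS request) never started on the controller.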
John Cook Wed, 07/07/2010 - 06:55

Are you sure you have connectivity to your RADIUS servers from the WiSM module? Anything in the failed attempts log on the ACS box? Also, are you positive that the RADIUS keys match between the WiSM and ACS configs?

bobby.grewal Wed, 07/07/2010 - 06:59

Thanks for the quick reply. I get nothing in the ACS logs. I'm positive the RADIUS keys match.

John Cook Wed, 07/07/2010 - 07:03

How about a ping from the console of the WiSM to the ACS box? And your ACS will need to have the WiSM's management address configured (not the service port address).

bobby.grewal Wed, 07/07/2010 - 07:10

Yes, I'm able to ping the RADIUS server from both the WiSM console and the WLC. I have the WiSM's management address set up in the ACS as well.

garrsmith Wed, 07/07/2010 - 07:25

Is the time and date configured correctly on the WLC and ACS?

garrsmith Wed, 07/07/2010 - 07:31

Your RADIUS is configured to use 1645,1646. This isn't being blocked anywhere?

bobby.grewal Wed, 07/07/2010 - 07:43

No, 1645 and 1646 are not being blocked. I am migrating from a WLSM to the WiSM, and the WLSM uses those ports, no problem.

John Cook Wed, 07/07/2010 - 07:32

Just to confirm, you do have your ACS configured to log failed and successful attempts, right? (System Configuration / Logging / Failed Attempts / configure under CSV / "Enable logging" is checked.) Just trying to make sure that we see any potential logs that might help.

-John

garrsmith Wed, 07/07/2010 - 07:36

On the SSID which you are trying to authenticate through, is the DHCP scope set correctly? Is "DHCP Required" ticked under Advanced?

Like you said, probably something simple. :-)

bobby.grewal Wed, 07/07/2010 - 07:40

On my SSID, I have the WLAN pointing to my controller interface. I do not have "DHCP Required" ticked in the Advanced tab. I'm doing EAP-TLS/802.1X. Just to confirm, I dropped the security back to WPA-PSK/AES and was able to obtain an IP from my DHCP scope. So my DHCP looks good.

John Cook Wed, 07/07/2010 - 07:44

Not sure what client you are using, but can you try just using LEAP or PEAP (preferably LEAP) rather than EAP-TLS to see if we can get any logs?

bobby.grewal Wed, 07/07/2010 - 07:48

FYI...I am migrating from a WLSM with EAP-TLS to the WiSM. That's why I'm puzzled as to why I can't connect. Seems like it would be an easy transition.

garrsmith Wed, 07/07/2010 - 07:50

You should be seeing failures in the WLC logs and/or the ACS. Do you have accounting configured on the WLC?

bobby.grewal Wed, 07/07/2010 - 07:53

Yes, I have that configured. I don't see any failures in the logs, just AUTHCHECK, 802.1X_REQD, then nothing.

garrsmith Wed, 07/07/2010 - 08:25

Yep, I see it now. Thanks. Point of interest for you: get away from 6.0.182.0. Go to at least 6.0.196.0.

garrsmith Wed, 07/07/2010 - 08:36

Can't see anything obvious in the config. Do the WLC upgrade and let us know if it makes any difference. The version you are on has all sorts of issues, possibly related to your problem.

bobby.grewal Thu, 07/08/2010 - 12:09

No, I upgraded to 7.0.98.0. Still no authentication. No hits on the ACS even. I'm convinced that there is nothing wrong with my WiSM configuration. I guess I have to start looking at my ACS server (but how much is there really to look at?).

bobby.grewal Wed, 08/11/2010 - 10:40

Hey Gary,

I wanted to give you an update. I was able to resolve this issue a few days after we emailed. The resolution was to update the Cisco Secure Services Client configuration for my new test SSID.

Thanks again for your help,

Bobby Grewal
