WiSM - Radius server Connectivity issues

Unanswered Question
Jul 7th, 2010

I have both of my radius servers setup on my controller, however my client cannot authenticate. I consistently get an IP of and an associate state. Reading through the "Understanding Debug Client on WLC's" it states that I should get an APF Process similar to this:

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated

!--- The association response was sent successfully; now APF keeps the
!--- client in associated state and sets the association timestamp on this point.

I get this...but then I don't go to the next phase, which should be...

Dot1x Process

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:69 (RSN 0)

!--- APF calls Dot1x to allocate a new PMK cached entry for the client. 
!--- RSN is disabled (zero value).

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Initiating WPA PSK to mobile

!--- Dot1x signals a new WPA or WPA2 PSK exchange with mobile.

On my 6509, I have the radius servers configured:

Hostname#show radius server-group all
Sever group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available
    Server(,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available

I've gone back and forth and made multiple changes... no luck. Just can't get to the Radius server. Any command I'm missing in the controller? Any ideas?

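A triage sketch for the stall described in the post above, added here as an example and not part of the original thread or of Cisco's tooling: it reads `debug client` output and reports the furthest phase each client MAC reached, using only the three message strings quoted in the post as markers. The function names, the phase labels and the second client in the sample (MAC and timestamp) are assumptions made for illustration.

```python
import re

# Phase markers: the three messages quoted in the post, in expected order.
PHASES = [
    ("associated", re.compile(r"apfProcessAssocReq")),
    ("pmk_cache", re.compile(r"Creating a new PMK Cache Entry")),
    ("key_exchange", re.compile(r"Initiating WPA PSK to mobile")),
]
# "<timestamp>: <client MAC> <message>", the line shape quoted in the post.
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)

def furthest_phase(debug_text):
    """Map each client MAC to (phase, timestamp) of the furthest phase seen."""
    records = []
    for raw in debug_text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append([m["ts"], m["mac"].lower(), m["msg"]])
        elif records and raw[:1].isspace() and raw.strip():
            records[-1][2] += " " + raw.strip()  # wrapped continuation line
    reached = {}
    for ts, mac, msg in records:
        for rank, (name, pattern) in enumerate(PHASES):
            if pattern.search(msg) and rank >= reached.get(mac, (-1,))[0]:
                reached[mac] = (rank, name, ts)
    return {mac: (name, ts) for mac, (_, name, ts) in reached.items()}

def stalled_after_association(debug_text):
    # Clients that associated but never reached the Dot1x/PMK step.
    phases = furthest_phase(debug_text)
    return sorted(mac for mac, (name, _) in phases.items() if name == "associated")

# First client: lines quoted in the post. Second client: constructed stall case.
SAMPLE = """\
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:69 (RSN 0)
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Initiating WPA PSK to mobile
Wed Oct 31 10:46:20 2007: 00:11:22:33:44:55 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:11:22:33:44:55 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated
"""

if __name__ == "__main__":
    print(furthest_phase(SAMPLE), stalled_after_association(SAMPLE))
```

A client listed by `stalled_after_association` matches the symptom in the post: association completes and no Dot1x line follows, so the next place to look is the 802.1X exchange between supplicant and controller rather than RADIUS reachability.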
John Cook Wed, 07/07/2010 - 06:55

Are you sure you have connectivity to your radius servers from the wism module? Anything in the failed attempt log on the ACS box? Also, are you positive that the radius keys match between the wism and ACS configs?

bobby.grewal Wed, 07/07/2010 - 06:59

Thanks for the quick reply. I get nothing in the ACS logs. I’m positive the radius keys match.

John Cook Wed, 07/07/2010 - 07:03

How about a ping from the console of the wism to the ACS box?  And your ACS will need to have the wism's management address configured (not the service port address).

bobby.grewal Wed, 07/07/2010 - 07:10

Yes, I'm able to ping the Radius server from both the WiSM console/WLC. I have the WiSM's management address setup in the ACS as well.

Gary Smith Wed, 07/07/2010 - 07:25

Is the time and date configured correctly on the WLC and ACS?

Gary Smith Wed, 07/07/2010 - 07:31

Your RADIUS is configured to use 1645,1646 -  This isn't being blocked anywhere?

bobby.grewal Wed, 07/07/2010 - 07:43

No, 1645 and 1646 are not being blocked. I am migrating from a WLSM to the WiSM, and the WLSM uses those ports, no problem.

John Cook Wed, 07/07/2010 - 07:32

Just to confirm, you do have your ACS configured to log failed and successful attempts right? (system config / logging / failed attempts / configure under CSV /  enable logging is checked).  Just trying to make sure that we see any potential logs that might help.


bobby.grewal Wed, 07/07/2010 - 07:34

Correct, I do have that...Seems like something simple I'm missing.

Gary Smith Wed, 07/07/2010 - 07:36

On the ssid which you are trying to authenticate through, is the DHCP scope set correctly? Is the dhcp required ticked in advanced?

Like you said, probably something simple. :-)

bobby.grewal Wed, 07/07/2010 - 07:40

On my SSID, I have the WLAN pointing to my controller interface. I do not have the DHCP required ticket checked in the advance tab. I'm doing EAP-TLS/802.1x. Just to confirm, I dropped the security back to WPA-PSK/AES and was able to obtain an IP from my DHCP scope. So my DHCP looks good.

John Cook Wed, 07/07/2010 - 07:44

Not sure what client you are using, but can you try just using leap or peap (preferably leap) rather than eap-tls to see if we can get any logs?

bobby.grewal Wed, 07/07/2010 - 07:48

FYI...I am migrating from a WLSM with EAP-TLS to the WiSM. That's why I'm puzzled as to why I can't connect. Seems like it would be an easy transition.

Gary Smith Wed, 07/07/2010 - 07:50

You should be seeing failures in the WLC logs and/or the ACS. Do you have accounting configured on the WLC?

bobby.grewal Wed, 07/07/2010 - 07:53

Yes, I have that configured. I don't see any failures in the logs, just authcheck, 802.1xREQD, then nothing.

Gary Smith Wed, 07/07/2010 - 08:25

yep - I see it now. Thanks.. Point of interest for you.. Get away from  Go to at least

Gary Smith Wed, 07/07/2010 - 08:36

Can't see anything obvious in the config. Do the WLC upgrade and let us know if it makes any difference. The version you are on has all sorts of issues. Possibly related to your problem.

bobby.grewal Thu, 07/08/2010 - 12:09

No, I upgraded to Still no authentication. No hits on the ACS even. I'm convinced that there is nothing wrong with my WiSM configuration. I guess I have to start looking at my ACS server (but how much is there really to look at???)

bobby.grewal Wed, 08/11/2010 - 10:40

Hey Gary,

I wanted to give you an update. I was able to resolve this issue a few days after we emailed. The resolution was to update the Cisco Secure Services Client configuration for my new test SSID.

Thanks again for your help,

Bobby Grewal

