AAA, WLC, and AP Groups, Anchor Controller, Problem

Jul 7th, 2010

All,


First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up.  Here are the details and the problem(s):


Have Cisco ACS using backend AD for user authentication

MSCHAP, 802.1x


Three wireless controllers running ver 7.0.98.0; one controller is 4404 the other two are on WiSM blade in 6509.


Many AP Groups and a few mobility anchor setups.


Wifi clients used to test are Intel and have the proper drivers 12.4.4.5 and 13.1.1.1


First authentication problem is via SSIDs associated with anchor controllers.  Whenever the SSID is set to use 802.1x, the anchor controller sends a message to ACS (RADIUS), but ACS never sees the communication.


Second authentication problem is related to AP Groups.  Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the controller talks to the ACS, but the ACS never sees the communication.


Note that all the above works fine as long as I am not using 802.1x.  If I am using PSK, it all works flawlessly.


One other thing to note is that, in the case of the AP Group problem, if within the AP group I associate the SSID with the management interface, the 802.1x works perfectly.  The problem with that is that the client gets assigned an IP address from the management VLAN... not what I want; instead, I want the client to get its IP address from the interface associated with the AP Group.


It is not a routing problem....


I have gone through two TAC engineers and the problem is still not resolved.  So close, but not successful.


Any interoperability/Security experts out there that can help nail this thing?


Thanks

Jeffrey Keown Thu, 07/08/2010 - 13:25
Cisco Employee

Hi,


As a sanity check, have you tried sniffing the controller's switch port (or the wism's channel) and then the ACS server's to try and confirm where things are breaking down?

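The sanity check above boils down to capturing on both ends of the RADIUS path and comparing what the controller sent with what actually reached the ACS. The script below is an added example, not code from this thread or from Cisco. It assumes each capture has already been reduced to (source IP, destination IP, UDP payload) tuples, for instance with tshark or scapy, and it embeds a few constructed RADIUS packets (hypothetical addresses 10.0.1.5 for the NAS and 10.0.2.10 for the ACS, and a made-up shared secret) so it runs offline. It reports three things a practitioner would want from the two traces: requests that never show up on the server side, EAP Access-Requests whose Message-Authenticator does not verify against the shared secret (RFC 3579 says a server silently discards those, which looks exactly like "the ACS never sees it"), and requests that arrived but got no reply. Replies are also checked against the RFC 2865 Response Authenticator.

```python
"""Correlate RADIUS traffic seen at the WLC with traffic seen at the ACS.

Added example, not from the original thread. Captures are lists of
(src_ip, dst_ip, udp_payload); the sample packets below are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

SECRET = b"example-shared-secret"            # constructed, not a real secret
NAS, ACS = "10.0.1.5", "10.0.2.10"            # constructed addresses


@dataclass
class Radius:
    code: int
    identifier: int
    authenticator: bytes
    attrs: list                               # [(type, value)] in wire order

    def first(self, attr_type):
        return next((v for t, v in self.attrs if t == attr_type), None)


def encode(code, identifier, authenticator, attrs):
    """RFC 2865 header (code, id, length, 16-byte authenticator) + TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def decode(data):
    """Parse a packet, rejecting truncated or inconsistent length fields."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length field")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or data[off + 1] < 2 or off + data[off + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return Radius(code, identifier, data[4:20], attrs)


def message_authenticator_ok(data, secret):
    """RFC 3579 s3.2: HMAC-MD5(secret) over the packet with the attribute zeroed."""
    wire = data[:decode(data) and struct.unpack("!H", data[2:4])[0]]
    off = 20
    while off + 2 <= len(wire):
        t, l = wire[off], wire[off + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = wire[:off + 2] + b"\0" * 16 + wire[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(wire[off + 2:off + 18], expected)
        off += l
    return False  # absent on an EAP request: server discards it silently


def response_authenticator_ok(resp, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)


def correlate(controller_capture, acs_capture, secret):
    """Match requests and replies by (NAS address, Identifier) across both captures."""
    def requests(cap):
        return {(s, decode(p).identifier): p for s, d, p in cap if decode(p).code == ACCESS_REQUEST}
    sent, arrived = requests(controller_capture), requests(acs_capture)
    replies = {(d, decode(p).identifier): p for s, d, p in acs_capture if decode(p).code != ACCESS_REQUEST}
    report = {"missing_at_server": [], "bad_message_authenticator": [],
              "unanswered": [], "bad_response_authenticator": []}
    for key, req in sent.items():
        if key not in arrived:
            report["missing_at_server"].append(key)      # path/VLAN/routing problem
            continue
        if decode(req).first(EAP_MESSAGE) is not None and not message_authenticator_ok(req, secret):
            report["bad_message_authenticator"].append(key)  # shared-secret mismatch
        resp = replies.get(key)
        if resp is None:
            report["unanswered"].append(key)              # server saw it, said nothing
        elif not response_authenticator_ok(resp, decode(req).authenticator, secret):
            report["bad_response_authenticator"].append(key)
    return report


def make_request(identifier, user, secret=SECRET):
    """Constructed EAP-Response/Identity Access-Request with a valid Message-Authenticator."""
    request_auth = hashlib.md5(bytes([identifier]) * 16).digest()  # stand-in for random
    eap = b"\x02\x01" + struct.pack("!H", 5 + len(user)) + b"\x01" + user
    attrs = [(USER_NAME, user), (NAS_IP_ADDRESS, bytes([10, 0, 1, 5])),
             (EAP_MESSAGE, eap), (MESSAGE_AUTHENTICATOR, b"\0" * 16)]
    mac = hmac.new(secret, encode(ACCESS_REQUEST, identifier, request_auth, attrs), hashlib.md5).digest()
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    return encode(ACCESS_REQUEST, identifier, request_auth, attrs)


def make_response(code, request, secret=SECRET, attrs=()):
    req = decode(request)
    body = encode(code, req.identifier, b"\0" * 16, list(attrs))
    auth = hashlib.md5(body[:4] + req.authenticator + body[20:] + secret).digest()
    return encode(code, req.identifier, auth, list(attrs))


def demo():
    """Constructed traces: id 2 never reaches the ACS, id 3 was signed with the wrong secret."""
    req1, req2, req3 = make_request(1, b"alice"), make_request(2, b"bob"), make_request(3, b"carol", b"wrong")
    controller_side = [(NAS, ACS, req1), (NAS, ACS, req2), (NAS, ACS, req3)]
    acs_side = [(NAS, ACS, req1), (NAS, ACS, req3), (ACS, NAS, make_response(ACCESS_CHALLENGE, req1))]
    return correlate(controller_side, acs_side, SECRET)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

When feeding real captures, export only UDP payloads to port 1812 (or whatever the WLC's RADIUS authentication port is) from each side; if a request appears under missing_at_server the problem is on the path between the controller's dynamic interface and the ACS, whereas a request that arrives but is unanswered or fails the Message-Authenticator check points at the server or its client configuration.
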
p-blalock Thu, 07/15/2010 - 22:34

Jeff,


Sorry for the late reply.... of course your suggestion was right-on the mark and a wireshark trace uncovered the problem.  I had already re-engaged Cisco TAC and between the wireless engineer and one of their security engineers, they were able to point out that the Cisco ACS 5.0 has a bug specific to this particular problem.  They told me to apply patch, apply OS upgrade, then apply ACS 5.1 upgrade to the ACS.  I was able to apply the patch, but never could get the OS upgrade to take.  For the heck of it, I re-checked the problem after applying the patch and YooHoo!  Works as advertised!


Thanks for showing the interest, it was definitely a pain-point for my customer.
