Mobility groups, ACS 5.x and 802.1x-authentication

Answered Question
Mar 23rd, 2012

At a customer site I've a large Wireless LAN deployment, using 2 WLC 5508. To provide optimal roaming, I configured mobility groups.

802.1x authentication is provided via ACS 5.3.

When shutting down the primary WLC, the clients are moved perfectly to the 2nd 5508 and back, when the 1st controller comes back.

When losing connection to the primary ACS 5.3, the clients immediately start to authenticate against the 2nd ACS, but when the 1st ACS comes back, the clients are not "switched back" to this device for further authentication. Also WLAN clients newly joining the WLAN will still use the 2nd ACS for authentication, even though the 1st is fully up and operational.

When bringing down the 2nd ACS, the clients are not authenticating anymore, due to the fact that they tried to use this device as authenticator regardless of whether the 1st ACS is up.

Testing 802.1x with wired clients, everything works fine - as soon as the 1st ACS server comes back, the clients are authenticating against this one, so I assume it has to do something with the configuration on the WLCs, but I did not find anything wrong.


Did anyone face the same situation or can somebody give me a hint where to look?


Any tip is very much appreciated

Scott Fella Fri, 03/23/2012 - 05:29

With the newer wlc code, you can set the timers to check the status of the primary. I don't remember if it started in the 6.x or 7.x. But with older code, you did have to shut or take down the secondary in order for the primary radius to take over. I never ran into any issue with the wlc not going back to the primary as long as I fail the secondary.


Thanks,


Scott Fella


Sent from my iPhone

rhub Sun, 03/25/2012 - 11:24

Hi Scott,

many thanks for your reply to my post. I'm currently running at the latest code level and I played around with the timers but none of them seemed to work.


Regards


Roman

Correct Answer
Justin Kurynny Fri, 03/23/2012 - 10:05

rhub,


On your WLC CLI, try:


config radius fallback-test mode active

config radius aggressive-failover disable



Justin


... typd on tny kybrd.
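To show why the two commands above matter, here is an added illustration (not Cisco code and not from this thread): a small Python model of how a controller picks a RADIUS server. It reproduces the symptom from the question (once the primary has been marked dead, new clients keep using the backup) and shows how an active fallback test brings the primary back, plus how aggressive failover changes the number of client timeouts needed before the controller gives up on a server. The server names, timer values and the "3 timeouts when aggressive failover is off" rule are constructed or simplified for the example and are not a behavioural specification of WLC software.

```python
"""Toy model of RADIUS server fallback on a WLAN controller (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class FallbackMode(Enum):
    OFF = "off"          # stay on the backup until it fails too
    PASSIVE = "passive"  # ignore a dead server for a while, then retry it with real client traffic
    ACTIVE = "active"    # probe a dead server with a test authentication, revive it on a reply


@dataclass
class RadiusServer:
    name: str
    priority: int                        # lower = preferred (server index order)
    reachable: bool = True               # constructed: would the server answer right now?
    marked_dead_at: Optional[int] = None


@dataclass
class ControllerRadius:
    servers: List[RadiusServer]
    mode: FallbackMode = FallbackMode.OFF
    aggressive_failover: bool = True
    probe_interval: int = 300            # seconds between active probes (constructed value)
    inactive_time: int = 180             # passive: seconds a dead server is ignored (constructed)
    clock: int = 0
    current: Optional[RadiusServer] = None
    timeouts: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.servers.sort(key=lambda s: s.priority)
        self._select()

    def _select(self) -> None:
        """Use the highest-priority server that is not marked dead."""
        self.current = next((s for s in self.servers if s.marked_dead_at is None), None)

    def _mark_dead(self, s: RadiusServer) -> None:
        s.marked_dead_at = self.clock
        self.timeouts.pop(s.name, None)
        self._select()
        if self.current is None:         # every server is dead: start over from the top
            for srv in self.servers:
                srv.marked_dead_at = None
            self._select()

    def _revive_if(self, condition) -> None:
        for s in self.servers:
            if s.marked_dead_at is not None and condition(s):
                s.marked_dead_at = None
        self._select()

    def tick(self, seconds: int) -> None:
        """Advance the clock; in active mode, probe dead servers every probe_interval."""
        for _ in range(seconds):
            self.clock += 1
            if self.mode is FallbackMode.ACTIVE and self.clock % self.probe_interval == 0:
                self._revive_if(lambda s: s.reachable)   # the test authentication was answered

    def authenticate(self) -> Optional[str]:
        """One client 802.1X request. Returns the server that answered, or None on timeout."""
        if self.mode is FallbackMode.PASSIVE:
            self._revive_if(lambda s: self.clock - s.marked_dead_at >= self.inactive_time)
        needed = 1 if self.aggressive_failover else 3   # simplified failover threshold
        for _ in range(len(self.servers)):
            s = self.current
            if s.reachable:
                self.timeouts.pop(s.name, None)
                return s.name
            self.timeouts[s.name] = self.timeouts.get(s.name, 0) + 1
            if self.timeouts[s.name] < needed:
                return None              # this client fails; server not yet declared dead
            self._mark_dead(s)
        return None


def run_scenario(mode: FallbackMode) -> List[Optional[str]]:
    """Primary fails, comes back, then the backup fails. Which server answers each client?"""
    acs1, acs2 = RadiusServer("acs1", 1), RadiusServer("acs2", 2)   # constructed servers
    wlc = ControllerRadius([acs1, acs2], mode=mode)
    answered = [wlc.authenticate()]      # both up: the primary answers
    acs1.reachable = False
    answered.append(wlc.authenticate())  # primary times out: failover to the backup
    acs1.reachable = True
    wlc.tick(600)                        # primary has been back for ten quiet minutes
    answered.append(wlc.authenticate())  # does a new client go back to acs1?
    acs2.reachable = False
    answered.append(wlc.authenticate())  # now the backup dies
    return answered


def clients_lost_before_failover(aggressive: bool) -> int:
    """How many client requests time out before the controller moves to the backup."""
    acs1, acs2 = RadiusServer("acs1", 1), RadiusServer("acs2", 2)
    wlc = ControllerRadius([acs1, acs2], mode=FallbackMode.ACTIVE, aggressive_failover=aggressive)
    acs1.reachable = False
    lost = 0
    while wlc.authenticate() != "acs2":
        lost += 1
    return lost


if __name__ == "__main__":
    for mode in FallbackMode:
        print(f"{mode.value:8} {run_scenario(mode)}")
    print("lost with aggressive failover on :", clients_lost_before_failover(True))
    print("lost with aggressive failover off:", clients_lost_before_failover(False))
```

With fallback off, the model stays on acs2 after acs1 recovers and only returns to the primary once the backup fails too, which is the behaviour described in the question and in Scott's comment; with active or passive fallback, new clients go back to acs1. The difference between the two fallback modes is who pays for the retry: passive mode retests a dead server with a real client's request, while active mode uses a separate test authentication, so the client never sees the probe.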

George Stefanick Sat, 03/24/2012 - 10:55

Radius fallback is a godsend when you have a large network. We have 8 radius servers and you can never really know which one is actually working unless you dig into it.


Also here is a little hint: if you don't config any radius servers under the WLAN security, it falls back to the radius servers you have configured under SECURITY. So you could have up to 17 radius servers in rotation.

rhub Sun, 03/25/2012 - 11:28

Hi George,

I'm running 2 RADIUS servers and both of 'em are configured under WLAN security and also security. But nevertheless I will check it out when I'm @ customer site again.


Regards


Roman

rhub Sun, 03/25/2012 - 11:25

Hi Justin,


many thanks for the tip, which I will try when I'm @ customer site next week. I'll let you know afterwards.


Regards


Roman

rhub Tue, 04/03/2012 - 01:21

Hi Justin,


Today I entered the commands as you suggested and it works just great.


Thank you very much for the perfect hint and have a nice day


Regards


Roman

Justin Kurynny Tue, 04/03/2012 - 08:17

Roman,


That's great news. Thanks for letting us know and thanks for marking the answer.



Justin


... typd on tny kybrd.
