ACS 4.2-Radius

Mar 31st, 2014

Hi,

I am running ACS 4.2 in my environment and have configured TACACS for Cisco IOS devices. Now we have built a Cisco wireless controller which we need to authenticate with RADIUS. I have configured RADIUS on the controller and on ACS too, but I am unable to log in on the WLC.

Could you help me out in troubleshooting this issue, or tell me what I am doing wrong?

Any help is really appreciated.

Jatin Katyal (Cisco Employee) Mon, 03/31/2014 - 19:53

Hi Anukalp,

In order to configure admin access to the WLC via ACS 4.2 with the RADIUS protocol, please follow the link below:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-securit...

In case it doesn't work, please run the debugs on the WLC and paste them here.

(Cisco Controller) >debug aaa events enable


Regards,

Jatin Katyal

*Do rate helpful posts*

Anukalp S Tue, 04/01/2014 - 11:59

Hi Jatin,

Thanks for your help. I had already gone through the shared link, but it didn't work. Please see the logs below.

 ====================================================================

(Cisco Controller) >debug aaa events enable

(Cisco Controller) >*aaaQueueReader: Apr 02 00:22:51.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:53.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:55.207: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:57.212: 93:00:00:00:00:00 Max retransmission of Access-Request (id 125) to 10..110.130.183 reached for mobile 93:00:00:00:00:00
*radiusTransportThread: Apr 02 00:22:57.212: 93:00:00:00:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 93:00:00:00:00:00
*emWeb: Apr 02 00:22:57.212: Authentication failed for test
*radiusTransportThread: Apr 02 00:23:11.271: ****Enter processIncomingMessages: response code=2

*radiusTransportThread: Apr 02 00:23:11.271: ****Enter processRadiusResponse: response code=2


===========================================================================

Anukalp S Tue, 04/01/2014 - 13:26

Pasting more logs, please help.

---------------------------------------------------------------------------------------------

*radiusTransportThread: Apr 02 01:51:01.626: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:01.626: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 155) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*radiusTransportThread: Apr 02 01:51:03.630: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:05.634: a1:00:00:00:00:00 Max retransmission of Access-Request (id 156) to 10.110.130.183 reached for mobile a1:00:00:00:00:00
*radiusTransportThread: Apr 02 01:51:05.634: a1:00:00:00:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile a1:00:00:00:00:00
*emWeb: Apr 02 01:51:05.634: Authentication failed for test
*radiusTransportThread: Apr 02 01:51:09.840: ****Enter processIncomingMessages: response code=2

*radiusTransportThread: Apr 02 01:51:09.840: ****Enter processRadiusResponse: response code=2

*radiusTransportThread: Apr 02 01:51:09.840: Unable to match RADIUS response wit
*apfMsConnTask_4: Apr 02 01:51:19.205: apfVapRadiusClientInfoGet: Client F0:4F:7                                                                                        , dpPort:0, srcPort:0
*aaaQueueReader: Apr 02 01:51:19.205: f0:4f:7c:71:82:23 Successful transmission                                                                                         -00:40
*radiusTransportThread: Apr 02 01:51:21.917: ****Enter processIncomingMessages:

*radiusTransportThread: Apr 02 01:51:21.917: ****Enter processRadiusResponse: re

*radiusTransportThread: Apr 02 01:51:21.917: Unable to match RADIUS response wit
*apfMsConnTask_4: Apr 02 01:51:26.688: f0:4f:7c:71:82:23 Filtering RADIUS Access
*apfReceiveTask: Apr 02 01:51:36.813: f0:4f:7c:71:82:23 Sending Accounting reque
*radiusTransportThread: Apr 02 01:51:39.203: ****Enter processIncomingMessages:

*radiusTransportThread: Apr 02 01:51:39.203: ****Enter processRadiusResponse: re

*radiusTransportThread: Apr 02 01:51:39.203: f0:4f:7c:71:82:23 Access-Reject rec
*radiusTransportThread: Apr 02 01:51:39.203: f0:4f:7c:71:82:23 Returning AAA Err
*apfMsConnTask_4: Apr 02 01:51:51.171: apfVapRadiusClientInfoGet: Client F0:4F:7                                                                                        , dpPort:0, srcPort:0
*aaaQueueReader: Apr 02 01:51:51.171: f0:4f:7c:71:82:23 Successful transmission                                                                                         -00:40
*apfMsConnTask_4: Apr 02 01:51:58.741: f0:4f:7c:71:82:23 Filtering RADIUS Access
*apfMsConnTask_4: Apr 02 01:52:06.218: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 2)
*radiusTransportThread: Apr 02 01:52:11.177: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 158) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:52:11.265: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:52:11.265: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 SGT received is '' with length 0 for station f0:4f:7c:71:82:23
*apfMsConnTask_4: Apr 02 01:52:13.777: apfVapRadiusClientInfoGet: Client F0:4F:7C:71:82:23  dynamic int attributes srcAddr: 0.0.0.0 , gw: 0.0.0.0 mask: 0.0.0.0 , vlan:0, dpPort:0, srcPort:0

(Cisco Controller) >*aaaQueueReader: Apr 02 01:52:13.777: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 159) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*apfMsConnTask_4: Apr 02 01:52:21.490: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 4)
*apfMsConnTask_4: Apr 02 01:52:29.079: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 5)
*radiusTransportThread: Apr 02 01:52:33.781: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 159) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:52:33.790: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:52:33.790: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 SGT received is '' with length 0 for station f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:43.773: f0:4f:7c:71:82:23 Sending Accounting request (2) for station f0:4f:7c:71:82:23

-------------------------------------------------------------------------------------------------------------------------------

Jatin Katyal (Cisco Employee) Tue, 04/01/2014 - 16:39

I see RADIUS is sending an Access-Reject:

radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0

You need to check ACS 4.2 > Reports and Activity > Failed Attempts for the corresponding hit. That way we can determine where the issue is.


Regards,

Jatin Katyal

*Do rate helpful posts*
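The two `debug aaa events` captures above mix two different failure signatures: "Max retransmission of Access-Request ... reached" (the WLC never got an answer) and "Access-Reject received" (the server answered and said no), plus "Unable to match RADIUS response" (an answer arrived after the WLC had already given up). The following script is an added example, not part of the original thread or of any Cisco tool: it parses WLC debug lines of the shapes quoted in the thread, groups them into RADIUS transactions keyed by the mobile identifier and request id, and reports which of the three cases each one fell into. The sample log is constructed from lines in the thread (the wording of the last, truncated line is an assumption), and the regular expressions assume the line formats shown in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of "debug aaa events enable" output, modelled on the lines quoted in
# this thread (server address and MACs copied from it; the final line's wording is assumed).
SAMPLE_LOG = """
(Cisco Controller) >*aaaQueueReader: Apr 02 01:51:01.626: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:01.626: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 155) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:51:03.630: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:05.634: a1:00:00:00:00:00 Max retransmission of Access-Request (id 156) to 10.110.130.183 reached for mobile a1:00:00:00:00:00
*emWeb: Apr 02 01:51:05.634: Authentication failed for test
*radiusTransportThread: Apr 02 01:51:09.840: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Apr 02 01:51:09.840: Unable to match RADIUS response with an outstanding request
"""

# Line shapes assumed from the thread's debug output.
TS = r"[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
PREFIX = rf"^\*\w+: (?P<ts>{TS}): "
PROMPT = re.compile(r"^\(Cisco Controller\) >")
SENT = re.compile(PREFIX + rf"(?P<mobile>{MAC}) Successful transmission of Authentication Packet "
                  r"\(id (?P<id>\d+)\) to (?P<server>[\d.]+):(?P<port>\d+)")
TIMEOUT = re.compile(PREFIX + rf"(?P<mobile>{MAC}) Max retransmission of Access-Request "
                     r"\(id (?P<id>\d+)\) to (?P<server>[\d.]+) reached")
REJECT = re.compile(PREFIX + rf"(?P<mobile>{MAC}) Access-Reject received from RADIUS server (?P<server>[\d.]+)")
RESPONSE = re.compile(r"\*{4}Enter processIncomingMessages: response code=(?P<code>\d+)")
LATE = re.compile(r"Unable to match RADIUS response")


@dataclass
class Transaction:
    mobile: str
    req_id: int
    server: str
    attempts: int = 0
    outcome: str = "pending"   # pending | timeout | reject


def analyse(log_text):
    """Group debug lines into (mobile, id) transactions and record how each ended."""
    txns = {}            # (mobile, id) -> Transaction, in first-seen order
    open_by_mobile = {}  # latest outstanding request per mobile; Access-Reject lines carry no id
    responses = Counter()  # RADIUS response codes seen (2 = Access-Accept, 3 = Access-Reject)
    late = 0
    for raw in log_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if (m := SENT.match(line)):
            key = (m["mobile"], int(m["id"]))
            t = txns.setdefault(key, Transaction(m["mobile"], int(m["id"]), m["server"]))
            t.attempts += 1
            open_by_mobile[m["mobile"]] = t
        elif (m := TIMEOUT.match(line)):
            t = txns.get((m["mobile"], int(m["id"])))
            if t:
                t.outcome = "timeout"
        elif (m := REJECT.match(line)):
            t = open_by_mobile.get(m["mobile"])
            if t:
                t.outcome = "reject"
        elif (m := RESPONSE.search(line)):
            responses[int(m["code"])] += 1
        elif LATE.search(line):
            late += 1
    return list(txns.values()), responses, late


def summarise(log_text):
    txns, responses, late = analyse(log_text)
    out = {"timeout": [], "reject": [], "pending": []}
    for t in txns:
        out[t.outcome].append((t.mobile, t.req_id, t.attempts))
    out["responses"] = dict(responses)
    out["late_responses"] = late
    return out


def advise(summary):
    """Turn the summary into the checks a defender would run next."""
    notes = []
    for mobile, req_id, attempts in summary["timeout"]:
        notes.append(f"{mobile} id {req_id}: no reply after {attempts} attempts. Check the UDP path to the "
                     "server on the port in use (1645 here) and that the WLC's source address is defined as "
                     "an AAA client on ACS: RFC 2865 requires a server to silently discard requests from "
                     "unknown clients, which looks identical to an unreachable server.")
    for mobile, req_id, _ in summary["reject"]:
        notes.append(f"{mobile} id {req_id}: server answered Access-Reject. Look up the matching entry in "
                     "ACS > Reports and Activity > Failed Attempts.")
    if summary["late_responses"]:
        notes.append(f"{summary['late_responses']} reply(ies) arrived after the WLC had given up: the server "
                     "answers, but more slowly than the WLC's retransmit timeout allows.")
    return notes


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(s)
    for n in advise(s):
        print("-", n)
```

Run against the sample, the timeout on id 156 and the reject on id 155 are reported separately, which is the distinction the rest of this thread turns on: a timeout is a transport or client-definition problem, while a reject is something the ACS failed-attempts report can explain.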

Anukalp S Tue, 04/01/2014 - 17:37

Hi, this is what we could find in the Failed Attempts logs.

 

| Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Authen failed | f04f7c718223 | Default Group | f0-4f-7c-71-82-23 | (Default) | External DB user invalid or bad password | | | 1 | X.X.X.X |
| Authen failed | f04f7c718223 | Default Group | f0-4f-7c-71-82-23 | (Default) | External DB user invalid or bad password | | | 1 | X.X.X.X |
| Authen failed | f04f7c718223 | Default Group | f0-4f-7c-71-82-23 | (Default) | External DB user invalid or bad password | | | 1 | X.X.X.X |
| Authen failed | f04f7c718223 | Default Group | f0-4f-7c-71-82-23 | (Default) | External DB user invalid or bad password | | | 1 | X.X.X.X |
| Authen failed | f04f7c718223 | Default Group | f0-4f-7c-71-82-23 | (Default) | External DB user invalid or bad password | | | 1 | X.X.X.X |

 

Jatin Katyal (Cisco Employee) Tue, 04/01/2014 - 19:13

Looking at the error message, it seems to be an issue with the ACS and Active Directory integration.

Can you please try to access the WLC admin portal using the ACS internal (local) user database, just to rule out AD issues?

Normally we see that error message when the post-installation tasks for ACS 4.2 haven't been followed.

Is ACS running on a domain controller or a member server? What is the OS of the server?

 

Regards,

Jatin Katyal

*Do rate helpful posts*

Anukalp S Tue, 04/01/2014 - 23:04

Hi Jatin, thanks for your help. This user "test" was already created in the ACS internal database, and I shared its logs above. Also, I think the ACS server is integrated with the AD server properly, because I have other IOS devices for which we have configured TACACS, and we log in to those IOS devices with AD credentials successfully.

Since we are in the phase of implementing a wireless environment in our network, RADIUS came into the picture. I also want to tell you that I configured TACACS on the wireless controller for testing and we successfully logged in to the controller with AD credentials; the only issue is with the RADIUS configuration.

I cannot stick with TACACS on the controller, because an SSID cannot be authenticated through TACACS (I didn't find that option in the SSID configuration), so I moved to the RADIUS configuration, but I am finding these issues.

The ACS server is separate from the AD server and has a Windows 2003 OS.

Please help.

Anukalp S Fri, 04/04/2014 - 14:25

Hi,

I have worked on this more and found that the ACS server Failed Attempts logs shared above were not relevant.

Actually, I have noticed that the wireless controller is showing the logs below:

--------------------------------------------------------------------------------------

*radiusTransportThread: Apr 05 02:43:22.358: f3:00:00:00:00:00 Successful transmission of Authentication Packet (id 95) to 10.110.130.183:1645, proxy state f3:00:00:00:00:00-02:00

*radiusTransportThread:  Max retransmission of Access-Request (id 89) to 10.110.130.183 reached for mobile ec:00:00:00:00:00
*radiusTransportThread: Apr 05 02:19:09.136: ec:00:00:00:00:00 Returning AAA Error 'Authentication Failed'

------------------------------------------------------------------------------------------------

And when I check in ACS for Failed Attempts logs I don't find any relevant logs there, but when I check the Passed Authentications logs I find the message "Authen OK". So it seems that ACS is accepting the authentication, but why am I still not able to log in on the wireless controller? It displays the login page again.

Please help me here.

Jatin Katyal (Cisco Employee) Fri, 04/04/2014 - 14:35

If authentication is passing, then two things can be checked:

1.] Make sure you are hitting the right group.

2.] Service-Type should be configured as Administrative for that group.

Looks like you're failing the authorization piece.
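The situation described here, ACS logging "Authen OK" while the WLC redisplays its login page, is what an Access-Accept without the right Service-Type attribute looks like from the controller's side: authentication succeeded, but the reply carries no management role. The script below is an added example, not code from the thread or from Cisco: it builds RADIUS replies per RFC 2865, verifies the Response Authenticator against the request's authenticator and the shared secret, and then reads the Service-Type attribute (type 6) to decide what role the reply grants. The packets, request authenticator and shared secret are constructed; the mapping of Service-Type 6 (Administrative-User) to read-write and 7 (NAS-Prompt-User) to read-only is Cisco's documented WLC behaviour, but the classification function itself is this example's, not the WLC's own code.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_SERVICE_TYPE, ATTR_REPLY_MESSAGE = 6, 18
ADMINISTRATIVE_USER, NAS_PROMPT_USER = 6, 7   # Service-Type values


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_response(code, ident, attrs, request_auth, secret):
    """Server reply signed per RFC 2865 section 3:
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_packet(data):
    """Return (code, id, length, [(type, value), ...]); rejects malformed lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, length, attrs


def response_authentic(data, length, request_auth, secret):
    """Check the reply really came from a server holding our shared secret."""
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def classify_management_response(data, request_auth, secret):
    """What a NAS should make of a reply to a management-login Access-Request."""
    code, _, length, attrs = parse_packet(data)
    if not response_authentic(data, length, request_auth, secret):
        return "discard: Response Authenticator mismatch (wrong shared secret or not from the server)"
    if code == ACCESS_REJECT:
        return "reject"
    if code != ACCESS_ACCEPT:
        return f"unexpected code {code}"
    roles = [struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_SERVICE_TYPE and len(v) == 4]
    if not roles:
        return "accept without Service-Type: authenticated but no management role"
    if roles[0] == ADMINISTRATIVE_USER:
        return "read-write"
    if roles[0] == NAS_PROMPT_USER:
        return "read-only"
    return f"accept with Service-Type {roles[0]}: not a management role"


# Constructed inputs: a real NAS uses 16 random bytes for the request authenticator.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
IDENT = 95   # request id taken from the thread's debug output
ADMIN_ROLE = [(ATTR_SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))]

ACCEPT_ADMIN = build_response(ACCESS_ACCEPT, IDENT, ADMIN_ROLE, REQUEST_AUTH, SECRET)
# Authenticated, but the group pushes no Service-Type: the case discussed in this thread.
ACCEPT_NO_ROLE = build_response(ACCESS_ACCEPT, IDENT, [(ATTR_REPLY_MESSAGE, b"Authen OK")], REQUEST_AUTH, SECRET)
ACCEPT_WRONG_SECRET = build_response(ACCESS_ACCEPT, IDENT, ADMIN_ROLE, REQUEST_AUTH, b"other-secret")
REJECT = build_response(ACCESS_REJECT, IDENT, [], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in [("admin", ACCEPT_ADMIN), ("no role", ACCEPT_NO_ROLE),
                      ("wrong secret", ACCEPT_WRONG_SECRET), ("reject", REJECT)]:
        print(f"{name:12s} -> {classify_management_response(pkt, REQUEST_AUTH, SECRET)}")
```

The "no role" case is the one to compare with the controller symptom: the server's own report says the user passed, and the reply verifies correctly, yet the NAS has nothing to authorize. Checking the group's outbound attributes on the server (Service-Type = Administrative for read-write, or NAS-Prompt for read-only) is therefore the right next step, as the post above suggests.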

Anukalp S Fri, 04/04/2014 - 14:57

Hi,

The Service-Type is already Administrative and the group is also correct; I even checked by putting the WLC in the default group, and it didn't work.

Is there anything we are missing?

Jatin Katyal (Cisco Employee) Fri, 04/04/2014 - 15:07

So far I have not seen the attribute being pushed down to the WLC. A couple of things you can try:

1.] On ACS > Network Devices, look for the WLC RADIUS client and change "Authenticate Using" to RADIUS (IETF).

2.] On the WLC, under Priority Order > Management User, check that RADIUS has been moved up as an authentication method.

3.] On the WLC, under Security > RADIUS > Authentication, please ensure the Management option is enabled.

4.] As a last step, try deleting the WLC from ACS and ACS from the WLC, and re-adding them.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

Anukalp S Fri, 04/04/2014 - 15:36

Hi,

I tried changing "Authenticate Using" to RADIUS (IETF).

I checked the authentication method; RADIUS is at the top.

I checked that Management is enabled.

I removed the WLC from ACS and the ACS server from the WLC.

But it still didn't work.

Is it some kind of bug?

Jatin Katyal (Cisco Employee) Mon, 03/31/2014 - 20:34

Erick, my friend,

It should be role1=ALL
