
802.1x Broken after upgrade to 7.6.100.0

matthew gosling
Level 1

Hi,

We are using an OEAP600 AP and recently moved to version 7.6.100.0 (5508 WLC) to support split tunnel printing. 802.1x is being performed on an NPS server for wireless policy.
Everything appears to be OK on the WLC configuration side. When debugging aaa, all I see is the following.

*aaaQueueReader: Mar 12 17:38:54.814: a4:67:06:93:f6:cd Sending the packet to v4 host X.X.X.X:1645
*aaaQueueReader: Mar 12 17:38:54.814: a4:67:06:93:f6:cd Successful transmission of Authentication Packet (id 135) to X.X.X.X:1645, proxy state a4:67:06:93:f6:cd-00:01
*aaaQueueReader: Mar 12 17:38:54.814: 00000000: 01 87 00 f4 be 99 b9 3a  e4 31 d3 d4 0a bf e2 cb  .......:.1......
*aaaQueueReader: Mar 12 17:38:54.814: 00000010: 5b d9 f9 04 01 14 6d 79  69 6e 74 72 61 6e 65 74  [.....domain
*aaaQueueReader: Mar 12 17:38:54.814: 00000020: 5c 63 72 6f 6e 69 6e 70  59 03 00 83 06 00 00 00  \usernameY.......
*aaaQueueReader: Mar 12 17:38:54.814: 00000030: 01 1f 13 61 34 2d 36 37  2d 30 36 2d 39 33 2d 66  ...a4-67-06-93-f
*aaaQueueReader: Mar 12 17:38:54.814: 00000040: 36 2d 63 64 1e 0d 31 30  2e 33 2e 32 34 30 2e 31  6-cd..WLCIPADDRESS
*aaaQueueReader: Mar 12 17:38:54.814: 00000050: 30 05 06 00 00 00 0d 1a  31 00 00 00 09 01 2b 61  .......1.....+a
*aaaQueueReader: Mar 12 17:38:54.814: 00000060: 75 64 69 74 2d 73 65 73  73 69 6f 6e 2d 69 64 3d  udit-session-id=
*aaaQueueReader: Mar 12 17:38:54.814: 00000070: 30 61 30 33 66 30 30 61  30 30 30 30 31 33 62 32  0a03f00a000013b2
*aaaQueueReader: Mar 12 17:38:54.814: 00000080: 35 33 32 30 30 30 66 65  04 06 0a 03 f0 0a 20 0c  532000fe........
*aaaQueueReader: Mar 12 17:38:54.814: 00000090: 41 55 47 44 53 57 43 45  30 31 1a 0c 00 00 37 63  WLCHOSTNAME....7c
*aaaQueueReader: Mar 12 17:38:54.814: 000000a0: 01 06 00 00 00 03 06 06  00 00 00 02 0c 06 00 00  ................
*aaaQueueReader: Mar 12 17:38:54.815: 000000b0: 05 14 3d 06 00 00 00 13  40 06 00 00 00 0d 41 06  ..=.....@.....A.
*aaaQueueReader: Mar 12 17:38:54.815: 000000c0: 00 00 00 06 51 05 32 30  39 4f 19 02 01 00 17 01  ....Q.209O......
*aaaQueueReader: Mar 12 17:38:54.815: 000000d0: 6d 79 69 6e 74 72 61 6e  65 74 5c 63 72 6f 6e 69  domain\username
*aaaQueueReader: Mar 12 17:38:54.815: 000000e0: 6e 70 50 12 c0 fa 26 2e  de f9 81 2b 16 a6 bb 9b  P...&....+....
*aaaQueueReader: Mar 12 17:38:54.815: 000000f0: fd 3b 9b 6f                                       .;.o
*radiusTransportThread: Mar 12 17:38:54.816: 00000000: 03 87 00 2c 44 91 99 63  c9 29 8c 10 c4 88 0a b1  ...,D..c.)......
*radiusTransportThread: Mar 12 17:38:54.816: 00000010: 32 3a 13 4a 4f 06 04 01  00 04 50 12 f5 bb a5 67  2:.JO.....P....g
*radiusTransportThread: Mar 12 17:38:54.816: 00000020: 38 93 f0 0e ad db b9 a5  26 d4 79 26              8.......&.y&
*radiusTransportThread: Mar 12 17:38:54.816: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Mar 12 17:38:54.816: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Mar 12 17:38:54.816: a4:67:06:93:f6:cd Access-Reject received from RADIUS server X.X.X.X for mobile a4:67:06:93:f6:cd receiveId = 2
*radiusTransportThread: Mar 12 17:38:54.816: a4:67:06:93:f6:cd [Error] Client requested no retries for mobile A4:67:06:93:F6:CD 
*radiusTransportThread: Mar 12 17:38:54.817: a4:67:06:93:f6:cd Returning AAA Error 'Authentication Failed' (-4) for mobile a4:67:06:93:f6:cd
*radiusTransportThread: Mar 12 17:38:54.817: AuthorizationResponse: 0x4259b944

 

On the NPS server we are seeing the username being sent, but it does not appear to be getting the FQDN, i.e. domain\username, even when "domain\username" is used by the user. We are also seeing that the calling ID is the IP address of the management interface of the WLC (acct and auth calling ID are set to IP address on the WLC for RADIUS). Normally we would see the client MAC address followed by the WLAN, i.e. ab:cc:aa:11:23:12:WLAN

Has anyone had a similar problem or seen something like this before?
Any assistance or recommendations will be much appreciated.

 

Thank you in advance.

3 Replies

Hi mjgosling1

Did you ever solve your problem? I think we are hitting the same problem with a FreeRadius server; we have a lot of RADIUS requests with ID 135 hitting the RADIUS server, which says "duplicate request".

We are running 7.6.120.0.

Thanks in advance and best regards

Dominic

Hi mjgosling1

Just for information, we were hitting this bug here: https://tools.cisco.com/bugsearch/bug/CSCuo96366

See discussion here: https://supportforums.cisco.com/discussion/12378951/wlc-761200-radius-problems-freeradius-server

Best regards

Dominic
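
An added example, not part of the thread and not Cisco or NPS code: a small Python decoder for a RADIUS packet that lists the identifier, User-Name, Calling-Station-Id and Called-Station-Id, so what the WLC actually sends can be compared with what the RADIUS server logs. The sample packet, `EXAMPLE\alice`, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import ipaddress
import re
import struct

# Attribute numbers from RFC 2865; only the ones this thread talks about.
TEXT_ATTRS = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              32: "NAS-Identifier"}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
MAC_RE = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}(:.+)?$", re.I)

def station_id_kind(value: str) -> str:
    """Classify a station-id as 'mac' (optionally MAC:SSID), 'ip' or 'other'."""
    if MAC_RE.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "other"

def parse_radius(packet: bytes) -> dict:
    """Decode the header and attribute TLVs of one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        raw = packet[pos + 2:pos + alen]
        if atype in TEXT_ATTRS:
            attrs.append((TEXT_ATTRS[atype], raw.decode("utf-8", "replace")))
        elif atype == 4 and len(raw) == 4:
            attrs.append(("NAS-IP-Address", str(ipaddress.ip_address(raw))))
        else:
            attrs.append((f"attr-{atype}", raw.hex()))
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def build_sample() -> bytes:
    """Constructed Access-Request (not the packet from the post)."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (tlv(1, b"EXAMPLE\\alice") + tlv(31, b"02-00-00-00-00-01")
            + tlv(30, b"192.0.2.10") + tlv(4, bytes([192, 0, 2, 10])))
    return struct.pack("!BBH", 1, 135, 20 + len(body)) + bytes(16) + body
```

Feeding it the bytes of a captured request (for example from a packet capture on the RADIUS server) shows whether the station-id attributes carry a MAC address or an IP address before the server's policy conditions are evaluated.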
