Community Member

ACS 4.2-Radius

Hi

I am running ACS 4.2 in my environment and have configured TACACS for Cisco IOS devices. Now we have built a Cisco wireless controller which we need to get authenticated with RADIUS. I have configured RADIUS on the controller and on ACS too, but I am unable to log in on the WLC.

Could you help me out in troubleshooting the issue, or tell me what I am doing wrong?

Any help is really appreciated.

14 REPLIES
Cisco Employee

Hi Anukalp,

In order to configure admin access to the WLC via ACS 4.2 using the RADIUS protocol, please follow the link below:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989-manage-wlc-users-radius.html

In case it doesn't work, please run the debugs on WLC and paste it here.


(Cisco Controller) >debug aaa events enable

 

Regards,

Jatin Katyal

Community Member

Hi Jatin,

Thanks for your help. I had already gone through the shared link, but it didn't work. Please see the logs below.

 ====================================================================

(Cisco Controller) >debug aaa events enable

(Cisco Controller) >*aaaQueueReader: Apr 02 00:22:51.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:53.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:55.207: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10..110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:57.212: 93:00:00:00:00:00 Max retransmission of Access-Request (id 125) to 10..110.130.183 reached for mobile 93:00:00:00:00:00
*radiusTransportThread: Apr 02 00:22:57.212: 93:00:00:00:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 93:00:00:00:00:00
*emWeb: Apr 02 00:22:57.212: Authentication failed for test
*radiusTransportThread: Apr 02 00:23:11.271: ****Enter processIncomingMessages: response code=2

*radiusTransportThread: Apr 02 00:23:11.271: ****Enter processRadiusResponse: response code=2


===========================================================================

Community Member

Pasting more logs, please help.

---------------------------------------------------------------------------------------------

*radiusTransportThread: Apr 02 01:51:01.626: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:01.626: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 155) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*radiusTransportThread: Apr 02 01:51:03.630: a1:00:00:00:00:00 Successful transmission of Authentication Packet (id 156) to 10.110.130.183:1645, proxy state a1:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 01:51:05.634: a1:00:00:00:00:00 Max retransmission of Access-Request (id 156) to 10.110.130.183 reached for mobile a1:00:00:00:00:00
*radiusTransportThread: Apr 02 01:51:05.634: a1:00:00:00:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile a1:00:00:00:00:00
*emWeb: Apr 02 01:51:05.634: Authentication failed for test
*radiusTransportThread: Apr 02 01:51:09.840: ****Enter processIncomingMessages: response code=2

*radiusTransportThread: Apr 02 01:51:09.840: ****Enter processRadiusResponse: response code=2

*radiusTransportThread: Apr 02 01:51:09.840: Unable to match RADIUS response wit
*apfMsConnTask_4: Apr 02 01:51:19.205: apfVapRadiusClientInfoGet: Client F0:4F:7                                                                                        , dpPort:0, srcPort:0
*aaaQueueReader: Apr 02 01:51:19.205: f0:4f:7c:71:82:23 Successful transmission                                                                                         -00:40
*radiusTransportThread: Apr 02 01:51:21.917: ****Enter processIncomingMessages:

*radiusTransportThread: Apr 02 01:51:21.917: ****Enter processRadiusResponse: re

*radiusTransportThread: Apr 02 01:51:21.917: Unable to match RADIUS response wit
*apfMsConnTask_4: Apr 02 01:51:26.688: f0:4f:7c:71:82:23 Filtering RADIUS Access
*apfReceiveTask: Apr 02 01:51:36.813: f0:4f:7c:71:82:23 Sending Accounting reque
*radiusTransportThread: Apr 02 01:51:39.203: ****Enter processIncomingMessages:

*radiusTransportThread: Apr 02 01:51:39.203: ****Enter processRadiusResponse: re

*radiusTransportThread: Apr 02 01:51:39.203: f0:4f:7c:71:82:23 Access-Reject rec
*radiusTransportThread: Apr 02 01:51:39.203: f0:4f:7c:71:82:23 Returning AAA Err
*apfMsConnTask_4: Apr 02 01:51:51.171: apfVapRadiusClientInfoGet: Client F0:4F:7                                                                                        , dpPort:0, srcPort:0
*aaaQueueReader: Apr 02 01:51:51.171: f0:4f:7c:71:82:23 Successful transmission                                                                                         -00:40
*apfMsConnTask_4: Apr 02 01:51:58.741: f0:4f:7c:71:82:23 Filtering RADIUS Access
*apfMsConnTask_4: Apr 02 01:52:06.218: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 2)
*radiusTransportThread: Apr 02 01:52:11.177: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 158) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:52:11.265: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:52:11.265: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 SGT received is '' with length 0 for station f0:4f:7c:71:82:23
*apfMsConnTask_4: Apr 02 01:52:13.777: apfVapRadiusClientInfoGet: Client F0:4F:7C:71:82:23  dynamic int attributes srcAddr: 0.0.0.0 , gw: 0.0.0.0 mask: 0.0.0.0 , vlan:0, dpPort:0, srcPort:0

(Cisco Controller) >*aaaQueueReader: Apr 02 01:52:13.777: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 159) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*apfMsConnTask_4: Apr 02 01:52:21.490: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 4)
*apfMsConnTask_4: Apr 02 01:52:29.079: f0:4f:7c:71:82:23 Filtering RADIUS Access-Request for station f0:4f:7c:71:82:23 (802.11 assoc attempts 5)
*radiusTransportThread: Apr 02 01:52:33.781: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 159) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:52:33.790: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: Apr 02 01:52:33.790: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
*radiusTransportThread: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 Returning AAA Error 'Authentication Failed' (-4) for mobile f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:33.791: f0:4f:7c:71:82:23 SGT received is '' with length 0 for station f0:4f:7c:71:82:23
*apfReceiveTask: Apr 02 01:52:43.773: f0:4f:7c:71:82:23 Sending Accounting request (2) for station f0:4f:7c:71:82:23

-------------------------------------------------------------------------------------------------------------------------------

Cisco Employee

I see RADIUS is sending an Access-Reject.

radiusTransportThread: Apr 02 01:52:11.265: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0

You need to check on ACS 4.2 > Reports and Activity > Failed Attempts for the corresponding hit. This way we can determine where the issue is.

 

Regards,

Jatin Katyal

Community Member

Hi.. this is what we could find in the failed-attempts logs.

 

Message-Type    User-Name     Group-Name     Caller-ID          Network Access Profile Name  Authen-Failure-Code                       Author-Failure-Code  Author-Data  NAS-Port  NAS-IP-Address
Authen failed   f04f7c718223  Default Group  f0-4f-7c-71-82-23  (Default)                    External DB user invalid or bad password  (empty)              (empty)      1         X.X.X.X
Authen failed   f04f7c718223  Default Group  f0-4f-7c-71-82-23  (Default)                    External DB user invalid or bad password  (empty)              (empty)      1         X.X.X.X
Authen failed   f04f7c718223  Default Group  f0-4f-7c-71-82-23  (Default)                    External DB user invalid or bad password  (empty)              (empty)      1         X.X.X.X
Authen failed   f04f7c718223  Default Group  f0-4f-7c-71-82-23  (Default)                    External DB user invalid or bad password  (empty)              (empty)      1         X.X.X.X
Authen failed   f04f7c718223  Default Group  f0-4f-7c-71-82-23  (Default)                    External DB user invalid or bad password  (empty)              (empty)      1         X.X.X.X

 

Cisco Employee

Looking at the error message, it seems to be an issue with the ACS and Active Directory integration.

Can you please try to access the WLC admin portal using the ACS internal (local) user database, just to rule out AD issues.

Normally we see that error message when the post-installation tasks for ACS 4.2 haven't been followed.

Is ACS running on a domain controller or a member server? What is the OS of the server?

 

Regards,

Jatin Katyal

Community Member

Hi Jatin.. Thanks for your help. This user "test" we have already created in the ACS internal database, and I shared its logs above. Also, I think the ACS server is integrated with the AD server properly, because I have other IOS devices for which we have configured TACACS, and we log in to those IOS devices with AD credentials successfully.

Since we are in the phase of implementing a wireless environment in our network, RADIUS came into the picture. I also want to tell you that I configured TACACS on the wireless controller for testing and we successfully logged in to the controller with AD credentials; the only issue is with the RADIUS configuration.

I cannot stick with TACACS on the controller because the SSID cannot be authenticated through TACACS, as I didn't find that option in the SSID configuration, so I moved to the RADIUS configuration but am finding these issues.

The ACS server is separate from the AD server and runs the Windows 2003 OS.

Please help.

Community Member

Hi..

I have worked on this more and found that the ACS server failed-attempts logs shared above were not relevant.

Actually, I have noticed that the wireless controller is showing the logs below

--------------------------------------------------------------------------------------

*radiusTransportThread: Apr 05 02:43:22.358: f3:00:00:00:00:00 Successful transmission of Authentication Packet (id 95) to 10.110.130.183:1645, proxy state f3:00:00:00:00:00-02:00

*radiusTransportThread:  Max retransmission of Access-Request (id 89) to 10.110.130.183 reached for mobile ec:00:00:00:00:00
*radiusTransportThread: Apr 05 02:19:09.136: ec:00:00:00:00:00 Returning AAA Error 'Authentication Failed'

------------------------------------------------------------------------------------------------

And when I check ACS for failed-attempts logs I don't find any relevant logs there, but when I check the passed-authentications logs I find the message "Authen OK". So it seems that ACS is accepting the authentication, but why am I still not able to log in on the wireless controller? It displays the login page again.

Please help me here..
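As an added example (my own code, not from this thread or from Cisco), here is a small Python script that triages the `debug aaa events enable` output pasted earlier in the thread. It groups Access-Requests by packet id, counts retransmissions, tells an Access-Reject apart from a timeout, and, when a `processRadiusResponse: response code=N` line is followed by `Unable to match RADIUS response`, flags a reply that reached the controller only after it had already given up on the request. Read against the first debug above, the id 125 request was sent three times, hit "Max retransmission" at 00:22:57, and a code=2 (Access-Accept) was processed at 00:23:11, which is the pattern that produces "Authen OK" on the ACS side and the login page again on the WLC. The sample log is constructed (trimmed from the pasted lines, server address normalised). The management-vs-client split keys on the proxy-state suffix seen in these logs (02:00 for the admin attempts, 00:40 for the wireless client) and is an assumption, not a documented WLC encoding.

```python
"""Triage Cisco WLC (AireOS) 'debug aaa events enable' output.

Per RADIUS Access-Request (by packet id): accepted / rejected in time,
timed out ('Max retransmission'), or timed out and then answered late
('Unable to match RADIUS response' preceded by a response code line).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

RADIUS_CODES = {2: "accept", 3: "reject", 11: "challenge"}  # RFC 2865 Code field

# Constructed sample, trimmed from the lines posted in this thread; the
# truncated 'Unable to match...' line is kept only as far as it was visible.
SAMPLE_DEBUG = """\
*aaaQueueReader: Apr 02 00:22:51.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10.110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:53.203: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10.110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:55.207: 93:00:00:00:00:00 Successful transmission of Authentication Packet (id 125) to 10.110.130.183:1645, proxy state 93:00:00:00:00:00-02:00
*radiusTransportThread: Apr 02 00:22:57.212: 93:00:00:00:00:00 Max retransmission of Access-Request (id 125) to 10.110.130.183 reached for mobile 93:00:00:00:00:00
*emWeb: Apr 02 00:22:57.212: Authentication failed for test
*radiusTransportThread: Apr 02 00:23:11.271: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Apr 02 00:23:11.271: Unable to match RADIUS response
*radiusTransportThread: Apr 02 01:51:01.626: f0:4f:7c:71:82:23 Successful transmission of Authentication Packet (id 155) to 10.110.130.183:1645, proxy state f0:4f:7c:71:82:23-00:40
*radiusTransportThread: Apr 02 01:51:01.635: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Apr 02 01:51:01.635: f0:4f:7c:71:82:23 Access-Reject received from RADIUS server 10.110.130.183 for mobile f0:4f:7c:71:82:23 receiveId = 0
"""

TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
RE_SEND = re.compile(
    TS + rf": (?P<mobile>{MAC}) Successful transmission of Authentication Packet "
    rf"\(id (?P<id>\d+)\) to (?P<server>[\d.]+):\d+, proxy state {MAC}-(?P<pstate>[0-9a-f]{{2}}:[0-9a-f]{{2}})")
RE_GIVEUP = re.compile(TS + rf": (?P<mobile>{MAC}) Max retransmission of Access-Request \(id (?P<id>\d+)\)")
RE_EMWEB = re.compile(r"\*emWeb: " + TS + r": Authentication failed for (?P<user>\S+)")
RE_CODE = re.compile(TS + r": \*+Enter processRadiusResponse: response code=(?P<code>\d+)")
RE_VERDICT = re.compile(TS + rf": (?P<mobile>{MAC}) Access-(?P<verdict>Accept|Reject) received from RADIUS server")
RE_UNMATCHED = re.compile(TS + r": Unable to match RADIUS response")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%b %d %H:%M:%S.%f")  # no year in the debug; deltas only


@dataclass
class Request:
    pkt_id: int
    mobile: str
    server: str
    kind: str                           # "mgmt" or "client": assumption from the proxy-state suffix
    sent: List[datetime] = field(default_factory=list)
    gave_up: Optional[datetime] = None
    outcome: str = "pending"            # accepted | rejected | timeout | timeout-late-<accept|reject>
    late_delay: Optional[float] = None  # seconds between giving up and the stray answer
    user: Optional[str] = None          # admin username from the emWeb line, if any


def parse_debug(text: str) -> List[Request]:
    requests: List[Request] = []
    pending: Dict[str, Request] = {}    # mobile -> request still waiting for a verdict
    last_code: Optional[int] = None
    for line in text.splitlines():
        if m := RE_SEND.search(line):
            req = pending.get(m["mobile"])
            if req is None or req.pkt_id != int(m["id"]):
                kind = "mgmt" if m["pstate"] == "02:00" else "client"   # heuristic, see lead-in
                req = Request(int(m["id"]), m["mobile"], m["server"], kind)
                requests.append(req)
                pending[m["mobile"]] = req
            req.sent.append(_ts(m["ts"]))       # first send plus every retransmission
        elif m := RE_GIVEUP.search(line):
            if req := pending.pop(m["mobile"], None):
                req.gave_up, req.outcome = _ts(m["ts"]), "timeout"
        elif m := RE_EMWEB.search(line):
            mgmt = [r for r in requests if r.kind == "mgmt"]
            if mgmt:
                mgmt[-1].user = m["user"]
        elif m := RE_CODE.search(line):
            last_code = int(m["code"])          # remembered for the line that follows it
        elif m := RE_VERDICT.search(line):
            if req := pending.pop(m["mobile"], None):
                req.outcome = m["verdict"].lower() + "ed"
        elif (m := RE_UNMATCHED.search(line)) and last_code is not None:
            # The server did answer, but the WLC had already discarded the request.
            # Attribute the answer to the most recent timed-out request not yet explained.
            stale = [r for r in requests if r.gave_up and r.late_delay is None]
            if stale:
                req = stale[-1]
                req.late_delay = (_ts(m["ts"]) - req.gave_up).total_seconds()
                req.outcome = "timeout-late-" + RADIUS_CODES.get(last_code, str(last_code))
    return requests


def report(requests: List[Request]) -> List[str]:
    out = []
    for r in requests:
        line = f"id {r.pkt_id}: {r.kind} {r.user or r.mobile} -> {r.outcome} after {len(r.sent)} send(s)"
        if r.late_delay is not None:
            line += f"; server's answer arrived {r.late_delay:.1f}s after the WLC gave up"
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_debug(SAMPLE_DEBUG))))
```

Feed a real capture with `parse_debug(open(path).read())`. A `timeout-late-accept` outcome points at server-side latency (for ACS 4.2 with an external database, the time the lookup takes) rather than at credentials or the Service-Type attribute, so the first thing to compare is the WLC's per-server retransmit timeout and retry count (`show radius summary`) against how long ACS takes to answer; on AireOS the timer is set per server with `config radius auth retransmit-timeout <index> <seconds>`.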

Cisco Employee

If authentication is being passed, then 2 things can be checked:

1.] Make sure you are hitting the right group.

2.] Service-type should be configured as Administrative for that group.

Looks like you're failing the authorization piece.

~BR Jatin Katyal **Do rate helpful posts**
Community Member

Hi..

Service type is already Administrative and the group is also correct; I even checked by putting the WLC in the default group, and it didn't work.

Is there anything we are missing?

Cisco Employee

So far I have not seen the attribute being pushed down to the WLC. A couple of things you can try:

1.] On ACS > Network Devices > look for the WLC RADIUS client > change "Authenticate Using" to RADIUS (IETF).

2.] On the WLC, under Priority Order > Management User, check that we have moved RADIUS up as an authentication method.

3.] On the WLC under Security > RADIUS > Authentication, please ensure we have the Management option enabled.

4.] As a last step, try to delete the WLC from ACS and ACS from the WLC and re-add them.

 

Regards,

Jatin Katyal

Community Member

Hi.

I tried changing "Authenticate Using" to RADIUS (IETF).

I checked the authentication method; RADIUS is at the top.

I checked that Management is enabled.

I removed the WLC from ACS and the ACS server from the WLC.

But it still didn't work.

Is it some kind of bug?

Community Member

Hello,

For management access, TACACS is the suggested method.

Make sure the ACS sends role=ALL.

Please follow the guide below.

 

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91631-uwn-tacacs-config.html

 

Regards,

Erdelgad

Cisco Employee

Erick, my friend,

It should be role1=ALL :)

~BR Jatin Katyal **Do rate helpful posts**