
802.1x Authentication Failure Cisco Wireless LAN Controller (WLC)

Hi there

I have set up our WLC to authenticate wireless users using RADIUS on a Cisco ACS 5.5 and I have also set up the WLC Web Auth using a customized login profile. The user is able to log on, but after a while users are not able to log in and we get the following logs on the WLC:

RADIUS auth-server unavailable

Then without any indication, the RADIUS server becomes available on its own or if I initiate a session with the WLC.  The WLC does respond to client requests for the most part, but when the RADIUS server is unavailable without notice and if the users try to authenticate, they get an error from the WLC that says "login failed".  Any idea what is happening?  I was using an older version of the Software version and Field Recovery Image Version and someone from this site told me I should upgrade it.  I upgraded and didn't have any issues until after a week.  Here is what I am running right now on the WLC:

 

Software Version: 7.6.110.0
Field Recovery Image Version: 7.6.101.1

 

Attached is a screenshot of our WLC Advanced tab and our ACS configuration.

 

Here is the EAP configuration of the WLC:

(Cisco Controller) show>advanced eap

EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (seconds)...................... 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 43200

 

Thanks!

1 REPLY

Try to lower your session timer to 1800, which is the default. Also use the default idle timer of 300 seconds. You can either disable the idle timer on the WLAN or make sure the global idle timer is set at 300. This is only for webauth use. Also, if you have multiple RADIUS servers defined in the global RADIUS group, don't check the network user check box. You define the RADIUS in the WLAN itself. I would also not change the RADIUS server EAP timeout, and leave that at default. As far as 802.1x, make sure you're using either WPA/TKIP or WPA2/AES and not both or a mix of each. Give that a try and see if that helps.


Scotty

-Scott