Possible AAA server bug in 7.0.240.0 code for 4402 WLC?

Hi Everyone,

We added a new RADIUS server entry into the WLC today and set up a new WLAN with WPA2 / 802.1X + CCKM. We told that WLAN to only use that new RADIUS server. All was fine, we configured the RADIUS server correctly and it allowed me to connect to the network on the SSID. However, we removed the SSID and noticed that our other existing WPA2 / 802.1X WLAN may have been using the other RADIUS server we added. We only had the existing RADIUS server specified in the existing WLAN and not the new server. We checked the new RADIUS server accounting log and saw that there were many authentications in the log (not just my one attempt for a test). We disabled the RADIUS service on the new server and found that we got a bunch of AAA failed entries with the new server's IP in the trap log on the controller. I find it really strange that it was even trying to use the new server at all since we deleted the test WLAN that was using it. We didn't have it explicitly defined in our other 802.1X WLAN AAA server list. Is this a bug? Or am I missing something? I thought that the controller would only use the RADIUS servers specified in the WLAN if we had them explicitly defined in the list. Any thoughts? It didn't do this on the version 6.0 code. Currently running 7.0.240.0....

2 REPLIES

When you added the server to the AAA list, did you leave the network user box checked?

If you did, this makes that server globally available to all WLANs that use 802.1X authentication.

Though it shouldn't have used it unless the server defined under the WLAN had been called 'dead'.

 

HTH,

Steve

Hi Steve,

Yes, I did have the network user box checked. That would explain why the other WLAN was using it. Every once in a while we get authentication failures from the primary RADIUS server. It is at one of our remote sites. I'm thinking that the other one was added globally and was used because the primary got an auth failure and didn't on the new test one. I'll just have to make sure not to check the network user box when testing the new RADIUS server so it doesn't impact the existing connections. Thanks for the info! I really appreciate it.

 

Craig
