Cisco Support Community
New Member

WiSM - Radius server Connectivity issues

I have both of my radius servers set up on my controller, however my client cannot authenticate. I consistently get an IP of 0.0.0.0 and an associate state. Reading through the "Understanding Debug Client on WLC's" it states that I should get an APF Process similar to this:

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated

!--- The association response was sent successfully; now APF keeps the
!--- client in associated state and sets the association timestamp on this point.

I get this...but then I don't go to the next phase, which should be...

Dot1x Process

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:69 (RSN 0)

!--- APF calls Dot1x to allocate a new PMK cached entry for the client. 
!--- RSN is disabled (zero value).

Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Initiating WPA PSK to mobile
    00:1b:77:42:07:69

!--- Dot1x signals a new WPA or WPA2 PSK exchange with mobile.

On my 6509, I have the radius servers configured:

Hostname#show radius server-group all
Sever group radius
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(172.16.7.252:1645,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available
    Server(172.16.7.251:1645,1646) Transactions:
    Authen: Not Available       Author:Not Available    Acct:Not Available

I've gone back and forth and made multiple changes... no luck. Just can't get to the Radius server. Any command I'm missing in the controller? Any ideas?
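An added example, not part of the original post or of any Cisco tool: a small parser that reads saved "debug client" output and reports, per client MAC, the furthest phase reached, which makes a client that associates but never enters the Dot1x phase easy to spot. The record shape and phase marker strings are taken only from the excerpts quoted above and are assumed to hold for the capture being examined; the second client in the sample is constructed.

```python
import re

# Record shape taken from the debug excerpts in the post (assumed stable):
#   "<weekday> <month> <day> <hh:mm:ss> <year>: <client MAC> <message>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4}: "
                     r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)

# Ordered phases, keyed on message text that appears in those excerpts.
PHASES = [("associated", "apfProcessAssocReq"),
          ("dot1x_started", "Creating a new PMK Cache Entry"),
          ("key_exchange", "Initiating WPA PSK to mobile")]

def join_wrapped(text):
    """Merge indented continuation lines; skip blank and '!---' note lines."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!---"):
            continue
        if raw[0].isspace() and records:
            records[-1] += " " + raw.strip()
        else:
            records.append(raw.strip())
    return records

def furthest_phase(text):
    """Return {client MAC: name of the furthest phase seen for it}."""
    reached = {}
    for m in filter(None, map(LINE_RE.match, join_wrapped(text))):
        mac, msg = m.group(1).lower(), m.group(2)
        for idx, (_, marker) in enumerate(PHASES):
            if marker in msg:
                reached[mac] = max(reached.get(mac, -1), idx)
    return {mac: PHASES[i][0] for mac, i in reached.items()}

def stalled_after_association(text):
    """Clients that associated but never entered the Dot1x phase."""
    return sorted(m for m, p in furthest_phase(text).items() if p == "associated")

# First client: lines quoted in the post. Second client: constructed.
SAMPLE = """\
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:1b:77:42:07:69 on AP
    00:1c:0j:ca:5f:c0 from Associated to Associated
!--- The association response was sent successfully.
Wed Oct 31 10:46:15 2007: 00:1b:77:42:07:69 Creating a new PMK Cache Entry
    for station 00:1b:77:42:07:69 (RSN 0)
Wed Oct 31 10:47:02 2007: 00:11:22:33:44:55 apfProcessAssocReq
    (apf_80211.c:3838) Changing state for mobile 00:11:22:33:44:55
"""
```

A MAC returned by `stalled_after_association` matches the symptom described in the post: association completes and nothing from the Dot1x phase follows.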

29 REPLIES
Bronze

Re: WiSM - Radius server Connectivity issues

Are you sure you have connectivity to your radius servers from the wism module? Anything in the failed attempt log on the ACS box? Also, are you positive that the radius keys match between the wism and ACS configs?

New Member

Re: WiSM - Radius server Connectivity issues

Thanks for the quick reply. I get nothing in the ACS logs. I’m positive the radius keys match.

New Member

Re: WiSM - Radius server Connectivity issues

Can you ping the RADIUS server from the WLC?

Bronze

Re: WiSM - Radius server Connectivity issues

How about a ping from the console of the wism to the ACS box?  And your ACS will need to have the wism's management address configured (not the service port address).

New Member

Re: WiSM - Radius server Connectivity issues

Yes, I'm able to ping the Radius server from both the WiSM console/WLC. I have the WiSM's management address setup in the ACS as well.

New Member

Re: WiSM - Radius server Connectivity issues

Is the time and date configured correctly on the WLC and ACS?

New Member

Re: WiSM - Radius server Connectivity issues

Yes, I have my NTP server configured in the WLC.

New Member

Re: WiSM - Radius server Connectivity issues

Your RADIUS is configured to use 1645,1646 -  This isn't being blocked anywhere?

New Member

Re: WiSM - Radius server Connectivity issues

No, 1645 and 1646 are not being blocked. I am migrating from a WLSM to the WiSM, and the WLSM uses those ports, no problem.

Bronze

Re: WiSM - Radius server Connectivity issues

Just to confirm, you do have your ACS configured to log failed and successful attempts right? (system config / logging / failed attempts / configure under CSV /  enable logging is checked).  Just trying to make sure that we see any potential logs that might help.

-John

New Member

Re: WiSM - Radius server Connectivity issues

Correct, I do have that...Seems like something simple I'm missing.

New Member

Re: WiSM - Radius server Connectivity issues

On the ssid which you are trying to authenticate through, is the DHCP scope set correctly? Is the dhcp required ticked in advanced?

Like you said, probably something simple. :-)

New Member

Re: WiSM - Radius server Connectivity issues

On my SSID, I have the WLAN pointing to my controller interface. I do not have the DHCP required ticket checked in the advance tab. I'm doing EAP-TLS/802.1x. Just to confirm, I dropped the security back to WPA-PSK/AES and was able to obtain an IP from my DHCP scope. So my DHCP looks good.

Bronze

Re: WiSM - Radius server Connectivity issues

Not sure what client you are using, but can you try just using leap or peap (preferably leap) rather than eap-tls to see if we can get any logs?

New Member

Re: WiSM - Radius server Connectivity issues

FYI...I am migrating from a WLSM with EAP-TLS to the WiSM. That's why I'm puzzled as to why I can't connect. Seems like it would be an easy transition.

New Member

Re: WiSM - Radius server Connectivity issues

You should be seeing failures in the WLC logs and/or the ACS. Do you have accounting configured on the WLC?

New Member

Re: WiSM - Radius server Connectivity issues

Yes, I have that configured. I don't see any failures in the logs, just authcheck, 802.1xREQD, then nothing.

New Member

Re: WiSM - Radius server Connectivity issues

fancy posting the show run-config??

New Member

Re: WiSM - Radius server Connectivity issues

Sure, standby...

New Member

Re: WiSM - Radius server Connectivity issues

Attached...(WLC1)

New Member

Re: WiSM - Radius server Connectivity issues

no file??

New Member

Re: WiSM - Radius server Connectivity issues

You didn't see it attached in the top?

New Member

Re: WiSM - Radius server Connectivity issues

yep - I see it now. Thanks.. Point of interest for you.. Get away from 6.0.182.0  Go to at least 6.0.196.0.

New Member

Re: WiSM - Radius server Connectivity issues

Can't see anything obvious in the config. Do the WLC upgrade and let us know if it makes any difference. The version you are on has all sorts of issues. Possibly related to your problem.

New Member

Re: WiSM - Radius server Connectivity issues

Will do...I will let you know what I find. Thanks Gary!

New Member

Re: WiSM - Radius server Connectivity issues

Any joy??

New Member

Re: WiSM - Radius server Connectivity issues

No, I upgraded to 7.0.98.0. Still no authentication. No hits on the ACS even. I'm convinced that there is nothing wrong with my WiSM configuration. I guess I have to start looking at my ACS server (but how much is there really to look at???)

New Member

Re: WiSM - Radius server Connectivity issues

Have you tried PEAP? When you try for example PEAP or LEAP - can you see passed attempts on the ACS?

New Member

Re: WiSM - Radius server Connectivity issues

Hey Gary,

I wanted to give you an update. I was able to resolve this issue a few days after we emailed. The resolution was to update the Cisco Secure Services Client configuration for my new test SSID.

Thanks again for your help,

Bobby Grewal
