I've configured 2 1400 bridges with the basic settings and have them working fine using EAP and the local Radius Server,...I now introduced an ACS and have the Root Bridge setup as a AAA client. the ACS is mapped to a external user database group in AD,the user is setup and communication between the root bridge, ACS, and AD is fine, but when the non-root bridge goes to acs to auth it locks up the AD account with multiple bad pswds. From the ACS yo can see the user in the failed auth with bad password ..From what I can see I'm missing something with the credentials,.the passwords are identical but I think its encrypting it when the non-root sends it to the ACS.
there is limited documentation (none) for step by step for EAP auth with a ACS radius server.
Complete these steps in order to troubleshoot your configuration.
1. In the client-side utility or software, create a new profile or connection with the same or similar parameters in order to ensure that nothing has become corrupted in the configuration of the client.
2. In order to eliminate the possibility of RF issues that prevent successful authentication, temporarily disable authentication as shown in these steps:
o From the CLI, use the commands no authentication open eap eap_methods, no authentication network-eap eap_methods and authentication open.
o From the GUI, on the SSID Manager page, un-check Network-EAP, check Open, and set the dropdown list back to No Addition.
If the client successfully associates, then RF does not contribute to the association problem.
3. Verify that shared secret passwords are synchronized between the access point and the authentication server. Otherwise, you can receive this error message:
Invalid message authenticator in EAP request
o From the CLI, check the line radius-server host x.x.x.x auth-port x acct-port x key .
o From the GUI, on the Server Manager page, re-enter the shared secret for the appropriate server in the box labelled "Shared Secret."
The shared secret entry for the access point on the RADIUS server must contain the same shared secret password as those previously mentioned.
4. Remove any user groups from the RADIUS server. Sometimes conflicts can occur between user groups defined by the RADIUS server, and user groups in the underlying domain. Check the logs of the RADIUS server for failed attempts, and the reasons those attempts failed.
Sorry,..maybe I wasn't clear,..troubleshooting was done it works with a local Radius but not with ACS 4.1.
This is a non-root bridge that needs to authenticate. Shared secret,..RF,..all that is fine. the problem is that the non-root bridge is sending an encrypted password but not sure where on ACS I have to put the matching settings.
IntroductionHow to use the Wireless LAN Controller Configuration Analyzer (WLCCA)
Javier Contreras is a Senior Tech Lead for the Wireless Business Unit in Cisco, with over 2 decades of experi...
< PRE >
(#)For this reason being that : - application that doesn't use multicast, sends one copy of each packet ( data unit of traffic at layer 3 ) to each client (" who seeks the traffic ).- application that does use multicast, sends ...
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...