10-22-2007 01:55 AM - edited 07-03-2021 02:48 PM
Hi guys,
I am facing some problem with my wireless solution.
My wireless solution contains a WLC and 10-15 APs.
1) I am using the DNS method for getting the WLC IP address for the APs (mapping the FQDN CISCO-LWAPP-CONTROLLER.aja.win.ml.com to the WLC IP address on the DNS server), and this is working fine for me.
2) When I try to connect my laptop to the wireless network, I get the PC's MAC listed on the WLC, and it is trying to authenticate from the ACS as well.
3) But I am seeing the following error in the ACS logs: "NAS duplicated authentication attempt", and it keeps on going.
I am really stuck here since I am not sure what this means. So please help me out if someone has had this problem before.
10-22-2007 05:38 PM
Hi guys,
If anyone has faced such issues, please post the solution for the same.
10-22-2007 06:52 PM
How do you have the WLC set up? When you set up your remote client in ACS, you used the management IP address, correct?
10-22-2007 11:19 PM
10-23-2007 04:31 AM
Okay, so let's go over how the WLC is set up. First, make sure your wireless VLANs are not part of any existing wired VLANs. How do you have the authentication set up on the WLAN SSID? How did you set up your policy in your RADIUS server?
10-23-2007 06:25 AM
Please extend the EAP timeouts in your CLI from 2 seconds to 12. This should solve your problem. The response is taking longer than 2 seconds to get back to the controller, so the controller resends the authentication request over and over, thus giving you a duplicate request error. Here is how to do it. I like 12 seconds in case you are using login credentials that require typing.
It is a good idea to change the RADIUS timeout to 5 seconds. The default of 2 seconds is acceptable for a fast RADIUS failover, but probably not enough for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication, or if the RADIUS server has to contact external databases (Active Directory, NAC, SQL, and so forth).
This is how to verify:
(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility............ Disabled
Credentials Caching......................... Disabled
Call Station Id Type........................ IP Address
Administrative Authentication via RADIUS.... Enabled
Aggressive Failover......................... Disabled
Keywrap..................................... Disabled
Authentication Servers
!--- This portion of code has been wrapped to several lines due to spatial
!--- concerns.
Idx  Type  Server Address    Port    State     Tout  RFC3576
---  ----  ----------------  ------  --------  ----  -------
1    N     10.48.76.50       1812    Enabled   2     Enabled
IPSec -AuthMode/Phase1/Group/Lifetime/Auth/Encr
------------------------------------------------
Disabled - none/unknown/group-0/0 none/none
This is how to configure:
config radius auth retransmit-timeout 1 12
10-23-2007 07:30 PM
Hi Dennis,
Thanks for the reply.
I tried this on my WLC but am still not able to authenticate.
Aravind a s
10-23-2007 09:40 PM
Hi Dennis,
I applied the patch on my laptop for this authentication issue (reference KB885453).
I am seeing some changes in the ACS logs now.
Before installing the patch it was continuously failing, saying "NAS duplicated authentication attempt".
I think we also have to get "Re-key OK" for successful authentication. I am not seeing that in the logs.
10/24/2007 13:30:47 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1
10/24/2007 13:28:37 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1
10/24/2007 13:26:26 Authen OK AYA\user wireless 00-1B-77-95-62-AE 29 11.106.51.1
10/24/2007 13:26:09 Authen OK host/ESINLTECH00710.aya.win.sl.com wireless 00-1B-77-95-62-AE 29 11.106.51.1
Thanks
Aravind A S