Cisco Support Community

New Member

When WLC authenticate users with secondary RADIUS server?

Hi Sir,

I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).

I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?

Please advise.

Thank you.

B.Rgds,

Lim TS

8 REPLIES
Bronze

Re: When WLC authenticate users with secondary RADIUS server?

The WLC will use the 2nd ACS server when the 1st one is not responding. Then the WLC will mark the 1st one as dead and continue to use the 2nd one even if the 1st has come back and is working. The WLC will not fall back to the 1st one until the 2nd one is dead.

Please rate the helpful posts.

Thanks

Zhenning

New Member

Re: When WLC authenticate users with secondary RADIUS server?

Hi,

I navigated to the following on the WLC:

MANAGEMENT -> SNMP -> Trap Logs

I noticed the following SNMP trap:

Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding

I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.

I checked the 1st ACS server; at around the same time, 11:23, there wasn't any service suspension or database replication going on. What caused the WLC to authenticate against the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, about 120 of them.

On the WLC, I used the default Retransmit Timeout of 2 seconds for both RADIUS Authentication Servers. Should I fine-tune it to a higher value?

*********************************************************************

Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.

*********************************************************************

There are Passed Authentications logged on the 1st ACS server during and after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.

Please advise.

Thank you.

B.Rgds,

Lim TS

Bronze

Re: When WLC authenticate users with secondary RADIUS server?

I am sure the WLC is doing round-robin between the two RADIUS servers, not load-balancing. It always works this way in my network; I confirmed it with TAC before. In your case, after 11:23, do you still see Passed Authentications logs on both ACS servers periodically? If it happens periodically, I would run a packet sniffer in the network to see if sometimes the ACS servers do not respond to the authentication request. I think something was wrong at the 1st ACS server around 11:23. Please check the auth.log and rds.log carefully to see what was happening at that time.

Thanks,

Zhenning

New Member

Re: When WLC authenticate users with secondary RADIUS server?

Hi,

Thanks for your explanation.

I'm using ACS (Windows) version 4.0. Wireless clients "talk" EAP-MSCHAPv2 with the ACS.

I'll check the auth.log and rds.log soonest possible. I'll also check if I see the Passed Authentications logs on both ACS servers periodically.

Nevertheless, both ACS servers are enabled for database replication. Other non-replicated settings, e.g. certificate, EAP, external user databases, are configured identically on the 2nd ACS. Since there were passed authentications on the 2nd RADIUS at 11:23, I'm assuming there's no problem with my 2nd ACS.

Thank you.

B.Rgds,

Lim TS

New Member

Re: When WLC authenticate users with secondary RADIUS server?

Hi,

I get the same problems. In my setup the second RADIUS server (FreeRADIUS 1.0.2) has *exactly* the same configuration as the first one, and packet sniffing the link shows the RADIUS server sending an Access-Challenge response which then seems to be silently ignored by the WLC. Meanwhile, requests sent by the WLC to my 'primary' RADIUS server work fine.

It's really annoying, as I have two RADIUS servers and to the WLC only one is usable. I am running the latest firmware (4.0.179.11), and my bug-reporting attempts to Cisco in the past have been a less than 'pleasant' experience, so I am not going down that fruitless path again :(

In your case, try forcibly shutting down your 'primary' RADIUS authentication server and see what happens; I'm willing to bet no authentication is possible.

For me, running manual EAP-TTLS tests at the secondary RADIUS server works whilst the WLC sits there sulking.

Any ideas would be greatly appreciated. As the configuration files have been copied from my primary RADIUS server to the secondary one, I very much doubt the problem is with my secondary RADIUS server; otherwise the primary one would also fail to work :-/

Cheers

Alex
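One thing worth checking when a capture shows a well-formed Access-Challenge that the controller never acts on: a RADIUS client silently discards any reply whose Response Authenticator does not verify against the shared secret it has configured for that server (RFC 2865 section 3), so a secret that differs on the second server, or on the WLC's entry for it, produces exactly this symptom with nothing logged on either side. The following is an added example, not code from the thread or from any Cisco or FreeRADIUS product; it reconstructs the Access-Request/Access-Challenge exchange with constructed attribute bytes and secrets, and runs the receive-side check a NAS performs, once with matching secrets and once with a one-character mismatch. The EAP payloads and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_CHALLENGE = 11
# Attribute types used below
USER_NAME = 1
STATE = 24
EAP_MESSAGE = 79


def attribute(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, includes the header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code, ident, authenticator, attributes):
    """Serialise a RADIUS packet: Code, Identifier, Length, 16-byte Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, ident, request_authenticator, attributes, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def server_reply(code, request, attributes, secret):
    """What the RADIUS server sends back for `request`, signed with ITS copy of the secret."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return build_packet(code, ident, auth, attributes)


def nas_accepts(reply, outstanding_request, secret):
    """The receive-side check a NAS performs before acting on a reply.

    A reply whose Identifier matches no outstanding request, whose Length is wrong,
    or whose Response Authenticator does not verify is silently discarded
    (RFC 2865 s.3 and s.4.2). Nothing goes back to the server, which is why a
    capture can show a perfectly valid Access-Challenge that the NAS ignores.
    """
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != outstanding_request[1]:
        return False
    expected = response_authenticator(code, ident, outstanding_request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """Constructed exchange: same shared secret on both ends, then a one-character mismatch.

    Returns (accepted_with_matching_secret, accepted_with_mismatched_secret).
    """
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes per request
    # EAP Response/Identity "limts" wrapped in an EAP-Message attribute (constructed bytes)
    request = build_packet(
        ACCESS_REQUEST, 0x2A, request_auth,
        attribute(USER_NAME, b"limts") + attribute(EAP_MESSAGE, b"\x02\x01\x00\x0a\x01limts"),
    )
    # EAP Request (type 0x15 = EAP-TTLS, start flag) plus a State attribute (constructed bytes)
    challenge_attrs = attribute(EAP_MESSAGE, b"\x01\x02\x00\x06\x15\x20") + attribute(STATE, b"sess-01")
    wlc_secret = b"radius-secret"  # constructed secret as configured on the controller
    good = server_reply(ACCESS_CHALLENGE, request, challenge_attrs, wlc_secret)
    bad = server_reply(ACCESS_CHALLENGE, request, challenge_attrs, b"radius-secre7")  # typo on one server
    return nas_accepts(good, request, wlc_secret), nas_accepts(bad, request, wlc_secret)


if __name__ == "__main__":
    matched, mismatched = demo()
    print("matching secret -> accepted:", matched)
    print("mismatched secret -> accepted:", mismatched)
```

A mismatched secret is only one cause of a silent discard; the Message-Authenticator attribute (RFC 3579) that accompanies EAP-Message is keyed with the same shared secret and is checked by the NAS as well, so a secret typo fails both checks at once. Comparing the secret on the WLC's entry for the second server with the one in that server's client configuration is the quick way to rule this out before suspecting the controller.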

Bronze

Re: When WLC authenticate users with secondary RADIUS server?

In my setup, when I shut down the primary ACS server, the authentication is handled by the 2nd ACS server. Just for the first request after the primary ACS goes down, it takes 7-8 seconds to get a response. After the first request, all the authentication requests are handled by the 2nd ACS server fine.

New Member

Re: When WLC authenticate users with secondary RADIUS server?

Are you using EAP? Or are you using PEAP, CHAP, PAP or some other authentication method?

Cheers

New Member

Re: When WLC authenticate users with secondary RADIUS server?

Lim,

By default, the WLC will switch from one radius server to the 2nd if it does not get a reply to 1 Request (and the retransmissions). We call this "aggressive" failover.

However, such a response (silent discard) is actually valid when the certificate does not match, so switching between radius servers under such a condition is not ideal. Because of this, you can change the behavior by:

">config radius aggressive-failover disable"

With this configuration, the controller will allow silent discards, and to switch from one radius server to the 2nd, you will need 3 subsequent failed requests (and their retransmissions).

Hope this helps.
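To make the difference between the two failover modes concrete, here is an added example (not code from the thread and not Cisco's implementation) that models the controller's server selection as described above: every request is sent to the active server and retransmitted after each Retransmit Timeout; under aggressive failover one unanswered request (plus its retransmissions) marks the server dead and the request is resent to the next server, while with aggressive failover disabled it takes three consecutive unanswered requests before switching; once switched, the controller stays on the new server even after the old one recovers. The number of retransmissions per request, the scripted outage and the decision to resend the triggering request on the next server are assumptions of the model, not values from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str


@dataclass
class FailoverPolicy:
    retransmit_timeout: float = 2.0  # seconds; the WLC default quoted in the thread
    retransmissions: int = 2         # ASSUMPTION: extra sends of one request before giving up on it
    aggressive: bool = True          # "config radius aggressive-failover enable|disable"

    @property
    def failures_to_switch(self) -> int:
        # Aggressive: one request (with its retransmissions) unanswered.
        # Non-aggressive: three subsequent unanswered requests, as the reply above describes.
        return 1 if self.aggressive else 3


@dataclass
class Controller:
    servers: List[RadiusServer]
    policy: FailoverPolicy
    # Scripted reachability: responder(server, request_no) -> True if the server answers.
    responder: Callable[[RadiusServer, int], bool]
    active: int = 0
    consecutive_failures: int = 0
    events: List[Tuple[int, Optional[str], float, str]] = field(default_factory=list)

    def _send_with_retries(self, server: RadiusServer, request_no: int) -> Tuple[bool, float]:
        """One Access-Request plus retransmissions. Returns (answered, seconds spent waiting)."""
        sends = 1 + self.policy.retransmissions
        for attempt in range(sends):
            if self.responder(server, request_no):
                return True, attempt * self.policy.retransmit_timeout
        return False, sends * self.policy.retransmit_timeout

    def authenticate(self, request_no: int) -> Tuple[Optional[str], float]:
        """Returns (name of server that answered or None, seconds the client waited)."""
        elapsed = 0.0
        for _ in range(len(self.servers)):
            server = self.servers[self.active]
            answered, spent = self._send_with_retries(server, request_no)
            elapsed += spent
            if answered:
                self.consecutive_failures = 0
                self.events.append((request_no, server.name, elapsed, "answered"))
                return server.name, elapsed
            self.consecutive_failures += 1
            if self.consecutive_failures < self.policy.failures_to_switch:
                # Below the threshold: this request is lost, but the server is not yet marked dead.
                self.events.append((request_no, server.name, elapsed, "timeout, server kept"))
                return None, elapsed
            # Threshold reached: mark the server dead, move on, and (ASSUMPTION) resend this request there.
            self.events.append((request_no, server.name, elapsed, "marked dead"))
            self.active = (self.active + 1) % len(self.servers)
            self.consecutive_failures = 0
        # Every configured server failed in turn: the condition behind the
        # "No Radius Servers Are Responding" trap seen in the thread.
        self.events.append((request_no, None, elapsed, "no radius servers responding"))
        return None, elapsed


def run_scenario(aggressive: bool) -> List[Optional[str]]:
    """Constructed outage: the primary stops answering requests 3-5, then recovers; secondary always up."""
    primary, secondary = RadiusServer("primary"), RadiusServer("secondary")

    def responder(server: RadiusServer, request_no: int) -> bool:
        if server is primary:
            return request_no not in (3, 4, 5)
        return True

    wlc = Controller([primary, secondary], FailoverPolicy(aggressive=aggressive), responder)
    return [wlc.authenticate(n)[0] for n in range(1, 7)]


if __name__ == "__main__":
    for mode in (True, False):
        print("aggressive" if mode else "non-aggressive", run_scenario(mode))
```

With the constructed outage, aggressive failover loses no request: request 3 waits out the retransmissions on the primary and is then answered by the secondary, and requests 4 to 6 go straight to the secondary even though the primary is back for request 6. With aggressive failover disabled, requests 3 and 4 time out on the primary before the third failure triggers the switch, which is the trade-off the reply above describes: fewer spurious failovers on a silent discard, at the cost of more client-visible timeouts when a server is really down.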
