AAA, WLC, and AP Groups, Anchor Controller, Problem
First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up. Here are the details and the problem(s):
Have Cisco ACS using backend AD for user authentication
Three wireless controllers running ver 126.96.36.199; one controller is a 4404, the other two are on a WiSM blade in a 6509.
Many AP Groups and a few mobility anchor setups.
Wifi clients used to test are Intel and have the proper drivers 188.8.131.52 and 184.108.40.206
First authentication problem is via SSIDs associated with anchor controllers. Whenever the SSID is set to use 802.1x, the anchor controller sends a message to the ACS (RADIUS), but the ACS never sees the communication.
Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above - the controller talks to the ACS, but the ACS never sees the communication.
Note that all the above works fine as long as I am not using 802.1x. If I am using PSK, it all works flawlessly.
One other thing to note is that, in the case of the AP Group problem, if within the AP group I associate the SSID with the management interface, the 802.1x works perfectly. The problem with that is that the client gets assigned an IP address from the management VLAN... not what I want; instead, I want the client to get its IP address from the interface associated with the AP Group.
It is not a routing problem....
I have gone through two TAC engineers and the problem is still not resolved. So close, but not successful.
Any interoperability/Security experts out there that can help nail this thing?
Re: AAA, WLC, and AP Groups, Anchor Controller, Problem
Sorry for the late reply.... of course your suggestion was right on the mark and a Wireshark trace uncovered the problem. I had already re-engaged Cisco TAC and, between the wireless engineer and one of their security engineers, they were able to point out that Cisco ACS 5.0 has a bug specific to this particular problem. They told me to apply the patch, apply the OS upgrade, then apply the ACS 5.1 upgrade to the ACS. I was able to apply the patch, but never could get the OS upgrade to take. For the heck of it, I re-checked the problem after applying the patch and YooHoo! Works as advertised!
Thanks for showing the interest, it was definitely a pain-point for my customer.
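The Wireshark trace the reply mentions is where a "controller talks, server never sees it" RADIUS problem usually becomes visible. What follows is an added example, not code from this thread or from Cisco, of the checks worth running on a captured Access-Request before blaming the AAA server: which NAS-IP-Address the controller put in the request (it has to match an AAA client defined on ACS, and with dynamic interfaces it is worth confirming it is the address you expect), whether an EAP-Message is accompanied by a Message-Authenticator as RFC 3579 requires for 802.1X, and whether that HMAC-MD5 verifies under the shared secret you believe is configured. The root cause in this thread turned out to be an ACS bug, but these checks rule out the common causes first. The packet bytes, shared secret, NAS address and user name below are constructed for the example.

```python
"""Added example: decode a RADIUS Access-Request and run first-pass 802.1X
troubleshooting checks on it (RFC 2865 framing, RFC 3579 Message-Authenticator)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(secret, identifier, authenticator, attrs):
    """Build an Access-Request with a Message-Authenticator (RFC 3579 3.2):
    HMAC-MD5 keyed with the shared secret over the whole packet, with the
    16-byte Message-Authenticator value zeroed. Only used here to construct
    the sample; in practice the bytes come from a capture."""
    body = encode_attrs(attrs) + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def parse_radius(pkt):
    """Return (code, identifier, authenticator, [(offset, type, value), ...]).
    Rejects length mismatches and malformed TLVs instead of guessing."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):  # bytes beyond Length are padding
        raise ValueError("length field %d disagrees with %d bytes" % (length, len(pkt)))
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % off)
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length %d at offset %d" % (l, off))
        attrs.append((off, t, pkt[off + 2:off + l]))
        off += l
    return code, identifier, pkt[4:20], attrs


def verify_message_authenticator(pkt, secret):
    """True only if a Message-Authenticator is present and matches the secret."""
    _, _, _, attrs = parse_radius(pkt)
    pkt = pkt[:struct.unpack("!H", pkt[2:4])[0]]  # HMAC covers Length bytes only
    for off, t, v in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False


def nas_ip_address(attrs):
    for _, t, v in attrs:
        if t == ATTR_NAS_IP_ADDRESS and len(v) == 4:
            return "%d.%d.%d.%d" % tuple(v)
    return None


def strip_attribute(pkt, attr_type):
    """Rebuild the packet without one attribute type (used for the negative case)."""
    code, identifier, authenticator, attrs = parse_radius(pkt)
    body = encode_attrs([(t, v) for _, t, v in attrs if t != attr_type])
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def triage(pkt, secret, aaa_clients):
    """Checks to run on a captured Access-Request. Returns a list of findings;
    an empty list means the server has no framing-level reason to drop it."""
    findings = []
    code, _, _, attrs = parse_radius(pkt)
    if code != ACCESS_REQUEST:
        findings.append("not an Access-Request (code %d)" % code)
    types = [t for _, t, _ in attrs]
    nas = nas_ip_address(attrs)
    if nas is None:
        findings.append("no NAS-IP-Address attribute")
    elif nas not in aaa_clients:
        findings.append("NAS-IP-Address %s is not a configured AAA client" % nas)
    if ATTR_EAP_MESSAGE in types and ATTR_MESSAGE_AUTHENTICATOR not in types:
        findings.append("EAP-Message without Message-Authenticator (RFC 3579 violation)")
    if ATTR_MESSAGE_AUTHENTICATOR in types and not verify_message_authenticator(pkt, secret):
        findings.append("Message-Authenticator mismatch: shared secret differs or packet altered")
    return findings


# Constructed sample (assumed values, not from the thread): secret, AAA client list,
# and an Access-Request carrying EAP-Response/Identity "jdoe" (code 2, id 1, len 9, type 1).
SECRET = b"constructed-shared-secret"
AAA_CLIENTS = {"10.1.1.5"}
SAMPLE = build_access_request(SECRET, 42, bytes(range(16)), [
    (ATTR_USER_NAME, b"jdoe"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 5])),
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ATTR_NAS_IDENTIFIER, b"WLC-4404"),
    (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x09\x01jdoe"),
])

if __name__ == "__main__":
    print(triage(SAMPLE, SECRET, AAA_CLIENTS))           # clean request
    print(triage(SAMPLE, b"wrong-secret", AAA_CLIENTS))  # shared-secret mismatch
    print(triage(SAMPLE, SECRET, {"10.1.1.9"}))          # NAS not defined on the server
```

To use it on a real trace, apply the display filter `radius.code == 1` in Wireshark, select the RADIUS layer of a packet in the details pane, copy it as a hex stream, and pass `bytes.fromhex(...)` to `triage()` together with the shared secret and the AAA client addresses configured on the server. A request that is sourced from an interface the server does not know, or signed with a different secret, is silently discarded by most RADIUS servers, which from the controller side looks exactly like "the ACS never sees it".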