Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access Point Radios trying to authenticate via PEAP against ISE

I have a working installation including a 5508 controller with ISE. The ISE is configured for EAP Chaining and clients are authenticating fine.

 

We are seeing some weird behavior from the Access Points. We see authentication failures from devices trying to authenticate via PEAP, the funny thing is that the username and endpoint ID are the MAC addresses of our APs. we see it once or twice a day from several of the APs.

 

Any ideas on what would cause this and what function of the AP is causing this?

3 REPLIES
VIP Purple

Hi,How does "show radius

Hi,

How does "show radius summary" output looks like specific to Acct & Auth Call statiion ID type.

Also what software code running on your WLC ?

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Hi Rasika,kindly advice.

Hi Rasika,

kindly advice. running on 7.6.130 and Cisco ISE 1.2.1.198, but my case is rejected the authentication, why radio base mac address is try to authenticating to ISE?

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS

 

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Acct Call Station Id Type........................ Mac Address
Auth Call Station Id Type........................ Mac Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. Radius_KeepAlive
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen

Authentication Servers

Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------------   ------  --------  ----  --------  -------  ------------------------------------------------
1    NM    x.x.x.x              1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
2    NM  x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
3    NM    x.x.x.x             1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
4    NM    x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none
<-- ISE

Accounting Servers

Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------------   ------  --------  ----  --------  -------  ------------------------------------------------
2      N    x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
3      N     x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

 

 

VIP Purple

Hi,Is it possible to change

Hi,

Is it possible to change the Auth Call Station ID type to AP Radio MAC : SSID as shown below & test it.

(WLC) >show radius summary 

Vendor Id Backward Compatibility......... Disabled
Call Station Id Case..................... lower
Acct Call Station Id Type................ Mac Address
Auth Call Station Id Type................ AP's Radio MAC Address:SSID

 

HTH

Rasika

**** Pls rate all useful responses ***

102
Views
0
Helpful
3
Replies
CreatePlease login to create content