WDS Authentication Issue - Constant Authentication

Hey guys, hope someone can point me in the right direction here, having a bit of an issue.

Previous to my employment at our company, the person holding my job had set up a WDS environment at all of our campuses. In total, we have 4 WDS Masters running right now on 1232 APs and they seem to be working fine. The problem comes into play with ACS (ver 3.3.3). If I look at my Pass Authentication log, I see my WDS APs authenticating, good, right? NO! Each of the 4 AP Masters authenticates every 30 seconds on the dot. Why? This has made managing log files a complete pain in the a__ as we use our ACS for many other things other than WDS. My setup is as follows: on our local campus I have the 1232 acting as the WDS with approx 54 client APs. We also have a WLSE running 2.12u and again the ACS is (3.3.3B11). On our APs we are not utilizing PEAP/EAP. The previous employee had set up an SSID for this and was testing it, but no users are actually doing anything with it. I've contacted Cisco TAC and after 3 days, the wireless engineer working on this case apparently has gone on vacation without saying a word. I've debugged the AP side and looked at my full logs on the ACS to see what might be going on in the RADIUS packet, and this is what I got:

[079] EAP-Message value: ........??."c?.wwds

[027] Session-Timeout value: 20

ExtensionPoint: End of Attribute Set

Sending response code 11, id 244 to 192.168.5.237 on port 1645

[079] EAP-Message value: ........??."c?.wwds

[027] Session-Timeout value: 20

[080] Message-Authenticator value: 4E 4F 54 20 43 4F 4D 50 55 54 45 44 20 59 45 54

Request from host 192.168.5.237:1645 code=1, id=245, length=157 on port 1645

[001] User-Name value: <REMOVED>

[012] Framed-MTU value: 1400

[030] Called-Station-Id value: 0013.1978.4a2d

[031] Calling-Station-Id value: 0004.23a6.a83e

[006] Service-Type value: 1

[080] Message-Authenticator value: 68 7B 81 93 33 8C 71 20 DC 05 A6 EB 15 8D 87 8F

[079] EAP-Message value: ...#.....0.?l.??~??..?.??.?.?aAiwds

[061] NAS-Port-Type value: 19

[005] NAS-Port value: 467454

[004] NAS-IP-Address value: <REMOVED>

[032] NAS-Identifier value: East1stFlrAP1

ExtensionPoint: Initiating scan of configured extension points...

ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Aironet]

ExtensionPoint: [AironetEAP.dll->AuthenticationExtension] returned [11 - challenge]

ExtensionPoint: Start of Attribute Set

[079] EAP-Message value: ....

[027] Session-Timeout value: 20

ExtensionPoint: End of Attribute Set

Sending response code 11, id 245 to 192.168.5.237 on port 1645

[079] EAP-Message value: ....

[027] Session-Timeout value: 20

[080] Message-Authenticator value: 4E 4F 54 20 43 4F 4D 50 55 54 45 44 20 59 45 54

Now, the only thing I see there is the 20-second Session-Timeout. Why is this? Is that standard? I attempted to mess with this by looking at the Cisco Aironet attributes that were available in ACS and found:

[026/5842/001] Cisco-Aironet-Session-Timeout

I've tried to add that, knowing it wouldn't work, and it didn't. But I'm not sure where it's getting the 20-second session timeout from, and the fact is, I doubt it's related, since the APs again authenticate every 30 seconds down to the T versus the Session-Timeout on the RADIUS packet saying 20 seconds. But I'm somewhat at a loss here.

1 REPLY
Re: WDS Authentication Issue - Constant Authentication

Hi Raun,

Maybe this document gives you the right hints for the PEAP - ACS settings:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html

If you want to use Microsoft IAS as RADIUS server, I may give you some hints. Unfortunately, I have made documentation for this task only in German!

For the 20 sec timeout, have a look in ACS "System Configuration -> Global Authentication Setup" and search for the entry "EAP-MD5"; there you find a field "AP EAP request timeout (seconds):". The value is set to 20 by default.

Hope that helps.

Best regards,

Frank
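
Added example (not part of either post and not Cisco code): a small parser for debug output in the layout quoted in the question, showing how to read the two attributes discussed above. The function names `parse_packets` and `interpret` are hypothetical, and the sample log is constructed with placeholder addresses and user name; only the `4E 4F 54 ...` Message-Authenticator bytes are taken from the thread.

```python
import re

# Constructed sample in the layout of the ACS debug excerpt quoted in the thread;
# addresses and the user name are placeholders, not values from the post.
SAMPLE_LOG = """\
Request from host 192.0.2.10:1645 code=1, id=245, length=157 on port 1645
[001] User-Name value: wds-ap
[080] Message-Authenticator value: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
ExtensionPoint: Start of Attribute Set
[079] EAP-Message value: ....
[027] Session-Timeout value: 20
ExtensionPoint: End of Attribute Set
Sending response code 11, id 245 to 192.0.2.10 on port 1645
[079] EAP-Message value: ....
[027] Session-Timeout value: 20
[080] Message-Authenticator value: 4E 4F 54 20 43 4F 4D 50 55 54 45 44 20 59 45 54
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}  # RFC 2865
HEADER = re.compile(r"Request from host (?P<src>\S+?):\d+ code=(?P<rc>\d+), id=(?P<rid>\d+)"
                    r"|Sending response code (?P<sc>\d+), id (?P<sid>\d+) to (?P<dst>\S+)")
ATTR = re.compile(r"\[(\d{3})\] (\S+) value: (.*)")

def parse_packets(text):
    """Group log lines into packets; skip attribute sets printed by extension points."""
    packets, current = [], None
    for line in map(str.strip, text.splitlines()):
        if h := HEADER.match(line):
            code = int(h["rc"] or h["sc"])
            current = {"code": CODES.get(code, str(code)), "id": int(h["rid"] or h["sid"]),
                       "peer": h["src"] or h["dst"], "attrs": {}}
            packets.append(current)
        elif line.startswith("ExtensionPoint:"):
            current = None  # what follows is server-internal output, not a packet on the wire
        elif current is not None and (a := ATTR.match(line)):
            current["attrs"][a[2]] = a[3]
    return packets

def interpret(packet):
    """Return notes on attributes that are easy to misread in this log."""
    attrs, notes = packet["attrs"], []
    if packet["code"] == "Access-Challenge" and attrs.keys() >= {"EAP-Message", "Session-Timeout"}:
        notes.append(f"Session-Timeout {attrs['Session-Timeout']}s is the wait for the next "
                     "EAP-Response (RFC 3579), not a session lifetime")
    raw = bytes.fromhex(attrs.get("Message-Authenticator", ""))
    if raw and raw.isascii() and raw.decode("ascii").isprintable():
        notes.append(f"Message-Authenticator is the text placeholder {raw.decode('ascii')!r}, "
                     "not an HMAC-MD5 value")
    return notes
```

Calling `interpret` on each packet returned by `parse_packets(SAMPLE_LOG)` yields no notes for the Access-Request and two for the Access-Challenge, which is consistent with the 20-second value coming from the EAP request timeout setting named in the reply.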
