Cisco Support Community
Bronze

WISM using ACS Failover

I have a WiSM and two ACS servers for failover. From time to time, I can see some authentication and accounting records on the 2nd ACS server. My primary ACS server is always up. Then why do those auth requests go to the 2nd ACS server? Is this because the 1st ACS server is busy? I did not find anything useful in the primary ACS server auth logs. Anyone see the similar issue? How can I find out why the authentication fails over to the 2nd ACS server? Thanks.

4 REPLIES
Bronze

Re: WISM using ACS Failover

Because the primary and secondary CiscoSecure ACSes send different Authority IDs at the beginning of the EAP-FAST transaction, the end-user client must have a PAC for each Authority ID. A PAC generated by the primary CiscoSecure ACS is not accepted by the secondary CiscoSecure ACS in a replication scheme where the EAP-FAST master server setting is enabled on the secondary CiscoSecure ACS.

New Member

Re: WISM using ACS Failover

We see the same issue when we do the failover testing from the primary ACS going to the secondary ACS. When the primary comes back up we still show all authentication going to the secondary. We are not using EAP-FAST; we are using LEAP to AD. We need to have a TAC case open. We actually rebooted the controller and authentication switches back to primary, but it never clears the alert.

Re: WISM using ACS Failover

This is a known issue, and fixes are coming. The problem is the WLC is a bit too aggressive in its "dead" times. If it fails to auth one client, the WLC calls it dead and generally does not fail back unless the secondary does the same. If you reboot the controller it will start to use the primary again, and I have heard that on ACS if you stop and start the service it will also trigger the controller to start using it again as well.

If you are on 3.2.171.5/6 you could try the command: config radius aggressive-failover disable. This is supposed to change how aggressive the controller is so that it needs to fail to auth three consecutive clients before we call it dead.

For those of you with 4.0, it is supposed to be in the next MR. due out later this year.

For those interested, the bug id is CSCse29193.

HTH, Steve

Please remember to rate useful posts, and mark questions as answered
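The server-dead behaviour Steve describes, as a simplified Python model added here for illustration (not Cisco's controller code): the one-failure versus three-consecutive-failures thresholds, the lack of fail-back, and the reboot reset are taken from the thread; the server list, the event sequence and the class names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    dead: bool = False
    consecutive_failures: int = 0

@dataclass
class WlcRadiusModel:
    servers: list                      # ordered: primary first, then secondary
    aggressive: bool = True            # models "config radius aggressive-failover enable"
    log: list = field(default_factory=list)
    def failure_threshold(self):
        # thread: aggressive = one failed client marks the server dead; disabled = three in a row
        return 1 if self.aggressive else 3
    def active_server(self):
        # first server not marked dead; with every server dead, fall back to the primary
        for s in self.servers:
            if not s.dead:
                return s
        return self.servers[0]
    def authenticate(self, client, reachable):
        """reachable maps server name -> did it answer; returns the answering server or None."""
        srv = self.active_server()
        if reachable[srv.name]:
            srv.consecutive_failures = 0
            self.log.append((client, srv.name))
            return srv.name
        srv.consecutive_failures += 1
        if srv.consecutive_failures >= self.failure_threshold():
            srv.dead = True            # no fail-back: the controller stays on the next server
        self.log.append((client, None))
        return None
    def reboot(self):
        # the thread reports that a controller reboot restores use of the primary
        for s in self.servers:
            s.dead, s.consecutive_failures = False, 0

def run_scenario(aggressive):
    """Constructed event sequence: only client1's request to the primary goes unanswered."""
    wlc = WlcRadiusModel([RadiusServer("primary"), RadiusServer("secondary")], aggressive)
    both_up = {"primary": True, "secondary": True}
    events = [("client1", {"primary": False, "secondary": True}), ("client2", both_up), ("client3", both_up)]
    used = [wlc.authenticate(c, r) for c, r in events]
    wlc.reboot()                       # after reboot, client4 should reach the primary again
    used.append(wlc.authenticate("client4", both_up))
    return used
```

With the aggressive default, one lost reply sends every later client to the secondary until the reboot; with aggressive failover disabled the same lost reply is absorbed and the primary keeps serving.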
New Member

Re: WISM using ACS Failover

Querying the bug ID provided above produces "Bug ID CSCse29193 has no detail information at this time. AAA: Server-Dead logic needs update", which is not very helpful.

We seem to be seeing this same issue on WiSMs, however running 4.1.185.0 code. Also using ACS, but this is with PEAP to AD. Rebooting the controller resolves the issue.

I will try the aggressive-failover disable option and see if that makes any difference.
