
WLC & RADIUS Issue

Hi,

I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QOS for the RADIUS traffic but they are still reporting problems.

Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.

RADIUS server 10.x.x.x:1645 deactivated in global list

RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'

What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?

Is this the case?

Thanks

5 REPLIES

Re: WLC & RADIUS Issue

Please increase radius timeout on wlc to something between 5 to 10 secs. By default it is 2 secs which is quite low.

For unknown users RADIUS takes a little more time to search for the user, and by that time the RADIUS request times out and the WLC deactivates the server since there was no response from it.

Increasing radius timeout should fix it

Regards,

~JG

Do rate helpful posts


Re: WLC & RADIUS Issue

Thanks JG,

Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?

(In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user.)

Could this almost be a denial of service style issue?

Thanks
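As an added example (not part of the thread), the following Python script checks the behaviour described in this post against the two WLC message formats quoted above: it parses "failed to respond" and "deactivated in global list" lines, reports whether every configured RADIUS server ended up deactivated, and counts timeouts per client MAC and per user name so the client driving the failovers can be identified. The log lines, server addresses and the second client MAC are constructed sample data, not from a real controller.

```python
import re
from collections import Counter

# Patterns modelled on the two WLC log messages quoted in the original post.
FAIL_RE = re.compile(
    r"RADIUS server (?P<server>[\d.]+:\d+) failed to respond to request "
    r"\(ID (?P<req_id>\d+)\) for client (?P<client>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"/user '(?P<user>[^']*)'"
)
DEACT_RE = re.compile(r"RADIUS server (?P<server>[\d.]+:\d+) deactivated in global list")

# Constructed sample log (assumption, not real controller output): three servers are
# configured and one unknown client drives a timeout on each of them in turn, after
# which a normal user hits the first server again.
SAMPLE_LOG = """\
RADIUS server 10.1.1.1:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
RADIUS server 10.1.1.1:1645 deactivated in global list
RADIUS server 10.1.1.2:1645 failed to respond to request (ID 66) for client 00:0b:6b:87:54:d2 /user 'unknown'
RADIUS server 10.1.1.2:1645 deactivated in global list
RADIUS server 10.1.1.3:1645 failed to respond to request (ID 67) for client 00:0b:6b:87:54:d2 /user 'unknown'
RADIUS server 10.1.1.3:1645 deactivated in global list
RADIUS server 10.1.1.1:1645 failed to respond to request (ID 68) for client 00:11:22:33:44:55 /user 'alice'
"""

# Hypothetical server list; on a real WLC take this from the controller's RADIUS config.
CONFIGURED_SERVERS = {"10.1.1.1:1645", "10.1.1.2:1645", "10.1.1.3:1645"}


def parse_line(line):
    """Return a dict describing a RADIUS timeout or deactivation event, or None for other lines."""
    m = FAIL_RE.search(line)
    if m:
        return {"kind": "failed", **m.groupdict()}
    m = DEACT_RE.search(line)
    if m:
        return {"kind": "deactivated", "server": m.group("server")}
    return None


def analyze(log_text, configured_servers):
    """Summarise which servers were deactivated and which clients/users caused the timeouts."""
    deactivated = []  # servers in the order the WLC deactivated them
    failures_by_client = Counter()
    failures_by_user = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "deactivated":
            if ev["server"] not in deactivated:
                deactivated.append(ev["server"])
        else:
            failures_by_client[ev["client"]] += 1
            failures_by_user[ev["user"]] += 1
    return {
        "deactivated": deactivated,
        # True when the WLC has cycled through every server in the list
        "all_servers_deactivated": configured_servers <= set(deactivated),
        "failures_by_client": failures_by_client,
        "failures_by_user": failures_by_user,
    }


def top_offender(summary):
    """Client MAC responsible for the most timeouts, or None if there were none."""
    if not summary["failures_by_client"]:
        return None
    return summary["failures_by_client"].most_common(1)[0][0]


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG, CONFIGURED_SERVERS)
    print("deactivated in order:", s["deactivated"])
    print("all configured servers deactivated:", s["all_servers_deactivated"])
    print("timeouts per client:", dict(s["failures_by_client"]))
    print("timeouts per user:", dict(s["failures_by_user"]))
    print("client to investigate:", top_offender(s))
```

Run it against the controller's message log (or a syslog export) with the real server list in `CONFIGURED_SERVERS`; if `all_servers_deactivated` comes back true and one MAC or the 'unknown' user dominates the counts, the failovers are being driven by a single client's timeouts rather than by a RADIUS outage, which is the case the timeout and aggressive-failover settings in the replies address.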

Re: WLC & RADIUS Issue

Hi,

Yes, if first radius does not respond it will try next radius.

For DoS you need to check the user name that is trying to connect, and check whether that is a legitimate user or not.

I feel that increasing the RADIUS timeout should stop the WLC from setting the RADIUS server as disabled.

Regards,

~JG

Do rate helpful posts

Re: WLC & RADIUS Issue

It doesn't disable the ACS permanently. It will cycle through it again should the other ACS stop...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

WLC & RADIUS Issue

Be sure to remove the aggressive Radius failover on your controllers using the command:

               config radius aggressive-failover disable

You may still see problems after increasing your timeout if you forget to disable the aggressive failover...
