
WPA auth down when first ACS is DOWN

The system consists of 10 standalone APs.

The client is authenticated through WPA MsCHAPv2 with TKIP.

The remote servers are two ACS version 3.2.

When the server ACS 10.0.0.1 went down, some clients disconnected.

Is it possible that the AP does not realize in time that the first server is down, and then the authentication request times out?

Is it possible to change the time in which an AP checks whether a server is down?

#########################################

ip subnet-zero
no ip domain lookup
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1645 acct-port 1646
 server 10.0.0.2 auth-port 1645 acct-port 1646
!
aaa authentication login CONSOLE none
aaa authentication login VTY line
aaa authentication login eap_methods group rad_eap
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid test
 authentication open eap eap_methods
 authentication key-management wpa
 guest-mode
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid test
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2412
 station-role root
 rts threshold 2312
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.0.0.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server view basic iso included
snmp-server community wlse RW
snmp-server community public RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.1 auth-port 1645 acct-port 1646 key qazse4
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646 key qazse4
radius-server vsa send accounting

#########################################

Thanks.

Mirko Severi

1 REPLY

Re: WPA auth down when first ACS is DOWN

The shared secret key that you configure on the WLC and the ACS server must match. The shared secret is case sensitive.

Verify your configuration also.

debug dot1x events enable - Enables the debug of all dot1x events

For further information click this link.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008095382f.shtml#c3
