Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Wed, 22 Jul 2009 22:12:00 +1000

Wow, didn't know GS accepts attachments. :-)

I take it your WLC IP is 172.30.3.4.
Is your ACS installed on VMware running some Linux flavor?
If yes, (just a wild guess) do you have any interface on that Linux box
with IP address 172.30.x.x and netmask 255.255.0.0?

A.

Lora Ganeva wrote:
> Hi,
>
> Clients are authenticating correctly when going through an autonomous AP. Problem arises when we try to use a lightweight AP with the WLC.
> There isn't any trace in the ACS, for some reason it is not logging communication from this WLC. Actually I am using the same ACS for 802.1x for 10 switches, part of the authentications coming from these switches are logged and part of them aren't. It seems like the ACS has a problem with logging as I have already mentioned. We have discovered that requests are reaching the ACS by sniffing the traffic (see the Ethereal capture attached).
> Only requests, no replies...
>
> 10x in advance,
> Lora
>
> -----Original Message-----
> From: Ryan West [mailto:rwest_at_zyedge.com]
> Sent: 22 July 2009 14:04
> To: Alexei Monastyrnyi; Lora Ganeva
> Cc: ccielab_at_groupstudy.com
> Subject: RE: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2
>
> Lora,
>
> Another two things I would look at are the debugs from the WLC for AAA authentication and that you've loaded a trusted certificate on the ACS box. Then make sure the clients are set to validate to that certificate on the PEAP properties of the Authentication tab.
>
> One more thing to check, assuming the SSID isn't in guest mode, SP3 added a really nifty checkbox (unchecked by default) under the Association tab, Connect even if this network is not broadcasting. Make sure that's checked as well.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Alexei Monastyrnyi
> Sent: Wednesday, July 22, 2009 6:11 AM
> To: Lora Ganeva
> Cc: ccielab_at_groupstudy.com
> Subject: Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2
>
> Hey Lora.
>
> I haven't seen ACS 5 live but from what you have told us, this shouldn't
> be a version-specific issue.
>
> I'd check the following:
> - if there is a port mismatch on WLC vs ACS, i.e. 1645 vs 1812 or the
> other way around.
> - if you block those ports somewhere in between.
> - if your WLC IP address is AAA client for ACS with correct shared secret.
> - if your logging for failed attempts is configured correctly on ACS (it
> is all right by default)
>
> I'd also try to download some RADIUS authentication test tool, plenty of
> them, just google for one.
>
> HTH,
> A.
>
>
> Lora Ganeva wrote:
>
>> Dear experts,
>>
>> I am facing problems with the following setup:
>>
>> Cisco WLC with lightweight APs and the latest ACS 5.0.
>>
>> I am trying to put a successful PEAP session, but for some reason RADIUS
>> requests are sent from the WLC towards the ACS, but there is no response
>> from the RADIUS. One additional problem with troubleshooting is the fact
>> that my ACS fails to log this communication. The ACS is trial and I
>> cannot contact the TAC for support. Do you have any experience in
>> scenarios like this?
>>
>> Clients are Windows XP SP3 computers with all the Microsoft settings and
>> hotfixes applied, incl. registry settings, etc.
>>
>> Any help will be appreciated,
>>
>> Thanks in advance,
>>
>> Lora
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>

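A worked illustration of the "requests only, no replies" symptom and of the shared-secret item on Alexei's checklist, added here by the editor; it is not code from anyone in the thread and does not model ACS 5.0 specifically. For 802.1X the Access-Request carries EAP-Message and therefore must carry a Message-Authenticator (HMAC-MD5 keyed with the shared secret); RFC 3579 requires a server that cannot verify it to discard the packet silently, so a wrong secret on the WLC produces exactly a capture full of requests with no Access-Reject and nothing for a client to react to. The code builds that request with the standard library, runs the server-side check with a matching and a mismatching secret, and verifies the reply the way a NAS would (Response Authenticator plus Message-Authenticator). The secrets and user name are constructed; the NAS-IP-Address uses the WLC address quoted in the thread as a sample value. The `probe()` function sends one request to a live server so it can double as the RADIUS test tool Alexei suggests, with the port (1812 or 1645) passed explicitly. A port mismatch or a firewall produces the same capture, so a timeout from `probe()` rules nothing in by itself; it only confirms that nothing is coming back.

```python
"""RADIUS/EAP Access-Request builder with server-side and NAS-side checks
(RFC 2865 packet layout, RFC 3579 Message-Authenticator). Added example;
secrets, user name and the sample NAS IP below are constructed inputs."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 2, 1, 25


def attr(atype, value):
    """One RADIUS TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity, the first EAP packet the supplicant sends."""
    data = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def _with_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator: HMAC-MD5(secret) over the whole packet
    with the attribute value zeroed and `authenticator` in the header."""
    attrs += attr(ATTR_MSG_AUTH, bytes(16))
    pkt = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_request(secret, ident, username, nas_ip, request_auth=None):
    """What the NAS (here the WLC) sends for the first leg of 802.1X."""
    ra = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(1, username)))
    return _with_message_authenticator(ACCESS_REQUEST, ident, ra, attrs, secret)


def verify_message_authenticator(pkt, secret, request_auth):
    """RFC 3579 3.2 check. For replies, request_auth is the Request
    Authenticator of the matching Access-Request, not the header field."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return False  # malformed attribute list
        if atype == ATTR_MSG_AUTH and alen == 18:
            zeroed = pkt[:4] + request_auth + pkt[20:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # EAP-Message without Message-Authenticator is discarded too


def server_handle(pkt, server_secret):
    """Server side. Returns reply bytes, or None when the request is silently
    discarded, which is the 'requests only, no replies' picture in a capture."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    ra = pkt[4:20]
    if not verify_message_authenticator(pkt, server_secret, ra):
        return None  # shared-secret mismatch: RFC 3579 says MUST silently discard
    # Identity accepted: answer with EAP-Request/PEAP Start in an Access-Challenge
    eap = struct.pack("!BBHBB", EAP_REQUEST, 2, 6, EAP_TYPE_PEAP, 0x20)  # 0x20 = S flag
    reply = _with_message_authenticator(ACCESS_CHALLENGE, pkt[1], ra,
                                        attr(ATTR_EAP_MESSAGE, eap), server_secret)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(reply[:4] + ra + reply[20:] + server_secret).digest()
    return reply[:4] + resp_auth + reply[20:]


def nas_verify_reply(reply, request, secret):
    """NAS side: match the identifier, then check both authenticators."""
    if reply is None or len(reply) < 20 or reply[1] != request[1]:
        return False
    ra = request[4:20]
    expected = hashlib.md5(reply[:4] + ra + reply[20:] + secret).digest()
    return (hmac.compare_digest(expected, reply[4:20])
            and verify_message_authenticator(reply, secret, ra))


def probe(host, port, secret, username, nas_ip, timeout=3.0):
    """Live test against a server: None means no valid reply before timeout."""
    req = build_access_request(secret, 1, username, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if nas_verify_reply(data, req, secret) else None


def demo():
    """Offline: one request, a server with the right secret and one with a typo."""
    wlc_secret, typo_secret = b"wlc-secret", b"wlc-secret2"  # constructed
    req = build_access_request(wlc_secret, 7, "user@example.com", "172.30.3.4")
    ok, silent = server_handle(req, wlc_secret), server_handle(req, typo_secret)
    return {"challenge_when_secrets_match": ok is not None and ok[0] == ACCESS_CHALLENGE,
            "nas_accepts_challenge": nas_verify_reply(ok, req, wlc_secret),
            "any_reply_when_secrets_differ": silent is not None}
```

`demo()` returns True, True, False: the mismatched secret yields no reply object at all, not a rejection, which is why a sniffer on the server shows inbound requests and nothing outbound. To exercise a real server, call `probe("<acs-ip>", 1812, b"<secret>", "user", "<wlc-ip>")` once with 1812 and once with 1645 and compare with the WLC's configured port; note that the server will receive the request from the probing host's address, so that host must also be defined as a AAA client on the server for the probe to mean anything.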
Received on Wed Jul 22 2009 - 22:12:00 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART