Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 22 Jul 2009 16:35:32 +0100

Hi Lora,

Can you do a "test aaa" command at least from the AP? Can we see a debug
radius on the AP please?

If this does not work, it sounds to me like we have a "support" issue here.
Is that kind of hardware supported by that version of ACS?

Sadiq

2009/7/22 Lora Ganeva <lganeva_at_mobiltel.bg>

> Hi,
>
> Yes..172.30.3.4 is the IP address of the WLC. Radius is 192.168.231.132.
> ACS is running on a VMWare server.
>
> BR,
> Lora
>
> -----Original Message-----
> From: Alexei Monastyrnyi [mailto:alexeim73_at_gmail.com]
> Sent: 22 July 2009 15:12
> To: Lora Ganeva
> Cc: Ryan West; ccielab_at_groupstudy.com
> Subject: Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2
>
> Wow, didn't know GS accepts attachments. :-)
>
> I take it your WLC IP is 172.30.3.4.
> Is your ACS installed on VMWare running some Linux flavor?
> If yes, (just a wild guess) do you have any interface on that Linux box
> with IP address 172.30.x.x and netmask 255.255.0.0?
>
> A.
>
>
> Lora Ganeva wrote:
> > Hi,
> >
> > Clients are authenticating correctly when going through an autonomous AP.
> > Problem arises when we try to use lightweight AP with the WLC.
> > There isn't any trace in the ACS, for some reason it is not logging
> > communication from this WLC. Actually I am using the same ACS for 802.1x for
> > 10 switches, part of the authentications coming from these switches are
> > logged and part of them aren't. It seems like the ACS has a problem with
> > logging as I have already mentioned. We have discovered that requests are
> > reaching the ACS by sniffing the traffic (see the ethereal attached).
> > Only requests, no replies...
> >
> > 10x in advance,
> > Lora
> >
> > -----Original Message-----
> > From: Ryan West [mailto:rwest_at_zyedge.com]
> > Sent: 22 July 2009 14:04
> > To: Alexei Monastyrnyi; Lora Ganeva
> > Cc: ccielab_at_groupstudy.com
> > Subject: RE: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2
> >
> > Lora,
> >
> > Another two things I would look at are the debugs from the WLC for AAA
> > authentication and that you've loaded a trusted certificate on the ACS box.
> > Then make sure the clients are set to validate to that certificate on the
> > PEAP properties of the Authentication tab.
> >
> > One more thing to check, assuming the SSID isn't in guest mode, SP3 added
> > a really nifty checkbox (unchecked by default) under the Association tab,
> > "Connect even if this network is not broadcasting". Make sure that's checked
> > as well.
> >
> > -ryan
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Alexei Monastyrnyi
> > Sent: Wednesday, July 22, 2009 6:11 AM
> > To: Lora Ganeva
> > Cc: ccielab_at_groupstudy.com
> > Subject: Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2
> >
> > Hey Lora.
> >
> > I haven't seen ACS 5 live but from what you have told us, this shouldn't
> > be a version-specific issue.
> >
> > I'd check the following:
> > - if there is a port mismatch on WLC vs ACS, i.e. 1645 vs 1812 or the
> > other way around.
> > - if you block those ports somewhere in between.
> > - if your WLC IP address is AAA client for ACS with correct shared
> > secret.
> > - if your logging for failed attempts is configured correctly on ACS (it
> > is all right by default)
> >
> > I'd also try to download some RADIUS authentication test tool, plenty of
> > them, just google for one.
> >
> > HTH,
> > A.
> >
> >
> > Lora Ganeva wrote:
> >
> >> Dear experts,
> >>
> >> I am facing problems with the following setup:
> >>
> >> Cisco WLC with lightweight APs and the latest ACS 5.0.
> >>
> >> I am trying to put a successful PEAP session, but for some reason RADIUS
> >> requests are sent from the WLC towards the ACS, but there is no response
> >> from the Radius. One additional problem with troubleshooting is the fact
> >> that my ACS fails to log this communication. The ACS is trial and I
> >> cannot contact the TAC for support. Do you have any experience in
> >> scenarios like this?
> >>
> >> Clients are Windows XP SP3 computers with all the Microsoft settings and
> >> hotfixes applied, incl. registry settings, etc.
> >>
> >> Any help will be appreciated,
> >>
> >> Thanks in advance,
> >>
> >> Lora
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>

-- 
CCIE #19963
Received on Wed Jul 22 2009 - 16:35:32 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART
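
The checks suggested in the thread (1645 vs 1812, filtering in between, AAA client entry and shared secret) can be separated with a small RADIUS test client. The following is an added example, not code from any poster in this thread: it sends one plain PAP Access-Request per RFC 2865 and classifies the result, so it exercises the transport, client entry and shared secret but not PEAP itself. The host, user, password and secret are supplied by the operator, and the test host's IP is assumed to be defined as an AAA client on the server.

```python
import hashlib, hmac, os, socket, struct, sys

CODES = {2: "accept", 3: "reject", 11: "challenge"}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(user, password, secret, ident, authenticator):
    """Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     ((1, user), (2, hide_password(password, secret, authenticator))))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Response Authenticator = MD5(code+id+len + request auth + attrs + secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, port, user, password, secret, timeout=3.0):
    """Send one PAP Access-Request and classify what comes back."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(user, password, secret, ident, auth), (host, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or ICMP error: wrong port, filter, unknown client
            return "no-reply"
    if len(reply) < 20 or reply[1] != ident or not reply_is_authentic(reply, auth, secret):
        return "bad-authenticator"  # a reply signed with a different shared secret
    return CODES.get(reply[0], "other")

if __name__ == "__main__":  # usage: script.py HOST USER PASSWORD SECRET
    host, user, pw, secret = (a.encode() for a in sys.argv[1:5])
    for port in (1812, 1645):  # the two RADIUS auth ports named in the thread
        print(port, probe(host.decode(), port, user, pw, secret))
```

A "reject" or "accept" on one port and "no-reply" on the other points to a port mismatch; "bad-authenticator" means the server answered but with a different shared secret. A server configured to require the Message-Authenticator attribute will drop this request, since the example does not send one.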