EAP Authentication with WLAN Controllers (WLC) Configuration Example
[LEFT][CODE]http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml[/CODE][B]Document ID: 69730[/B]
[B]Contents[/B][INDENT] [B] Introduction
[/B] [B] Prerequisites
Requirements
Components Used
Conventions
[/B] [B] Configure
Network Diagram
Configure the WLC for Basic Operation and Register the Lightweight APs to the Controller
Configure the WLC for RADIUS Authentication through an External RADIUS Server
Configure WLAN Parameters
Configure Cisco Secure ACS as the External RADIUS Server and Create a User Database for Authentication Clients
Configure the Client
[/B] [B] Verify
[/B] [B] Troubleshoot
Troubleshooting Tips
Extracting the Package File from ACS RADIUS Server for Troubleshooting
[/B] [B] Related Information
[/B][/INDENT][B] Introduction [/B]
This document explains how to configure the Wireless LAN controller (WLC) for Extensible Authentication Protocol (EAP) authentication with the use of an external RADIUS server. This configuration example uses the Cisco Secure Access Control Server (ACS) as the external RADIUS server in order to validate the user credentials.
[B] Prerequisites [/B]
[B] Requirements [/B]
Ensure that you meet these requirements before you attempt this configuration:
[LIST][*] Basic knowledge of the configuration of Lightweight access points (APs) and Cisco WLCs.[*] Basic knowledge of Lightweight AP Protocol (LWAPP)[*] Knowledge of how to configure an external RADIUS server like the Cisco Secure ACS[/LIST]
[B] Components Used [/B]
The information in this document is based on these software and hardware versions:
[LIST][*] Cisco Aironet 1232AG Series Lightweight AP[*] Cisco 4400 Series WLC that runs firmware 5.1[*] Cisco Secure ACS that runs version 4.1[*] Cisco Aironet 802.11 a/b/g Client Adapter[*] Cisco Aironet Desktop Utility (ADU) that runs firmware 4.2[/LIST]
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
[B] Conventions [/B]
Refer to [URL="http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080121ac5.shtml"]Cisco Technical Tips Conventions[/URL] for more information on document conventions.
[B] Configure [/B]
In this section, you are presented with the information to configure the features described in this document.
[B]Note: [/B]Use the [URL="http://tools.cisco.com/Support/CLILookup/cltSearchAction.do"]Command Lookup Tool[/URL] ([SIZE=-1] [URL="http://tools.cisco.com/RPF/register/register.do"]registered[/URL] customers only[/SIZE]) in order to find more information on the commands used in this document.
Complete these steps in order to configure the devices for EAP authentication:
[LIST=1][*] [URL="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c1"]Configure the WLC for basic operation and register the Lightweight APs to the controller.[/URL][*] [URL="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2"]Configure the WLC for RADIUS authentication through an external RADIUS server.[/URL][*] [URL="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3"]Configure the WLAN parameters.[/URL][*] [URL="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4"]Configure Cisco Secure ACS as the external RADIUS server and create a user database for authenticating clients.[/URL][/LIST]
[B] Network Diagram [/B]
In this setup, a Cisco 4400 WLC and a Lightweight AP are connected through a hub. An external RADIUS server (Cisco Secure ACS) is also connected to the same hub. All the devices are in the same subnet. The AP is initially registered to the controller. You must configure the WLC and AP for Lightweight Extensible Authentication Protocol (LEAP) authentication. The clients that connect to the AP use LEAP authentication in order to associate with the AP. Cisco Secure ACS is used in order to perform RADIUS authentication.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-01.gif[/IMG]
[B] Configure the WLC for Basic Operation and Register the Lightweight APs to the Controller [/B]
Use the startup configuration wizard on the command-line interface (CLI) in order to configure the WLC for basic operation. Alternatively, you can also use the GUI in order to configure the WLC. This document explains the configuration on the WLC with the startup configuration wizard on the CLI.
After the WLC boots for the first time, it enters the startup configuration wizard directly. Use the configuration wizard in order to configure basic settings. You can run the wizard on the CLI or the GUI. This output shows an example of the startup configuration wizard on the CLI:[INDENT] Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_33:84:a0]: [B]WLC-1[/B]
Enter Administrative User Name (24 characters max): [B]admin[/B]
Enter Administrative Password (24 characters max): *****
Management Interface IP Address: [B]10.77.244.204[/B]
Management Interface Netmask: [B]255.255.255.224[/B]
Management Interface Default Router: [B]10.77.244.220[/B]
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 4]: [B]1[/B]
Management Interface DHCP Server IP Address: [B]10.77.244.220[/B]
AP Manager Interface IP Address: [B]10.77.244.205[/B]
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.77.244.220):
Virtual Gateway IP Address: [B]1.1.1.1[/B]
Mobility/RF Group Name:[B] Test[/B]
Network Name (SSID): [B]Cisco123[/B]
Allow Static IP Addresses [YES][no]: [B]yes[/B]
Configure a RADIUS Server now? [YES][no]: [B]no[/B]
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code (enter 'help' for a list of countries) [US]:
Enable 802.11b Network [YES][no]: [B]yes[/B]
Enable 802.11a Network [YES][no]: [B]yes[/B]
Enable 802.11g Network [YES][no]: [B]yes[/B]
Enable Auto-RF [YES][no]: [B]yes[/B]
Configuration saved!
Resetting system with new configuration..[/INDENT]These parameters set up the WLC for basic operation. In this configuration example, the WLC uses [B]10.77.244.204[/B] as the management interface IP address and [B]10.77.244.205[/B] as the AP-manager interface IP address.
Before any other features can be configured on the WLCs, the Lightweight APs have to register with the WLC. This document assumes that the Lightweight AP is registered to the WLC. Refer to the [URL="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml"]Lightweight AP (LAP) Registration to a Wireless LAN Controller (WLC) [/URL] for more information on how the Lightweight APs register with the WLC.
[B] Configure the WLC for RADIUS Authentication through an External RADIUS Server [/B]
The WLC needs to be configured in order to forward the user credentials to an external RADIUS server. The external RADIUS server then validates the user credentials and provides access to the wireless clients.
Complete these steps in order to configure the WLC for an external RADIUS server:
[LIST=1][*] Choose [B] Security[/B] and [B]RADIUS Authentication[/B] from the controller GUI to display the RADIUS Authentication Servers page. Then click [B]New[/B] in order to define a RADIUS server.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-02.gif[/IMG][*] Define the RADIUS server parameters in the RADIUS Authentication Servers > New page. These parameters include the RADIUS Server IP Address, Shared Secret, Port Number, and Server Status.
The Network User and Management check boxes determine whether the RADIUS-based authentication applies to WLC management users and to network users. This example uses the Cisco Secure ACS as the RADIUS server with IP address 10.77.244.196.[*] The RADIUS server can now be used by the WLC for authentication. The RADIUS server is listed when you choose [B]Security > Radius > Authentication[/B].
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-03.gif[/IMG]
RFC 3576 is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not on Cisco Secure ACS Server version 4.0 and earlier.
You can also use the local RADIUS server feature in order to authenticate users. Local RADIUS server was introduced with version 4.1.171.0 code. WLCs that run previous versions do not have the local radius feature. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST with PACs, EAP-FAST with certificates, and EAP-TLS authentication between the controller and wireless clients.
Local EAP is designed as a backup authentication system. If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients with the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured.
Refer to [URL="http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml"]Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example[/URL] for more information on how to configure Local EAP on Wireless LAN controllers.[/LIST]
[B] Configure WLAN Parameters [/B]
Next, configure the WLAN which the clients use to connect to the wireless network. When you configured the basic parameters for the WLC, you also configured the SSID for the WLAN. You can use this SSID for the WLAN or create a new SSID. In this example, you create a new SSID.
[B]Note: [/B]You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
Complete these steps to configure a new WLAN and its related parameters:
[LIST=1][*] Click [B]WLANs[/B] from the GUI of the controller in order to display the WLANs page.
This page lists the WLANs that exist on the controller.[*] Choose [B]New[/B] in order to create a new WLAN. Enter the Profile name and the WLAN SSID for the WLAN and click [B]Apply[/B]. This example uses Cisco as the SSID.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-04.gif[/IMG][*] Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. On this page you can define various parameters specific to this WLAN, which include General Policies, Security Policies, QoS policies and other Advanced parameters.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-05.gif[/IMG]
Choose the appropriate Interface from the drop-down menu. The other parameters can be modified based on the requirement of the WLAN network.
Check the [B]Status[/B] box under General Policies in order to enable the WLAN.[*] Click the [B]Security[/B] tab and choose [B]Layer 2 Security[/B]. From the Layer 2 Security drop-down menu, choose [B]802.1x[/B]. In the 802.1x parameters, choose the WEP key size. This example uses a 128-bit WEP key, which is the 104-bit WEP key plus the 24-bit Initialization Vector.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-06.gif[/IMG][*] Choose the [B]AAA Servers[/B] tab. From the Authentication Servers (RADIUS) drop-down menu, choose the appropriate RADIUS server. This server is used to authenticate the wireless clients.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-07.gif[/IMG][*] Click [B]Apply[/B] in order to save the configuration.[/LIST]
[B] Configure Cisco Secure ACS as the External RADIUS Server and Create a User Database for Authentication Clients [/B]
Complete these steps to create the user database and enable EAP authentication on the Cisco Secure ACS:
[LIST=1][*] Choose [B]User Setup[/B] from the ACS GUI, enter the username, and click [B]Add/Edit[/B]. In this example the user is [B]ABC.[/B]
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-08.gif[/IMG][*] When the User Setup page appears, define all the parameters specific to the user. In this example only the username, password and Supplementary User Information are configured, because these are the only parameters needed for EAP authentication.
Click [B]Submit[/B] and repeat the same process in order to add more users to the database. By default all users are grouped under the default group and are assigned the same policy as defined for the group. Refer to the [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a5c.html"]User Group Management[/URL] section of [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_book09186a0080205707.html"]User Guide for Cisco Secure ACS for Windows Server 3.2[/URL] for more information if you want to assign specific users to different groups.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-09.gif[/IMG][*] Define the controller as an AAA client on the ACS server. Click [B]Network Configuration[/B] from the ACS GUI.
When the Network Configuration page appears, define the name of the WLC, IP address, shared secret and authentication method (RADIUS Cisco Airespace). Refer to the documentation from the manufacturer for other non-ACS authentication servers.
[B]Note: [/B]The shared secret key that you configure on the WLC and the ACS server must match. The shared secret is case sensitive.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-10.gif[/IMG][*] Click [B]System Configuration[/B] and [B]Global Authentication Setup[/B] in order to ensure that the authentication server is configured to perform the desired EAP authentication method. Under the EAP configuration settings, choose the appropriate EAP method. This example uses LEAP authentication. Click [B]Submit[/B] when you are done.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-11.gif[/IMG][/LIST]
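The shared-secret requirement in step 3 is enforced on every Access-Request by the RADIUS Message-Authenticator (attribute 80, which appears as AAA_ATT_MESS_AUTH in the debug output later in this document). This Python script is an added example, not Cisco code: it builds an Access-Request like the one the WLC sends for the EAP Identity response of user ABC and shows that a wrong-case secret or an altered packet fails verification on the server side; the secret "Cisco123" and the 16-byte request authenticator are constructed values.

```python
"""Check the Message-Authenticator on a RADIUS Access-Request (RFC 3579, section 3.2).

Added example, not Cisco code. Constructed values: shared secret "Cisco123",
the request authenticator, and the attribute set of the sample request.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def attr(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, authenticator, attrs):
    """Assemble an Access-Request whose Message-Authenticator is HMAC-MD5 over
    Code, Identifier, Length, Request Authenticator and all attributes, with the
    Message-Authenticator value itself zeroed while the HMAC is computed."""
    body = b"".join(attr(t, v) for t, v in attrs)
    placeholder = attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """True only if attribute 80 is present and was computed with `secret`.
    A wrong or wrong-case shared secret on the WLC fails this check on the server."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    attrs_bytes = bytearray(packet[20:])
    received = None
    off = 0
    while off + 2 <= len(attrs_bytes):
        t, l = attrs_bytes[off], attrs_bytes[off + 1]
        if l < 2 or off + l > len(attrs_bytes):
            return False                                 # malformed attribute list
        if t == MESSAGE_AUTHENTICATOR and l == 18 and received is None:
            received = bytes(attrs_bytes[off + 2:off + 18])
            attrs_bytes[off + 2:off + 18] = bytes(16)    # zero it for the HMAC
        off += l
    if received is None:
        return False                                     # EAP over RADIUS requires it
    expected = hmac.new(secret, packet[:20] + bytes(attrs_bytes), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


# Constructed sample: User-Name "ABC", the WLC management IP 10.77.244.204 as
# NAS-IP-Address, and the EAP Identity response bytes from the debug output.
SHARED_SECRET = b"Cisco123"                # constructed; must match on WLC and ACS
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; a real NAS uses 16 random octets
SAMPLE_ATTRS = [
    (USER_NAME, b"ABC"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.77.244.204").packed),
    (EAP_MESSAGE, bytes.fromhex("02 02 00 08 01 41 42 43")),
]
SAMPLE_REQUEST = build_access_request(SHARED_SECRET, 2, REQUEST_AUTHENTICATOR, SAMPLE_ATTRS)


def demo():
    """Verification results for the right secret, a wrong-case secret,
    and a packet whose EAP-Message was altered in transit."""
    tampered = bytearray(SAMPLE_REQUEST)
    tampered[len(tampered) - 18 - 1] ^= 0x01   # flip a bit in the last EAP-Message octet
    return {
        "correct_secret": verify_message_authenticator(SAMPLE_REQUEST, SHARED_SECRET),
        "wrong_case_secret": verify_message_authenticator(SAMPLE_REQUEST, b"cisco123"),
        "tampered_packet": verify_message_authenticator(bytes(tampered), SHARED_SECRET),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```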
[B] Configure the Client [/B]
The client must also be configured for the appropriate EAP type. The client proposes the EAP type to the server during the EAP negotiation process. If the server supports that EAP type, it acknowledges the EAP type. If the EAP type is not supported, it sends a negative acknowledgement and the client negotiates again with a different EAP method. This process continues until a supported EAP type is negotiated. This example uses LEAP as the EAP type.
Complete these steps in order to configure LEAP on the client with the Aironet Desktop Utility:
[LIST=1][*] Double-click on the [B]Aironet Utility[/B] icon in order to open it.[*] Click the [B]Profile Management[/B] tab.[*] Click on a profile and choose [B]Modify[/B].[*] Under the General tab, choose a [I]Profile Name[/I]. Enter the [B]SSID[/B] of the WLAN.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-12.gif[/IMG]
[B]Note: [/B]SSID is case sensitive and it needs to exactly match with the SSID configured on the WLC.[*] Under the [B]Security[/B] tab, choose [I]802.1x[/I]. Choose the EAP type as [B]LEAP[/B] and click [B]Configure[/B].
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-13.gif[/IMG][*] Choose [B]Use Temporary Username and Password[/B], which prompts you to enter the user credentials each time the computer reboots.
Check one of the three options given here. This example uses [B]Automatically Prompt for Username and Password[/B], which requires you to enter the [I]LEAP[/I] user credentials in addition to the [I]Windows Username and Password[/I] before you log in to Windows.
Check the [B]Always Resume the Secure Session[/B] check box at the top of the window if you want the LEAP supplicant to always attempt to resume the previous session without the need to prompt you to re-enter your credentials whenever the client adapter roams and reassociates to the network.
[B]Note: [/B]Refer to the [URL="http://www.cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/2.5/configuration/guide/winch5kh.html"]Configuring the Client Adapter [/URL] section of the document [URL="http://www.cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/2.5/configuration/guide/icg04.html"]Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide[/URL] for more information on other options.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-14.gif[/IMG][*] Under the [B]Advanced[/B] tab, you can configure the Preamble, Aironet extension and other 802.11 options such as Power, Frequency and so forth.[*] Click [B]Ok[/B]. The client now tries to associate with the configured parameters.[/LIST]
[B] Verify [/B]
Use this section to confirm that your configuration works properly.
Try to associate a wireless client with the Lightweight AP using LEAP authentication in order to verify if the configuration works as expected.
[B]Note: [/B]This document assumes that the client profile is configured for LEAP authentication. Refer to [URL="http://cisco.com/en/US/docs/wireless/wlan_adapter/cb21ag/user/4.0/configuration/guide/winch6kh.html"]Using EAP Authentication[/URL] for more information on how to configure the 802.11 a/b/g Wireless Client Adapter for LEAP authentication.
Once the profile for the wireless client is activated, the user is asked to provide the username/password for LEAP authentication. Here is an example:
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-15.gif[/IMG]
The Lightweight AP and then the WLC pass the user credentials on to the external RADIUS server (Cisco Secure ACS) in order to validate them. The RADIUS server compares the credentials with its user database and grants access to the wireless client when they are valid. The Passed Authentication report on the ACS server shows that the client has passed the RADIUS authentication. Here is an example:
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-16.gif[/IMG]
Upon successful RADIUS authentication the wireless client associates with the Lightweight AP.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-17.gif[/IMG]
This can also be checked under the [B]Monitor[/B] tab of WLC GUI. Choose [B]Monitor > Clients[/B] and check for the MAC address of the client.
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-18.gif[/IMG]
[B] Troubleshoot [/B]
Complete these steps to troubleshoot the configurations:
[LIST=1][*] Use the [B]debug lwapp events enable[/B] command in order to check if the AP registers with the WLC.[*] Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP-Address, date and time in order to verify that the WLC was able to reach the RADIUS server.
Check the Passed Authentications and Failed Attempts reports on the ACS server in order to accomplish this. These reports are available under Reports and Activities on the ACS server. Here is an example when the RADIUS server authentication fails:
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-19.gif[/IMG]
[B]Note: [/B]Refer to [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#intro"]Obtaining Version and AAA Debug Information for Cisco Secure ACS for Windows[/URL] for information on how to troubleshoot and obtain debug information on Cisco Secure ACS.[*] You can also use these [B]debug[/B] commands in order to troubleshoot AAA authentication:
[LIST][*] [B]debug aaa all enable[/B]—Configures the debug of all AAA messages.[*] [B]debug dot1x packet enable[/B]—Enables the debug of all dot1x packets.[/LIST]
Here is a sample output from the [B]debug dot1x aaa enable[/B] command. [INDENT] (Cisco Controller) >[B]debug dot1x aaa enable[/B]
*Sep 23 15:15:43.792: 00:40:96:ac:dd:05 Adding AAA_ATT_USER_NAME(1) index=0
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT(5) index=3
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=4
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IDENTIFIER(32) index=5
*Sep 23 15:15:43.793: 00:40:96:ac:dd:05 Adding AAA_ATT_VAP_ID(1) index=6
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Adding AAA_ATT_SERVICE_TYPE(6) index=7
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Adding AAA_ATT_FRAMED_MTU(12) index=8
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT_TYPE(61) index=9
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Adding AAA_ATT_EAP_MESSAGE(79) index=10
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Adding AAA_ATT_MESS_AUTH(80) index=11
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 AAA EAP Packet created request = 0x1533a288.. !!!!
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 Sending EAP Attribute (code=2, length=8, id=2) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.794: 00000000: 02 02 00 08 01 41 42 43 .....ABC
*Sep 23 15:15:43.794: 00:40:96:ac:dd:05 [BE-req] [B]Sending auth request to 'RADIUS' (proto 0x140001)[/B]
*Sep 23 15:15:43.799: 00:40:96:ac:dd:05 [BE-resp] AAA response 'Interim Response'
*Sep 23 15:15:43.799: 00:40:96:ac:dd:05 [BE-resp] Returning AAA response
*Sep 23 15:15:43.799: 00:40:96:ac:dd:05 AAA Message 'Interim Response' received for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.799: 00:40:96:ac:dd:05 Received EAP Attribute (code=1, length=19,id=3, dot1xcb->id = 2) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.799: 00000000: 01 03 00 13 11 01 00 08 42 3a 8e d1 18 24 e8 9f ........B:...$..
*Sep 23 15:15:43.799: 00000010: 41 42 43 ABC
*Sep 23 15:15:43.799: 00:40:96:ac:dd:05 Skipping AVP (0/80) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_USER_NAME(1) index=0
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT(5) index=3
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=4
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IDENTIFIER(32) index=5
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_VAP_ID(1) index=6
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_SERVICE_TYPE(6) index=7
*Sep 23 15:15:43.901: 00:40:96:ac:dd:05 Adding AAA_ATT_FRAMED_MTU(12) index=8
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT_TYPE(61) index=9
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 Adding AAA_ATT_EAP_MESSAGE(79) index=10
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 Adding AAA_ATT_RAD_STATE(24) index=11
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 Adding AAA_ATT_MESS_AUTH(80) index=12
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 AAA EAP Packet created request = 0x1533a288.. !!!!
*Sep 23 15:15:43.902: 00:40:96:ac:dd:05 Sending EAP Attribute (code=2, length=35, id=3) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.902: 00000000: 02 03 00 23 11 01 00 18 83 f1 5b 32 cf 65 04 ed ...#......[2.e..
*Sep 23 15:15:43.902: 00000010: da c8 4f 95 b4 2e 35 ac c0 6b bd fa 57 50 f3 13 ..O...5..k..WP..
*Sep 23 15:15:43.904: 00000020: 41 42 43 ABC
*Sep 23 15:15:43.904: 00:40:96:ac:dd:05 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Sep 23 15:15:43.907: 00:40:96:ac:dd:05 [BE-resp] AAA response 'Interim Response'
*Sep 23 15:15:43.907: 00:40:96:ac:dd:05 [BE-resp] Returning AAA response
*Sep 23 15:15:43.907: 00:40:96:ac:dd:05 [B]AAA Message 'Interim Response' received for mobile 00:40:96:ac:dd:05[/B]
*Sep 23 15:15:43.907: 00:40:96:ac:dd:05 Received EAP Attribute (code=3, length=4,id=3, dot1xcb->id = 3) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.907: 00000000: 03 03 00 04 ....
*Sep 23 15:15:43.907: 00:40:96:ac:dd:05 Skipping AVP (0/80) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_USER_NAME(1) index=0
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT(5) index=3
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=4
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_IDENTIFIER(32) index=5
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_VAP_ID(1) index=6
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_SERVICE_TYPE(6) index=7
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_FRAMED_MTU(12) index=8
*Sep 23 15:15:43.912: 00:40:96:ac:dd:05 Adding AAA_ATT_NAS_PORT_TYPE(61) index=9
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 Adding AAA_ATT_EAP_MESSAGE(79) index=10
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 Adding AAA_ATT_RAD_STATE(24) index=11
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 Adding AAA_ATT_MESS_AUTH(80) index=12
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 AAA EAP Packet created request = 0x1533a288.. !!!!
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 Sending EAP Attribute (code=1, length=19, id=3) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.915: 00000000: 01 03 00 13 11 01 00 08 29 23 be 84 e1 6c d6 ae ........)#...l..
*Sep 23 15:15:43.915: 00000010: 41 42 43 ABC
*Sep 23 15:15:43.915: 00:40:96:ac:dd:05 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 [BE-resp] [B]AAA response 'Success'[/B]
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 [BE-resp] [B]Returning AAA response[/B]
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 [B]AAA Message 'Success' received for mobile 00:40:96:ac:dd:05[/B]
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 processing avps[0]: attribute 8, vendorId 0, valueLen 4
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 processing avps[1]: attribute 79, vendorId 0, valueLen 35
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 Received EAP Attribute (code=2, length=35,id=3) for mobile 00:40:96:ac:dd:05
*Sep 23 15:15:43.918: 00000000: 02 03 00 23 11 01 00 18 03 66 2c 6a b3 a6 c3 4c ...#.....f,j...L
*Sep 23 15:15:43.918: 00000010: 98 ac 69 f0 1b e8 8f a2 29 eb 56 d6 92 ce 60 a6 ..i.....).V...`.
*Sep 23 15:15:43.918: 00000020: 41 42 43 ABC
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 processing avps[2]: attribute 1, vendorId 9, valueLen 16
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 processing avps[3]: attribute 25, vendorId 0, valueLen 21
*Sep 23 15:15:43.918: 00:40:96:ac:dd:05 processing avps[4]: attribute 80, vendorId 0, valueLen 16[/INDENT][*] Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click [B]Monitor[/B] in order to check the logs from the WLC GUI. From the left-hand side menu, click [B]Statistics[/B] and click [B]Radius server[/B] from the list of options.
This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
[IMG]http://www.cisco.com/image/gif/paws/69730/eap-auth-wlc-20.gif[/IMG]
Use the [B]show wlan summary[/B] command in order to identify which of your WLANs employ RADIUS server authentication. Then use the [B]show client summary[/B] command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with the passed attempts or failed attempts logs on your Cisco Secure ACS.[/LIST]
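To read the hex dumps in the debug dot1x aaa enable output above without decoding them by hand, this Python decoder (an added example, not Cisco code) parses the EAP packets from those dump rows and labels each one as the Identity response, a LEAP challenge (8 bytes), a LEAP response (24 bytes) or EAP-Success, including the client-to-network challenge that makes LEAP mutual. The dump rows in the sample are copied from this document.

```python
"""Decode the EAP packets embedded in WLC 'debug dot1x aaa enable' output.

Added example, not Cisco code. The dump rows below are copied from this
document's debug output; the decoder follows RFC 3748 (EAP header, Identity)
and the LEAP packet layout (type 17: version, reserved, count, data, name).
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 17: "LEAP"}

# One WLC dump row: "<8-digit offset>: <up to 16 hex pairs> <ascii column>".
HEX_ROW = re.compile(r"\b[0-9a-fA-F]{8}: ((?:[0-9a-fA-F]{2} ){1,16})")


def hexdump_to_bytes(lines):
    """Join the hex columns of consecutive dump rows into one packet."""
    buf = bytearray()
    for line in lines:
        m = HEX_ROW.search(line)
        if m:
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(buf)


def decode_eap(pkt):
    """Parse one EAP packet and return a dict describing it."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length {length} inconsistent with {len(pkt)} dumped bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                     # Success / Failure carry no type field
        return info
    if length < 5:
        raise ValueError("Request/Response without a type field")
    eap_type = pkt[4]
    body = pkt[5:length]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                      # Identity: the body is the user name
        info["identity"] = body.decode("ascii", "replace")
    elif eap_type == 17:                   # LEAP: version, reserved, count, data, name
        if len(body) < 3 or len(body) < 3 + body[2]:
            raise ValueError("truncated LEAP body")
        count = body[2]
        info["leap_version"] = body[0]
        info["leap_data"] = body[3:3 + count].hex()
        info["leap_name"] = body[3 + count:].decode("ascii", "replace")
        # An 8-byte field is a challenge; a 24-byte field is the response to it.
        info["leap_stage"] = {8: "challenge", 24: "response"}.get(count, "unknown")
    return info


def describe(info):
    """One-line summary of a decoded packet, for reading a debug trace."""
    s = f"EAP {info['code']} id={info['id']} len={info['length']}"
    if "type" in info:
        s += f" type={info['type']}"
    if "identity" in info:
        s += f" identity={info['identity']!r}"
    if "leap_stage" in info:
        s += f" leap_{info['leap_stage']}={info['leap_data']} name={info['leap_name']!r}"
    return s


def decode_exchange(dumps):
    """Decode a list of dump-row groups, one group per EAP packet."""
    return [decode_eap(hexdump_to_bytes(rows)) for rows in dumps]


# Dump rows copied from the debug output in this document, in trace order.
DEBUG_DUMPS = [
    # Client Identity response (EAP id 2) forwarded to RADIUS
    ["*Sep 23 15:15:43.794: 00000000: 02 02 00 08 01 41 42 43 .....ABC"],
    # Server LEAP challenge (8 bytes), relayed to the client
    ["*Sep 23 15:15:43.799: 00000000: 01 03 00 13 11 01 00 08 42 3a 8e d1 18 24 e8 9f ........B:...$..",
     "*Sep 23 15:15:43.799: 00000010: 41 42 43 ABC"],
    # Client LEAP response (24 bytes) forwarded to RADIUS
    ["*Sep 23 15:15:43.902: 00000000: 02 03 00 23 11 01 00 18 83 f1 5b 32 cf 65 04 ed ...#......[2.e..",
     "*Sep 23 15:15:43.902: 00000010: da c8 4f 95 b4 2e 35 ac c0 6b bd fa 57 50 f3 13 ..O...5..k..WP..",
     "*Sep 23 15:15:43.904: 00000020: 41 42 43 ABC"],
    # EAP-Success: the server accepted the client's response
    ["*Sep 23 15:15:43.907: 00000000: 03 03 00 04 ...."],
    # Mutual authentication: the client's own 8-byte challenge to the network
    ["*Sep 23 15:15:43.915: 00000000: 01 03 00 13 11 01 00 08 29 23 be 84 e1 6c d6 ae ........)#...l..",
     "*Sep 23 15:15:43.915: 00000010: 41 42 43 ABC"],
    # The server's 24-byte response, delivered inside the 'Success' AAA message
    ["*Sep 23 15:15:43.918: 00000000: 02 03 00 23 11 01 00 18 03 66 2c 6a b3 a6 c3 4c ...#.....f,j...L",
     "*Sep 23 15:15:43.918: 00000010: 98 ac 69 f0 1b e8 8f a2 29 eb 56 d6 92 ce 60 a6 ..i.....).V...`.",
     "*Sep 23 15:15:43.918: 00000020: 41 42 43 ABC"],
]

if __name__ == "__main__":
    for info in decode_exchange(DEBUG_DUMPS):
        print(describe(info))
```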
[B] Troubleshooting Tips [/B]
[LIST][*] Verify on the controller that the RADIUS server is in the active state, not standby or disabled.[*] Use the [B]ping[/B] command in order to check if the RADIUS server is reachable from the WLC.[*] Check if the RADIUS server is selected from the drop-down menu of the WLAN (SSID).[*] If you use WPA, then you have to install the latest Microsoft WPA hotfix for Windows XP SP2. Also, you should upgrade the driver for your client supplicant to the latest version.[*] [B] DOT1X-1-MAX_EAPOL_KEY_RETRANS_FOR_MOBILE: MAX EAPOL-Key M1 retransmissions reached for mobile xx:xx:xx:xx:xx [/B]
This error message indicates that the client does not respond in time to the controller during the WPA (802.1x) key negotiation. The controller sets a timer for a response during key negotiation. Typically, when you see this message, it is due to an issue with the supplicant. Ensure that you run the latest versions of client drivers and firmware. You can extend the EAP timers on the controller so that it waits longer for the client 802.1x information if you use these commands on the WLC CLI: [INDENT] [B]config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config [/B][/INDENT][*] If you do PEAP, for example with certificates on XP SP2 where the cards are managed by the Microsoft Wireless Zero Configuration utility, you need to get the KB885453 patch from Microsoft.
If you use the Windows Zero Config client supplicant, disable [B]Enable Fast Reconnect[/B]. You can do this if you choose [B]Wireless Network Connection Properties > Wireless Networks > Preferred networks[/B]. Then choose [B]SSID > Properties > Open > WEP > Authentication > EAP type > PEAP > Properties > Enable Fast Reconnect [/B]. You can then find the option to enable or disable it at the end of the window.[*] If you have Intel 2200 or 2915 cards, refer to the statements on the Intel website about the known issues with their cards:
[LIST][*] [URL="http://support.intel.com/support/wireless/wlan/pro2200bg/index.htm"]Intel® PRO/Wireless 2200BG Network Connection[/URL][*] [URL="http://support.intel.com/support/wireless/wlan/pro2915abg/index.htm"]Intel® PRO/Wireless 2915ABG Network Connection[/URL][/LIST]
Download the most current Intel drivers in order to avoid any issues. You can download Intel drivers at [URL]http://downloadcenter.intel.com/[/URL][*] If the aggressive failover feature is enabled on the WLC, the WLC is quick to mark the AAA server as not responding. This is often wrong: with silent discard, the AAA server might be unresponsive only to that particular client while it still responds to other valid clients with valid certificates, yet the WLC still marks the AAA server as not responding and not functional.
In order to overcome this, disable the aggressive failover feature. Issue the [B]config radius aggressive-failover disable[/B] command on the controller in order to do this. When it is disabled, the controller fails over to the next AAA server only if three consecutive clients fail to receive a response from the RADIUS server.[/LIST]
[B] Extracting the Package File from ACS RADIUS Server for Troubleshooting [/B]
If you use ACS as the external RADIUS server, this section can help you troubleshoot your configuration. The package.cab is a Zip file that contains all the files needed in order to troubleshoot ACS efficiently. You can use the CSSupport.exe utility to create the package.cab, or you can collect the files manually.
Refer to the [URL="http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#create"]Creating a package.cab File[/URL] section of [I]Obtaining Version and AAA Debug Information for Cisco Secure ACS for Windows[/I] for more information on how to create and extract the package file from ACS.
[/LEFT]