
Author Topic: WiNG5.3 RFS6000 & CISCO ACS Radius Server  (Read 7479 times)


Offline Kevin

  • Rookie
  • **
  • Posts: 7
WiNG5.3 RFS6000 & CISCO ACS Radius Server
« on: July 05, 2013, 01:23:22 AM »
Hi All,

Hope someone could shed some light on this:

We have WiNG 5.3 RFS6000, with AP 6500 configured with AAA policy pointing to the CISCO ACS Radius. On the CISCO ACS Radius server it is configured to point to our AD for group control.
Radius server using - EAP protocol - PEAP

From the WiNG5.3 controller, during live debug I am seeing the message "no response from the radius server".

Ping replies from the radius server:

PING 20.20.20.10 (20.20.20.10)100 data bytes
108 bytes from 20.20.20.10: seq=0 ttl=59 time=17.472 ms
108 bytes from 20.20.20.10: seq=1 ttl=59 time=19.447 ms



[ap650-72CB20] 05:14:38.240: radius:access-req sent to wireless controller to be proxied to 20.20.20.10:1812. (attempt 1) for 00-1C-BF-35-57-A9 (radius.c:1229)
[ap650-72CB20] 05:14:41.242: radius:access-req sent to wireless controller to be proxied to 20.20.20.10:1812. (attempt 2) for 00-1C-BF-35-57-A9 (radius.c:1229)
[ap650-72CB20] 05:14:44.244: radius:access-req sent to wireless controller to be proxied to 20.20.20.10:1812. (attempt 3) for 00-1C-BF-35-57-A9 (radius.c:1229)
[ap650-72CB20] %%%%>05:14:47.244: radius:no response from radius server ssid:1 for wireless client 00-1C-BF-35-57-A9 (eap.c:300)



Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #1 on: July 05, 2013, 02:10:02 AM »
Firstly, you need to make sure that you have already added the IP address of the WLC to the Cisco ACS server.

Offline Kevin

  • Rookie
  • **
  • Posts: 7
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #2 on: July 05, 2013, 02:15:53 AM »
Thanks. I've already added the wireless controller in the ACS server with the same secret password. Any other suggestions?

Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #3 on: July 05, 2013, 02:43:15 AM »
I reckon that you were choosing the proxy mode, please try "none"

Offline Kevin

  • Rookie
  • **
  • Posts: 7
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #4 on: July 07, 2013, 08:17:28 PM »
hchen01,

I've changed to none on the RF controller and it is still giving no response to the radius server
00:14:18.729: radius:no response from radius server ssid:1 for wireless client 00-1C-BF-35-57-A9 (eap.c:300)

This problem occurs on remote sites. WING 5.3 works fine on the site where the Radius server is on the same site. WING 4.x works fine on the remote sites but WING 5.x does not.

Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #5 on: July 07, 2013, 08:23:18 PM »
If you were using Local mode (configuration-->wireless-->wireless LANs-->WLAN-->Basic configuration-->bridging mode), you need to add the IP addresses of the AP650s to the ACS server.


Offline Kevin

  • Rookie
  • **
  • Posts: 7
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #6 on: July 07, 2013, 08:39:19 PM »
My bridge mode is tunnel; also, our AP650 doesn't have an IP address.


  AP-NAME       AP-LOCATION  RF-DOMAIN  AP-MAC             #RADIOS  MODE  #CLIENT  IP
  ap650-72CBB4  sitename     default    B4-C7-99-72-CB-B4  2        W-W   0        0.0.0.0

Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #7 on: July 07, 2013, 09:08:15 PM »
Hi Kevin,

As you mentioned, my understanding:
The wireless client can pass the authentication when it is connected to the local AP650 which was adopted by the RFS6000 without an IP address (adoption: Level 1),

and the wireless client can't pass the authentication when it is connected to the AP650 at the remote site which was adopted by the same RFS6000 without an IP address (adoption: Level 1),

and there was no issue when you were using firmware WiNG 4 on the WLC.

Is that correct?

If it is correct, the only difference between AP650 at local site and the AP650 at remote site is the physical link type between the AP and the RFS6000, please check the MTU setting on the RFS6000.

If it is not correct, please give us some extra information.

Offline Kevin

  • Rookie
  • **
  • Posts: 7
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #8 on: July 07, 2013, 09:58:09 PM »
Hi hchen01,

Your assumption is correct, except that WING 4.x works fine - it can authenticate to our Radius server at remote sites, but WING 5.x cannot. WING 5.x and WING 4.x work fine at the head office site, where both the Radius server and the RFS 6000 are sitting on the same site. Could it be a routing or firewall issue? But I can ping from the remote site to the radius server. I tried to telnet to the radius server from both sites (head office and remote) on port 1812 and it is not open. Is there some utility to test the connections between RFS and the radius server?

Interfaces on the RFS 6000 controller:
Interface me1 is UP
  Hardware-type: ethernet, Mode: Layer 3, Address: 5C-0E-8B-1A-CC-B8
  Index: 2, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 100M, Maximum 100M
  Duplex: Admin Auto, Operational Full
  Active-medium: Copper
  Switchport settings: access, access-vlan: n/a
  IP-Address: xx.xx.xx.xx/25
    input packets 2657661, bytes 239872332, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 134956, bytes 144588860, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0

Interface vlan1 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: 5C-0E-8B-1A-CC-AF
  Index: 4, Metric: 1, MTU: 1500
  IP-Address: unassigned(DHCP)
    input packets 0, bytes 0, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 95302, bytes 31259056, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0

Interface ge1 is UP
  Hardware-type: ethernet, Mode: Layer 2, Address: 5C-0E-8B-1A-CC-B0
  Index: 2001, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 100M, Maximum 1G
  Duplex: Admin Auto, Operational Full
  Active-medium: Copper
  Switchport settings: access, access-vlan: 110
    Input packets 24213432, bytes 6264417646, dropped 0
    Received 18645482 unicasts, 862716 broadcasts, 4705234 multicasts
    Input errors 2, runts 0, giants 0
    CRC 0, frame 0, fragment 2, jabber 0
    Output packets 21907394, bytes 2444455395, dropped 0
    Sent 19320399 unicasts, 47996 broadcasts, 2538999 multicasts
    Output errors 0, collisions 0, late collisions 0
    Excessive collisions 0

Offline Fido

  • Rookie
  • **
  • Posts: 20
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #9 on: July 11, 2013, 01:24:37 AM »
I believe that if your APs are only layer-2 adopted (no IP address) then you MUST select the proxy option.
This is because in WiNG 5, the authentication is done by the APs by default, but this will fail if the AP has no layer-3, so therefore you must use the controller as a proxy.

In WiNG 4, all authentication is done only by the controller. So that could explain why you have problems in v5 but not v4.

I suggest taking a close look at the proxy settings...

Offline Kevin

  • Rookie
  • **
  • Posts: 7
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #10 on: July 11, 2013, 01:36:34 AM »
Thanks Fido, I've already tried proxy mode with none and also through wireless controller. Both give the same result: no response from radius server. Bridging mode is set to tunnel.

Offline Fido

  • Rookie
  • **
  • Posts: 20
Re: WiNG5.3 RFS6000 & CISCO ACS Radius Server
« Reply #11 on: July 11, 2013, 01:48:35 AM »
Since it is affecting your remote sites - have you checked your RADIUS port numbers?

WiNG 4 is a bit older so it may use older ports UDP 1645 and UDP 1646 by default

WiNG 5 is a bit newer so it may use newer ports UDP 1812 and UDP 1813 by default

Check in your WiNG 5 settings which pair is being used now, and change it to the other pair, then test both local and remote sites again.

Even if the controller and AAA server support both types it is possible that a firewall somewhere along the route is blocking the specific ports. In this case it is easier to reconfigure the controller than try to search all firewalls.