取消
显示结果 
搜索替代 
您的意思是: 
cancel
3233
查看次数
10
有帮助
2
评论
Pengfei Yu
Spotlight
Spotlight

Logging现象:

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

……

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.103:1812 failed to respond to request

RADIUS auth-server 10.200.1.103:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

……<<<<大量重复出现traps logs;

*Dot1x_NW_MsgTask_2:  18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 40, Key type 1, client 28:b2:bd:b7:01:42  <<<<大量重复出现Message Logs;


235934jg85wgk4llpr7nk7.png

Look for:

  • High Retry: First Request ratio (should be no more than 10%)
  • High Reject: Accept ratio
  • High Timeout: First Request ratio (should be no more than 5%)

解决方法:

·      "Excessive 802.1X Authentication Failures" is selected in the WLC's global Client Exclusion Policies.

·         Client exclusion is enabled in the WLAN's advanced settings.

·         Client exclusion timeout is set to at least 120 seconds.60 to 300 seconds

235755hcfr9wzfu77w7bga.png235807s88ufa1iuf58e38l.png

 ②Set RADIUS retransmission timeouts to at least five seconds.

000507pl5xfjfy74hyy5yc.png

Set Session-Timeout to at least eight hours.

000644f11f3c8mr8w2088w.png

 Disable Aggressive Failover, which does not allow a single misbehaving supplicant to cause the WLC to fail between the RADIUS servers.

  Use the CLI command:  “config radius aggressive-failover disable”

To see the current state, use:  show radius summary

and look for the line "Aggressive Failover" near the top of the output. There is no GUI option for this setting.

Configure Fast Secure Roaming for your clients.

·         Make sure that Microsoft Windows EAP clients use Wi-Fi Protected Access 2 (WPA2)/Advanced Encryption Standard (AES) so they can use Opportunistic Key Caching (OKC).

·         If you can segregate Apple iOS clients to their own WLAN, then you can enable 802.11r on that WLAN.

·         Enable Cisco Centralized Key Management (CCKM) for any WLAN that supports 792x phones (but do not enable CCKM on any Service Set Identifier (SSID) that supports Microsoft Windows or Android clients, because they tend to have problematic CCKM implementations).

·         Enable Sticky Key Caching (SKC) for any EAP WLAN that supports the Macintosh Operating System (MAC OS) X and/or Android clients.
Refer to 
802.11 WLAN Roaming and Fast-Secure Roaming on CUWN for more information.                  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

Note:  Monitor your WLC Pairwise Master Key (PMK) cache usage at peak times with the show pmk-cache all command. If you reach your maximum PMK-cache size, or get close to it, then you will probably have to disable SKC.

 

参考链接:

https://supportforums.cisco.com/discussion/11702421/getting-disconnected-randomly-5508-controller-3300-series-laps

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

https://supportforums.cisco.com/discussion/11827081/radius-server-failed-respond-request 


2 评论
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区: