Symptoms in the logs:
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
……
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.X:1812 failed to respond to request
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.103:1812 failed to respond to request
RADIUS auth-server 10.200.1.103:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.X:1812 failed to respond to request
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
…… <<<< these trap logs repeat in large numbers;
*Dot1x_NW_MsgTask_2: 18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client 28:b2:bd:b7:01:42 <<<< repeats in large numbers in the message logs;
Look for:
- High Retry: First Request ratio (should be no more than 10%)
- High Reject: Accept ratio
- High Timeout: First Request ratio (should be no more than 5%)
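As an added example (not part of the original note and not a Cisco tool), the following Python script does the two checks above mechanically: it scans WLC trap lines for RADIUS server deactivations, "failed to respond" events and repeated AAA failures per user, then applies the Retry:First Request (10%) and Timeout:First Request (5%) thresholds to RADIUS server counters. The sample trap lines are constructed from the log excerpt above (server and domain masked as in the note) plus one extra user, "other\alice"; the counter values passed to check_radius_ratios are made up, and the note does not say which product's statistics they would come from.

```python
import re
from collections import Counter

# Constructed sample input: the trap lines quoted in this note (server and
# domain masked exactly as in the note) plus one extra user, "other\alice",
# added here so the per-user threshold has something to pass as well as fail.
SAMPLE_TRAPS = """\
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.X:1812 failed to respond to request
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
AAA Authentication Failure for UserName:xxxxxx\\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:other\\alice User Type: WLAN USER
"""

FLAP_RE = re.compile(r"RADIUS server (\S+) (deactivated|activated) on WLAN (\d+)")
NORESP_RE = re.compile(r"RADIUS server (\S+) failed to respond to request")
FAIL_RE = re.compile(r"AAA Authentication Failure for UserName:(\S+) User Type: (.+)$")


def analyze_traps(text, fail_threshold=3):
    """Count RADIUS server deactivations and 'failed to respond' events per
    server, and AAA failures per user.  Users at or above fail_threshold are
    reported as suspects: with Aggressive Failover enabled, one such
    supplicant is enough to make the WLC fail over between servers."""
    deactivations = Counter()
    no_response = Counter()
    failures = Counter()
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            if m.group(2) == "deactivated":
                deactivations[m.group(1)] += 1
            continue
        m = NORESP_RE.search(line)
        if m:
            no_response[m.group(1)] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    suspects = {user: n for user, n in failures.items() if n >= fail_threshold}
    return {
        "deactivations": dict(deactivations),
        "no_response": dict(no_response),
        "failures": dict(failures),
        "suspects": suspects,
    }


def check_radius_ratios(first_requests, retries, timeouts, accepts, rejects,
                        retry_max=0.10, timeout_max=0.05):
    """Apply the 'Look for' thresholds from the note to RADIUS server
    counters: Retry/First-Request must stay at or below 10% and
    Timeout/First-Request at or below 5%.  Reject/Accept has no fixed
    threshold in the note, so it is reported but not judged.  The counter
    values are assumed to come from the RADIUS server's own statistics."""
    if first_requests <= 0:
        raise ValueError("first_requests must be positive")
    retry_ratio = retries / first_requests
    timeout_ratio = timeouts / first_requests
    reject_ratio = rejects / accepts if accepts else float("inf")
    findings = []
    if retry_ratio > retry_max:
        findings.append(f"Retry:First Request {retry_ratio:.1%} exceeds {retry_max:.0%}")
    if timeout_ratio > timeout_max:
        findings.append(f"Timeout:First Request {timeout_ratio:.1%} exceeds {timeout_max:.0%}")
    return {
        "retry_ratio": retry_ratio,
        "timeout_ratio": timeout_ratio,
        "reject_ratio": reject_ratio,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_traps(SAMPLE_TRAPS)
    for server, n in report["deactivations"].items():
        print(f"{server}: deactivated {n} times, "
              f"no response {report['no_response'].get(server, 0)} times")
    for user, n in report["suspects"].items():
        print(f"suspect supplicant {user}: {n} AAA failures")
    # Constructed counter values, not real server statistics.
    for finding in check_radius_ratios(1000, 150, 20, 800, 200)["findings"]:
        print("RADIUS stats:", finding)
```

Run it against a saved WLC trap log by feeding the file contents to analyze_traps; a single user dominating the failures while the server flaps is exactly the pattern that the Aggressive Failover and client-exclusion settings below are meant to address.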
Remediation:
① Make sure client exclusion is configured on the WLC, so a supplicant that keeps failing is excluded instead of being retried indefinitely against the RADIUS servers:
· "Excessive 802.1X Authentication Failures" is selected in the WLC's global Client Exclusion Policies.
· Client exclusion is enabled in the WLAN's advanced settings.
· Client exclusion timeout is set to at least 120 seconds (60 to 300 seconds).
② Set RADIUS retransmission timeouts to at least five seconds.
③ Set Session-Timeout to at least eight hours.
④ Disable Aggressive Failover, so that a single misbehaving supplicant cannot cause the WLC to fail over between the RADIUS servers. With aggressive failover enabled, the WLC marks a RADIUS server unreachable as soon as one client's request times out after the configured retries; with it disabled, the server is only marked unreachable after three consecutive clients fail, which is what stops the activated/deactivated flapping seen in the trap logs above.
Use the CLI command: "config radius aggressive-failover disable"
To see the current state, use: "show radius summary" and look for the line "Aggressive Failover" near the top of the output. There is no GUI option for this setting.
⑤ Configure Fast Secure Roaming for your clients, so that roaming clients reuse cached keys instead of performing a full EAP authentication against RADIUS at every roam:
· Make sure that Microsoft Windows EAP clients use Wi-Fi Protected Access 2 (WPA2)/Advanced Encryption Standard (AES) so they can use Opportunistic Key Caching (OKC).
· If you can segregate Apple iOS clients to their own WLAN, then you can enable 802.11r on that WLAN.
· Enable Cisco Centralized Key Management (CCKM) for any WLAN that supports 792x phones (but do not enable CCKM on any Service Set Identifier (SSID) that supports Microsoft Windows or Android clients, because they tend to have problematic CCKM implementations).
· Enable Sticky Key Caching (SKC) for any EAP WLAN that supports Mac OS X and/or Android clients.
Refer to 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN for more information: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html
Note: Monitor your WLC Pairwise Master Key (PMK) cache usage at peak times with the "show pmk-cache all" command. If you reach your maximum PMK-cache size, or get close to it, then you will probably have to disable SKC.
References:
https://supportforums.cisco.com/discussion/11702421/getting-disconnected-randomly-5508-controller-3300-series-laps
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
https://supportforums.cisco.com/discussion/11827081/radius-server-failed-respond-request