WLC-RADIUS congestion and crash caused by excessive wireless authentication requests: symptoms and resolution

Introduction:

Logging symptoms:

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

……

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.103:1812 failed to respond to request

RADIUS auth-server 10.200.1.103:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

…… <<<< these trap logs repeat in large numbers;

*Dot1x_NW_MsgTask_2:  18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 40, Key type 1, client 28:b2:bd:b7:01:42  <<<< this message log also repeats in large numbers;


Look for:

  • High Retry: First Request ratio (should be no more than 10%)

  • High Reject: Accept ratio

  • High Timeout: First Request ratio (should be no more than 5%)
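The two symptoms above (a RADIUS server being deactivated and reactivated over and over, and one user name failing AAA in a burst) and the three ratio checks can be turned into a small triage script. The following is an added example, not code from the original post or from Cisco: it scans constructed trap lines modelled on the excerpt above (the server address and user name are placeholders) and applies the 10% retry and 5% timeout thresholds to constructed RADIUS counters. The flap and failure limits in find_symptoms are assumed tuning values, not WLC defaults.

```python
"""Triage WLC trap-log lines for RADIUS flapping and AAA failure bursts, and
apply the Retry/Timeout/Reject ratio checks to RADIUS counters.
Added example, not from the original post."""
import re
from collections import Counter

# Constructed sample trap lines modelled on the log excerpt in the post.
# "10.200.1.X" and "EXAMPLE\sap_pm" are placeholders, not real values.
SAMPLE_TRAPS = [
    "RADIUS server 10.200.1.X:1812 deactivated on WLAN 1",
    "RADIUS auth-server 10.200.1.X:1812 unavailable",
    "RADIUS auth-server 10.200.1.X:1812 available",
    "RADIUS server 10.200.1.X:1812 activated on WLAN 1",
    "RADIUS server 10.200.1.X:1812 deactivated on WLAN 1",
    "RADIUS auth-server 10.200.1.X:1812 unavailable",
    "RADIUS server 10.200.1.X:1812 failed to respond to request",
    "RADIUS auth-server 10.200.1.X:1812 available",
    "RADIUS server 10.200.1.X:1812 activated on WLAN 1",
    "RADIUS server 10.200.1.X:1812 deactivated on WLAN 1",
    "RADIUS server 10.200.1.X:1812 failed to respond to request",
] + ["AAA Authentication Failure for UserName:EXAMPLE\\sap_pm User Type: WLAN USER"] * 8

DEACTIVATED_RE = re.compile(r"RADIUS server (\S+) deactivated on WLAN (\d+)")
NO_RESPONSE_RE = re.compile(r"RADIUS server (\S+) failed to respond to request")
AAA_FAIL_RE = re.compile(r"AAA Authentication Failure for UserName:(\S+) User Type: WLAN USER")


def summarize_traps(lines):
    """Count deactivations and no-response events per RADIUS server and AAA failures per user."""
    deactivations, no_response, aaa_failures = Counter(), Counter(), Counter()
    for line in lines:
        if m := DEACTIVATED_RE.search(line):
            deactivations[m.group(1)] += 1
        elif m := NO_RESPONSE_RE.search(line):
            no_response[m.group(1)] += 1
        elif m := AAA_FAIL_RE.search(line):
            aaa_failures[m.group(1)] += 1
    return {"deactivations": deactivations, "no_response": no_response, "aaa_failures": aaa_failures}


def find_symptoms(summary, flap_limit=2, aaa_limit=5):
    """Return findings as strings. flap_limit and aaa_limit are assumed tuning values."""
    findings = []
    for server, n in summary["deactivations"].items():
        if n >= flap_limit:
            findings.append(f"RADIUS server {server} flapped {n} times (deactivated/activated)")
    for server, n in summary["no_response"].items():
        findings.append(f"RADIUS server {server} failed to respond {n} times")
    for user, n in summary["aaa_failures"].items():
        if n >= aaa_limit:
            findings.append(f"user {user} failed AAA {n} times; candidate for client exclusion")
    return findings


def check_radius_ratios(first_requests, retries, timeouts, accepts, rejects):
    """Apply the 'Look for' thresholds: Retry:First Request <= 10%, Timeout:First Request <= 5%.
    The page gives no numeric limit for Reject:Accept, so that ratio is only reported."""
    findings = []
    if first_requests:
        retry_pct = 100.0 * retries / first_requests
        timeout_pct = 100.0 * timeouts / first_requests
        if retry_pct > 10:
            findings.append(f"retry ratio {retry_pct:.1f}% exceeds 10%")
        if timeout_pct > 5:
            findings.append(f"timeout ratio {timeout_pct:.1f}% exceeds 5%")
    if accepts:
        findings.append(f"reject:accept ratio {rejects / accepts:.2f}")
    return findings


if __name__ == "__main__":
    for finding in find_symptoms(summarize_traps(SAMPLE_TRAPS)):
        print(finding)
    # Constructed counters standing in for the controller's RADIUS statistics.
    for finding in check_radius_ratios(first_requests=1000, retries=250, timeouts=80, accepts=600, rejects=300):
        print(finding)
```

Feed it the controller's trap log (one line per entry) and the counters from the RADIUS statistics page; a server that keeps appearing in the flap findings while one user dominates the AAA failures is the pattern this post describes.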

Solution:

·         "Excessive 802.1X Authentication Failures" is selected in the WLC's global Client Exclusion Policies.

·         Client exclusion is enabled in the WLAN's advanced settings.

·         Client exclusion timeout is set to at least 120 seconds (60 to 300 seconds).
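Why the exclusion settings above relieve the RADIUS server can be seen with a small model of the policy. The following is an added example, not WLC code or anything from the original post: it replays a constructed stream of authentication attempts from one supplicant that fails every 2 seconds and one healthy client, once without exclusion and once with a policy that excludes a client after a number of consecutive failures for 120 seconds. The failure count of 3 is an assumed value, not the WLC default; the 120 second timeout follows the guidance above; both MAC addresses are constructed.

```python
"""Model of a client exclusion policy for excessive 802.1X failures, showing how
much authentication traffic it keeps away from the RADIUS server.
Added example, not WLC code."""
from collections import defaultdict


class ExclusionPolicy:
    """Track consecutive failures per client MAC and exclude a client once it
    reaches max_failures. max_failures=3 is an assumed value; timeout=120 s
    follows the post's recommended minimum."""

    def __init__(self, max_failures=3, timeout=120):
        self.max_failures = max_failures
        self.timeout = timeout
        self.failures = defaultdict(int)
        self.excluded_until = {}

    def is_excluded(self, mac, now):
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # Exclusion expired: the client may try again with a clean counter.
            del self.excluded_until[mac]
            self.failures[mac] = 0
            return False
        return True

    def record_failure(self, mac, now):
        self.failures[mac] += 1
        if self.failures[mac] >= self.max_failures:
            self.excluded_until[mac] = now + self.timeout

    def record_success(self, mac):
        self.failures[mac] = 0


def replay(events, policy=None):
    """events: iterable of (timestamp_s, mac, outcome) with outcome 'fail' or 'ok'.
    Returns (requests forwarded to RADIUS, requests dropped by exclusion)."""
    forwarded = dropped = 0
    for ts, mac, outcome in events:
        if policy is not None and policy.is_excluded(mac, ts):
            dropped += 1
            continue
        forwarded += 1
        if policy is not None:
            if outcome == "fail":
                policy.record_failure(mac, ts)
            else:
                policy.record_success(mac)
    return forwarded, dropped


# Constructed traffic: a misbehaving supplicant retrying every 2 s for 10 minutes
# and a healthy client authenticating once a minute. Both MACs are made up.
BAD_MAC = "02:00:00:00:00:01"
GOOD_MAC = "02:00:00:00:00:02"
EVENTS = sorted(
    [(t, BAD_MAC, "fail") for t in range(0, 600, 2)]
    + [(t, GOOD_MAC, "ok") for t in range(0, 600, 60)]
)


def compare(events=EVENTS):
    """Replay the same events without and with the exclusion policy."""
    return {"without": replay(events), "with": replay(events, ExclusionPolicy())}


if __name__ == "__main__":
    result = compare()
    print("without exclusion: forwarded=%d dropped=%d" % result["without"])
    print("with exclusion:    forwarded=%d dropped=%d" % result["with"])
```

Without the policy every one of the 300 bad attempts reaches RADIUS; with it, only 3 attempts per exclusion window get through while the healthy client is never affected, which is why the timeout should be long enough (the post recommends at least 120 seconds) to absorb a supplicant that retries continuously.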


Disable Aggressive Failover, so that a single misbehaving supplicant cannot cause the WLC to fail over between the RADIUS servers.

Use the CLI command: "config radius aggressive-failover disable"

To see the current state, use: show radius summary

and look for the line "Aggressive Failover" near the top of the output. There is no GUI option for this setting.

Configure Fast Secure Roaming for your clients.


·         Make sure that Microsoft Windows EAP clients use Wi-Fi Protected Access 2 (WPA2)/Advanced Encryption Standard (AES) so they can use Opportunistic Key Caching (OKC).

·         If you can segregate Apple iOS clients to their own WLAN, then you can enable 802.11r on that WLAN.

·         Enable Cisco Centralized Key Management (CCKM) for any WLAN that supports 792x phones (but do not enable CCKM on any Service Set Identifier (SSID) that supports Microsoft Windows or Android clients, because they tend to have problematic CCKM implementations).

·         Enable Sticky Key Caching (SKC) for any EAP WLAN that supports the Macintosh Operating System (MAC OS) X and/or Android clients.

Refer to 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN for more information: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

Note:  Monitor your WLC Pairwise Master Key (PMK) cache usage at peak times with the show pmk-cache all command. If you reach your maximum PMK-cache size, or get close to it, then you will probably have to disable SKC.


Reference links:

https://supportforums.cisco.com/discussion/11702421/getting-disconnected-randomly-5508-controller-3300-series-laps

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

https://supportforums.cisco.com/discussion/11827081/radius-server-failed-respond-request 


Reposted from the blog of my friend 鱼排饭.
This article was reposted from Grodd's 51CTO blog; original link: http://blog.51cto.com/juispan/2066738. To repost it, please contact the original author.
