Cisco Bug: CSCvt26556 - FlexConnect AP central RADIUS authentication issues

Last Modified

Jun 11, 2020

Products (1)

  • Cisco Aironet 1850 Series Access Points

Known Affected Releases

8.5(151.0) 8.5(161.0)

Description (partial)

Symptom:
EAP authentication fails because the FlexConnect AP does not forward EAP messages coming from the client. Instead, it looks for a local RADIUS server to perform Local Authentication even though it is configured for Central Authentication.

This interrupts the EAP authentication handshake: the client sends an EAP response that is never forwarded upstream, so it restarts the authentication process, and it stays that way until the client is manually disconnected and reconnected.
A reboot of the AP fixes the issue temporarily.

In the WLC debug you will only see the EAP exchange being restarted over and over until the association process times out.

Access point debugs and traces show the AP transmitting the EAP request down to the client and the client replying with an EAP response. That first EAP response can be seen arriving at the AP's radio, and then the AP tries to communicate with a RADIUS server, as if it were doing Local Authentication, instead of just sending the EAP response upstream to the WLC, which is the expected behavior when doing Central Authentication.
AP logs:
hostapd: apr0v0:RADIUS: No authentication server configured
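
One way to find APs that have entered this state is to search collected AP logs for the hostapd message quoted above and group the hits per AP. This is an added example, not Cisco code: the `<timestamp> <ap-name> <message>` line layout, the AP names and the function name `find_affected_aps` are assumptions.

```python
import re
from collections import defaultdict

# Matches "<timestamp> <ap-name> hostapd: <iface>:RADIUS: No authentication
# server configured". The hostapd message text is the one quoted in the bug;
# the timestamp/AP-name prefix is an assumed log-collector layout.
SIGNATURE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+hostapd: (?P<iface>\w+):\s*"
    r"RADIUS: No authentication server configured\s*$"
)

# Constructed sample input: AP names, timestamps and the "associated" line
# are made up for illustration.
SAMPLE_LOG = """\
2020-05-04T10:15:01Z ap-floor2-01 hostapd: apr0v0:RADIUS: No authentication server configured
2020-05-04T10:15:02Z ap-floor2-02 hostapd: apr1v0: STA aa:bb:cc:00:11:22 IEEE 802.11: associated
2020-05-04T10:15:09Z ap-floor2-01 hostapd: apr0v0:RADIUS: No authentication server configured
2020-05-04T10:16:40Z ap-floor3-07 hostapd: apr1v1:RADIUS: No authentication server configured
hostapd: apr0v0:RADIUS: No authentication server configured
"""

def find_affected_aps(log_text, min_hits=1):
    """Group signature hits per AP so stuck APs can be queued for a reboot."""
    seen = defaultdict(
        lambda: {"hits": 0, "ifaces": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = SIGNATURE.match(line.strip())
        if not m:
            continue  # unrelated line, or no AP name to attribute the hit to
        rec = seen[m.group("ap")]
        rec["hits"] += 1
        rec["ifaces"].add(m.group("iface"))
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    return {
        ap: {**rec, "ifaces": sorted(rec["ifaces"])}
        for ap, rec in seen.items()
        if rec["hits"] >= min_hits
    }

if __name__ == "__main__":
    for ap, rec in find_affected_aps(SAMPLE_LOG).items():
        print(f"{ap}: {rec['hits']} hit(s) on {rec['ifaces']}, "
              f"{rec['first']} .. {rec['last']}")
```

Raising `min_hits` limits the result to APs that logged the message repeatedly, which fits the restart loop described in the symptom.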

Conditions:
Flex AP doing Local switching with Central Authentication.
SSID doing 802.1x with Central Association and Central Authentication. 
The issue is triggered after using the AP normally; the AP does not appear to be losing the WLC or moving between WLCs.

This impacts Wave 2 APs.

AireOS: 8.5.161.0, 8.5.151.0