We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Bruce Boardman" <board...@syr.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple days in the works, but seems to have helped and 
TAC thinks it's the issue.

Per TAC .... Hi Bruce,

Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP-session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And “120” seconds is a lot of time.

We have also added a third server for logging. So far so good.

Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu] 
Sent: Tuesday, October 23, 2012 11:32 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Wireless Design 






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using RADIUS. The secured access points to a load 
balancer using RADIUS stickiness for 2 virtual Cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.

Our authentication servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.

Any information you could provide would be helpful.

Thank you,

Chris Toth
Senior Network Technician
Bowling Green State University
Phone: (419) 372-8462
Email: ct...@bgsu.edu

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 
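
The TAC advice quoted in this thread (track down the clients behind EAP session timeouts, each of which can tie up an ACS thread for up to 120 seconds, and block them) can be turned into a simple log triage. This is an added example, not part of the original emails or any Cisco tooling; the CSV layout, function names and sample records are constructed assumptions, not a real ACS export format.

```python
import csv
import io
import re
from collections import Counter

THREAD_HOLD_SECONDS = 120  # worst-case thread hold time quoted in the thread

# Constructed sample records in a hypothetical layout (timestamp, client MAC,
# failure reason). This is not a real ACS export format.
SAMPLE_LOG = """\
2012-10-23T11:00:01,aa:bb:cc:00:00:01,EAP session timed out
2012-10-23T11:00:05,AA-BB-CC-00-00-01,EAP session timed out
2012-10-23T11:00:09,aa:bb:cc:00:00:02,Wrong password
2012-10-23T11:02:10,aabb.cc00.0001,EAP session timed out
2012-10-23T11:02:30,aa:bb:cc:00:00:03,EAP session timed out
2012-10-23T11:03:00,aa:bb:cc:00:00:02,EAP session timed out
truncated line without enough fields
2012-10-23T11:04:30,aa:bb:cc:00:00:03,EAP session timed out
2012-10-23T11:06:30,aa:bb:cc:00:00:03,eap session timed out
2012-10-23T11:07:00,aa:bb:cc:00:00:01,EAP session timed out
"""

def normalize_mac(raw):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    return digits if len(digits) == 12 else None

def eap_timeout_offenders(log_text, min_timeouts=3):
    """Rank clients by EAP timeouts and the thread time they may have held."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed records
        mac = normalize_mac(row[1])
        if mac and "eap session timed out" in row[2].lower():
            counts[mac] += 1
    return [(mac, n, n * THREAD_HOLD_SECONDS)
            for mac, n in counts.most_common() if n >= min_timeouts]

if __name__ == "__main__":
    for mac, n, secs in eap_timeout_offenders(SAMPLE_LOG):
        print(f"{mac}: {n} timeouts, up to {secs}s of thread time")
```

The same client often appears in several MAC notations depending on which controller or server logged it, so normalizing before counting keeps one device from being split across several low-count entries.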
