WLC-RADIUS congestion and collapse caused by excessive wireless authentication requests: symptoms and solution
Log symptoms:
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
……
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.X:1812 failed to respond to request
RADIUS auth-server 10.200.1.X:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.103:1812 failed to respond to request
RADIUS auth-server 10.200.1.103:1812 available
RADIUS server 10.200.1.X:1812 activated on WLAN 1
RADIUS server 10.200.1.X:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.X:1812 unavailable
RADIUS server 10.200.1.X:1812 failed to respond to request
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxxsap_pm User Type: WLAN USER
…… <<<< these trap logs repeat in large numbers
*Dot1x_NW_MsgTask_2: 18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START state – invalid secure bit; KeyLen 40, Key type 1, client 28:b2:bd:b7:01:42 <<<< these message logs repeat in large numbers
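An added example (not from the original post) that runs over log lines of the shapes quoted above. It counts RADIUS server deactivations, unanswered requests, AAA failures per user name and invalid EAPOL-key messages per client, so the supplicants driving the storm stand out. The thresholds min_flaps and min_failures and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter

# One pattern per symptom; group(1) is the server, user name or client MAC.
PATTERNS = {
    "deactivated": re.compile(r"RADIUS server (\S+) deactivated on WLAN \d+"),
    "no_response": re.compile(r"RADIUS server (\S+) failed to respond to request"),
    "aaa_failure": re.compile(r"AAA Authentication Failure for UserName:(\S+)"),
    "bad_eapol": re.compile(
        r"INVALID_WPA_KEY_MSG_STATE.*client ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"),
}

def summarize(log_text, min_flaps=2, min_failures=5):
    """Count each symptom per key; thresholds are illustrative assumptions."""
    counts = {name: Counter() for name in PATTERNS}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                counts[name][m.group(1)] += 1
                break

    def over(name, limit):
        return sorted(k for k, n in counts[name].items() if n >= limit)

    return {
        "flapping_servers": over("deactivated", min_flaps),
        "unresponsive_servers": over("no_response", 1),
        "noisy_users": over("aaa_failure", min_failures),
        "noisy_clients": over("bad_eapol", min_failures),
        "counts": counts,
    }

# Constructed sample (documentation IP, made-up user names and MAC address).
EAPOL = ("*Dot1x_NW_MsgTask_2: 18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: "
         "1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START state - "
         "invalid secure bit; KeyLen 40, Key type 1, client 02:00:00:00:00:01")
SAMPLE_LOG = "\n".join(
    ["RADIUS server 192.0.2.10:1812 deactivated on WLAN 1",
     "RADIUS auth-server 192.0.2.10:1812 unavailable",
     "RADIUS server 192.0.2.10:1812 failed to respond to request",
     "RADIUS auth-server 192.0.2.10:1812 available",
     "RADIUS server 192.0.2.10:1812 activated on WLAN 1"] * 3
    + ["AAA Authentication Failure for UserName:user_a User Type: WLAN USER"] * 8
    + ["AAA Authentication Failure for UserName:user_b User Type: WLAN USER"]
    + [EAPOL] * 6
)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The user names and client MACs it reports are the ones the client exclusion settings in the solution below are meant to hold back.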
Look for:
- High Retry: First Request ratio (should be no more than 10%)
- High Reject: Accept ratio
- High Timeout: First Request ratio (should be no more than 5%)
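An added example (not from the original post) that computes the three ratios above from RADIUS authentication counters and flags the two that have stated limits. The input layout and counter names are an assumption modelled on the dotted-leader output of the WLC's `show radius auth statistics`; the sample values are constructed.

```python
import re

# Constructed sample; layout and counter names are assumed, values are made up.
SAMPLE_STATS = """\
Server Index..................................... 1
Msg Round Trip Time.............................. 3 (msec)
First Requests................................... 1256
Retry Requests................................... 5688
Accept Responses................................. 22
Reject Responses................................. 44
Timeout Requests................................. 6824
"""

def parse_counters(text):
    """Parse 'Name......... 123' lines into {name: int}."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\.{2,}\s*(\d+)\b", line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters

def ratio(num, den):
    # A freshly cleared counter set has no first requests; report None, not an error.
    return None if den == 0 else num / den

def check_ratios(counters, retry_max=0.10, timeout_max=0.05):
    """Limits are the 10% and 5% figures from the list above."""
    first = counters.get("First Requests", 0)
    result = {
        "retry": ratio(counters.get("Retry Requests", 0), first),
        "timeout": ratio(counters.get("Timeout Requests", 0), first),
        # The page gives no limit for Reject:Accept, so it is reported only.
        "reject_accept": ratio(counters.get("Reject Responses", 0),
                               counters.get("Accept Responses", 0)),
    }
    limits = {"retry": retry_max, "timeout": timeout_max}
    result["alerts"] = [name for name, limit in limits.items()
                        if result[name] is not None and result[name] > limit]
    return result

if __name__ == "__main__":
    print(check_ratios(parse_counters(SAMPLE_STATS)))
```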
Solution:
① “Excessive 802.1X Authentication Failures” is selected in the WLC's global Client Exclusion Policies.
② Client exclusion is enabled in the WLAN's advanced settings.
③ Client exclusion timeout is set to at least 120 seconds (60 to 300 seconds).
④ Disable Aggressive Failover, which does not allow a single misbehaving supplicant to cause the WLC to fail over between the RADIUS servers.
Use the CLI command: “config radius aggressive-failover disable”
To see the current state, use: “show radius summary” and look for the line “Aggressive Failover” near the top of the output. There is no GUI option for this setting.
⑤ Configure Fast Secure Roaming for your clients.
· Make sure that Microsoft Windows EAP clients use Wi-Fi Protected Access 2 (WPA2)/Advanced Encryption Standard (AES) so they can use Opportunistic Key Caching (OKC).
· If you can segregate Apple iOS clients to their own WLAN, then you can enable 802.11r on that WLAN.
· Enable Cisco Centralized Key Management (CCKM) for any WLAN that supports 792x phones (but do not enable CCKM on any Service Set Identifier (SSID) that supports Microsoft Windows or Android clients, because they tend to have problematic CCKM implementations).
· Enable Sticky Key Caching (SKC) for any EAP WLAN that supports the Macintosh Operating System (MAC OS) X and/or Android clients.
Refer to 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN for more information. http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html
Note: Monitor your WLC Pairwise Master Key (PMK) cache usage at peak times with the show pmk-cache all command. If you reach your maximum PMK-cache size, or get close to it, then you will probably have to disable SKC.
Reference links:
https://supportforums.cisco.com/discussion/11702421/getting-disconnected-randomly-5508-controller-3300-series-laps
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
https://supportforums.cisco.com/discussion/11827081/radius-server-failed-respond-request
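Reposted from the blog of my friend 魚排飯
This article is reposted from the Grodd 51CTO blog. Original link: http://blog.51cto.com/juispan/2066738. To repost it, please contact the original author yourself.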