CISCO ACS 5.x RADIUS EAP-PEAP MS-CHAPv2 BUG WITH A “BIG BITE”: CSCth66302
If you are using Cisco ACS 5.1 or 5.2 and you use EAP-PEAP with MSCHAP v2 you should be aware of bug CSCth66302. It’s nasty and could impact your wireless network.
If you leverage EAP-PEAP MS-CHAPv2 in your environment and you are using Cisco ACS version 5.1 or 5.2 you need to be aware of this bug!
The bug we hit was CSCth66302 and it wasn’t pretty. As wireless clients attempted to authenticate the Cisco ACS responded with client failures, thus not authenticating the clients. When you looked at the ACS logs you would immediately see “Radius Authentication Request Rejected due to critical logging error” in nice big red letters! When you looked at the WLC the logs showed all the EAP-PEAP clients failing authentication.
Interestingly enough, the Cisco WLC NEVER moved to the back up ACS, which was configured under the WLAN. Why? Because the local ACS sever (which was failing) still responded to the client via the WLC. As far as the WLC was concerned, the ACS responded and life was good!
The Temporary Work Around from TAC
If you still get these messages the workaround is to restart ACS runtime service from the CLI:-
# acs stop runtime
# acs start runtime
Fix Coming in Release 5.3
Cisco TAC stated a fix will be released in ACS 5.3, which is yet to be released.
BUG Information
CSCth66302 |
RADIUS authentication request rejected because of a critical logging error. Symptom: Running stress PEAP MS-CHAPV2 against primary ACS machine fails with the following error message: Radius Authentication Request Rejected due to critical logging error Conditions: This problem occurs when there is a large deployment setup with one primary connected to seven secondary machines. Workaround: None. |
Reader Comments (4)
Hi George,
Always on top of things, thanks for sharing this issue with ACS !
-steve
Thanks for the heads up.. I was about to install 5.2.x then read this and found out that 5.3 was available now so I searched the release notes and this bug is gone so I upgraded and am testing before I deploy.
Hi,
I am facing this issue in my WLC5508 ""aaa authentication failure for username:xxxx type:WLAN users "" , we have ACS 5.3 and LDAP scenario for users authentication..
most of the users are facing this issues ...pl help!
Hello, I wold post your question / problems on CSC - Cisco Support Community.