CISCO ACS 5.x RADIUS EAP-PEAP MS-CHAPv2 BUG WITH A “BIG BITE”: CSCth66302
Saturday, March 19, 2011 at 3:18PM
George

If you are using Cisco ACS 5.1 or 5.2 and you use EAP-PEAP with MSCHAP v2 you should be aware of bug CSCth66302. It’s nasty and could impact your wireless network.

If you leverage EAP-PEAP MS-CHAPv2 in your environment and you are using Cisco ACS version 5.1 or 5.2 you need to be aware of this bug!

The bug we hit was CSCth66302 and it wasn’t pretty. As wireless clients attempted to authenticate the Cisco ACS responded with client failures, thus not authenticating the clients. When you looked at the ACS logs you would immediately see “Radius Authentication Request Rejected due to critical logging error”   in nice big red letters! When you looked at the WLC the logs showed all the EAP-PEAP clients failing authentication.

Interestingly enough, the Cisco WLC NEVER moved to the back up ACS, which was configured under the WLAN. Why? Because the local ACS sever (which was failing) still responded to the client via the WLC. As far as the WLC was concerned, the ACS responded and life was good!

 The Temporary Work Around from TAC

If you still get these messages the workaround is to restart ACS runtime service from the CLI:-

# acs stop runtime
# acs start runtime

Fix Coming in Release 5.3

Cisco TAC stated a fix will be released in ACS 5.3, which is yet to be released.

BUG Information 

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html  

 

CSCth66302

RADIUS authentication request rejected because of a critical logging error.

Symptom: Running stress PEAP MS-CHAPV2 against primary ACS machine fails with the following error message:

Radius Authentication Request Rejected due to critical logging error

Conditions: This problem occurs when there is a large deployment setup with one primary connected to seven secondary machines.

Workaround: None.

 

 

Article originally appeared on my80211.com (http://www.my80211.com/).
See website for complete article licensing information.