Excessive wireless authentication requests congesting and crashing the WLC-RADIUS path: symptoms and fix

Symptoms in the logs:

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

……

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

RADIUS auth-server 10.200.1.X:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.103:1812 failed to respond to request

RADIUS auth-server 10.200.1.103:1812 available

RADIUS server 10.200.1.X:1812 activated on WLAN 1

RADIUS server 10.200.1.X:1812 deactivated on WLAN 1

RADIUS auth-server 10.200.1.X:1812 unavailable

RADIUS server 10.200.1.X:1812 failed to respond to request

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER

…… <<<< these trap logs repeat in large numbers;

*Dot1x_NW_MsgTask_2:  18:15:30.003: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:861 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 40, Key type 1, client 28:b2:bd:b7:01:42  <<<< this message log repeats in large numbers;


Look for:

  • High Retry: First Request ratio (should be no more than 10%)

  • High Reject: Accept ratio

  • High Timeout: First Request ratio (should be no more than 5%)
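The two things the text asks you to check, the repeating trap pattern and the RADIUS statistics ratios, can be scripted so that the triage is repeatable. The following is an added example, not code from the original post or from Cisco: it parses a constructed sample of trap lines in the same format as those quoted above (the server address and user names are placeholders), counts server deactivations, "failed to respond" events and per-user AAA failures, and applies the retry and timeout thresholds given in the list (10% and 5% of first requests). The reject:accept ratio is reported but not flagged, since the text gives no number for it; the `user_threshold` of 3 failures is an assumed triage value.

```python
import re
from collections import Counter

# Constructed sample traps in the same format as the WLC output quoted above
# (server address and user names are placeholders, not from a real controller).
SAMPLE_TRAPS = r"""
RADIUS server 10.200.1.103:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.103:1812 unavailable
RADIUS server 10.200.1.103:1812 failed to respond to request
RADIUS auth-server 10.200.1.103:1812 available
RADIUS server 10.200.1.103:1812 activated on WLAN 1
RADIUS server 10.200.1.103:1812 deactivated on WLAN 1
RADIUS auth-server 10.200.1.103:1812 unavailable
RADIUS auth-server 10.200.1.103:1812 available
RADIUS server 10.200.1.103:1812 activated on WLAN 1
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\sap_pm User Type: WLAN USER
AAA Authentication Failure for UserName:xxxxxx\jdoe User Type: WLAN USER
"""

DEACTIVATED = re.compile(r"RADIUS server (\S+) deactivated on WLAN (\d+)")
NO_RESPONSE = re.compile(r"RADIUS server (\S+) failed to respond to request")
AAA_FAILURE = re.compile(r"AAA Authentication Failure for UserName:(\S+) User Type: (.+)")


def triage_traps(log_text, user_threshold=3):
    """Count server flaps and per-user failures; list users at or above the threshold.

    user_threshold is an assumed triage value: a user that fails this many times
    in the window is a candidate for the client-exclusion policy discussed below.
    """
    deactivations = Counter()   # server -> times it was deactivated on a WLAN
    no_response = Counter()     # server -> "failed to respond" events
    auth_failures = Counter()   # user name -> AAA authentication failures
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DEACTIVATED.match(line):
            deactivations[m.group(1)] += 1
        elif m := NO_RESPONSE.match(line):
            no_response[m.group(1)] += 1
        elif m := AAA_FAILURE.match(line):
            auth_failures[m.group(1)] += 1
    suspects = sorted(u for u, n in auth_failures.items() if n >= user_threshold)
    return {
        "deactivations": deactivations,
        "no_response": no_response,
        "auth_failures": auth_failures,
        "suspect_users": suspects,
    }


def radius_health(first_requests, retries, timeouts, rejects, accepts):
    """Apply the thresholds from the text: retries <= 10% and timeouts <= 5% of first requests.

    The reject:accept ratio is returned for inspection only; no threshold is given for it.
    """
    ratios = {
        "retry": retries / first_requests,
        "timeout": timeouts / first_requests,
        "reject": rejects / accepts if accepts else float("inf"),
    }
    findings = []
    if ratios["retry"] > 0.10:
        findings.append(f"retry:first-request {ratios['retry']:.1%} exceeds 10%")
    if ratios["timeout"] > 0.05:
        findings.append(f"timeout:first-request {ratios['timeout']:.1%} exceeds 5%")
    return ratios, findings


if __name__ == "__main__":
    report = triage_traps(SAMPLE_TRAPS)
    print("deactivations:", dict(report["deactivations"]))
    print("no response:  ", dict(report["no_response"]))
    print("suspect users:", report["suspect_users"])
    # constructed counters standing in for the RADIUS statistics page
    ratios, findings = radius_health(first_requests=1000, retries=150, timeouts=80,
                                     rejects=30, accepts=900)
    print(f"reject:accept = {ratios['reject']:.2f}")
    for f in findings:
        print("WARNING:", f)
```

Feed it the controller's trap log (`show traplog` output saved to a file) instead of the sample, and read the counters off the RADIUS statistics page; a single user dominating `suspect_users` while the server flaps is the signature the rest of this post addresses.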

Solution:

· "Excessive 802.1X Authentication Failures" is selected in the WLC's global Client Exclusion Policies.

· Client exclusion is enabled in the WLAN's advanced settings.

· Client exclusion timeout is set to at least 120 seconds (valid range 60 to 300 seconds).


Disable Aggressive Failover, so that a single misbehaving supplicant cannot cause the WLC to fail over between the RADIUS servers.

Use the CLI command: "config radius aggressive-failover disable"

To see the current state, use: "show radius summary"

and look for the line "Aggressive Failover" near the top of the output. There is no GUI option for this setting.
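Why client exclusion and the aggressive-failover setting belong together: both limit how much RADIUS load one broken supplicant can generate. The following added example (not from the original post or from Cisco) models the exclusion policy above as a per-MAC failure counter with a timeout, then replays a constructed load: one client that retries 802.1X every second and always fails, alongside a healthy client that reauthenticates every minute. The `max_failures` value of 3 is an assumed parameter (check your controller's policy); the 120 s timeout is the minimum the text recommends. MAC addresses and timings are constructed.

```python
class ClientExclusionPolicy:
    """Model of the WLC 802.1X client-exclusion behaviour described above.

    max_failures: consecutive 802.1X failures before a client is excluded
                  (assumed value; confirm against your controller's policy).
    timeout_s:    exclusion timeout in seconds (the text recommends at least 120).
    """

    def __init__(self, max_failures=3, timeout_s=120):
        self.max_failures = max_failures
        self.timeout_s = timeout_s
        self._failures = {}        # mac -> consecutive failures so far
        self._excluded_until = {}  # mac -> time at which exclusion lifts

    def allow(self, now, mac):
        """Return True if the client may start a new authentication at time `now`."""
        until = self._excluded_until.get(mac)
        if until is None:
            return True
        if now < until:
            return False
        # exclusion timer expired: lift it and start counting afresh
        del self._excluded_until[mac]
        self._failures[mac] = 0
        return True

    def record(self, now, mac, success):
        """Update the failure counter after an authentication attempt completes."""
        if success:
            self._failures[mac] = 0
            return
        n = self._failures.get(mac, 0) + 1
        if n >= self.max_failures:
            self._excluded_until[mac] = now + self.timeout_s
            self._failures[mac] = 0
        else:
            self._failures[mac] = n


def simulate(events, policy=None):
    """Replay (time, mac, success) events in order.

    Returns (requests forwarded to RADIUS, requests blocked by the policy).
    With policy=None every attempt reaches the RADIUS server.
    """
    forwarded = blocked = 0
    for now, mac, success in events:
        if policy is not None and not policy.allow(now, mac):
            blocked += 1
            continue
        forwarded += 1
        if policy is not None:
            policy.record(now, mac, success)
    return forwarded, blocked


def misbehaving_supplicant(mac, duration_s, interval_s=1):
    """Constructed load: a client that retries 802.1X every interval and always fails."""
    return [(t, mac, False) for t in range(0, duration_s, interval_s)]


def healthy_client(mac, duration_s, interval_s=60):
    """Constructed load: a client that reauthenticates every interval and succeeds."""
    return [(t, mac, True) for t in range(0, duration_s, interval_s)]


if __name__ == "__main__":
    # constructed MAC addresses, ten minutes of traffic
    bad = misbehaving_supplicant("00:11:22:33:44:55", 600)
    good = healthy_client("66:77:88:99:aa:bb", 600)
    events = sorted(bad + good)
    print("no exclusion:  forwarded/blocked =", simulate(events))
    print("120 s exclusion:", simulate(events, ClientExclusionPolicy()))
```

With a 3-failure trigger and a 120 s timeout the broken client gets 3 attempts every 122 s instead of 600 in ten minutes, and the healthy client is never touched; that reduction is what keeps the RADIUS server from being marked unavailable and the WLC from flapping between servers.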

Configure Fast Secure Roaming for your clients.


· Make sure that Microsoft Windows EAP clients use Wi-Fi Protected Access 2 (WPA2)/Advanced Encryption Standard (AES) so they can use Opportunistic Key Caching (OKC).

· If you can segregate Apple iOS clients to their own WLAN, then you can enable 802.11r on that WLAN.

· Enable Cisco Centralized Key Management (CCKM) for any WLAN that supports 792x phones (but do not enable CCKM on any Service Set Identifier (SSID) that supports Microsoft Windows or Android clients, because they tend to have problematic CCKM implementations).

· Enable Sticky Key Caching (SKC) for any EAP WLAN that supports the Macintosh Operating System (MAC OS) X and/or Android clients.
Refer to "802.11 WLAN Roaming and Fast-Secure Roaming on CUWN" for more information: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

Note:  Monitor your WLC Pairwise Master Key (PMK) cache usage at peak times with the show pmk-cache all command. If you reach your maximum PMK-cache size, or get close to it, then you will probably have to disable SKC.


References:

https://supportforums.cisco.com/discussion/11702421/getting-disconnected-randomly-5508-controller-3300-series-laps

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

https://supportforums.cisco.com/discussion/11827081/radius-server-failed-respond-request 


Reposted from fellow blogger 鱼排饭's blog











This article is reposted from Grodd's 51CTO blog, original link: http://blog.51cto.com/juispan/2066738; to repost it, please contact the original author.
