Authentication RADIUS server fail with "try later message" from users?

  • 1.  Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 01:44 AM

    Hi everyone,

     

    I need help with the problem described in the subject. Specifically:

     

    I have 2 WLC 7010 OS 8.3 both running Standalone (10.26.3.10) and Standby (10.26.3.11) with VRRP IP (10.26.3.12). The synchronization between the two devices is working fine.

     

    I am configuring authentication with RADIUS server 2016 (10.26.14.3). Authentication from the WLC with the CLI "aaa test-server mschapv2 servername username password" is OK. But when I authenticate from users, I get the message "try later". When the user receives the "try later" message, I also see a "server rejected" message in the CLI output of "show auth-tracebuf mac MAC-Client", and "authmgr [3514]: <522275> <3514> <WARN> | authmgr User Authentication failed. Username = abc userip = 0.0.0.0 usermac = f0:79:e8:a2:2b:db authmethod = 802.1x servername = TD-RADIUS-01 serverip = 10.26.14.3 apname = AP-01 bssid = b4:5d:50:0d:b4:21".

    The important thing I want to say here is that when I first configured it, everything worked fine (Windows laptop, Android, iPhone). But about 20 minutes later, users can't authenticate and receive a "try later" message.

    I look forward to everyone's help.

    Thank you everyone.



  • 2.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 08:24 AM

    Do users see the "try later" message on the Captive Portal?



  • 3.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 08:40 AM

    Thank you, cjoseph.

    Yes, it looks like below.

    timeout-trylater-message.PNG



  • 4.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 09:17 AM

    If it says "server rejected", there must be a log on the server saying why...



  • 5.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 09:21 AM

    I only received a "server rejected" message from the WLC (10.26.3.10) when running the CLI "show auth-tracebuf mac MAC-Client", and it does not say why. What should I do next?

     

    Thank you.



  • 6.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 09:25 AM

    The radius server should have a message about why it is rejecting the authentication from the controller.



  • 7.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 09:30 AM

    In this case, can you guess the cause from the "server rejected" message?



  • 8.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 09:59 AM

    I cannot guess.  You should find out why the radius server is rejecting the controller authentication so you can understand what is happening.  That is typically in the radius server logs.



  • 9.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 16, 2018 10:34 AM

    So why can I still authenticate from WLC using CLI "aaa test-server mschapv2 servername username password"?

     



  • 10.  RE: Authentication RADIUS server fail with "try later message" from users?
    Best Answer

    Posted Sep 16, 2018 10:40 AM

    Yes, you should be able to run that command successfully all of the time.  You need to find out why the RADIUS server is rejecting the other authentication.  An aaa server test is not always identical to the authentication that is sent to the RADIUS server.  The controller only reports what the RADIUS server is saying to it.  The only clue you would have about this is to look at the RADIUS server logs and find out why it is rejecting the controller authentication.

     

    You can find out how often these rejections take place on the controller by running the command "show aaa authentication-server radius statistics" on the command line of the controller.
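
    Alongside the controller counters mentioned above, the authmgr failure message quoted in the first post can be tallied per RADIUS server to see whether rejections hit every user and AP at once (pointing at the server side) or only some. This is an added example, not part of the thread or Aruba tooling; the sample lines are constructed from the message in post 1, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the message id 522275 quoted in post 1.
# The second user, MAC and AP are made up; the third line is unrelated filler.
SAMPLE_LOG = """\
authmgr[3514]: <522275> <3514> <WARN> |authmgr| User Authentication failed. username=abc userip=0.0.0.0 usermac=f0:79:e8:a2:2b:db authmethod=802.1x servername=TD-RADIUS-01 serverip=10.26.14.3 apname=AP-01 bssid=b4:5d:50:0d:b4:21
authmgr [3514]: <522275> <3514> <WARN> | authmgr User Authentication failed. Username = user2 userip = 0.0.0.0 usermac = 00: 11: 22: 33: 44: 55 authmethod = 802.1x servername = TD-RADIUS-01 serverip = 10.26.14.3 apname = AP-02 bssid = b4 : 5d: 50: 0d: b4: 31
constructed unrelated line that must be ignored
"""

KEYS = ("username", "userip", "usermac", "authmethod",
        "servername", "serverip", "apname", "bssid")
KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r")\s*=\s*", re.IGNORECASE)

def parse_failure(line):
    """Return the key/value fields of one 522275 failure line, or None."""
    if "<522275>" not in line:
        return None
    hits = list(KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(hits):
        # A value runs until the next known key (or end of line).
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        value = line[m.end():end].strip()
        key = m.group(1).lower()
        if key in ("usermac", "bssid"):
            # Tolerate copies where the MAC was pasted with stray spaces.
            value = re.sub(r"\s+", "", value).lower()
        fields[key] = value
    return fields

def failures_by_server(log_text):
    """Group failures by (servername, serverip) with affected users and APs."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "aps": set()})
    for line in log_text.splitlines():
        f = parse_failure(line)
        if not f:
            continue
        entry = summary[(f.get("servername"), f.get("serverip"))]
        entry["count"] += 1
        entry["users"].add(f.get("username"))
        entry["aps"].add(f.get("apname"))
    return dict(summary)
```

    If every user and AP fails against the same server from a given point in time, the cause is more likely on the RADIUS server than in any one client's credentials.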



  • 11.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 17, 2018 01:16 PM

    I checked back on the RADIUS server and found that the authentication cert has expired. I installed another cert but it still doesn't work.



  • 12.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 17, 2018 01:44 PM

    Does the radius server require you to restart after you install a new certificate?



  • 13.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 18, 2018 12:06 AM

    Yes, I restarted the NPS service and the RADIUS server. But users can't authenticate.

     

    Please check the configuration on my WLC.

    1. Configure authentication Radius server

    configure-authen-radius-server.PNG

    2. Configure WLAN

    - General tab

    WLAN-general-tab.PNG

    - Security tab

    WLAN-security-tab.PNG

    - Access tab

    WLAN-access-tab.PNG

     

    Thank you, cjoseph.

     

     



  • 14.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 18, 2018 03:32 AM

    What message are you getting on the controller?

    What message are you getting on the NPS server?  What is it saying?

     

    Those are the two questions that need to be asked.  The controller will not let users on if the NPS server is rejecting the connection.



  • 15.  RE: Authentication RADIUS server fail with "try later message" from users?

    Posted Sep 18, 2018 06:24 AM

    Message on WLC is still "server rejected" and on NPS server is "Network Policy Server denied access to a user".