If you are using Cisco ACS 5.1 or 5.2 and you use EAP-PEAP with MSCHAP v2 you should be aware of bug CSCth66302. It’s nasty and could impact your wireless network.
If you leverage EAP-PEAP MS-CHAPv2 in your environment and you are using Cisco ACS version 5.1 or 5.2 you need to be aware of this bug!
The bug we hit was CSCth66302 and it wasn’t pretty. As wireless clients attempted to authenticate the Cisco ACS responded with client failures, thus not authenticating the clients. When you looked at the ACS logs you
would immediately see “Radius Authentication Request Rejected due to critical logging error” in nice big red letters! When you looked at the WLC the logs showed all the EAP-PEAP clients failing authentication.
Interestingly enough, the Cisco WLC NEVER moved to the back up ACS, which was configured under the WLAN. Why? Because the local ACS sever (which was failing) still responded to the client via the WLC. As far as the WLC was concerned, the ACS responded and life was good!
The Temporary Work Around from TAC
If you still get these messages the workaround is to restart ACS runtime service from the CLI:-
# acs stop runtime
# acs start runtime
Fix Coming in Release 5.3
Cisco TAC stated a fix will be released in ACS 5.3, which is yet to be released.
BUG Information
|
CSCth66302 |
RADIUS authentication request rejected because of a critical logging error. Symptom: Running stress PEAP MS-CHAPV2 against primary ACS machine fails with the following error message: Radius Authentication Request Rejected due to critical logging error Conditions: This problem occurs when there is a large deployment setup with one primary connected to seven secondary machines. Workaround: None. |