topic Re: Unable to Log into WLC in Network Access Control

Unable to Log into WLC

DeeReal_99 — Fri, 12 Aug 2022 21:39:17 GMT

Hello,

I am having an issue logging into my C9800L WLC due to an expired PAC. Issue exists both at the CLI and the GUI. ISE(2.7) and DNA(2.2.3.5) are also throwing connection errors. Does anyone have any insight on how to resolve this issue?

Thanks,

Daryl

Re: Unable to Log into WLC

Ambuj M — Sat, 13 Aug 2022 01:55:25 GMT

Can you paste the exact error log

Re: Unable to Log into WLC

Arne Bier — Sun, 14 Aug 2022 20:25:28 GMT

If you have a local user account on the WLC then one trick I often use is to untick the TACACS (or RADIUS if RADIUS is used for device admin) in ISE for that particular device. Then the WLC loses comms with ISE for device admin and will be forced to use the local account for logins. Of course, you hope that the the "aaa authenticaiton" and "aaa authorization" commands were done right to include the "local" option - I suspect DNAC does provision aaa that way 😉 - give it a try.

As for the PAC - perhaps others can answer that - you can try to re-provision the device through DNAC - or, fix the aaa config yourself using shared secret instead of PAC.

PAC (as far as I know) is used by DNAC because it's a handy way to setup the CTS (Cisco Trust Sec) stuff in one go - if you don't use SDA/CTS then don't worry about PAC - just revert to using regular TACACS/RADIUS shared secret configs.

Re: Unable to Log into WLC

DeeReal_99 — Mon, 15 Aug 2022 12:08:30 GMT

Here are some of the screenshots I took...

Re: Unable to Log into WLC

DeeReal_99 — Mon, 15 Aug 2022 12:09:52 GMT

Please see the screenshots I posted.

Thanks...

Re: Unable to Log into WLC

DeeReal_99 — Mon, 15 Aug 2022 14:20:48 GMT

Thanks for the Arne, I will try during our next maintenance window

Re: Unable to Log into WLC

aghoush — Fri, 09 Dec 2022 12:07:15 GMT

Hello Dary ,

I wonder if you can share how you managed to solve this , as I have the same issue , ssh CLI access to WLC is not possible due to PAC expired , DNAC cannot provision WLC due to this issue , all devices are supposed to renew PAC automatically but failed on WLC.

I can access the WLC from GUI but not through ssh CLI

WLC OOB Pac showing expired in ISE (Network Devices )

Thanks

Anas

Re: Unable to Log into WLC

DeeReal_99 — Fri, 09 Dec 2022 16:54:03 GMT

Hi aghoush,

Odd that you are able to access GUI. When this happens, I am locked out of both gui and cli(odd because I am no guru..lol). The issue clears up after a reboot of the WLC. It grabbed a new PAC from ISE. I have an open TAC case to come up with a way to avoid this in the future. Unfortunately, syncing up with the Tech has been a chore. For the time being, my plan is to setup a reminder to renew the PAC 1 week prior to expiration. This will have to do until we can develop a more automated process.

And btw, I have not ventured down the path Arne recommended above as of yet. But will try at some point until we fully realize SDA.

I hope that helps.

Re: Unable to Log into WLC

aghoush — Mon, 12 Dec 2022 17:44:23 GMT

just wanted to update you that we managed to solve this with the support from TAC team:

- we have access to the GUI as we have added 2 separate admin accounts from day1 , one is used for GUI access and one for ssh and WLC EXEC configuration in ISE (administration -- network Device -- WLC )

using the command prompt GUI in WLC:

- we managed to reset the WLC device cts credential using : clear cts credentials
- then reassign the wlc device cts password again :

cts credentials id WLC-DEVICE-ID PASSWORD ( WLS DEVICE-ID AND PASSWORD AS SHOW in ISE )

do a refresh for cts and pac :
clear cts environment-data
cts refresh pac

Re: Unable to Log into WLC

Thomas Obbekaer Thomsen — Fri, 04 Aug 2023 10:28:53 GMT

But what is the root cause ? (Sure the PAC is expired, should the 9800 not just auto renew it ?).

Is there a BugID for this ?

Thanks

Thomas

Re: Unable to Log into WLC

stian.johansen — Mon, 07 Aug 2023 11:57:01 GMT

We are also having this issue. We can only login to the WLC after a reboot. CLI and GUI won't work. CLI gives error message "PAC Expired"

Is there a bug on this? And how can we fix the root cause?

Re: Unable to Log into WLC

woocash_m — Wed, 30 Aug 2023 09:19:48 GMT

Hi,

We have the same issue for the second time.

Our setup is ISE 2.7 patch 8 and DNA 2.2.3.5

WLC upgraded to 17.03.07 since the previous episode of the issue.

So last time we had this issue PAC renewal failed on a second automated attempt.

Issue fixed the same way as this time with

clear cts environment-data

cts refresh pac

22/03/2023 06:26 PM
## 1-st auto-renew:
Credential Lifetime: 19:58:30 BST Jun 20 2023
Refresh timer is set for 12w4d

## 2-nd auto-renew:
Credential Lifetime: 05:13:50 BST Aug 24 2023
Refresh timer is set for 9w5d

This failed on the second attempt.

I have a TAC case open for this. I will post it here if we get the cause of the issue.

Thanks,

Lucas

Re: Unable to Log into WLC

woocash_m — Mon, 11 Dec 2023 11:18:54 GMT

Hi,

So we got to the bottom of this with TAC.

The issue is due to authentication events for WLC user in ISE not logged in the prrt-server.log.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi41440

Re: Unable to Log into WLC

denny_strijdonck — Fri, 26 Jan 2024 07:15:27 GMT

We have the same issue with our WLC but also several switches. However, the conditions in the mentioned bug do NOT apply:

- No account disable policy

- No logging collection filter

However, the PAC file hasnt renewed automatically on several devices.

Re: Unable to Log into WLC

ben.posner — Wed, 07 Feb 2024 00:41:02 GMT

i have the same issue with our DNA and ise 3.2 setup. have not found a resolution as yet.

Re: Unable to Log into WLC

denny_strijdonck — Mon, 12 Feb 2024 07:23:17 GMT

Rebooting the WLC helped for us

Re: Unable to Log into WLC

Emirage — Thu, 22 Aug 2024 08:36:14 GMT

I've had this problem as well. We couldn't log in with either Radius or local account.

We had to block all radius traffic so the WLC did a fall back to the local account. Then we used the commands, posted in earlier in this post:

Using the CLI:

-reset the WLC device cts credential using : clear cts credentials
- then reassign the wlc device cts password again :

cts credentials id WLC-DEVICE-ID PASSWORD ( WLS DEVICE-ID AND PASSWORD AS SHOW in ISE )

do a refresh for cts and pac :
clear cts environment-data
cts refresh pac

And it worked. But it will expire again in a few months.

Re: Unable to Log into WLC

Thomas Obbekaer Thomsen — Wed, 18 Dec 2024 10:15:59 GMT

This seems to be the bug hit : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk90748

Just says "Fixed" but no software mentioned of fixed release.