topic Re: cisco wlc 3504 ssid authentication windows AD in Wireless

cisco wlc 3504 ssid authentication windows AD

edwincharles — Tue, 29 Mar 2022 09:52:24 GMT

Dears,

need help with windows 10 clients trying to connect SSID using AD authentication not working

Re: cisco wlc 3504 ssid authentication windows AD

Sandeep Choudhary — Tue, 29 Mar 2022 10:18:15 GMT

Hi,

Go through these:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/108008-ldap-web-auth-wlc.html

Regards

Dont forget to rate helpful posts

Re: cisco wlc 3504 ssid authentication windows AD

Flavio Miranda — Tue, 29 Mar 2022 10:32:13 GMT

I saw some informations on the log that called my attention and I´d like you to take a look:

site 'default-group', interface 'savc-guest-interface'

Assigning flex webauth ACL ID :65535 for vlan : 8

Does the interface for this SSID is named guest for some reason or it is intended to be guest network? Also, take care with default group. It may trick you on some things like WLAN ID, for example. Ideally, avoid use it.

But, you problem is related to this log:

Processing Access-Reject for mobile 00:28:f8:d3:13:cd
Entering Backend Auth Failure state (id=-1) for mobile 00:28:f8:d3:13:cd

And for that, you need to look at the Authenticion server. There might be the answer on why client had been refused. It can be wrong certificate, wrong credentials and so on and so forth.

The fact is, whatever it might be, the answers is on the authentication server or on the client.

Re: cisco wlc 3504 ssid authentication windows AD

Mark Elsen — Tue, 29 Mar 2022 10:50:15 GMT

- Below you will find the output of your debug file when processed by : https://cway.cisco.com/tools/WirelessDebugAnalyzer/ , you may want to disabled fast roaming (for a test) , check if that can help. And since the radius error , check the radius server logs too

Show Time

Show Task

Show Translated

Show Original

Show Prior First Connection

Show All

TimeTaskTranslated

Mar 29 12:44:40.967	*apfMsConnTask_7	Client made new Association to AP/BSSID BSSID 84:f1:47:c5:58:e8 AP 3F-AP4-Corridor4
Mar 29 12:44:40.967	*apfMsConnTask_7	The Reassociation Request from the client comes with 0 PMKID
Mar 29 12:44:40.967	*apfMsConnTask_7	The Reassociation Request from the client comes with 0 PMKID
Mar 29 12:44:40.967	*apfMsConnTask_7	Client is entering the 802.1x or PSK Authentication state
Mar 29 12:44:40.967	*apfMsConnTask_7	Client has successfully cleared AP association phase
Mar 29 12:44:40.967	*apfMsConnTask_7	WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Mar 29 12:44:40.972	*Dot1x_NW_MsgTask_5	Client will be required to Reauthenticate in 1800 seconds
Mar 29 12:44:40.972	*Dot1x_NW_MsgTask_5	WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:44:40.992	*Dot1x_NW_MsgTask_5	WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:45:10.084	*Dot1x_NW_MsgTask_5	Client sent EAP-Identity-Response to WLC/AP
Mar 29 12:45:10.087	*Dot1x_NW_MsgTask_5	RADIUS Server denied access
Mar 29 12:45:14.946	*Dot1x_NW_MsgTask_5	WLC/AP is sending EAP-Identity-Request to the client