topic Re: WLC 9800-L - Authentication failed for client in Wireless

WLC 9800-L - Authentication failed for client

Marcin.Bachmatiuk — Fri, 04 Feb 2022 16:21:04 GMT

Hi,

i have a problem with authentication in WLC 9800-L, I have configured the Radius servers and SSID, but the client cannot authenticate himself to radius.

Feb  4 16:16:34.041: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (8086.f285.a2f5) with reason (AAA Server Down) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691 Username: 123456
Feb  4 16:16:34.041: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8086.f285.a2f5) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

Can anyone help me ??

Re: WLC 9800-L - Authentication failed for client

Jerome BERTHIER — Fri, 04 Feb 2022 16:31:41 GMT

Hello

Both logs entries "AAA Server Down" point that the RADIUS server was not available.

So you have to check the connectivity between the WLC controler and the AAA server.

Back to basics :

- verify IP or fqdn and transport ports of RADIUS server assigned to the SSID.

- if fqdn, check that WLC can resolve it , so check its DNS config and availabilty.

- verify if the RADIUS IP if joinable from WLC : routing and filtering between both

- verify that shared secret is correct on both sides

- verify that WLC is declared as NAS client on the RADIUS

Do you have any logs from request on the RADIUS server ?

Regards

Re: WLC 9800-L - Authentication failed for client

Marcin.Bachmatiuk — Fri, 04 Feb 2022 16:54:18 GMT

This is where the problem is that I got the data from the company's headquarters on the WLC 5520 which is working now everything is OK.

Unfortunately, the RADIUS server cannot be accessed 😞

I checked sh aaa servers detailed

RADIUS: id 1, priority 1, host 10.0.0.1, auth-port 1812, acct-port 1813, hostname RADIUS
     State: current UP, duration 12422s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 12422s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
     Platform State from WNCD (1) : current UP
     Platform State from WNCD (2) : current UP
     Platform State from WNCD (3) : current UP
     Platform State from WNCD (4) : current UP
     Platform State from WNCD (5) : current UP
     Platform State from WNCD (6) : current UP
     Platform State from WNCD (7) : current UP
     Platform State from WNCD (8) : current UP, duration 10305s, previous duration 299s
     Platform Dead: total time 999s, count 1
     Quarantined: No
     Authen: request 19, timeouts 18, failover 1, retransmission 12
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 6
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Elapsed time since counters last cleared: 3h27m
     Estimated Outstanding Access Transactions: 1
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
 Consecutive Response Failures: total 5
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 5, current 5 total 5
             IOSD Platform : max 0, current 0 total 0
     Consecutive Timeouts: total 17
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 17, current 17 total 17
             IOSD Platform : max 0, current 0 total 0
     Requests per minute past 24 hours:
             high - 3 hours, 27 minutes ago: 0
             low  - 3 hours, 27 minutes ago: 0
             average: 0

Re: WLC 9800-L - Authentication failed for client

Scott Fella — Fri, 04 Feb 2022 18:35:35 GMT

Radius logs are the only way to go to understand why a device is unable to authenticate.

Re: WLC 9800-L - Authentication failed for client

Prince.O — Fri, 04 Feb 2022 22:03:57 GMT

Hi Marcin,

I would suggest you take an embedded packet capture while reproducing the issue and then analyze this in Wireshark to validate if the 9800 is sending radius packets to your radius server and not getting any response.

Refer to the link below to configure the packet capture on the 9800:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#anc17

Access to the radius server is strongly advised in order to validate communication as well as the configuration/validation of the radius keys

Re: WLC 9800-L - Authentication failed for client

Rich R — Mon, 07 Feb 2022 10:32:45 GMT

You're talking about 9800-L and 5520. I think you're saying it's working on 5520 but not 9800-L?

Remember they are different. 5520 sends the radius from the client interface by default. 9800 just follows the routing table so follow the steps the others have already advised above to ensure your radius is sent from the correct interface, can reach the radius and receive replies. Use packet captures to verify.

Re: WLC 9800-L - Authentication failed for client

Marcin.Bachmatiuk — Mon, 07 Feb 2022 12:17:32 GMT

Hi,
Thank you for your help.

Unfortunately, I am not fluent in reading logs by wireshark.

What should I look for?

Re: WLC 9800-L - Authentication failed for client

Rich R — Mon, 07 Feb 2022 12:41:40 GMT

Then check the basics first (config). You need to check all those things the others have mentioned above.

On packet capture you'll be looking for radius request and replies.

Make sure they're being sent to/from the correct IP addresses and ports, on the correct interface.

Re: WLC 9800-L - Authentication failed for client

Scott Fella — Mon, 07 Feb 2022 15:56:05 GMT

So is the issue fixed, I thought that is what you mentioned on another post? If so, what was the fix? I know you mentioned you were not able to access the radis server... I'm just curious on what was done to resolve the issue.

Re: WLC 9800-L - Authentication failed for client

Prince.O — Mon, 07 Feb 2022 19:43:35 GMT

Hi Marcin,

As stated by the others, you'll be looking for radius packets sourcing from your 9800 controller wireless management Ip address to your radius servers as the destination.

When you open the file in wireshark, you can simply type in "radius" in the search bar and hit enter and that should filter the file for any radius packets.

Alternatively, you can also search any packets sent to or received from your radius server IP address with " ip.addr== <RADIUS IP HERE> " in the search bar

Re: WLC 9800-L - Authentication failed for client

Marcin.Bachmatiuk — Tue, 08 Feb 2022 09:34:11 GMT

Hi,

In the attachment screen from wireshark, maybe something will help

Re: WLC 9800-L - Authentication failed for client

Scott Fella — Tue, 08 Feb 2022 10:14:45 GMT

What is the reason you can get access to the radius logs? If there is something that is not configured properly, how would you resolve that. The logs from a device attempt, rejected or passed will help isolate what the issue is. I would never be able to solve radius/tacacs issues without having access to the servers.

Re: WLC 9800-L - Authentication failed for client

Prince.O — Tue, 08 Feb 2022 15:12:46 GMT

So from the attached images from the PCAP, it looks like radius requests are being sent from the 9800 but no response are being received back.

To troubleshoot the issue further, as mentioned, you'll would need access to the radius server logs to get more insight on the possible root cause

Re: WLC 9800-L - Authentication failed for client

network_eng — Tue, 08 Nov 2022 01:23:13 GMT

Sorry to raise this from the dead but I have the owner post issue. The wireshark captures show the access-request messages being sent from the WLC client IP configured in the Microsoft NPS server but the server is giving the error (ID 13): A Radius message was received from the invalid RADIUS client IP x.x.x.x.x (the same one configured).

From Microsoft's site they say this can happen when

In the NPS MMC, a RADIUS client is configured by FQDN or NetBIOS name rather than by IP address, and NPS has not received a DNS server response to the name resolution query. Without the IP address provided by the name resolution query, NPS cannot contact the RADIUS client;
NPS receives communication from a RADIUS client that is not configured in the NPS MMC;
In the NPS MMC, a RADIUS client is configured by either IPv4 or IPv6 address, but the format of the IP address is incorrect.

I checked and IP address is what is being used not FQDN, the client is configured in the radius server, the IP address is correct. What was the solution provided in this post?

Re: WLC 9800-L - Authentication failed for client

Rich R — Tue, 08 Nov 2022 06:19:24 GMT

The original poster didn't actually provide a solution and claimed to not have access to the radius server so no way of knowing it's the same problem. Basic principles apply - read through all the answers provided already.
1. Are you *sure* it's being sent from the same IP you have configured? Remember 9800 follows the routing table to get to the radius and source IP used is either outgoing interface or the one you specify.
2. Have you got the correct shared key configured - I reckon the wrong key could also be an invalid client?

Re: WLC 9800-L - Authentication failed for client

network_eng — Tue, 08 Nov 2022 12:32:29 GMT

When I filter on the wireshark captures done from the 9800 for udp.port==1812 the radius access-request packets show the source address as the configured client IP I used in the radius server config. Is there another way to validate it?

I checked and re-checked the shared key, I even put in the wrong one to see the output which gave a different error message in the show aaa servers command output (it complained about bad authenticators).

I just can't get my finger on this one, I will log a ticket with Cisco today.

Re: WLC 9800-L - Authentication failed for client

network_eng — Tue, 08 Nov 2022 12:39:09 GMT

Btw everything works fine with the old 2504 WLC in the environment but it just doesn't with the 9800 (It is a migration that I am finishing up - guest access works perfectly but not the corporate internet which relies on the radius authentication).

Re: WLC 9800-L - Authentication failed for client

network_eng — Sun, 29 Jan 2023 17:06:19 GMT

I think this might be pointing to asymmetrical routing as I think I should at least be receiving a reject message or some other information if the policy on the server is not matching the received conditions/attributes. I created a new client with exactly what was required from the 9800 WLC but got the same result in the capture as if communication isn't getting back. I will check the routing in the environment to see what is happening. Maybe the packets are being received by the NPS but the reply is being sent back to another interface IP on the WLC that isn't reachable...investigations in progress

Re: WLC 9800-L - Authentication failed for client

Rich R — Sun, 29 Jan 2023 20:45:55 GMT

Remember the 9800 will route the request packet according to the IP routing table so "sh ip rout" will show you whether it's going out the interface you expect it to. If not then correct the routes as required. Obviously the server needs to be able to route back to the source of the radius requests - not necessarily always the same interface it went out of but if it's going through a firewall or NAT then asymmetric routing is likely to cause drops so generally best to make sure the outward (request) and return (reply) routing take the same path. The server radius reply will always go back to the same IP address that the request was sent from - not "another interface IP".

Re: WLC 9800-L - Authentication failed for client

network_eng — Mon, 30 Jan 2023 12:38:14 GMT

That's the thing I can verify that the radius packets are going out the correct interface. I set it manually in the config and verified this in captures. I just think it is strange that the controller is getting no replies at all, nothing, not even a reject message. I can ping it but nothing comes back when a radius packet is sent across. This makes the controller believe that the AAA server is dead when in fact it isn't. The basics have been satisfied from the controller side, the NPS server and traffic flow back to the controller has to be the focus now.