topic Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980 in Wireless

dot1x Clients can't get authenticated du to Cred Fail on Cisco 9800

FreddyJay — Tue, 17 Jan 2023 10:57:57 GMT

Hi!

clients cannot join our dot1x SSIDs. We get below messages in our WLC 9800:

WLC1#
Jan 17 10:46:44.155: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (ee23.093e.5580) with reason (Cred Fail) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1 Username:
Jan 17 10:46:44.155: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (ee23.093e.5580) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1. Failure reason: Authc fail. Authc failure reason: Cred Fail.

our platform is: Cisco IOS Software [Bengaluru], C9800 Software (C9800_IOSXE-K9), Version 17.6.4, RELEASE SOFTWARE (fc1)

Would you please guide me what is the remedy?

Best regards

Farkhan

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Mark Elsen — Tue, 17 Jan 2023 12:10:41 GMT

>....Authc fail. Authc failure reason: Cred Fail.
- The reason(s) seems obvious , client credentials are incorrect, if you have backend radius authenticating server(s) , then check the radius logs too.
You may also find these commands useful on the 9800 controller :
show wireless stats client delete reasons
show wireless stats client detail
show wireless client summary

Also review the 9800 configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Gaurav Kansal — Thu, 02 Feb 2023 10:10:01 GMT

Hello Farkhan

Have you checked the Logs in your AAA server, what logs its showing.Because its credentials failed.Please checked the policy also you have applied for dot1x. And Please confirm all user are facing issue or some particular clients.

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

zachhoiberg — Thu, 23 Feb 2023 17:42:09 GMT

I am seeing the same issue on 17.9.2 using 2802I and 2802E APs. Central authentication for a DOT1X WLAN does not work and no Radius requests are sent from any interface on the C9800-CL device to the radius servers. Tested this with a packet capture at both ends. It is not a communication issue between the C9800-CL and the radius servers, as the "test aaa" command sends radius packets just fine.

Any legitimate connection attempt to the SSID will instantly result in the (Cred Fail) log, even if the credentials are correct.

Disabling central authentication allows the APs themselves to send the DOT1X requests which pass as expected.

I have an open ticket with TAC regarding this issue.

You may want to test with non-central authentication, provided that you setup the wireless client on your RADIUS servers to accommodate the APs doing the authentication themselves.

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Schulda — Mon, 27 Feb 2023 13:14:25 GMT

Have you had any success with TAC so far? We seem to have a similar issue now in our environment..

Thanks

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Scott Fella — Mon, 27 Feb 2023 15:03:35 GMT

@Schulda you should start a new thread. Majority of folks have a different setup and that makes a big difference. Start a new thread and add as much information as possible. Add what troubleshooting you have done, if this is a new setup or existing, has it worked before, is it with a specific device type or authorization type, etc.

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

zachhoiberg — Fri, 03 Mar 2023 22:02:31 GMT

I have not had any luck thus far. It seems like the EAP request is sent between the AP and the Controller during Central Authentication, and I see the username passing, but once that packet hits the Controller (which is nearly instantly), the controller doesn't forward it to the defined radius servers and marks it as a failed authentication attempt.

I hope to get more information from TAC next week when I have more time to troubleshoot this further. Additionally, I'd like to state that I am using 2800 series APs for all of this testing, incase this happens to be a model specific issue. I will finally get some 9120s in next week for testing as well.

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Scott Fella — Sat, 04 Mar 2023 00:08:13 GMT

What error do you see on the radius server? Are you using ISE?

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Mark Elsen — Sat, 04 Mar 2023 06:32:43 GMT

@zachhoiberg   >...seeing the same issue...
Did you also check the same advisories :
    >....Authc fail. Authc failure reason: Cred Fail.
- The reason(s) seems obvious , client credentials are incorrect, if you have backend radius authenticating server(s) , then check the radius logs too.
   You may also find these commands useful on the 9800 controller :
show wireless stats client delete reasons
show wireless stats client detail
show wireless client summary

- If still not resolved perform client debugging as described in : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , you can have client debugs analyzed with : https://cway.cisco.com/wireless-debug-analyzer

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

zachhoiberg — Thu, 09 Mar 2023 19:04:38 GMT

I saw nothing on the radius server logs and no traffic hitting the radius server with a packet capture running on the server. We are using Windows NPS, not ISE.

In some more testing this week, Central Authentication is now working at a separate site with a stronger WAN connection. The testing setup used originally was using a cell router for its WAN. Additionally, on that weaker WAN connection, I would occasionally see the CAPWAP tunnels drop and re-establish, presumably due to that weaker connection. I have not seen the same behavior at the new site.

It could be that there is some hidden threshold that the test setup was not meeting that the new site now is, and I am waiting to hear more from TAC after reporting my latest findings.

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

gaurav mahajan1 — Mon, 24 Apr 2023 11:08:40 GMT

Any update from TAC

even i am observing the same issue

Authentication failed for client (70a8.d39b.f5c8) with reason (Cred Fail) on Interface capwap_90000010 AuditSessionID 0408FA0A000869CBB2E052E7 Username: host/d3187f91-6ca9-4969-ae54-9fe6e0015c2a.beig.birdseyeiglo.com

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

CSCO11177789 — Sun, 07 May 2023 17:54:22 GMT

same environment cisco 9800 and nps server as a radius side.

and taking similer logs like;

May 7 20:43:24: %SESSION_MGR-5-FAIL: Chassis 2 R0/0: wncd: Authorization failed or unapplied for client (0028.f88f.63f3) on Interface capwap_90000005 AuditSessionID F003320A0000011EF74F7F31. Failure reason: Authc fail. Authc failure reason: Cred Fail.

any update from tac ?

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

zachhoiberg — Mon, 08 May 2023 12:36:34 GMT

Nothing concrete, but I did update to 17.9.3 and tested the same configuration from a different site (with a stronger WAN signal, our test setup was using a cell modem for its primary connection), and I've been unable to replicate the same behavior since.

I'm unsure if it was simply the update to 17.9.3, the stronger WAN signal (as I was observing the CAPWAP tunnels occasionally timeout/drop from the test setup, which I have not seen since), or a combination of the two.

Do you guys also see the CAPWAP tunnels timing out within your logs periodically?

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

GEgishira — Thu, 18 May 2023 21:54:55 GMT

Hello All,

I was facing the same issue in my production environment, and just found a solution for my issue. I am working with a 9800-L Wireless Controller and NPS as our radius server.

After checking the logs on my failed authentication requests, I found that under the Authentication Details the request was calling the wrong Network Policy Name. We use a policy that grants us privilege 15 to cisco command lines, and that is what was being called. I moved my new policy ( the one I'm trying to get to work) above the one being called in processing order, and I was able to authenticate finally.

This was a unique situation, but I hope this info helps some.

回复： dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

TriAngel — Tue, 27 Jun 2023 04:38:39 GMT

我在现网也碰到了相同的问题，我检查了客户端证书，发现证书过期了，更新了证书后客户端就可以正常使用网络。

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

kiranraj — Tue, 16 Jan 2024 13:08:36 GMT

What is the known proper resolution for this issue? I am facing the same issue.

回复： dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

Uncle ZZL — Tue, 30 Jan 2024 06:11:06 GMT

请问你是更新ISE的证书吗？我不管用wlc做本地EAP认证，还是用ISE做raduis认证，都有这个问题。如果是WLC本地认证，是否有证书可以导出的呢？谢谢。

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

CiscoU9834 — Tue, 05 Mar 2024 21:01:01 GMT

I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Someone solved this?

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

nemrinoureddine — Thu, 07 Mar 2024 14:55:18 GMT

Hello,

In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.

> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 The value of this registry key can be 0xC0, 0x300, or 0xC00

Re: dot1x Clients can't get authenticated du to Cred Fail on Cisco 980

arvinvidal — Thu, 07 Mar 2024 16:13:42 GMT

Are you saying that this registry setting affects "cred fail" errors being described above?