topic Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN in Wireless

Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Mon, 08 Apr 2024 20:18:58 GMT

I'm trying to migrate from Cisco 5520 WLC to Cisco 9800 WLC. I configured the WLAN with 802.1x and the AP is in FlexConnect mode.

When the client is trying to connect I see it associate with the WLC, but then it gets stuck in authenticating status. I'm not seeing anything on the ISE side meaning nothing reaches ISE. I'm not seeing the client get an IP either. WLC logs show the client being deleted with the reason L2AUTH_CONNECT_TIMEOUT. It seems like it might be all related to DHCP

WLC - 9800 version 17.9.4a
Switch - 9300 version 17.9.4a
WLC only has the Management/AP Management SVI VLAN 5. Clients are using VLAN 100 which is only a layer 2 VLAN on the WLC. The switch has IP helpers for VLAN 100. The Policy only has Central Authentication enabled.

Edit: Added client trace output

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Leo Laohoo — Mon, 08 Apr 2024 22:13:07 GMT

What are the model of APs?

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Mon, 08 Apr 2024 22:14:12 GMT

The AP model is C9120AXI-B

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Leo Laohoo — Wed, 12 Jun 2024 23:14:48 GMT

Disable and re-enable the SSID. IF the clients are able to connect after that then it could be CSCwi18057/CSCwk17514.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Tue, 09 Apr 2024 02:45:17 GMT

It doesn’t look like I’m hitting that bug. I’m not seeing those error logs.

I did go ahead and make the SSID PSK and the client was able to grab an IP and connect without issues. So I have something funky with my 802.1x config(s)

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Mark Elsen — Tue, 09 Apr 2024 07:46:58 GMT

- Have the attached client trace analyzed with : Wireless Debug Analyzer
If that one doesn't work then use client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity and use those as input for Wireless Debug Analyzer
A summarizing view of client behavior can be obtained from : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

- Important : have a checkup of your 9800 WLC configuration with the CLI command show tech wireless and feed the output from that into : Wireless Config Analyzer

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

MHM Cisco World — Tue, 09 Apr 2024 08:04:16 GMT

Sorry can you check if you can ping radius server from AP since you use flex connect.

MHM

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Tue, 09 Apr 2024 17:04:12 GMT

I can ping from the AP to the radius server

<AP>#ping <RADIUS IP>
Sending 5, 100-byte ICMP Echos to <RADIUS IP>, timeout is 2 seconds

PING <RADIUS IP>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20.580/20.958/21.818 ms

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

PSM — Tue, 09 Apr 2024 19:10:42 GMT

Since you mentioned that "The Policy only has Central Authentication enabled", your authentication is supposed to be done via controller. It looks you are missing some AAA configuration.

Have you defined aaa authentication method using the correct radius group and server ?

Have you mapped authentication method in WLAN profile ?

If yes, can you verify reachability of radius servers and status in WLC.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Wed, 10 Apr 2024 03:08:38 GMT

I did confirm I could reach the radius server from the WLC, AP, and switch the WLC was connected which also has the SVIs for the client networks. I mapped the authentication method in the WLAN profile.

I have been able to get it to work. I believe the issue was the aaa authentication config. I went back through the 802.1x WLAN guide for the 9800.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Wed, 10 Apr 2024 04:34:04 GMT

So an update... I narrowed down my issue.

The radius/ISE server is configured to authenticate users on the 802.1x WLAN with MSCHAPv2 or PEAP (EAP-TLS). When the client auth side is set to MSCHAPv2 the client isn't able to authenticate or even get an IP, but when I change the client side network auth to PEAP (EAP-TLS) Machine Auth it works as expected.

I did notice when the client was failing to authenticate while configured for MSCHAPv2 under the client information > General > Security it did not show an EAP type

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Leo Laohoo — Wed, 10 Apr 2024 04:37:22 GMT

CSCwf14041: C9120 stops forwarding EAP-Identity-Request to client intermittently

CSCwh68219: 91xx AP not processing EAP-TLS server Hello

CSCwi75798: 9120 didn't receive/transfer EAP response

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Wed, 10 Apr 2024 04:47:13 GMT

Yikes…

Definitely matching for the first and last bug. I’ll double check if it changing it to PEAP helps at all.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

MHM Cisco World — Wed, 10 Apr 2024 08:59:07 GMT

Can I see

Policy set and authc policy and authz policy you config in ISE.

MHM

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Wed, 10 Apr 2024 17:41:19 GMT

I changed to PEAP-MSCHAPv2 and it worked. Which makes it sound like I was hitting CSCwf14041. I changed back to EAP-MSCHAPv2 and now that works.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Leo Laohoo — Wed, 10 Apr 2024 23:01:08 GMT

@Chris Terry wrote:
I changed back to EAP-MSCHAPv2 and now that works.

EAP will work temporarily and then it will stop when the process crashes in the AP.

An alternative fix is to regularly/daily reboot the AP. Some people use EEM (or PI script) to reboot the AP.

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry — Fri, 12 Apr 2024 17:57:07 GMT

If it uses PEAP-MSCHAPv2 instead of EAP-MSCHAPv2 would it still run into that issue, or is it EAP as a whole that eventually has issues?

Re: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Leo Laohoo — Fri, 12 Apr 2024 23:31:25 GMT

@Chris Terry wrote:
is it EAP as a whole that eventually has issues?

It is an AP "buffer" thing. It will work, usually after a reboot, and when the buffer gets filled up things go wrong and the multi-CPU of the AP is not fast enough to flush the buffer so "sometimes it may work" and may not.