topic Re: Local Authentication Server does not update policy on AP in Wireless

Local Authentication Server does not update policy on AP

Toy Thompson — Fri, 31 Oct 2025 08:57:21 GMT

I have a Cisco 9800 WLC running 17.12.5 and I have 1 central site (local mode APs where the WLC resides) and about 10 remote sites with APs in FlexConnect Mode and Local Authentication. Each remote site has a local authentication server with the authentication server at the central site as the backup.
At some of the remote sites local authentication works 100%, but at some sites it does not. I have verified the Policy Profile, Flex Profile and Site Tags at the "non-working" sites and compared them to the working sites and they are exactly the same except for Name and IPs which are specific to the site.
Clients at the "non-working" sites authenticate with the servers at the central site and not the server locally to the site. If we remove the backup authentication server all together clients at the non-working site still authenticate with the central site authentication server. We have verified "Central DHCP", "Central Authentication" & "Central Switching" are all disabled

Re: Local Authentication Server does not update policy on AP

Mark Elsen — Fri, 31 Oct 2025 09:15:22 GMT

- @Toy Thompson Verify the controller's configuration with the CLI command : show tech wireless
and feed the output from that into Wireless Config Analyzer
Use the full command as outlined in green , it does not work with show tech-support

Re: Local Authentication Server does not update policy on AP

Toy Thompson — Mon, 03 Nov 2025 08:58:53 GMT

Hi Mark. I have analyzed the output of the command with the analyzer. The analyzer did not provide any issues relating to the configuration of the profiles. I also manually compared the various profiles and tags in the analyzer itself and they are all pretty much identical except for the native and client vlans of the different sites. what did stand out is that the config analyzer only reports authentication information going to and from the backup aaa server however we validated the clients actually authenticate to the local aaa servers for remote sites that are working but no traffic shows for any of the remote site aaa servers?

Re: Local Authentication Server does not update policy on AP

Mark Elsen — Mon, 03 Nov 2025 13:04:49 GMT

- @Toy Thompson Then you will have to debug the "none-working" clients according to :
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
These resulting debugs , so called RadioActive Traces can be analyzed with:
Wireless Debug Analyzer

Re: Local Authentication Server does not update policy on AP

srimal99 — Wed, 05 Nov 2025 10:06:31 GMT

Are you using ISE as authenitcation server , have to check the policy rules ?