WLC Fabric with 802.1X EAP (TLS) Delay to Authenticated

Heriberto Diaz · ‎11-28-2019

We have a PoC DNA with Fabric (WLC Fabric) + ISE. When a client connects to SSID Employees with 802.1X EAP (TLS) there is always a delay to access the network and sometimes it repeats until it is achieved.

We currently have the WLC outside the DNA topology connected to an access switch that is part of the production network and the AP is connected to an Edge Fabric.

All the equipment that is within the DNA topology is configured with radius and in ISE they are registered in the network devices section but ISE is out like a shared service so that to get to it, the packets have to leave the DNA topology and go through a SW Core (without Radius configuration) of the productive network. So we have the doubt if it is necessary that all path to the ISE (included SW_Core and Access of production network) must have configured the Radius and maybe this is the cause of delay to authenticated.

And the other question is whether as a best practice do we have the WLC connected to the Border?

Thanks and regards.

Dan Rowe · ‎12-06-2019

Hey Heriberto,

No specific radius configuration should be required on devices outside of the fabric which are in the path to ISE. I have seen similar behavior to yours in the past and often it was due to lack of jumbo frame support on the network devices in and outside of the fabric.

TAC can assist with performing the necessary packet captures to validate this. If you would like to go that route, please proceed with opening a TAC case.

With the traditional wireless LAN controllers (3504, 5520, 8540), it is recommended that the wireless LAN controller is connected outside of the fabric, directly to or past the fusion router. However, it is not uncommon to see the eWLCs (9300/9500) connected to the border node.

Best Regards,