Unable to Log into WLC

DeeReal_99
Level 1

Hello,

I am having an issue logging into my C9800L WLC due to an expired PAC. Issue exists both at the CLI and the GUI. ISE(2.7) and DNA(2.2.3.5) are also throwing connection errors. Does anyone have any insight on how to resolve this issue?

Thanks,

Daryl

 

Accepted Solution

Just wanted to update you that we managed to solve this with the support of the TAC team:

- We have access to the GUI as we added 2 separate admin accounts from day 1: one is used for GUI access and one for SSH and WLC EXEC configuration in ISE (Administration -- Network Device -- WLC).

Using the command prompt GUI in the WLC:

- We managed to reset the WLC device CTS credential using:

      clear cts credentials

- Then reassign the WLC device CTS password again (WLC device ID and password as shown in ISE):

      cts credentials id WLC-DEVICE-ID password PASSWORD

- Do a refresh for CTS and PAC:

      clear cts environment-data
      cts refresh pac

15 Replies

ammahend
VIP

Can you paste the exact error log?

-hope this helps-

Please see the screenshots I posted.

Thanks...

Arne Bier
VIP

If you have a local user account on the WLC then one trick I often use is to untick the TACACS (or RADIUS if RADIUS is used for device admin) in ISE for that particular device. Then the WLC loses comms with ISE for device admin and will be forced to use the local account for logins. Of course, you hope that the "aaa authentication" and "aaa authorization" commands were done right to include the "local" option - I suspect DNAC does provision aaa that way - give it a try.

As for the PAC - perhaps others can answer that - you can try to re-provision the device through DNAC - or, fix the aaa config yourself using shared secret instead of PAC.

PAC (as far as I know) is used by DNAC because it's a handy way to setup the CTS (Cisco Trust Sec) stuff in one go - if you don't use SDA/CTS then don't worry about PAC - just revert to using regular TACACS/RADIUS shared secret configs. 

Thanks for the Arne, I will try during our next maintenance window

DeeReal_99
Level 1

Here are some of the screenshots I took...

aghoush
Level 1

Hello Daryl,

I wonder if you can share how you managed to solve this, as I have the same issue: SSH CLI access to the WLC is not possible due to PAC expired, DNAC cannot provision the WLC due to this issue, all devices are supposed to renew the PAC automatically but it failed on the WLC.

I can access the WLC from the GUI but not through SSH CLI.

WLC OOB PAC showing expired in ISE (Network Devices).

Thanks

Anas

Hi aghoush,

Odd that you are able to access the GUI. When this happens, I am locked out of both GUI and CLI (odd because I am no guru..lol). The issue clears up after a reboot of the WLC. It grabbed a new PAC from ISE. I have an open TAC case to come up with a way to avoid this in the future. Unfortunately, syncing up with the Tech has been a chore. For the time being, my plan is to set up a reminder to renew the PAC 1 week prior to expiration. This will have to do until we can develop a more automated process.

And btw, I have not ventured down the path Arne recommended above as of yet. But will try at some point until we fully realize SDA.

 

I hope that helps.

But what is the root cause? (Sure the PAC is expired, should the 9800 not just auto renew it?)

Is there a BugID for this ?

Thanks

Thomas

stian.johansen
Level 1

We are also having this issue. We can only login to the WLC after a reboot. CLI and GUI won't work. CLI gives error message "PAC Expired"

Is there a bug on this? And how can we fix the root cause? 

Hi,

We have the same issue for the second time. 

Our setup is ISE 2.7 patch 8 and DNA 2.2.3.5

WLC upgraded to 17.03.07 since the previous episode of the issue.

So last time we had this issue PAC renewal failed on a second automated attempt.

Issue fixed the same way as this time with 

clear cts environment-data

cts refresh pac


22/03/2023 06:26 PM
## 1-st auto-renew:
Credential Lifetime: 19:58:30 BST Jun 20 2023
Refresh timer is set for 12w4d

## 2-nd auto-renew:
Credential Lifetime: 05:13:50 BST Aug 24 2023
Refresh timer is set for 9w5d

This failed on the second attempt. 

I have a TAC case open for this. I will post it here if we get the cause of the issue. 

Thanks,

Lucas
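The one-week reminder mentioned earlier in the thread, applied to the `Credential Lifetime` lines quoted in the post above; this is an added example, not part of any post and not Cisco code. The function names are hypothetical, the input is assumed to be text collected from the device (for instance the output of `show cts pacs`), and the time zone abbreviation is ignored, so `now` must be given in the device's local time.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches e.g. "Credential Lifetime: 19:58:30 BST Jun 20 2023" (format as quoted in the thread).
LIFETIME_RE = re.compile(
    r"Credential Lifetime:\s*(\d{2}):(\d{2}):(\d{2})\s+\S+\s+"
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})")


def parse_lifetimes(text):
    """Return every PAC expiry found in the text as a naive datetime.

    Assumption: the zone abbreviation (BST in the thread) is dropped, so the
    result is in the device's local time.
    """
    expiries = []
    for hh, mm, ss, mon, day, year in LIFETIME_RE.findall(text):
        if mon not in MONTHS:
            continue  # not a month name, skip the line
        expiries.append(datetime(int(year), MONTHS[mon], int(day),
                                 int(hh), int(mm), int(ss)))
    return expiries


def pac_state(expiry, now, warn=timedelta(days=7)):
    """Classify one PAC: 'expired', 'renew' (inside the warning window) or 'ok'."""
    if expiry <= now:
        return "expired"
    return "renew" if expiry - now <= warn else "ok"


def report(text, now, warn=timedelta(days=7)):
    """List (expiry, state) for each PAC lifetime in the collected text."""
    return [(e.isoformat(sep=" "), pac_state(e, now, warn))
            for e in parse_lifetimes(text)]


# Constructed sample: the two lifetimes quoted in the thread, as one capture.
SAMPLE = """\
Credential Lifetime: 19:58:30 BST Jun 20 2023
Refresh timer is set for 12w4d
Credential Lifetime: 05:13:50 BST Aug 24 2023
Refresh timer is set for 9w5d
"""

if __name__ == "__main__":
    for expiry, state in report(SAMPLE, datetime(2023, 6, 14, 12, 0)):
        print(expiry, state)
```

Run on a schedule against saved device output, a `renew` result is the cue to run `cts refresh pac` by hand before the lockout described in this thread occurs.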

woocash_m
Level 1

Hi,

So we got to the bottom of this with TAC. 

The issue is due to authentication events for WLC user in ISE not logged in the prrt-server.log.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi41440

 

 

We have the same issue with our WLC but also several switches. However, the conditions in the mentioned bug do NOT apply:

- No account disable policy

- No logging collection filter

However, the PAC file hasn't renewed automatically on several devices.

ben.posner
Level 1

I have the same issue with our DNA and ISE 3.2 setup. Have not found a resolution as yet.