cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

368
Views
10
Helpful
6
Replies
Beginner

Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Hello!

 

We have just installed a new 9800-CL controller on ESXi to replace old 4400 controllers.  We have connected a single 9115AXI in the lab for testing.  The new controller connects to RADIUS on the same Cisco Secure ACS 5.3.0.40.10 as the old controllers.

 

So far, the SSIDs that support EAP-TLS and PSK are working fine, but older clients running LEAP or PEAP will not connect.  We have disabled Fast Transition on the WLAN Layer 2 security with no change.

 

Laptops connect fine with EAP-TLS.

Cisco 8821 phones connect fine with PEAP.

Cisco 7921 phones fail with both LEAP and PEAP. (WLC reports no response from client).

Dell/Wyse C10 thin clients fail with both LEAP and PEAP. (Nothing in WLC log, client reports fail to associate, err=18).

 

All work fine on the 4400 controllers with the same SSID and security settings, so I assume the problem is not with the ACS configuration.

 

Are there other settings I need to change on the WLC to enable backwards-compatibility?

 

Thank you for any insights.

Gary

6 REPLIES 6
Highlighted
VIP Advisor

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Hi 

I failed to find a documentation but to me this protocols is no longer supported and the WLC. By the way, 4400 to 9800 is a huge move!!

 

 

-If I helped you somehow, please, rate it as useful.-

Beginner

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Hello Miranda,

Thanks for replying.  The issue for the C10 thin clients turned out to be a mismatch between the supported speeds on the client and the mandatory speeds in the RF policy.  With that resolved, they are able to connect with LEAP and PEAP.

So the problem with the phones is something else.  I suspect they may not recognize the EAPOL version 3 advertised by the WLC.

Regards,

Gary

VIP Advocate

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Can you do a 'client debug heremacaddressofclient' on the WLC and then try to connect? Please post the output here.
You maybe need to couple this with a 'debug aaa heresomeoptions' if the first one doesn't provide a lot of useful data.
Beginner

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Hello patoberli,

Thanks for replying.  It does not look like the 9800 has the "client" commands, so I captured with the "Radioactive Trace" in the GUI.

 

 

VIP Advocate

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

Sorry, forgot again that the 9800 is running a completely different software, which I sadly don't have any experience with.
Anyway, Authentication is Success, so that is good.Your radius sends various information back to the WLC, does for example the vlan interface 202 exist on your new WLC:

2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: User-Name [1] 10 "wptlcip1"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Framed-MTU [12] 6 1485
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Message [79] 15 ...
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Message-Authenticator[80] 18 ...
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Key-Name [102] 2 *
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=1B2011AC00000943258EBA96"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=805309191"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 13 "vlan-id=202"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-IP-Address [4] 6 172.17.29.8
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port-Id [87] 17 "capwap_90000002"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port [5] 6 10612
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Called-Station-Id [30] 31 "2c-4f-52-be-63-80:WackerVoice"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Calling-Station-Id [31] 19 "4c-00-82-85-e7-ae"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Airespace-WLAN-ID [1] 6 2
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 29 "cisco-wlan-ssid=WackerVoice"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Nas-Identifier [32] 11 "zptlwlc01"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Started 2 sec timeout
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Received from id 1812/131 172.17.2.18:0, Access-Challenge, len 89
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: authenticator 15 82 5f f5 77 89 dc 08 - a6 db 68 c0 df 93 22 bb
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: State [24] 43 ...
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Message [79] 8 ...
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Message-Authenticator[80] 18 ...

On the other hand I see those two lines:
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (ERR): MAC: 4c00.8285.e7ae Keymgmt: Failed to eapol key m3 retransmit failure. Max retries for M3 over
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (info): MAC: 4c00.8285.e7ae Keymgmt: eapol key failure. Sending client key exchange failure to auth fsm,reason code: 15

This could indicate a client driver issue or to weak signal, or of course a bug.
Beginner

Re: Older LEAP/PEAP clients won't connect to new 9800-CL controller.

I read somewhere that some older clients reject offers of newer EAPOL versions instead of negotiating down.  I don't know if this is what is going on, but it seems like a possible cause.

But we've decided that we really should be retiring these old phones anyway, so we are going to go ahead and upgrade them along with the infrastructure.

Thanks for the feedback.

CreatePlease to create content
Content for Community-Ad

August's Community Spotlight Awards