We have just installed a new 9800-CL controller on ESXi to replace old 4400 controllers. We have connected a single 9115AXI in the lab for testing. The new controller connects to RADIUS on the same Cisco Secure ACS 18.104.22.168.10 as the old controllers.
So far, the SSIDs that support EAP-TLS and PSK are working fine, but older clients running LEAP or PEAP will not connect. We have disabled Fast Transition on the WLAN Layer 2 security with no change.
Laptops connect fine with EAP-TLS.
Cisco 8821 phones connect fine with PEAP.
Cisco 7921 phones fail with both LEAP and PEAP. (WLC reports no response from client).
Dell/Wyse C10 thin clients fail with both LEAP and PEAP. (Nothing in WLC log, client reports fail to associate, err=18).
All work fine on the 4400 controllers with the same SSID and security settings, so I assume the problem is not with the ACS configuration.
Are there other settings I need to change on the WLC to enable backwards-compatibility?
Thank you for any insights.
I failed to find documentation, but to me these protocols are no longer supported on the WLC. By the way, 4400 to 9800 is a huge move!!
-If I helped you somehow, please, rate it as useful.-
Thanks for replying. The issue for the C10 thin clients turned out to be a mismatch between the supported speeds on the client and the mandatory speeds in the RF policy. With that resolved, they are able to connect with LEAP and PEAP.
So the problem with the phones is something else. I suspect they may not recognize the EAPOL version 3 advertised by the WLC.
I read somewhere that some older clients reject offers of newer EAPOL versions instead of negotiating down. I don't know if this is what is going on, but it seems like a possible cause.
But we've decided that we really should be retiring these old phones anyway, so we are going to go ahead and upgrade them along with the infrastructure.
Thanks for the feedback.