9800-CL Public Cloud - Flex with external/remote RADIUS server issues

Paccers
Level 1

Hi all,

Hitting a wall with an issue we're seeing and we're not sure if this is our configuration problem or misunderstanding the features.

We have a 9800-CL in public cloud on 17.9.5 code, we're aware you can only run in FlexConnect mode which is fine for us. What we are wanting to do is keep switching, DHCP and dot1x authentication local to the remote LAN and just have CAPWAP management traffic between AP -> WLC. Our remote sites have AD/DHCP/RADIUS on their remote LAN.

We have gone through various docs and guides around configuring this and we have found that RADIUS Authentication specifically is working as intended. PCAPs show that the RADIUS auth is being sent between AP -> RADIUS server and passing fine. We are not seeing RADIUS Accounting requests come in after that though, 0 requests as if they are not being sent at all.

A bit more digging showed that the RADIUS Accounting requests are trying to be sent down to the remote LAN's RADIUS server via our WLC's WMI/L3 interface, which does not make much sense to us. The intention is to have both auth/accounting just flow between AP -> RADIUS server, and the auth element is working as intended.

AAA > Auth method list is set to dot1x/group and AAA > Accounting method list is set to identity.
Central switch/auth/DHCP are all off in the policy profile.

We have tried pointing and not pointing to the Accounting method list under Policy Profile > Advanced > AAA Policy > Accounting List with no change to the behaviour.

Also for reference we're running legacy Aironet APs only, a mix of models but majority 3702i and 2802i models.

Are we missing something really obvious? Any help would be appreciated!

10 Replies

marce1000
VIP

  - Start with a checkup and/or validation of the 9800-CL configuration using the command
    show tech wireless and feed the output from that into Wireless Config Analyzer.
    Reminder: use the command as shown in green; it does not work with only show tech, nor with just show tech-support.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hey @marce1000 I've put the config through WCAE and no config items are highlighted relating to dot1x or AAA for the WLAN. The only related entry is a RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD log entry where it marks the remote RADIUS server dead because our firewall is blocking the unexpected UDP/1813 traffic from WLC down to the remote site.

  - And is that intended to remain in place, the particular firewall setting? If so, why?

 M.




Well in theory the FW shouldn't be in the picture, the intention is to not have the RADIUS Accounting sourcing from the centrally-hosted WLC as the Authenticator. We want Acct to remain on the remote site LANs as is currently configured for RADIUS Auth.

  - For the time being I have no further insights concerning the behavior with Radius Accounting that you are seeing.
    Options could be to test with 17.12.3, which is now an advisory release too. The benefit being that any
    version of the 9800-CL can be downloaded for free and thus be used for testing, either locally or as a secondary
    controller in the cloud for testing purposes.

 M.




Does the AP use auth on the WLC or on the AP itself?

MHM

Rich R
VIP

Hi @Paccers 

I believe this is a bug - I just haven't got round to opening an SR for it because it does not seem to be service affecting, it's just an irritation.  Although I see the WLC trying to send the accounting (which is wrong) I still see the accounting being sent by the AP (which is correct) so everything is working as it should be.

I only became aware of the WLC trying to send the accounting when the config analyzer reported "AAA: High percentage of failed requests. Radius server(s): 1.2.3.4, 5.6.7.8"

Are you sure the AP is not sending the accounting?  I've just done a pcap and confirmed the APs are definitely sending the accounting correctly.  These are on 17.9.4 APSP6 at the moment.  I doubt any of the changes in 17.9.5 would have changed that behaviour.

I have:
aaa authentication dot1x <aaa-radius-group> group <aaa-radius-group>
aaa accounting identity <aaa-radius-group> start-stop group <aaa-radius-group>
wireless profile flex <flex profile name>
 local-accounting radius-server-group <aaa-radius-group>
 local-auth radius-server-group <aaa-radius-group>

Have you remembered to include those directives to local operation in the flex profile?

Hi @Rich R,

We managed to resolve our initial issue of not seeing any Accounting from the APs with that 'local-accounting radius-server-group <aaa-radius-group>' command. From the docs/vids we've looked into, it seems this used to be a GUI option in 17.3 but might only be a CLI option under 17.9? Interestingly, according to the 17.9 config guide (https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_flex_connect.html) we should still see the 'Local Accounting Radius Server Group' option in the Flex Profile > Local Authentication area.

Initial tests yesterday confirmed we're now getting Accounting coming in from both AP and WLC as you mentioned, strange! Another thing we noticed is that Called-Station-ID value that we defined on the WLC under AAA Advanced > Radius Attributes is not being honoured by the AP-sourced Accounting-Requests but they are honoured by WLC-sourced Accounting Requests.

Feels like a game of whac-a-mole at the moment!

@Rich R do you have any particular insight on called-station-id settings when using Flex w/ local authentication?

If we don't utilise central authentication, I'm guessing there is no way for us to define what is sent in the called-station-id value, as it doesn't flow via the WLC that would set this value to something like site-tag for example?

@Paccers I believe it will still take the config from the WLC global settings - where we have:
radius-server attribute wireless accounting call-station-id ap-name-ssid
radius-server attribute wireless authentication call-station-id ap-name-ssid
That appears to be working correctly for us even on the local auth APs but I haven't actually played around with changing it.
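As an added illustration (not code from this thread or from Cisco), here is a small Python check a defender could run over (source IP, UDP payload) pairs pulled from a capture like the ones discussed above: it parses RADIUS Accounting-Requests, records whether each was sent by an AP on the remote LAN or by the WLC, and flags whether Called-Station-Id uses the ap-name:ssid form that the global attribute config asks for rather than a MAC prefix. Addresses, AP name and SSID are constructed placeholders, and the Authenticator is not validated.

```python
import re
import struct

ATTR = {4: "NAS-IP-Address", 30: "Called-Station-Id", 40: "Acct-Status-Type"}
DECODE = {4: lambda r: ".".join(map(str, r)), 40: lambda r: struct.unpack("!I", r)[0]}
MAC_PREFIX = re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}(:|$)", re.I)  # "aa-bb-cc-dd-ee-ff:ssid"

def parse_radius(payload):
    """Parse a RADIUS UDP payload (RFC 2865/2866 framing) into code, id and an AVP dict."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20                        # skip the 16-byte Authenticator
    while pos < length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        raw = payload[pos + 2:pos + alen]
        attrs[ATTR.get(atype, f"Attr-{atype}")] = DECODE.get(atype, lambda r: r.decode("utf-8", "replace"))(raw)
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def build_acct_request(ident, nas_ip, called, status=1):
    """Constructed Accounting-Request (code 4); the Authenticator is zeroed and not validated here."""
    avps = bytes([4, 6]) + bytes(int(o) for o in nas_ip.split("."))
    avps += bytes([30, 2 + len(called)]) + called.encode()
    avps += bytes([40, 6]) + struct.pack("!I", status)
    return struct.pack("!BBH", 4, ident, 20 + len(avps)) + bytes(16) + avps

def audit_accounting(packets):
    """For each (src_ip, payload) that is an Accounting-Request, record the sender, the
    NAS-IP-Address it claims, and whether Called-Station-Id uses the ap-name:ssid form."""
    rows = []
    for src_ip, payload in packets:
        pkt = parse_radius(payload)
        if pkt["code"] != 4:
            continue
        called = pkt["attrs"].get("Called-Station-Id", "")
        rows.append({"src": src_ip, "nas": pkt["attrs"].get("NAS-IP-Address"),
                     "called": called, "ap_name_format": MAC_PREFIX.match(called) is None})
    return rows

# Constructed sample capture (placeholder addresses): one request sent by an AP on the
# remote LAN with a MAC-style Called-Station-Id, one sent by the WLC with ap-name:ssid.
SAMPLE = [
    ("10.10.20.5", build_acct_request(1, "10.10.20.5", "00-11-22-33-44-55:corp-wifi")),
    ("192.0.2.10", build_acct_request(2, "192.0.2.10", "ap-site1-01:corp-wifi")),
]
```

Rows whose src differs from the remote LAN's AP range point at WLC-sourced accounting; rows with ap_name_format False show which sender is ignoring the call-station-id attribute setting.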
