02-13-2025 04:19 AM
Hey Guys,
We have an AAA override WLAN on the 9800 that communicates with ISE, and ISE then sends the VLAN name to put users in the correct VLANs according to the policies on ISE.
I have configured a new virtual WLC cluster on ESXi and now I'm trying to test out the SSIDs.
However, I'm not able to get RADIUS working on this particular new cluster.
I'm always getting errors:
Failure reason: Authc fail. Authc failure reason: AAA Server Down.
which are self-explanatory: the WLC is not able to communicate with AAA (ISE) via RADIUS.
We're using OOB mgmt via the mgmt-intf port, and have properly defined VRF usage within the AAA servers (defined VRF and also source intf) and also for the CoA. Anyway, it doesn't work with the standard WMI either, as we tried that as well.
What I have checked:
- IP connectivity (or rather RADIUS over UDP) is there, nothing blocks the traffic. When I do test-aaa to RADIUS (ISE) from the WLC and do a TCP dump on the ISE side, I can see requests coming from the WLCs and ISE sending them back. On the WLC I can see them arriving (I get a user rejected message)
- Network device is added to ISE; I've tried re-adding it and changing the secret
- AAA servers are defined on the WLC with the correct secrets (for CoA as well), since I temporarily use cleartext
- Authentication method list (dot1x) is defined for ISE as a server group
- Authentication method list is referenced in the SSID security settings
- AAA override is enabled on the policy profile
- Changing the source interface from the Mgmt-intf VRF to WMI (and changing the IP of the network device within ISE as well)
Nothing works... and I'm pulling my hair out.
I would appreciate some tips on how to handle this issue, since I'm out of options as of now.
WLC is version 17.12.4 (9800-CL), ISE is version 3.1.0.518
02-13-2025 04:38 AM
Try the below:
1- use NAT type ISE
2- check if ISE and the WLC use the same RADIUS ports
3- make sure there is no FW blocking the RADIUS port and CoA (1700)
MHM
02-13-2025 04:56 AM
We have another (physical) 9800 cluster, albeit on another segment, working perfectly fine with the same ISE nodes, with the exact same configuration.
CoA should be fine; anyway, when I check TCP dumps on ISE, nothing arrives from users connecting to the SSID. The only thing I can see coming to ISE is when I use the "test aaa" command.
I usually had troubles like these when there was a misconfiguration in the AAA method list (dot1x auth method list missing), but not this time.
02-13-2025 04:58 AM
Can I see the L2/L3 security you use?
Also the AAA radius group and AAA server config
in the WLC 9800
MHM
02-13-2025 05:45 AM
aaa authentication dot1x ISE_RAD_AUTH group ISE_RAD_GRP
aaa group server radius ISE_RAD_GRP
 server name ISE_psn1
 server name ISE_psn2
 ip vrf forwarding Mgmt-intf
 ip radius source-interface GigabitEthernet1
 deadtime 5
 mac-delimiter hyphen
!
aaa server radius dynamic-author
 client ip.of.first.psn vrf Mgmt-intf server-key testradius1
 client ip.of.first.psn vrf Mgmt-intf server-key testradius1
!
radius server ISE_psn1
 address ipv4 IP.of.psn1 auth-port 1812 acct-port 1813
 key testradius1
!
radius server ISE_psn2
 address ipv4 IP.of.psn2 auth-port 1812 acct-port 1813
 key testradius1
!
SSID config:
wlan ssid-name 2 ssid-name
 no bss-transition
 ccx aironet-iesupport
 dot11ax target-waketime
 dot11ax twt-broadcast-support
 no mu-mimo
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 scan-report association
 scan-report roam
 no security ft adaptive
 security dot1x authentication-list ISE_RAD_AUTH
 no shutdown
I mean, it's nothing obscure; I have configured dozens of WLCs with dot1x and AAA override with ISE, and never had a problem like this.
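To make the "user rejected" observation from the test-aaa check concrete, here is an added, self-contained example (not the poster's config, not Cisco or ISE code) that builds a PAP Access-Request the way a NAS does, lets a stand-in for the PSN answer it, and then validates the reply's Response Authenticator with the NAS's own secret. The point it shows: a reply is only counted as a reply if its Response Authenticator checks out against the shared secret, so a secret that differs between the WLC and ISE produces a reply that the NAS must silently discard, which to the NAS looks the same as no answer at all. The user database, the identifier 7 and the second secret are constructed for the demo; the secret testradius1 is the one from the config above. Message-Authenticator and EAP are left out to keep the exchange minimal.

```python
"""Minimal RADIUS (RFC 2865) PAP exchange with Response Authenticator validation."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user database for the stand-in server (assumption, not from the thread).
USERS = {"alice": "pw1"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Walk the attribute list; refuse malformed lengths instead of reading past the end."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def _pap_xor(data: bytes, secret: bytes, req_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # chaining always uses the ciphertext block
    return out


def build_access_request(ident: int, username: str, password: str, secret: bytes, req_auth=None):
    """What the NAS (WLC) sends: random Request Authenticator, User-Name, hidden User-Password."""
    req_auth = req_auth or os.urandom(16)
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, _pap_xor(padded, secret, req_auth, decrypt=False))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def simulate_server(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for the PSN: decode the PAP credentials, answer Accept/Reject, sign the reply."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    pwd = _pap_xor(hidden, secret, req_auth, decrypt=True).rstrip(b"\x00").decode(errors="replace")
    reply_code = ACCESS_ACCEPT if users.get(user) == pwd else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def verify_response(packet: bytes, req_auth: bytes, secret: bytes, expected_ident: int):
    """What the NAS does on receipt: drop anything whose authenticator does not verify."""
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or ident != expected_ident:
        return False, "length/identifier mismatch"
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "Response Authenticator invalid (shared secret mismatch?)"
    return True, CODE_NAMES.get(code, f"code {code}")


def run_check(client_secret: bytes, server_secret: bytes, username: str, password: str):
    """Run one request/reply round trip in-process and return the NAS's verdict."""
    req, req_auth = build_access_request(7, username, password, client_secret)
    reply = simulate_server(req, server_secret, USERS)
    return verify_response(reply, req_auth, client_secret, expected_ident=7)


if __name__ == "__main__":
    print("same secret, good password :", run_check(b"testradius1", b"testradius1", "alice", "pw1"))
    print("same secret, bad password  :", run_check(b"testradius1", b"testradius1", "alice", "nope"))
    print("secret mismatch            :", run_check(b"testradius1", b"otherSecret", "alice", "pw1"))
```

The third case is the one worth keeping in mind while troubleshooting: a PSN with a different secret still sends a packet (which a capture on ISE will show), but the WLC cannot validate it and treats the exchange as unanswered, which is how a secret problem can surface as "AAA Server Down" rather than as a reject.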
02-13-2025 05:00 AM
- Start with a basic check of the 9800-CL controller's configuration using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.
Use the full command denoted in green, do not use show tech for this.
M.
02-13-2025 07:52 AM
Since it is ESXi, I would personally spin up another 9800-CL and only set up one interface. You never know if something broke initially, but if you have access, you might as well spin a new one up. If you can put a machine on the same VLAN, you can also use NTRadPing to test auth like PEAP.
02-14-2025 02:15 AM
Thanks Scott, unfortunately I cannot spin up any VMs by myself since this is a prod vSphere environment.
I might try it in my lab, but I don't have a clustered vSphere deployment, only a single ESXi node.
02-14-2025 07:08 AM
That shouldn't matter; having another instance so you can test is valuable. On the 9800 you can do a capture: go to Troubleshooting and then Packet Capture. I'm assuming for a CL you can do that also.
02-14-2025 04:22 AM
BTW, is it possible to do a packet capture on Gi1 from the WLC itself?
I always wondered how to capture packets going through the dedicated L3 OOB mgmt interface (even on the HW WLC). Is it even possible to do it on the device itself without needing to do some kind of SPAN on the switch?
thx