11-15-2022 01:55 AM
Hey,
wlc c9800 with v17.9.1
So I have an issue where I run a WLAN with web authentication that points to a group of RADIUS servers. When I try to authenticate through the captive portal, I receive a reply that "authentication failed". The fun part is, radius logs claim that the request came and access has been granted within all correct policies and nas-id. Seems like wlc portal is not having it. I double checked if I have CoA, AAA override with NAC, all is enabled - still a no go. Could someone point me in the direction of what could be wrong?
11-15-2022 04:33 AM
- For starters, review the current 9800 configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/
M.
11-15-2022 06:55 AM
FYI I did run further debugging on the connection. Result was that apparently wlc was unable to parse attributes from radius access-accept, which resulted in State AUTHENTICATING -> AUTHC_FAIL [INVALID CREDENTIALS]
This is strange behavior, especially where I have another wlc, 8540 v8.10.x, running webauth on same radius and policy, yet has no such issues. As I had no time to figure out if it is software problem or radius server (MS), I pointed authentication to ISE and set up policy there, worked.
2022/11/15 11:01:43.440976005 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: parse VSA parts error
2022/11/15 11:01:43.440976532 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: convert VSA string; FAIL
2022/11/15 11:01:43.440977127 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: cisco VSA type 1; FAIL
2022/11/15 11:01:43.440977526 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: VSA; FAIL
2022/11/15 11:01:43.440978412 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: attribute Vendor-Specific; FAIL
2022/11/15 11:01:43.440979035 {wncd_x_R0-0}{1}: [radius] [23990]: (ERR): RADIUS/DECODE: parse response op decode; FAIL
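An added example, not part of the thread or Cisco's code: a structural check of the Vendor-Specific attributes (RFC 2865 type 26) in a captured Access-Accept, flagging Cisco vendor type 1 values that would not decode as a string pair. The `attribute=value` rule and all sample bytes are assumptions constructed for illustration; what the 9800 decoder actually rejected is not stated in the thread.

```python
import struct

CISCO, VENDOR_SPECIFIC, AVPAIR = 9, 26, 1  # Cisco enterprise id, RFC 2865 type 26, Cisco vendor type 1

def check_vsas(attrs):
    """Walk a RADIUS attribute section; return a list of VSA decoding problems."""
    problems, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            problems.append(f"offset {pos}: bad attribute length")
            break
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_type == VENDOR_SPECIFIC:
            problems += _check_cisco(attrs[pos + 2:pos + a_len], pos)
        pos += a_len
    return problems

def _check_cisco(value, off):
    """Validate the vendor sub-attributes inside one Vendor-Specific value."""
    if len(value) < 6:
        return [f"offset {off}: VSA too short for vendor id and sub-attribute"]
    if struct.unpack("!I", value[:4])[0] != CISCO:
        return []  # other vendors are out of scope here
    out, sub = [], value[4:]
    while sub:
        if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
            out.append(f"offset {off}: Cisco sub-attribute length does not fit")
            break
        v_type, data = sub[0], sub[2:sub[1]]
        text = data.decode("ascii", errors="replace")
        # Assumption: a cisco-avpair must be ASCII "attribute=value" ("*" marks optional)
        if v_type == AVPAIR and not (data.isascii() and any(s in text[1:] for s in "=*")):
            out.append(f"offset {off}: cisco-avpair {text!r} is not attribute=value")
        sub = sub[sub[1]:]
    return out

def build_vsa(data, vlen=None):
    """Build a Cisco type 1 VSA; vlen overrides the sub-attribute length byte."""
    body = struct.pack("!I", CISCO) + bytes([AVPAIR, len(data) + 2 if vlen is None else vlen]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed sample attributes, not taken from the thread
GOOD = build_vsa(b"url-redirect-acl=EXAMPLE_ACL")
NO_SEPARATOR = build_vsa(b"EXAMPLE_ACL")
BAD_LENGTH = build_vsa(b"a=b", vlen=10)

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("no separator", NO_SEPARATOR), ("bad length", BAD_LENGTH)]:
        print(name, check_vsas(raw) or "ok")
```

Feed `check_vsas` the bytes that follow the 20-byte RADIUS header of an Access-Accept from a packet capture to see which attribute the server built in a form a strict decoder would refuse.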
11-15-2022 07:33 AM
- Do the Wireless Analyzer procedure that I described anyway, it will give you lots of useful hints and configuration advice, and/or improvements (if found).
M.