03-31-2024 11:49 PM - edited 03-31-2024 11:51 PM
Hello everyone.
This time, you need to establish a wireless environment using the WPA3-Enterprise security protocol.
The current physical connection configuration is like this:
C9500 (BB)-C9300(Middle)-C9800(WLC)
C9300-PoE(Uplink to C9300 Mid SW) > C9115AXI.
Radius server is in Server Network.
Test environment.
WLAN Policy and Protocol: Layer 2, Security Mode: WPA3
WPA Parameter: WPA3 Policy, Encryption: CCMP128, Auth Key MGMT: 802.1x-SHA256, FT + 802.1x
Tested wireless client: Samsung laptop.
Here is what has been confirmed so far:
1. Ran test aaa radius ... legacy on the C9800: the WLC CLI shows the phrase "authenticate success".
2. When attempting to connect to the SSID from an actual wireless client, the ID/PW prompt for RADIUS authentication appeared and the authentication completion log was confirmed on the RADIUS server, but the Wi-Fi connection failed.
3. Confirm that the DHCP IP of the VLAN for WPA3 is received from the C9300-PoE switch.
The current problem seems to be that the wireless client is not receiving an IP after authenticating with RADIUS.
The IP for the corresponding VLAN is received from the PoE switch that supplies power to the AP.
What causes can be assumed?
Could it be that the WPA3 protocol is not suitable for my wireless clients?
Thank you.
04-01-2024 03:52 AM
Have a checkup of the 9800 WLC configuration, for starters, with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
For testing, if you know to which AP a particular client will (not) connect (and/or in a test setup), issue this command first on the AP:
show ap client-trace events mac aa:bb:cc:01:02:03 (the latter MAC address must of course be changed to that of the client). Then, during the connecting process (and later), follow up on the outputs shown or check the logs on the AP.
- Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity ; these debugs can be analyzed with Wireless Debug Analyzer
- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful
- Check the controller software version and/or go for 17.9.5 if you are currently running an older version.
M.
04-10-2024 07:34 PM
Hello, thank you for your reply.
Checking with the show ap client-trace events mac (User MAC) command confirmed that there was no direct log from the AP. (A test log in which the password was entered incorrectly remained, but there was no log from a normal test.)
The result of the 'show radius statistics' command is attached as an image.
Also, only 3 lines of log came out of the 'debug wireless mac <Client_MAC>' command:
%Client_Exclusion_server-5-add-to-exclusionlist-reason-dynamic: Chassis 2 R0/0: wncmgrd: Client MAC: (MAC address of unknown device) was added to exclusion list associated with AP Name: (AP), BSSID:MAC: (AP), reason:Client Policy failure
We will post additional information about this and the packet capture performed on the C9800 WLC Webui after receiving the file.
In the current state, the RADIUS server displays a log indicating that access has been granted to the user normally.
The RADIUS server build and the RADIUS server settings on the C9800 seem to be fine.
But the wireless client doesn't get an IP, even though I activated the DHCP server on the NAC device and the Cisco BB device one by one.
Since the RADIUS server logs granting access, it doesn't look like any additional work is needed on RADIUS, correct?
Thanks marce1000.
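The exclusion-list message quoted in the post above is the one piece of controller evidence that explains why an authenticated client never gets as far as DHCP. The following is an added example, not code from this thread or from Cisco: it parses C9800 syslog/debug lines of that format, extracts client MAC, AP, BSSID and exclusion reason, and counts repeat exclusions per client so a troubleshooter can see at a glance whether the failure is policy-related rather than a RADIUS problem. The sample lines, MACs and AP names are constructed.

```python
import re
from collections import Counter

# Regex for the C9800 dynamic exclusion message, tolerant of the case and
# hyphen/underscore variants seen in syslog exports, and of Cisco dotted
# (aabb.cc01.0203) or colon-separated (aa:bb:cc:01:02:03) MAC notation.
MAC = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
EXCLUSION_RE = re.compile(
    r"%client_exclusion_server-5-add[-_]to[-_]exclusionlist[-_]reason[-_]dynamic:"
    r".*?client mac:\s*(?P<mac>" + MAC + r")\s+was added to exclusion list"
    r".*?ap name:\s*(?P<ap>[^,]+),\s*bssid:mac:\s*(?P<bssid>" + MAC + r")"
    r",\s*reason:\s*(?P<reason>.+?)\s*$",
    re.IGNORECASE,
)


def parse_exclusions(lines):
    """Return one dict (mac, ap, bssid, reason) per exclusion event found."""
    events = []
    for line in lines:
        m = EXCLUSION_RE.search(line)
        if m:
            events.append({k: v.strip() for k, v in m.groupdict().items()})
    return events


def summarize(events):
    """Count (client MAC, reason) pairs so repeatedly excluded clients stand out."""
    return Counter((e["mac"].lower(), e["reason"]) for e in events)


# Constructed sample log (not from the original post); MACs and AP names are fictitious.
SAMPLE_LOG = """\
*Apr 10 19:20:01.111: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 2 R0/0: wncmgrd: Client MAC: aabb.cc01.0203 was added to exclusion list associated with AP Name: AP-TEST-01, BSSID:MAC: 0011.2233.4455, reason:Client Policy failure
*Apr 10 19:20:05.222: %SYS-5-CONFIG_I: Configured from console by admin on vty0
*Apr 10 19:21:30.333: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 2 R0/0: wncmgrd: Client MAC: aabb.cc01.0203 was added to exclusion list associated with AP Name: AP-TEST-01, BSSID:MAC: 0011.2233.4455, reason:Client Policy failure
*Apr 10 19:22:00.444: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 2 R0/0: wncmgrd: Client MAC: aabb.cc01.9999 was added to exclusion list associated with AP Name: AP-TEST-02, BSSID:MAC: 0011.2233.4466, reason:Excessive 802.1x authentication failures
"""

if __name__ == "__main__":
    found = parse_exclusions(SAMPLE_LOG.splitlines())
    for (mac, reason), count in summarize(found).most_common():
        print(f"{mac}: excluded {count}x, reason: {reason}")
```

Feed it the output of `show logging` or the saved debug file instead of SAMPLE_LOG; a client that keeps appearing with "Client Policy failure" after a successful RADIUS Access-Accept points at the WLC policy profile or VLAN/DHCP path, not at the RADIUS server.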