02-04-2025 03:13 AM
I have two C9800-L-F controllers working in standalone configuration. They are both connected to ISE with their WMI addresses, 192.168.168.40 for the first and 192.168.168.43 for the second.
I intend to implement HA SSO (RMI + RP) for these devices, and I am following this guide:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220277-configure-high-availability-sso-on-catal.html
My plan is to use 192.168.168.41 and 192.168.168.42 as the RMI addresses for the two devices, respectively.
There is one thing in the procedure that is not explained very well, considering the AAA authentication. This note is from the guide: "Note: If you are using a AAA server, you need to add both the WMI IP address as well as the RMI IP address as AAA clients on your AAA server. The standby WLC always uses its RMI IP to authenticate SSH sessions. The active WLC uses both RMI and WMI to reach out to the AAA server."
As I understand it, I should add the new (RMI) addresses to ISE configuration for the controllers. But if I try to do so, I get an error on ISE: "Failed to create network device - trustSec.sgaCoaSupportType : CoA cannot be enabled for more than one device."
This means that I can't add a secondary IP for the controller in ISE.
My question is this: which IP should be configured in ISE for each device in the HA pair, the RMI (a different IP for each unit) or the WMI, which is a single IP for an HA pair? How can I specify the same WMI for both devices, when ISE does not allow more than one device with the same address?
Thanks,
Filip
02-04-2025 03:37 AM
- Simply use the WMI IP only; as far as the RMI is concerned, you could create another NAD in ISE with that address.
For the controller, always check out the intended configuration with the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.
Consider the use of the above procedure mandatory!
M.
02-04-2025 04:06 AM
Thank you for the prompt answer.
Just to be clear, should I have only one NAD in ISE with the WMI address which will serve both controllers?
Are the other two NADs with RMI addresses mandatory or optional?
Is it possible to have two objects (NADs) with two different IPs for the same device in ISE?
Thanks,
Filip
02-04-2025 04:19 AM
- Use one NAD with the WMI address only (the HA-standby controller is always inactive).
I would simply create the other 2 NADs anyway and check afterwards in the ISE logs whether they are used or not.
> Is it possible to have two objects (NADs) with two different IPs for the same device in ISE?
Yes, for ISE they are simply two different devices.
M.
02-04-2025 06:45 AM
In ISE, you can define one NAD for each device and, within that configuration, you can specify more than one IP address. No matter what, you should look at the RADIUS live logs or your TACACS live logs and make sure you see which NAD IP is sending the info. You should also take time to do a failover to make sure your RADIUS/TACACS is still working.
02-05-2025 02:30 AM
I get an error when I try to add a secondary IP address for a device in ISE. ("Failed to create network device - trustSec.sgaCoaSupportType : CoA cannot be enabled for more than one device.")
So I created one NAD with the WMI address and two more with the RMI addresses. As I can see from the live logs, all authentications are using the first NAD. The RMI NADs are not used.
Thank you for your help,
Filip
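The check described in the two posts above (look at the live logs, confirm which NAD IP the requests actually come from, and repeat after a failover) can be made repeatable with a small script. The following is an added example, not code from this thread, from Cisco, or from ISE. It assumes a CSV-style export of RADIUS live-log records with a NAS IP column (the real ISE export has different columns, so the parser would need adjusting), and it uses the WMI/RMI addresses from the thread as the defined NADs; the log lines are constructed.

```python
"""Constructed helper: which NAD address is really sending RADIUS traffic
for a Catalyst 9800 HA SSO pair, and which defined NADs are never used?"""
from collections import Counter

# Hypothetical NAD inventory, using the addresses from the thread:
# one shared WMI for the pair plus one RMI per unit.
NADS = {
    "WLC-HA-WMI": "192.168.168.40",
    "WLC1-RMI": "192.168.168.41",
    "WLC2-RMI": "192.168.168.42",
}

# Constructed sample of live-log records (assumed CSV shape, NOT ISE's real
# export format): timestamp, NAS IP address, username, result.
SAMPLE_LOG = """\
2025-02-05T08:00:01,192.168.168.40,user1,PASS
2025-02-05T08:00:05,192.168.168.40,user2,PASS
2025-02-05T08:01:10,192.168.168.40,user3,FAIL
2025-02-05T08:02:00,192.168.168.41,admin,PASS
2025-02-05T08:03:00,192.168.168.99,user4,PASS
"""


def parse_records(text):
    """Turn the CSV-style text into a list of (timestamp, nas_ip, user, result)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"unexpected record shape: {line!r}")
        records.append(tuple(fields))
    return records


def requests_per_nad(records, nads):
    """Count requests by NAD name; sources not defined as a NAD are reported
    as 'unknown:<ip>' so they stand out in the result."""
    ip_to_name = {ip: name for name, ip in nads.items()}
    counts = Counter()
    for _ts, nas_ip, _user, _result in records:
        counts[ip_to_name.get(nas_ip, f"unknown:{nas_ip}")] += 1
    return dict(counts)


def unused_nads(records, nads):
    """NADs that appear in the inventory but never sent a request in this log.
    After a forced failover the WMI should still be the only busy entry."""
    seen = {nas_ip for _ts, nas_ip, _u, _r in records}
    return sorted(name for name, ip in nads.items() if ip not in seen)


def unknown_sources(records, nads):
    """NAS IPs that sent requests but are not defined as a NAD at all;
    these would be rejected by ISE and deserve investigation."""
    known = set(nads.values())
    return sorted({nas_ip for _ts, nas_ip, _u, _r in records if nas_ip not in known})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("requests per NAD:", requests_per_nad(recs, NADS))
    print("unused NADs:", unused_nads(recs, NADS))
    print("unknown sources:", unknown_sources(recs, NADS))
```

Run it once against an export taken during normal operation and once against an export taken after a forced failover; if the WMI entry carries the traffic both times and the RMI entries stay in the unused list, the observation in the last post holds for your pair as well.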