Solved: Cannot login to WLC 9800 GUI using Radius

Moudar · ‎10-23-2024

Hi,

We are currently using RADIUS (ISE) for authentication, and while we can successfully log into the CLI of our Cisco 9800 via the AAA server, we encounter a "Wrong Credentials. Please Login again." message when attempting to log into the GUI.

The logs on ISE indicate "5200 Authentication succeeded."

For reference, logging into the GUI using a local account works without any issues.

WLC#sh run | in http
ip http server
ip http secure-server
  destination transport-method http

so any ideas?

Moudar · ‎10-26-2024

This configuration works well:

aaa authentication login default group RADIUS_AUTH local line
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default-web group RADIUS_AUTH local
aaa authorization network default group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
 
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default-web

It needed to understand the concept of "Method lists"

View solution in original post

marce1000 · ‎10-23-2024

- Do you have the radius server configured to return av pair with priv levels 15 ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Moudar · ‎10-23-2024

do we need to add anything else ? for web auth.

Moudar · ‎10-23-2024

It works now adding "aaa authorization exec default group RADIUS_AUTH" to the aaa configuration

I don't realy understand why adding that line would allow aaa to GUI, when login to CLI it goes directly to #mode

Rich R · ‎10-24-2024

You should have a good read through https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Moudar · ‎10-26-2024

This configuration works well:

aaa authentication login default group RADIUS_AUTH local line
aaa authentication dot1x default group RADIUS_AUTH
aaa authorization exec default-web group RADIUS_AUTH local
aaa authorization network default group RADIUS_AUTH
aaa accounting exec default start-stop group RADIUS_AUTH
 
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default-web

It needed to understand the concept of "Method lists"