04-08-2024 12:52 PM - edited 04-08-2024 01:18 PM
I'm trying to migrate from Cisco 5520 WLC to Cisco 9800 WLC. I configured the WLAN with 802.1x and the AP is in FlexConnect mode.
When the client is trying to connect I see it associate with the WLC, but then it gets stuck in authenticating status. I'm not seeing anything on the ISE side, meaning nothing reaches ISE. I'm not seeing the client get an IP either. WLC logs show the client being deleted with the reason L2AUTH_CONNECT_TIMEOUT. It seems like it might all be related to DHCP.
WLC - 9800 version 17.9.4a
Switch - 9300 version 17.9.4a
WLC only has the Management/AP Management SVI VLAN 5. Clients are using VLAN 100 which is only a layer 2 VLAN on the WLC. The switch has IP helpers for VLAN 100. The Policy only has Central Authentication enabled.
Edit: Added client trace output
04-08-2024 03:13 PM
What are the model of APs?
04-08-2024 03:13 PM - edited 04-08-2024 03:14 PM
The AP model is C9120AXI-B
04-08-2024 03:28 PM - edited 06-12-2024 04:14 PM
Disable and re-enable the SSID. IF the clients are able to connect after that then it could be CSCwi18057/CSCwk17514.
04-08-2024 07:45 PM
It doesn’t look like I’m hitting that bug. I’m not seeing those error logs.
I did go ahead and make the SSID PSK and the client was able to grab an IP and connect without issues. So I have something funky with my 802.1x config(s).
04-09-2024 01:04 AM
Sorry, can you check if you can ping the RADIUS server from the AP, since you use FlexConnect?
MHM
04-09-2024 10:04 AM
I can ping from the AP to the RADIUS server:
<AP>#ping <RADIUS IP>
Sending 5, 100-byte ICMP Echos to <RADIUS IP>, timeout is 2 seconds
PING <RADIUS IP>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20.580/20.958/21.818 ms
04-09-2024 12:46 AM
- Have the attached client trace analyzed with: Wireless Debug Analyzer
If that one doesn't work, then use client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity and use those as input for Wireless Debug Analyzer.
A summarizing view of client behavior can be obtained from: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
- Important: have a checkup of your 9800 WLC configuration with the CLI command show tech wireless and feed the output from that into: Wireless Config Analyzer
M.
04-09-2024 12:10 PM
Since you mentioned that "The Policy only has Central Authentication enabled", your authentication is supposed to be done via the controller. It looks like you are missing some AAA configuration.
Have you defined the aaa authentication method using the correct RADIUS group and server?
Have you mapped the authentication method in the WLAN profile?
If yes, can you verify reachability of the RADIUS servers and their status in the WLC?
04-09-2024 01:18 PM - edited 04-09-2024 08:08 PM
I did confirm I could reach the RADIUS server from the WLC, the AP, and the switch the WLC is connected to, which also has the SVIs for the client networks. I mapped the authentication method in the WLAN profile.
I have been able to get it to work. I believe the issue was the aaa authentication config. I went back through the 802.1x WLAN guide for the 9800.
04-09-2024 09:29 PM - edited 04-09-2024 09:34 PM
So an update... I narrowed down my issue.
The radius/ISE server is configured to authenticate users on the 802.1x WLAN with MSCHAPv2 or PEAP (EAP-TLS). When the client auth side is set to MSCHAPv2 the client isn't able to authenticate or even get an IP, but when I change the client side network auth to PEAP (EAP-TLS) Machine Auth it works as expected.
I did notice that when the client was failing to authenticate while configured for MSCHAPv2, under Client Information > General > Security it did not show an EAP type.
04-09-2024 09:37 PM
CSCwf14041: C9120 stops forwarding EAP-Identity-Request to client intermittently
CSCwh68219: 91xx AP not processing EAP-TLS server Hello
CSCwi75798: 9120 didn't receive/transfer EAP response
04-09-2024 09:47 PM
Yikes…
Definitely matching for the first and last bug. I'll double check if changing it to PEAP helps at all.
04-10-2024 10:41 AM
I changed to PEAP-MSCHAPv2 and it worked. Which makes it sound like I was hitting CSCwf14041. I changed back to EAP-MSCHAPv2 and now that works.
04-10-2024 04:01 PM
@Chris Terry wrote:
I changed back to EAP-MSCHAPv2 and now that works.
EAP will work temporarily and then it will stop when the process crashes in the AP.
An alternative fix is to regularly/daily reboot the AP. Some people use EEM (or PI script) to reboot the AP.
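For the scheduled-reboot workaround mentioned above, here is an added example of an IOS-XE EEM applet on the 9800 (not from this thread or from Cisco); it assumes the AP is named AP_NAME (a placeholder) and a 03:00 controller-time schedule.

```cisco
! Added example, not from the thread: EEM cron applet on the 9800 that
! resets one AP every day at 03:00 controller time. AP_NAME is a placeholder
! for the AP name shown in "show ap summary".
event manager applet DAILY_AP_RESET
 event timer cron cron-entry "0 3 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "ap name AP_NAME reset"
 action 3.0 syslog msg "DAILY_AP_RESET: reset issued to AP_NAME"
```

A reset drops every client on that AP, so pick a time outside business hours; this only papers over the AP-side EAP issue until the software carrying the fix for the listed bug IDs is deployed.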