
Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry
Level 1

I'm trying to migrate from Cisco 5520 WLC to Cisco 9800 WLC. I configured the WLAN with 802.1x and the AP is in FlexConnect mode.

When the client is trying to connect I see it associate with the WLC, but then it gets stuck in authenticating status. I'm not seeing anything on the ISE side, meaning nothing reaches ISE. I'm not seeing the client get an IP either. WLC logs show the client being deleted with the reason L2AUTH_CONNECT_TIMEOUT. It seems like it might be all related to DHCP.

WLC - 9800 version 17.9.4a
Switch - 9300 version 17.9.4a
WLC only has the Management/AP Management SVI VLAN 5. Clients are using VLAN 100 which is only a layer 2 VLAN on the WLC. The switch has IP helpers for VLAN 100. The Policy only has Central Authentication enabled. 

Edit: Added client trace output

17 Replies

If it uses PEAP-MSCHAPv2 instead of EAP-MSCHAPv2 would it still run into that issue, or is it EAP as a whole that eventually has issues?


@Chris Terry wrote:
is it EAP as a whole that eventually has issues?

It is an AP "buffer" thing.  It will work, usually after a reboot, and when the buffer gets filled up things go wrong and the multi-CPU of the AP is not fast enough to flush the buffer so "sometimes it may work" and may not. 

Can I see the policy set, authc policy, and authz policy you configured in ISE?

MHM
