04-08-2024 12:52 PM - edited 04-08-2024 01:18 PM
I'm trying to migrate from Cisco 5520 WLC to Cisco 9800 WLC. I configured the WLAN with 802.1x and the AP is in FlexConnect mode.
When the client is trying to connect, I see it associate with the WLC, but then it gets stuck in authenticating status. I'm not seeing anything on the ISE side, meaning nothing reaches ISE. I'm not seeing the client get an IP either. WLC logs show the client being deleted with the reason L2AUTH_CONNECT_TIMEOUT. It seems like it might be all related to DHCP.
WLC - 9800 version 17.9.4a
Switch - 9300 version 17.9.4a
WLC only has the Management/AP Management SVI VLAN 5. Clients are using VLAN 100 which is only a layer 2 VLAN on the WLC. The switch has IP helpers for VLAN 100. The Policy only has Central Authentication enabled.
Edit: Added client trace output
04-12-2024 10:57 AM
If it uses PEAP-MSCHAPv2 instead of EAP-MSCHAPv2 would it still run into that issue, or is it EAP as a whole that eventually has issues?
04-12-2024 04:31 PM
@Chris Terry wrote:
is it EAP as a whole that eventually has issues?
It is an AP "buffer" thing. It will work, usually after a reboot, and when the buffer gets filled up, things go wrong and the multi-CPU of the AP is not fast enough to flush the buffer, so "sometimes it may work" and may not.
04-10-2024 01:59 AM
Can I see the policy set, authc policy and authz policy you configured in ISE?
MHM