Solved: Cisco C9800 wlc AP C9105AXI-A Radius auth issue

hadi123 · ‎10-17-2024

Hi, I'm having an issue with the C9800 controller and AP C9105AXI-A. We have two sites, each with a WLC. We tested the failover when the AP switches from the secondary WLC, but the RADIUS authentication for the WLAN is not able to authenticate users.

Flavio Miranda · ‎10-19-2024

@hadi123

Are your WLCs in HA SSO or they are standalone WLC in N + 1?

If you are facing radius issue probably you have N +1. Make sure both WLC is added to the Radius server. Connect one AP to the secondary WLC and make sure you can make it work after failover tests.

View solution in original post

Rich R · ‎10-20-2024

Are you sure you added the correct WLC IP address?
Did you define the source IP address for radius to use or if not what interface is the WLC using to reach the radius?
It might not be using the IP address you think it is.
You could also do a packet capture to confirm.
Also have you taken account of the CoA which is on a different UDP port - have you added the radius IP to "aaa server radius dynamic-author"?

Also just because ping is working doesn't mean you have allowed the radius and CoA packets in your ACLs and firewalls - have you checked those?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Haydn Andrews · ‎10-20-2024

Login to the RADIUS server

Pull the logs for the client trying to authenticate, it generally will tell you the failure reason. Post it here.

You can also use this test command from the WLC CLI
test aaa group tacacs+ <Username> <password> new-code

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

View solution in original post

balaji.bandi · ‎10-18-2024

what is the logs show, have you added both WLC Controller to NAD in the ISE or radius ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

hadi123 · ‎10-18-2024

Yes, i have added it to the radius, it is pingable from devices such as wlc and Access point.

balaji.bandi · ‎10-18-2024

i mean to say did you added both WLC IP address and Virtual IP to Radius ?

Since you are testing, Failback to Active unit and compare the configuration, make sure both the devices have License correct.

what is the Logs or Errors you see on WLC and Radius Server ?

is this Physical or virtual - and what code running : (reference deployment guide - i am sure you come across this)

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-1/deployment-guide/c9800-ha-sso-deployment-guide-rel-17-1.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

hadi123 · ‎10-18-2024

Okay, will check on this. Thanks.

Rich R · ‎10-20-2024

Are you sure you added the correct WLC IP address?
Did you define the source IP address for radius to use or if not what interface is the WLC using to reach the radius?
It might not be using the IP address you think it is.
You could also do a packet capture to confirm.
Also have you taken account of the CoA which is on a different UDP port - have you added the radius IP to "aaa server radius dynamic-author"?

Also just because ping is working doesn't mean you have allowed the radius and CoA packets in your ACLs and firewalls - have you checked those?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Mark Elsen · ‎10-18-2024

>...but the RADIUS authentication for the WLAN is not able to authenticate users.
- What happens then ? Can you also check the logs of the radius server and see if there are any authenticating attempts ?

Also validate the configuration on both WLC's (primary and secondary) by using the CLI command
show tech wireless (not simple 'show tech') and feed the output from that into Wireless Config Analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

hadi123 · ‎10-18-2024

Okay, noted on this. Thanks.

Flavio Miranda · ‎10-19-2024

@hadi123

Are your WLCs in HA SSO or they are standalone WLC in N + 1?

If you are facing radius issue probably you have N +1. Make sure both WLC is added to the Radius server. Connect one AP to the secondary WLC and make sure you can make it work after failover tests.

hadi123 · ‎10-22-2024

Yes, N + 1 is our set up.

Will do your recommendation, will get back to you as soon as I get the results.

Thanks.

Haydn Andrews · ‎10-20-2024

Login to the RADIUS server

Pull the logs for the client trying to authenticate, it generally will tell you the failure reason. Post it here.

You can also use this test command from the WLC CLI
test aaa group tacacs+ <Username> <password> new-code

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***