09-14-2022 07:25 PM
Hi all,
I have a question about my FlexConnect C9105AXI-K, which is not able to perform local authentication when the remote office is disconnected from the EWC C9105AXI-K in HQ. I checked the policy profile and found that Central Authentication under "WLAN Switching Policy" could not be disabled. I am having difficulty connecting clients to the wireless SSID when the remote office is disconnected from HQ.
I would appreciate some advice: is there any CLI command that I can use to disable central authentication, or does my EWC C9105AXI-K support local authentication?
Thank you for your kind assistance.
09-15-2022 03:19 AM
- Check whether this thread contains hints: https://community.cisco.com/t5/wireless/cisco-wlc-flex-connect-ssid-radius-authentication-when-wlc-is/td-p/3792394
M.
09-17-2022 04:38 AM - edited 09-17-2022 04:40 AM
Not sure if it is supported - flex feature matrix suggests that it should be.
There is definitely a problem with that toggle on the web interface - I'd say it's a bug. If it wasn't supported that should not be shown at all.
But you can change it on CLI in the policy profile (the profile must be disabled/shutdown before you can change it):
C9120AXI-WLC#sh run | sec Test
wireless profile policy Test
 no central association
 no central authentication
 no central dhcp
 no central switching
 description "Test local auth"
 dhcp-tlv-caching
 http-tlv-caching
 no shutdown
C9120AXI-WLC#
You'll have to try it and test it ...
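Added example, not part of the original post and not Cisco tooling: a small Python check that reads pasted "show run" output and reports, per policy profile, which of the four central features are still left on the controller and whether the profile contains "no shutdown". It assumes a feature that is not negated in the output is still central; the sample input is constructed from the profile above plus a made-up "Branch" profile.

```python
import re

CENTRAL = ("association", "authentication", "dhcp", "switching")
HEADER = re.compile(r'^wireless profile policy\s+"?([^"]+?)"?\s*$')
SECTION_END = re.compile(r'^(wireless |!|\S+#)')  # next section, separator or CLI prompt
SETTING = re.compile(r'^(no )?central (\w+)$')

def audit_policy_profiles(config_text):
    """Map each policy profile to its central/local flags and 'no shutdown' state."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # works for indented and flattened pastes
        header = HEADER.match(line)
        if header:
            # Assumption: a 'central ...' feature not negated in the output is still central.
            current = profiles.setdefault(header.group(1), {
                "central": dict.fromkeys(CENTRAL, True), "enabled": False})
        elif current is None or not line:
            continue
        elif SECTION_END.match(line):
            current = None
        elif line in ("shutdown", "no shutdown"):
            current["enabled"] = line == "no shutdown"
        else:
            setting = SETTING.match(line)
            if setting and setting.group(2) in CENTRAL:
                current["central"][setting.group(2)] = setting.group(1) is None
    return profiles

def still_central(profile):
    """Features that still depend on the controller for this profile."""
    return [name for name in CENTRAL if profile["central"][name]]

# Constructed sample: the "Test" profile from the thread plus a made-up "Branch" profile.
SAMPLE = '''C9120AXI-WLC#sh run | sec Test
wireless profile policy Test
 no central association
 no central authentication
 no central dhcp
 no central switching
 description "Test local auth"
 no shutdown
wireless profile policy "Branch"
 no central switching
 shutdown
wireless tag policy "Test"
 wlan "Test Wireless SSID" policy "Test"
'''

if __name__ == "__main__":
    for name, prof in audit_policy_profiles(SAMPLE).items():
        print(name, "enabled" if prof["enabled"] else "shutdown", still_central(prof) or "all local")
```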
09-21-2022 12:10 AM
Hi rrudling,
Thank you for your advice. I am now able to disable "central authentication" in the policy profile, but after disabling it I am still facing an issue connecting my handheld to the wireless network when the AP is in flex mode (disconnected from the controller).
I would appreciate your expertise on any possible mistake or misconfiguration.
09-21-2022 12:46 AM
09-21-2022 12:49 AM
Besides, I have attached some configuration under the profile:
wireless profile policy "Test"
 no central association
 no central authentication
 no central dhcp
 no central switching
 description "Test"
 no shutdown
wireless tag policy "Test"
 description "Test"
 wlan "Test Wireless SSID" policy "Test"
policy-tag "Test"
09-21-2022 01:56 AM
My only other suggestion is to upgrade to 17.6.4 and, if it is still not working, then open a TAC case. It might be that they decided not to support "local auth" since the EWC is designed to sit on the same LAN/VLAN as the rest of the APs, so it wouldn't really make much sense. EWC is not designed to work remotely (even though it does), so I suspect the way you're using it is not supported.
09-21-2022 12:32 AM
What type of authentication are you using?
What version of software are you using?
Do you have tag persistence enabled?
10-05-2022 02:51 AM
Hi rrudling,
The authentication in use was WPA2+PSK (AES), and tag persistence was enabled on the wireless controller.
The version currently in use was 17.6.1b, and I found that there was a bug in this version that will be resolved from 17.6.2 onwards, as below. Unfortunately, I am not able to access/view the bug ID.
CSCvy41272: Cisco IOS XE 17.6: 11k on FlexConnect mode is not working as expected.
I tried configuring "no central authentication", "no central association", "no central dhcp" and "no central switching", but it is still not working. I would appreciate some expert advice on this.
10-05-2022 06:09 AM
CSCvy41272 is hidden for some reason so only TAC can give you the detail.
So you can:
1. Try upgrading to 17.6.4 or 17.9.1
2. Check your config on https://cway.cisco.com/wireless-config-analyzer/ using output of "show tech wireless"
3. Contact Cisco TAC
11-12-2022 01:32 AM
Managed to resolve the issue by setting fast transition to "enabled" instead of the default "adaptive enabled".