Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
0
Helpful
9
Replies

Cisco router cannot pass 802.1x traffic

studmuffin
Level 1
Level 1

‎09-29-2022 10:37 PM

is there any special settings i have to do on a cisco router if i want to get 802.1x working on a cisco router on a stick everything works on the network except that when i do test aaa radius on the cisco wlc i get radius server unresponsive the wlc can ping the server and it persists with or without windows firewall there is no acl's on the cisco router and dhcp relay is configured and working with ip help-addresses pointing at the dhcp server i just cant seem to get it to work i had it working when my pfsese firewall was doing router on a stick but now i am using my cisco 2901 for speed reasons

0 Helpful
9 Replies 9

Haydn Andrews
VIP Alumni
VIP Alumni

‎09-29-2022 10:49 PM

you talking for radius auth for the WLC. You need a RADIUS server (ISE, Microsoft NPS etc). The router wont work as the authenticator.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
0 Helpful

studmuffin
Level 1
Level 1
In response to Haydn Andrews

‎09-29-2022 11:04 PM

I know but the access point controller gets no response from the windows server nps it is set up correctly with the same setup that i had working before but the wlc cant comunicate with the server but there is no firewall in between or acl's and the wlc can ping the windows server

0 Helpful

Rich R
VIP
VIP

‎10-03-2022 04:56 AM

What WLC?
What version of software?
Can ping the server from which interface? (maybe not the same interface the radius is originated from)
You can do debugs on WLC and packet captures on router to see what's happening.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

studmuffin
Level 1
Level 1
In response to Rich R

‎10-03-2022 08:23 AM

WLC is 2504 

version of software is  wlc 8.5.161.0 the software of the router  Version 15.7(3)M5 and the network policy server is windows server 2019

the wlc can ping both its default gateway the default gateway server and the server itself 

can u be nice and get me the commands  i need to run?

0 Helpful

MHM Cisco World
VIP
VIP
In response to studmuffin

‎10-03-2022 09:34 AM

friend I think you add management IP in AAA, and router do NAT and change this IP and hence the AAA refuse the radius packet. 
you need to add NAS-ID to your radius packet toward AAA server, and use this NAS-ID in AAA.
NAS-ID not change during NAT.

0 Helpful

Rich R
VIP
VIP

‎10-03-2022 09:24 AM

"show interface summary" to get the name of the client interface
ping <server ip> "client interface name"
debug aaa all
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211342-packet-captures-on-aireos-wlc.html
As the server runs Windows you can use Wireshark for packet capture on server side: https://www.wireshark.org/#download

 

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

studmuffin
Level 1
Level 1
In response to Rich R

‎10-03-2022 09:33 AM

do i run these on the cisco router or on the wlc?

0 Helpful

Rich R
VIP
VIP

‎10-03-2022 10:09 AM

Those are all WLC commands.
You can also do packet capture on the router: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html#anc10

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

studmuffin
Level 1
Level 1
In response to Rich R

‎10-03-2022 10:20 AM

I will get her done later

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card