Cisco router cannot pass 802.1x traffic

studmuffin
Beginner

Is there any special setting I have to do on a Cisco router if I want to get 802.1X working with a Cisco router on a stick? Everything works on the network except that when I do "test aaa radius" on the Cisco WLC I get "RADIUS server unresponsive". The WLC can ping the server, and it persists with or without Windows Firewall. There are no ACLs on the Cisco router, and DHCP relay is configured and working with ip helper-addresses pointing at the DHCP server. I just can't seem to get it to work. I had it working when my pfSense firewall was doing router on a stick, but now I am using my Cisco 2901 for speed reasons.

9 Replies

Haydn Andrews
Engager

You're talking about RADIUS auth for the WLC. You need a RADIUS server (ISE, Microsoft NPS etc.). The router won't work as the authenticator.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

I know, but the access point controller gets no response from the Windows Server NPS. It is set up correctly with the same setup that I had working before, but the WLC can't communicate with the server. There is no firewall or ACLs in between, and the WLC can ping the Windows server.

Rich R
VIP Advisor

What WLC?
What version of software?
Can ping the server from which interface? (maybe not the same interface the radius is originated from)
You can do debugs on WLC and packet captures on router to see what's happening.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Recommended
WARNING - see CSCwd37092 Throughput degraded after upgrading to code 8.10.181.0/17.3.6 - 2800/3800/4800 series
- The fix for CSCwd37092 is now released in 8.10.183.0 and
- For IOS-XE 17.3.6 select controller model, go to IOS XE Software AP Service Pack, select CSCwd40096 17.3.6 APSP2
Field Notice: FN-63942 Lightweight APs and WLCs Fail to Create CAPWAP Connections Due to Certificate
                      Expiration - Software Upgrade Recommended
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
                     After 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.183.0 and 17.3.6 APSP5 (APSP_CSCwd83653)
                     Also fixed in 8.5.182.7 (8.5 mainline) and 8.5.182.105 (8.5 IRCM) if you can't upgrade to 8.10
                     Note that 8.10.181.0 and 8.10.182.0 have been deferred (withdrawn) and are effectively unsupported by Cisco
___________________________________________
Richard R

WLC is 2504.

The version of software is WLC 8.5.161.0, the software of the router is Version 15.7(3)M5, and the Network Policy Server is Windows Server 2019.

The WLC can ping both its default gateway, the default gateway server, and the server itself.

Can you be nice and get me the commands I need to run?

Friend, I think you added the management IP in AAA, and the router does NAT and changes this IP, and hence the AAA refuses the RADIUS packet.
You need to add NAS-ID to your RADIUS packet toward the AAA server, and use this NAS-ID in AAA.
NAS-ID does not change during NAT.
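As an added illustration of the NAT point in the reply above (example code, not from the thread or from any Cisco or Microsoft software): a simplified model of a RADIUS server matching an Access-Request to its configured clients. It encodes a minimal RFC 2865 Access-Request, parses the TLV attributes, and shows that a lookup keyed on the packet's source IP fails once NAT rewrites that IP, while the NAS-Identifier attribute carried inside the packet still matches. Addresses, names and the client table are constructed; shared-secret and Message-Authenticator validation is deliberately omitted.

```python
import struct
import secrets

ACCESS_REQUEST = 1                      # RFC 2865 packet code
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_NAS_ID = 1, 4, 32   # attribute types

def build_access_request(user: str, nas_ip: str, nas_id: str, ident: int = 7) -> bytes:
    """Encode a minimal Access-Request: 20-byte header followed by TLV attributes."""
    attrs = b"".join(
        struct.pack("!BB", t, 2 + len(v)) + v       # length covers type+len+value
        for t, v in (
            (ATTR_USER_NAME, user.encode()),
            (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
            (ATTR_NAS_ID, nas_id.encode()),
        )
    )
    authenticator = secrets.token_bytes(16)          # Request Authenticator: 16 random octets
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(pkt: bytes) -> dict:
    """Walk the attribute list after the header; returns {type: raw value}."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:                # reject truncated/overlapping TLVs
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return attrs

def identify_client(src_ip: str, pkt: bytes, clients: list) -> tuple:
    """clients: constructed table of {'name', 'ip', optional 'nas_id'} entries.
    First try the IP the server actually saw (what NAT rewrites), then the
    NAS-Identifier inside the packet (what NAT leaves alone)."""
    for c in clients:
        if c["ip"] == src_ip:
            return c["name"], "source-ip"
    nas_id = parse_attributes(pkt).get(ATTR_NAS_ID, b"").decode(errors="replace")
    for c in clients:
        if c.get("nas_id") and c["nas_id"] == nas_id:
            return c["name"], "nas-identifier"
    return None, f"no client for src {src_ip} / NAS-Identifier {nas_id!r}"

# Constructed scenario: WLC management IP 10.10.20.5, NAT'd by the router to 192.0.2.1.
CLIENTS = [{"name": "WLC-2504", "ip": "10.10.20.5", "nas_id": "wlc2504"}]
REQUEST = build_access_request("alice", "10.10.20.5", "wlc2504")
print(identify_client("10.10.20.5", REQUEST, CLIENTS))   # direct path: matched by IP
print(identify_client("192.0.2.1", REQUEST, CLIENTS))    # NAT path: matched by NAS-Identifier
```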

Rich R
VIP Advisor

"show interface summary" to get the name of the client interface
ping <server ip> "client interface name"
debug aaa all
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211342-packet-captures-on-aireos-wlc.html
As the server runs Windows you can use Wireshark for packet capture on server side: https://www.wireshark.org/#download


Do I run these on the Cisco router or on the WLC?

Rich R
VIP Advisor

Those are all WLC commands.
You can also do packet capture on the router: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html#anc10


I will get her done later
