Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
9824
Views
0
Helpful
7
Replies

cisco WLC radius authentication issue

Go to solution
fasalrman@gmail.com
Level 1
Level 1

‎07-17-2019 02:34 PM - edited ‎07-05-2021 10:43 AM

Hi All,

currently iam working on a migration of Cisco wlc 2504 to 3504.

we are using radius authentication with windows NPS to authenticate clients. when i am trying to connect the SSID, computer prompt me to enter the user name and password. once i enter credential it show the certificate in which the thumb print is same as my server certificate used for NPS. once i connect, getting ip address through dhcp and client shows connected. NPS server log shows authentication granted access logs and.i can see the connected client in the wlc.

the issue is wlc generated SNMP trap as, AAA Authentication Failure for Client MAC: 00:24:d7:96:8c:38 UserName:test User Type: WLAN USER Reason: Authentication failed  in  the controller.

authentication succeeded and client got the ip address through dhcp and shows connected, still WLC showing authentication failure traps.

wlc model: cisco wlc 3504

software version: 8.5.131.0

access point model: cisco 1532e outdoor

what could be the possible issues?

attached screen shots

1 person had this problem
Labels:
error wlc1.JPG
Preview file
49 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
patoberli
VIP Alumni
VIP Alumni

‎07-19-2019 07:34 AM

Do you talk about the user 'test'?
Or do you mean the last line of the screenshot?

Have you added the new WLC IP (assuming it's not using the same addresses as the old one) as a Radius Client on NPS?
What is written in the Event Viewer under Security when you try to authenticate?
Which software version is running on the new WLC?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎07-17-2019 09:10 PM

Hi

I don't have any 3504 right now but can you share your ssid please or can you validate you have the exact same config between old and new wlc?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
fasalrman@gmail.com
Level 1
Level 1
In response to Francesco Molino

‎07-17-2019 09:54 PM

Hi,

Thank you for the reply

kindly find the attached the ssid details

155.JPG
Preview file
70 KB
156.JPG
Preview file
42 KB
157.JPG
Preview file
45 KB
158.JPG
Preview file
29 KB
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to fasalrman@gmail.com

‎07-18-2019 08:34 AM

Thanks for sharing. Can you share the advanced tab config please? I would disable all extra features like Fast Transition to do the test and also enable the account radius in your ssid. Then, just for testing and to keep a config clean for troubleshooting, I would remove local and ldap from Authentication order protocols.

While authenticating, can you a run a debug on your WLC?

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni

‎07-19-2019 07:34 AM

Do you talk about the user 'test'?
Or do you mean the last line of the screenshot?

Have you added the new WLC IP (assuming it's not using the same addresses as the old one) as a Radius Client on NPS?
What is written in the Event Viewer under Security when you try to authenticate?
Which software version is running on the new WLC?
0 Helpful

Go to solution
fasalrman@gmail.com
Level 1
Level 1
In response to patoberli

‎07-19-2019 11:46 AM

Hi All,

contacted cisco TAC and they concluded that when iam trying from my pc which is under my company domain, the first time NPS denied access to the client the first time it is using my own username to authenticate, after 9 seconds the event viewer shows NPS granted access to the client by using the provided username and password.

Tried with mobile and another workstation which is under workgroup no errors were there in WLC 

 

0 Helpful

Go to solution
fasalrman@gmail.com
Level 1
Level 1
In response to patoberli

‎07-19-2019 11:47 AM

Hi All,

Contacted Cisco TAC and they concluded that when iam trying from my pc which is under my company domain, the first time NPS denied access to the client the first time it is using my own username to authenticate, after 9 seconds the event viewer shows NPS granted access to the client by using the provided username and password.

Tried with mobile and another workstation which is under work group no errors were there in WLC 

 

0 Helpful

Go to solution
patoberli
VIP Alumni
VIP Alumni
In response to fasalrman@gmail.com

‎07-19-2019 12:32 PM

Yeah, normal behaviour for domain joined devices. You can create a group policy with the correct profile settings to work around that.
0 Helpful
Review Cisco Networking for a $25 gift card
Top