Solved: cisco WLC radius authentication issue

fasalrman@gmail.com · ‎07-17-2019

Hi All,

currently iam working on a migration of Cisco wlc 2504 to 3504.

we are using radius authentication with windows NPS to authenticate clients. when i am trying to connect the SSID, computer prompt me to enter the user name and password. once i enter credential it show the certificate in which the thumb print is same as my server certificate used for NPS. once i connect, getting ip address through dhcp and client shows connected. NPS server log shows authentication granted access logs and.i can see the connected client in the wlc.

the issue is wlc generated SNMP trap as, AAA Authentication Failure for Client MAC: 00:24:d7:96:8c:38 UserName:test User Type: WLAN USER Reason: Authentication failed in the controller.

authentication succeeded and client got the ip address through dhcp and shows connected, still WLC showing authentication failure traps.

wlc model: cisco wlc 3504

software version: 8.5.131.0

access point model: cisco 1532e outdoor

what could be the possible issues?

attached screen shots

patoberli · ‎07-19-2019

Do you talk about the user 'test'?
Or do you mean the last line of the screenshot?

Have you added the new WLC IP (assuming it's not using the same addresses as the old one) as a Radius Client on NPS?
What is written in the Event Viewer under Security when you try to authenticate?
Which software version is running on the new WLC?

View solution in original post

Francesco Molino · ‎07-17-2019

Hi

I don't have any 3504 right now but can you share your ssid please or can you validate you have the exact same config between old and new wlc?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

fasalrman@gmail.com · ‎07-17-2019

Hi,

Thank you for the reply

kindly find the attached the ssid details

Francesco Molino · ‎07-18-2019

Thanks for sharing. Can you share the advanced tab config please? I would disable all extra features like Fast Transition to do the test and also enable the account radius in your ssid. Then, just for testing and to keep a config clean for troubleshooting, I would remove local and ldap from Authentication order protocols.

While authenticating, can you a run a debug on your WLC?

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

patoberli · ‎07-19-2019

Do you talk about the user 'test'?
Or do you mean the last line of the screenshot?

Have you added the new WLC IP (assuming it's not using the same addresses as the old one) as a Radius Client on NPS?
What is written in the Event Viewer under Security when you try to authenticate?
Which software version is running on the new WLC?

fasalrman@gmail.com · ‎07-19-2019

Hi All,

contacted cisco TAC and they concluded that when iam trying from my pc which is under my company domain, the first time NPS denied access to the client the first time it is using my own username to authenticate, after 9 seconds the event viewer shows NPS granted access to the client by using the provided username and password.

Tried with mobile and another workstation which is under workgroup no errors were there in WLC

fasalrman@gmail.com · ‎07-19-2019

Hi All,

Contacted Cisco TAC and they concluded that when iam trying from my pc which is under my company domain, the first time NPS denied access to the client the first time it is using my own username to authenticate, after 9 seconds the event viewer shows NPS granted access to the client by using the provided username and password.

Tried with mobile and another workstation which is under work group no errors were there in WLC

patoberli · ‎07-19-2019

Yeah, normal behaviour for domain joined devices. You can create a group policy with the correct profile settings to work around that.