cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
24619
Views
20
Helpful
27
Replies

dot1x Clients can't get authenticated du to Cred Fail on Cisco 9800

FreddyJay
Level 1
Level 1

Hi!

clients cannot join our dot1x SSIDs. We get below messages in our WLC 9800:

WLC1#
Jan 17 10:46:44.155: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (ee23.093e.5580) with reason (Cred Fail) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1 Username: 
Jan 17 10:46:44.155: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (ee23.093e.5580) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1. Failure reason: Authc fail. Authc failure reason: Cred Fail.

 

our platform is: Cisco IOS Software [Bengaluru], C9800 Software (C9800_IOSXE-K9), Version 17.6.4, RELEASE SOFTWARE (fc1)

 

Would you please guide me what is the remedy?

Best regards

Farkhan

 

 

 

 

27 Replies 27

请问你是更新ISE的证书吗?我不管用wlc做本地EAP认证,还是用ISE做raduis认证,都有这个问题。如果是WLC本地认证,是否有证书可以导出的呢?谢谢。

kiranraj
Level 1
Level 1

What is the known proper resolution for this issue? I am facing the same issue. 

CiscoU9834
Level 1
Level 1

I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Someone solved this?

nemrinoureddine
Level 1
Level 1

Hello,

In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.

> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 The value of this registry key can be 0xC0, 0x300, or 0xC00

Are you saying that this registry setting affects "cred fail" errors being described above?

arvinvidal
Level 1
Level 1

We are also experiencing the same issues.  Clients will lose connectivity and cannot reconnect.  Over-the-air pcaps indicate and traces " %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (xxxx.5ba3.xxxx) with reason (Cred Fail)...".  The odd part is that ISE does not receive an AAA requests at all.  No attempts are logged in Radius Live Logs.   The AP and controller seem to be issuing the credential failure on their own.   We've had a tac case open since Nov 2023.  

Any input from the community will be much appreciated.

Hello, Is the problem solved finally?

Our network environment have same this issue ?
Did you solved this issue ?

nemrinoureddine
Level 1
Level 1

Hello,

Yes, the problem has been solved for me. The problem was definitely in Windows 11, possibly in some people with Windows 10 too. To solve this problem, please follow these steps:

To add EAP-TTLS 1.3 to the Windows registry, you typically need to modify registry entries related to network authentication protocols. However, please be cautious when making changes to the registry, as incorrect modifications can cause system instability or other issues. Here's a general guide on how you might proceed:

  1. Open Registry Editor: Press Windows Key + R, type regedit, and press Enter to open the Registry Editor.

  2. Navigate to the Correct Key: Navigate to the appropriate key for your network authentication settings. Typically, this is located at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
    1. Add a New Subkey: Right-click key, then select New > Key. Name this new key TTLS.

    2. Add Protocol Version: Within the TTLS key, create a new DWORD (32-bit) value. Name it Tlsversion.

    3. Set Protocol Version: Double-click on the Tlsversion value you just created and set its value data to "ofc0tlsversion.PNG". This value represents EAP-TTLS version 1.3.

    4. Save Changes: Close the Registry Editor and restart your computer for the changes to take effect.

I encountered the same issue in my case. When I tested login in with my phone(Android and IOS), there were no logs on the WLC and NPS. However, when I tested with my PC, logs appeared on the NPS, but the username was incorrect. It used the host/computer name instead of the domain/username. I’m not sure if you’ve experienced a similar event.

And I found something strange. On the same day when this issue occurred, my syslog didn’t receive any logs from the Wireless LAN Controller (WLC) until today. It appears that the WLC has stopped sending logs to my syslog server

Hai Bang Nguyen
Level 1
Level 1

Is there any solution for this issue ?

oscar-badilla
Level 1
Level 1

We have the same issue. A WLC9800-L (v17.9.5) doesnt authenticate iphone client, we got these logs in WLC:

Jul 9 18:31:10.101: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (aaaa.bbbb.cccc) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Jul 9 18:31:10.101: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (aaaa.bbbb.cccc) with reason (Cred Fail) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07 Username: xxxxxx

WLC used to authenticate the iphone (ios 17.5.1) without problems. No logs are written on Cisco ISE nor Windows AD. A credential and mac must to be met in order to be authenticated in Cisco ISE. Only new connections from iphones (android devices work) to this SSID are having problems.

If you enable private wifi address at iphone an error log is successfuly created in Cisco ISE (which is correct), other way none logs are recorded. It seems like WLC doesnt send anything to Cisco ISE.

If someone has clue for this behavior I will appreciate it.

 

Review Cisco Networking for a $25 gift card