01-17-2023 02:57 AM
Hi!
Clients cannot join our dot1x SSIDs. We get the messages below on our WLC 9800:
WLC1#
Jan 17 10:46:44.155: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (ee23.093e.5580) with reason (Cred Fail) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1 Username:
Jan 17 10:46:44.155: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (ee23.093e.5580) on Interface capwap_90000002 AuditSessionID 1964900A000006A7BF56A2A1. Failure reason: Authc fail. Authc failure reason: Cred Fail.
Our platform is: Cisco IOS Software [Bengaluru], C9800 Software (C9800_IOSXE-K9), Version 17.6.4, RELEASE SOFTWARE (fc1)
Would you please guide me on what the remedy is?
Best regards
Farkhan
01-29-2024 10:11 PM
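Did you update the ISE certificate? I have this problem whether I use the WLC for local EAP authentication or ISE for RADIUS authentication. If it is WLC local authentication, is there a certificate that can be exported? Thank you.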
01-16-2024 05:08 AM
What is the known proper resolution for this issue? I am facing the same issue.
03-05-2024 01:01 PM
I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Has someone solved this?
03-07-2024 06:55 AM
Hello,
In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.
> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
The value of this registry key can be 0xC0, 0x300, or 0xC00.
03-07-2024 08:13 AM
Are you saying that this registry setting affects "cred fail" errors being described above?
03-07-2024 08:20 AM
We are also experiencing the same issues. Clients will lose connectivity and cannot reconnect. Over-the-air pcaps and traces indicate "%DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (xxxx.5ba3.xxxx) with reason (Cred Fail)...". The odd part is that ISE does not receive any AAA requests at all. No attempts are logged in RADIUS Live Logs. The AP and controller seem to be issuing the credential failure on their own. We've had a TAC case open since Nov 2023.
Any input from the community will be much appreciated.
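An added example, not part of any post in this thread: a small Python parser for the `%DOT1X-5-FAIL` lines quoted above that counts failures per client and lists the audit session IDs that never show up on the RADIUS side, which is the mismatch several posters describe. It assumes you can obtain the set of audit session IDs your RADIUS server logged; the function names, sample lines, MACs and session IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the %DOT1X-5-FAIL line format quoted in this thread.
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL: .*?Authentication failed for client \((?P<mac>[0-9a-fx.]+)\) "
    r"with reason \((?P<reason>[^)]+)\) on Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)\s+Username:\s*(?P<user>\S*)",
    re.IGNORECASE,
)

def parse_failures(lines):
    """Return one dict per %DOT1X-5-FAIL line; other messages are skipped."""
    return [m.groupdict() for m in map(DOT1X_FAIL.search, lines) if m]

def summarize(lines, radius_seen_sessions):
    """Group failures by client MAC and list sessions the RADIUS server never logged.

    radius_seen_sessions: set of audit session IDs taken from the RADIUS
    server's own logs (assumed input; no export format appears in the thread).
    """
    seen = {s.upper() for s in radius_seen_sessions}
    report = defaultdict(lambda: {"attempts": 0, "empty_username": 0, "wlc_only": []})
    for f in parse_failures(lines):
        entry = report[f["mac"].lower()]
        entry["attempts"] += 1
        if not f["user"]:          # the first post's log line has an empty Username field
            entry["empty_username"] += 1
        if f["sid"].upper() not in seen:
            entry["wlc_only"].append(f["sid"])
    return dict(report)

# Constructed sample lines in the thread's format; MACs and session IDs are made up.
SAMPLE_LOG = [
    "Jan 01 10:00:00.000: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0200.0000.0001) with reason (Cred Fail) on Interface capwap_90000002 AuditSessionID 0A00000100000001AAAAAAAA Username: ",
    "Jan 01 10:00:00.000: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (0200.0000.0001) on Interface capwap_90000002 AuditSessionID 0A00000100000001AAAAAAAA. Failure reason: Authc fail. Authc failure reason: Cred Fail.",
    "Jan 01 10:00:05.000: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0200.0000.0001) with reason (Cred Fail) on Interface capwap_90000002 AuditSessionID 0A00000100000002AAAAAAAA Username: alice",
    "Jan 01 10:01:00.000: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0200.0000.0002) with reason (Cred Fail) on Interface capwap_90000003 AuditSessionID 0A00000100000003AAAAAAAA Username: bob",
]
SAMPLE_RADIUS_SESSIONS = {"0A00000100000003AAAAAAAA"}  # constructed

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG, SAMPLE_RADIUS_SESSIONS).items():
        print(mac, info)
```

A client whose `wlc_only` list is non-empty failed on the controller without a matching record on the RADIUS server, so the failure was decided before or without a server-side log entry.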
03-10-2024 08:43 PM
Hello, Is the problem solved finally?
03-30-2024 12:03 AM
Our network environment has this same issue.
Did you solve this issue?
11-27-2024 06:32 AM
Hey Arvinvidal, is the issue resolved in your environment? Is the TAC case still open, and what did they suggest? Which IOS version are you running?
03-15-2024 03:25 AM
Hello,
Yes, the problem has been solved for me. The problem was definitely in Windows 11, possibly in some people with Windows 10 too. To solve this problem, please follow these steps:
To add EAP-TTLS 1.3 to the Windows registry, you typically need to modify registry entries related to network authentication protocols. However, please be cautious when making changes to the registry, as incorrect modifications can cause system instability or other issues. Here's a general guide on how you might proceed:
Open Registry Editor: Press Windows Key + R, type regedit, and press Enter to open the Registry Editor.
Navigate to the Correct Key: Navigate to the appropriate key for your network authentication settings. Typically, this is located at:
Add a New Subkey: Right-click the key, then select New > Key. Name this new key TTLS.
Add Protocol Version: Within the TTLS key, create a new DWORD (32-bit) value. Name it Tlsversion.
Set Protocol Version: Double-click on the Tlsversion value you just created and set its value data to "ofc0". This value represents EAP-TTLS version 1.3.
Save Changes: Close the Registry Editor and restart your computer for the changes to take effect.
04-04-2024 12:58 AM
03-20-2024 09:16 PM
I encountered the same issue in my case. When I tested logging in with my phone (Android and iOS), there were no logs on the WLC and NPS. However, when I tested with my PC, logs appeared on the NPS, but the username was incorrect. It used the host/computer name instead of the domain/username. I’m not sure if you’ve experienced a similar event.
And I found something strange. On the same day when this issue occurred, my syslog didn’t receive any logs from the Wireless LAN Controller (WLC) until today. It appears that the WLC has stopped sending logs to my syslog server.
03-30-2024 01:32 AM
Is there any solution for this issue?
07-09-2024 12:11 PM
We have the same issue. A WLC9800-L (v17.9.5) doesn't authenticate an iPhone client; we got these logs on the WLC:
Jul 9 18:31:10.101: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (aaaa.bbbb.cccc) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07. Failure reason: Authc fail. Authc failure reason: Cred Fail.
Jul 9 18:31:10.101: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (aaaa.bbbb.cccc) with reason (Cred Fail) on Interface capwap_90000034 AuditSessionID 084114AC0003176298C38A07 Username: xxxxxx
The WLC used to authenticate the iPhone (iOS 17.5.1) without problems. No logs are written on Cisco ISE nor Windows AD. A credential and MAC must be met in order to be authenticated in Cisco ISE. Only new connections from iPhones (Android devices work) to this SSID are having problems.
If you enable private Wi-Fi address on the iPhone, an error log is successfully created in Cisco ISE (which is correct); otherwise no logs are recorded. It seems like the WLC doesn't send anything to Cisco ISE.
If someone has a clue for this behavior, I will appreciate it.