Hi

Have you had any success with TAC so far? We seem to have a similar issue now in our environment..

Thanks

@Schulda you should start a new thread.  Majority of folks have a different setup and that makes a big difference.  Start a new thread and add as much information as possible.  Add what troubleshooting you have done, if this is a new setup or existing, has it worked before, is it with a specific device type or authorization type, etc.

I have not had any luck thus far. It seems like the EAP request is sent between the AP and the Controller during Central Authentication, and I see the username passing, but once that packet hits the Controller (which is nearly instantly), the controller doesn't forward it to the defined radius servers and marks it as a failed authentication attempt. 

I hope to get more information from TAC next week when I have more time to troubleshoot this further. Additionally, I'd like to state that I am using 2800 series APs for all of this testing, incase this happens to be a model specific issue. I will finally get some 9120s in next week for testing as well.

What error do you see on the radius server?  Are you using ISE?

I saw nothing on the radius server logs and no traffic hitting the radius server with a packet capture running on the server. We are using Windows NPS, not ISE.

In some more testing this week, Central Authentication is now working at a separate site with a stronger WAN connection. The testing setup used originally was using a cell router for its WAN. Additionally, on that weaker WAN connection, I would occasionally see the CAPWAP tunnels drop and re-establish, presumably due to that weaker connection. I have not seen the same behavior at the new site.

It could be that there is some hidden threshold that the test setup was not meeting that the new site now is, and I am waiting to hear more from TAC after reporting my latest findings.

            @zachhoiberg      >...seeing the same issue...
                           Did you also check the same advisories :
                     >....Authc fail. Authc failure reason: Cred Fail.
 - The reason(s) seems obvious , client credentials are incorrect, if you have backend radius authenticating server(s) , then check the radius logs too.
   You may also find these commands useful on the 9800 controller  :
                   show wireless stats client delete reasons
                   show wireless stats client detail
                   show wireless client summary 

    Also review the 9800   configuration with the CLI command : show  tech   wireless , have the output analyzed by  https://cway.cisco.com/tools/WirelessAnalyzer/  , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer.               Checkout all advisories!

- If still not resolved perform client debugging as described in : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , you can have client debugs analyzed with : https://cway.cisco.com/wireless-debug-analyzer

 M.

Nothing concrete, but I did update to 17.9.3 and tested the same configuration from a different site (with a stronger WAN signal, our test setup was using a cell modem for its primary connection), and I've been unable to replicate the same behavior since.

I'm unsure if it was simply the update to 17.9.3, the stronger WAN signal (as I was observing the CAPWAP tunnels occasionally timeout/drop from the test setup, which I have not seen since), or a combination of the two.

Do you guys also see the CAPWAP tunnels timing out within your logs periodically?