Error in authentication
10-13-2022 08:29 AM
Starting this morning on my 9800 WLC I am receiving this error after logging in.
WH01-98K-WLC>enable
% Error in authentication.
There is no prompt for a password after the initial prompt. I have had no issues for months; this randomly started today. I can access the GUI and have elevated privileges, but not in CLI?
I have tried the following commands with no resolution:
no ip ssh server authenticate user keyboard
username <NAME> privilege 15 password 7 <PW>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
I attempted to reset the password from CLI in GUI and it won't change. I also created another admin account and get the same results.
10-13-2022 01:14 PM
Hi,
Do you have any command authorization enabled for this WLC using TACACS? If not, I would suggest you create a new user with privilege 15. I assume that you have SSH enabled in the WLC and working properly.
username WLCadmin priv 15 secret WLCPassword
enable secret WLCSecret
!
line vty 0 50
login local
transport input SSH
!
If you want this to be done via GUI, then you can go to
Administration>>>Device - to check line config
Configuration>>>Security>>>AAA>>>Advance>>>Interface - to check AAA for lines
You can also use the command runner in GUI
Administration>>>Command line interface
to disable AAA if enabled and then to create the required local users. If you want to enable AAA again, I would suggest testing it in a test bed, or setting a reload timer and testing everything without saving the config; if all the tests are successful, then save the config and cancel the reload.
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
10-14-2022 09:02 AM
Sounds like you forgot to save the config and then it crashed or got power cycled, so you lost config - always remember to save config.
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
10-18-2022 06:44 AM
Arshad: Thanks for the information. I could only get to the > prompt in SSH; it would not even ask for a PW when using enable, but I had elevated privilege in the GUI. I attempted to re-run the commands for access and they would not take. Since this is a virtual appliance, I just reloaded the last good image and it came back with no issues and worked as it had been.
Rich: The config was saved; I ensure I always save before exiting a session as long as the instance works as it should. We did have a power issue the night before and I am concerned that during the reboot of the image something corrupted. But it takes about 5 min to reload the image and everything came back after that as it should have been.
10-18-2022 03:47 PM
Glad to hear you got it back.
Mmmm, interesting. I think 9800 code is a bit buggy with config file integrity in some situations.
See one of my other posts about SSO pair losing all wireless config after one of them crashed - Cisco couldn't repro or explain it.
08-16-2023 08:02 AM
Probably a little late in the day, but I've encountered the same issue myself today. After doing tonnes of config on a 9800 that included enabling aaa, I saved config, logged out and went off for lunch. After coming back and logging into the CLI, I had no exec mode. I had to log on to the GUI, browse to administration->command line interface and issue these commands from there:
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local if-authenticated
Looks like you were just missing the last line. I can log in with the local creds at the cli again now and it drops me straight into exec mode.
11-01-2023 09:03 PM
I had the same issue and, like you amazing people said, this is what fixed it for me:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local if-authenticated
09-11-2024 12:33 AM
Yes, we can fix the issue with the following commands:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local if-authenticated
We can also fix it by:
enable secret xxx
11-26-2024 05:09 PM
A couple years late here, but wanted to post in case someone else comes across this.
Another command you can add is "aaa authorization exec default local" which - in tandem with your configuration above - should allow the exec access you are looking for.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
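An offline check for the lockout state this thread converges on, as an added example that is not part of any post: it scans saved `show running-config` text for AAA enabled with a privilege 15 local user but no exec authorization, or with the `enable` method and no enable secret. The sample configs, the finding names and the function name `audit_aaa` are constructed for illustration.

```python
import re

# Constructed sample in running-config form: the state described in the thread
# (AAA on, privilege 15 local user, no exec authorization, no enable secret).
LOCKED_OUT = """\
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username WLCadmin privilege 15 secret 9 <HASH>
line vty 0 50
 transport input ssh
"""

# The same constructed config with both fixes posted in the thread applied.
FIXED = LOCKED_OUT + """\
aaa authorization exec default local if-authenticated
enable secret 9 <HASH>
"""


def audit_aaa(config: str) -> list[str]:
    """Return finding codes for AAA settings that can block CLI exec access."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Comment lines and negated ('no ...') lines do not count as configured.
    lines = [ln for ln in lines if ln and not ln.startswith(("!", "no "))]

    def has(pattern: str) -> bool:
        return any(re.match(pattern, ln) for ln in lines)

    findings = []
    if not has(r"aaa new-model$"):
        return findings  # line-based login without AAA; these checks do not apply

    # 'enable' as an enable-authentication method needs an enable secret/password.
    methods = [ln.split()[4:] for ln in lines
               if ln.startswith("aaa authentication enable default")]
    if any("enable" in m for m in methods) and not has(r"enable (secret|password)\b"):
        findings.append("ENABLE_METHOD_WITHOUT_ENABLE_SECRET")

    # Without exec authorization the username's privilege level is not applied.
    if has(r"username \S+ privilege 15\b") and not has(r"aaa authorization exec default\b"):
        findings.append("PRIV15_USER_WITHOUT_EXEC_AUTHORIZATION")

    if has(r"aaa authentication login default local\b") and not has(r"username \S+"):
        findings.append("LOCAL_LOGIN_WITHOUT_LOCAL_USER")
    return findings
```

Running it against a config backup before enabling AAA on the live controller fits the earlier advice in the thread to test with a reload timer before saving.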
