Fortinac and WLC 9800 controller

New network tech here, just implemented a NAC system along with a WLC 9800 model. My NAC system puts all unknown devices into a quarantine VLAN, for example VLAN 100; they go through a portal page and register as either a guest or a domain user, which gets them either a guest or a domain VLAN address. The portal page works perfectly and registration goes fine. The issue I'm seeing is that after registration the client either sits for almost 30 minutes before it changes to the correct VLAN, or I can manually go into the WLC and delete that client and it will instantly get the address it should based on the registration. Any idea where to start troubleshooting this? With the old WLC things seemed to switch over pretty quickly, but I've been having this issue since the new one was implemented. Any ideas where to start investigating?


Does the NAC return a CoA re-auth or a port bounce?

Since the VLAN is changed, you need a port bounce.

MHM

I don't think there is any port bounce config. I do see a CoA server key in the WLC, but I'm not quite sure it's working. Is there a method to test this manually to see if this is working?
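The CoA exchange MHM refers to, as an added example that is not part of this thread and not FortiNAC's or Cisco's code: a RADIUS Disconnect-Request (RFC 5176) built the way a NAC sends it to the controller, with the Request Authenticator computed over the packet and the shared key, and the reply's Response Authenticator checked before an ACK or NAK is trusted. The shared key and client MAC are constructed values; the Calling-Station-Id format (hyphenated lowercase) is an assumption and must match what the controller uses.

```python
import hashlib, hmac, os, struct
# RADIUS Dynamic Authorization (RFC 5176) packet codes, attribute types, Error-Cause values
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_CALLING_STATION_ID, ATTR_ERROR_CAUSE = 31, 101
ERROR_CAUSE = {402: "Missing Attribute", 403: "NAS Identification Mismatch",
               501: "Administratively Prohibited", 503: "Session Context Not Found"}

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_disconnect_request(secret, attrs, identifier=None):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attrs + Secret)."""
    ident = os.urandom(1)[0] if identifier is None else identifier
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_reply(code, request, attrs, secret):
    """NAS-side ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def check_response(request, response, secret):
    """Verify an ACK/NAK against its request; a bad authenticator means a wrong key or a forged reply."""
    if len(response) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or identifier mismatch")
    body = response[20:]
    want = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(want, response[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return code, attrs

def explain_nak(attrs):
    """Map a Disconnect-NAK's Error-Cause to text (503: the controller holds no session for that station)."""
    for t, v in attrs:
        if t == ATTR_ERROR_CAUSE and len(v) == 4:
            n = int.from_bytes(v, "big")
            return ERROR_CAUSE.get(n, f"Error-Cause {n}")
    return "no Error-Cause attribute"
```

To try it against a controller, send the bytes from build_disconnect_request over UDP, from the address the WLC has configured as its CoA client, to the port its dynamic-author configuration listens on (RFC 5176 assigns 3799; Cisco IOS XE defaults to 1700), and pass the reply to check_response. A NAK with Error-Cause 503 means the key was accepted but the Calling-Station-Id matched no session, which usually points at the MAC format.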

I'll send you a PM.

MHM

@MHM Cisco World wrote:
> I send you PM

What's wrong with sharing knowledge in the community?

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Agreed with @marce1000 - the whole point of Cisco Community is to share knowledge not keep it secret!

@terrance-mccallum 

You probably have the features "support for CoA" and "AAA override" enabled, right?

Correct, and I can also run the "show aaa server detail" command and see my RADIUS server list, and it shows enabled. However, I am not seeing any VLAN change when one is made in the NAC system, unless I delete the client from the WLC completely; if I do, it then comes back with the assigned VLAN. If I'm not mistaken, in the old WLC the NAC would do this step automatically when a change was made; however, now it is not.

On the link below, Cisco shows how to implement a similar setup using ISE, but I believe you can check the WLC part, which should be the same.

At the end of this document, they show how you can get a Radioactive Trace, which can be helpful for you. You can share the logs here, if possible.


It is possible to enable the Radioactive traces to ensure successful transfer of the RADIUS attributes to the WLC. In order to do so, do these steps:

  1. From the controller GUI, navigate to Troubleshooting > Radioactive Trace > +Add.
  2. Enter the Mac Address of the wireless client.
  3. Select Start.
  4. Connect the client with the WLAN.
  5. Navigate to Stop > Generate > Choose 10 minutes > Apply to Device > Select the trace file to download the log.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.html

 

attached

Seems like the RADIUS communication is fine

2024/12/13 10:15:31.287576879 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : tunnel-type 0 13 [vlan] ]
2024/12/13 10:15:31.287578693 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : tunnel-medium-type 0 6 [ALL_802] ]
2024/12/13 10:15:31.287580124 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute :tunnel-private-group-id 0 "48" ]
2024/12/13 10:15:31.287581563 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : username 0 "e40d366921f7" ]
2024/12/13 10:15:31.287587016 {wncd_x_R0-5}{1}: [aaa-attr-inf] [24831]: (info): [ Applied attribute : timeout 0 28800 (0x7080) ]

 

Did you take the action of removing the client?

2024/12/13 10:19:02.121 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_ADMIN_RESET. Explanation: Administrator removed the client, or in some scenarios, AAA server requested client delete. Actions: None required

If you did, can you take the debug again without interfering, so we can compare?

No, I feel like that's the issue: it's not doing that step, but if I manually go and delete it, it will then get the correct address and everything works fine. I don't know why it's not doing the delete even though it's being told to do so.

To add to that, if I let this device sit for a long time, up to about 20 minutes, it will eventually go through, almost like it fails out and at some point tries again and works at that point.

 

This seems to be some kind of timeout. 30 minutes is 1800 seconds, which seems to be the session timeout for your WLC.

Try to reduce the session timeout and see if that makes a difference.

 
