Re: IOS-XE WLC : Radius config not visible through GUI (9800 and EWC)

Slabre · ‎01-19-2022

Hello,

Hardware : 9800, 9120 EWC

Software : 16.12.4a for 9800, 17.3.4 for 9120 EWC

We performed some AAA changes on our WLCs and we had to reset the AAA config with a "no aaa new-model".

At this point there were no AAA config at all visible either through CLI or GUI.

But we already had our first issue : all our RADIUS requests were sent to our ISE servers, even if none of them were configured on our WLCs. We still can't find out why.

Then we started to properly configure RADIUS through CLI.

The second issue is there : the RADIUS config is visible through CLI as expected, but absolutely not through GUI. This is still the case on many of our WLCs.

Then with or without our RADIUS config, our WLCs apprently continue to correctly send RADIUS requests.

I didn't find a bug for this, did I miss something else ? I don't think this behaviour is expected.

Thank you

Flavio Miranda · ‎01-19-2022

HI

Not expected at all. You probably hit some undocumented bug. If I were you, I´d upgrade

Slabre · ‎01-20-2022

We'll try that but I'm almost without hope since we have 17.3.4 on our EWC and the recommended is 17.4.3c, not a huge gap.

Arshad Safrulla · ‎01-19-2022

for 9800 WLC, you are running obsolete IOS-XE code. So the first recommendation would be to upgrade. Then since you are facing the similar issue in both EWC and 9800 WLC I doubt the issue may be coming from the web browser side, so clear the cache or use private mode, disable all the extensions and try again. I would also try to restart the boxes to make sure that this is not a temporary issue. If you don't want to restart then you can open a TAC case and definitely they will end up suggesting to try with another browser or upgrade to the latest.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Slabre · ‎01-20-2022

Not an issue from web browser or computer, several people tried and same results everywhere.

We opened a TAC case in parrallel, I'll update here. Thank you.

Rich R · ‎01-20-2022

We didn't get all our radius config working correctly till 17.6.1 - combination of bug fixes and feature implementations to achieve AireOS feature parity (more or less). Beware that in earlier releases some radius commands are accepted on CLI and appear in the config but the WLC simply ignores them - they do nothing.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Slabre · ‎01-20-2022

Well... I have to say, 9XXX WLCs are little bit annoying regarding the bugs or lack of features. We don't want to upgrade to a non-starred IOS version, so we won't be able to upgrade to 17.6.X.

Thanks for your feedback... even if it's a bad one !

Scott Fella · ‎01-20-2022

Reading through this post, it makes me wonder. I have multiple 9800's I use for testing with clients connected and I change the heck out of my config and especially the aaa for radius and tacacs. I have never ran into that issue and had not had any issues with dot1x or tacacs. Again, that could just be my environment, but I even just spun up a new vm running the latest code and just blew in my AAA and everything just worked. I have taken my snippets of my config and pasted them in different versions of code with no issue.

Now as far as what code to use. If your system is working, then you stick with that version or code train unless there is a bug fix. Features, once you have something working and working fine, is just a "want". If your system is not working well, then you need to have someone review your configuration, or like what was mentioned, go through the config analyzer, or upgrade or downgrade. This is why folks have extra equipment, so they can test. I wouldn't go with a gold star code, if I have not tested it our and validated that there were no issues. If I rolled out that code and later found an issue, you are back to step 1 to determine your changes in config or upgrade/downgrade.

You are not tied to the gold code, just remember, if you choose that route, then you are stuck if something is broken until they star another version. This route is not good due to how long it will take you to remediate any issues.

-Scott
*** Please rate helpful posts ***