
Local Authentication Server does not update policy on AP

Toy Thompson
Level 1

I have a Cisco 9800 WLC running 17.12.5 and I have 1 central site (local mode APs where the WLC resides) and about 10 remote sites with APs in FlexConnect Mode and Local Authentication. Each remote site has a local authentication server with the authentication server at the central site as the backup.
At some of the remote sites local authentication works 100%, but at some sites it does not. I have verified the Policy Profile, Flex Profile and Site Tags at the "non-working" sites and compared them to the working sites and they are exactly the same except for Name and IPs which are specific to the site.
Clients at the "non-working" sites authenticate with the servers at the central site and not the server locally to the site. If we remove the backup authentication server altogether, clients at the non-working site still authenticate with the central site authentication server. We have verified "Central DHCP", "Central Authentication" & "Central Switching" are all disabled.

4 Replies

Mark Elsen
Hall of Fame

 

  - @Toy Thompson Verify the controller's configuration with the CLI command: show tech wireless
    and feed the output from that into Wireless Config Analyzer.
    Use the full command as outlined in green, it does not work with show tech-support

  M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Toy Thompson
Level 1

Hi Mark. I have analyzed the output of the command with the analyzer. The analyzer did not provide any issues relating to the configuration of the profiles. I also manually compared the various profiles and tags in the analyzer itself and they are all pretty much identical except for the native and client VLANs of the different sites. What did stand out is that the config analyzer only reports authentication information going to and from the backup AAA server; however, we validated the clients actually authenticate to the local AAA servers for remote sites that are working, but no traffic shows for any of the remote site AAA servers?

 

  - @Toy Thompson Then you will have to debug the "non-working" clients according to:
    https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
    These resulting debugs, so called RadioActive Traces, can be analyzed with:
    Wireless Debug Analyzer

  M.




srimal99
Level 1

Are you using ISE as authentication server, have to check the policy rules?
