05-06-2024 02:41 AM
Hi All,
I'm having a weird issue where I cannot access the WLC 9800 via CLI using a RADIUS authentication user, while I can do so with the same user via the GUI. I configured the AAA servers and groups to match correctly and activated HTTP and VTY access:
While trying to access via CLI, ISE gives me the following log:
The WLC is running 17.9.3, SSH is enabled, and these are the AAA configs:
aaa new-model
aaa group server radius ISE_Cluster
aaa group server radius Radius_Servers
aaa group server radius CR_Radius-Server
aaa authentication login default local group radius group ISE_Cluster
aaa authentication login ISE_Authentication_Login local group ISE_Cluster
aaa authentication dot1x Radius_Authentication group Radius_Servers
aaa authentication dot1x ISE_Authentication group ISE_Cluster
aaa authentication dot1x CR_Radius_Authentication group CR_Radius-Server
aaa authorization exec default local
aaa authorization exec ISE_Authorization_Login local group ISE_Cluster
aaa authorization network ISE_Authorization group ISE_Cluster
aaa authorization credential-download wcm_loc_serv_cert local
aaa accounting identity ISE_Accounting start-stop group ISE_Cluster
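An audit of the method lists in the configuration posted above, as an added example that is not part of the original post or of any Cisco tooling: it reports RADIUS server groups that a login list uses but the exec authorization list of the same name does not. The function names are hypothetical, and the thread does not show which lists the VTY lines reference, so the output indicates what to compare rather than a confirmed cause.

```python
import re

# Constructed input: the login/exec method-list lines from the configuration posted above.
POSTED_AAA = """\
aaa authentication login default local group radius group ISE_Cluster
aaa authentication login ISE_Authentication_Login local group ISE_Cluster
aaa authorization exec default local
aaa authorization exec ISE_Authorization_Login local group ISE_Cluster
"""

LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")


def parse_method_lists(config):
    """Return {kind: {list_name: [methods]}}; a method is 'local' or 'group <name>'."""
    lists = {"authentication login": {}, "authorization exec": {}}
    for line in config.splitlines():
        m = LIST_RE.match(" ".join(line.split()))  # normalise whitespace first
        if not m:
            continue
        kind, name, rest = m.groups()
        # Fold "group X" into one token so server groups are compared as units.
        lists[kind][name] = re.findall(r"group \S+|\S+", rest)
    return lists


def audit_exec_lists(config):
    """Map each login list to the server groups its same-named exec list lacks."""
    lists = parse_method_lists(config)
    login, exec_ = lists["authentication login"], lists["authorization exec"]
    report = {}
    for name, methods in login.items():
        groups = [m for m in methods if m.startswith("group ")]
        missing = [g for g in groups if g not in exec_.get(name, [])]
        if missing:
            report[name] = {"exec_list_defined": name in exec_,
                            "missing_groups": missing}
    return report


if __name__ == "__main__":
    for name, finding in audit_exec_lists(POSTED_AAA).items():
        state = "defined" if finding["exec_list_defined"] else "not defined"
        print(f"login list {name}: exec list {name} is {state}, "
              f"lacks {', '.join(finding['missing_groups'])}")
```

A login list with no exec list of the same name is reported with `exec_list_defined` set to False, which is the case for the differently named `ISE_Authentication_Login` / `ISE_Authorization_Login` pair.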
05-06-2024 03:24 AM
- What ISE version are you using?
M.
05-06-2024 03:32 AM
Hi Marce.
05-06-2024 03:48 AM
- Personally, I would consider it too old for the 9800 environment because 2.7 is EOL. You may also want to check the RADIUS server's logs too.
M.
05-06-2024 03:58 AM
OK, thank you for notifying me about the release. I will check the logs as well to see if there's anything useful.
05-06-2024 03:49 AM
I would cross-check the config on the ISE side as below. Also, can you post the RADIUS server information from the WLC? (You used different RADIUS ISE / RADIUS / CR servers?)
05-06-2024 04:06 AM
Hello Balaji,
No, once I configured the servers and the group, I just made sure the associations were correct.
So here are the outputs:
05-06-2024 07:00 AM
Make sure to configure the shell:priv-lvl=15 Cisco-av-pair attribute under the authorization profile. Like @balaji.bandi mentioned, have a look at the guide and compare it with your config.
Jagan Chowdam
05-06-2024 11:43 PM
Hello Jagan,
I've checked the suggested configuration, but it is already set in the authorization profile. I'm now opening a TAC case and will see what is found during the analysis.
Thank you all, as always, for your support.