Message AAA Server down on wireless controller

Khanh ccnp · ‎04-06-2026

Dear everyone,

I am using a wireless controller with MAC authentication (MAC filtering) configured on a single SSID. MAC authentication was working normally before; however, since a few days ago, clients have been unable to connect to the SSID.

The wireless controller logs show an authentication-related issue. MAC filtering is configured directly on the wireless controller, and no external AAA authentication server is being used.

*Apr 3 04:56:29.539: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (d**3.****.****) on Interface capwap_90000046 AuditSessionID 0000000000061B3751B32A62. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

Could you please help me to fix this issue

Mark Elsen · ‎04-06-2026

- @Khanh ccnp What model of wireless controller are you using , and what is the software version ?

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Khanh ccnp · ‎04-06-2026

We use Cisco Catalyst 9800-L-C , with OS version: IOSXE-17.15.5

Mark Elsen · ‎04-06-2026

- @Khanh ccnp Use commands from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845 for troubleshooting

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Khanh ccnp · ‎04-06-2026

Thank Mark, I will try it

Mark Elsen · ‎04-06-2026

- @Khanh ccnp Great ! Also validate the configuration of your 9800-L-C wireless controller using the
CLI command show tech wireless and feed the output from that into
Wireless Config Analyzer

Use the full command as outlined in green, it does no work with a simple show tech-support

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Rich R · ‎04-06-2026

@Khanh ccnp
Use Radioactive Trace for one of those MAC addresses and then run the result through Debug Analyzer (link below) to see why it's happening.

Are you sure the clients have not reverted to using randomised MAC addresses which don't match the ones you've added to the WLC?

For example iPhones default to using a rotating MAC address which changes every 2 weeks.
Exact behaviour depends on device brand, OS, OS version and SSID type (open vs PSK etc).
They'll need to use a fixed random MAC or device MAC if you want your list to keep working.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Khanh ccnp · ‎04-07-2026

@Mark Elsen @Rich R Thank you very much. I would like to share all the commands that I have collected from the controllershow radius statistics
Auth. Acct. Both
Maximum inQ length: NA NA 0
Maximum waitQ length: NA NA 0
Maximum doneQ length: NA NA 0
Total responses seen: 0 0 0
Packets with responses: 0 0 0
Packets without responses: 0 0 0
Access Rejects : 0
Access Accepts : 0
Average response delay(ms): 0 0 0
Maximum response delay(ms): 0 0 0
Number of Radius timeouts: 0 0 0
Radius Timers Started: 0 0 0
Radius Timers Created: 0 0 0
Radius Timers Create Failed: 0 0 0
Radius Timers Stopped: 0 0 0
Radius Timers Stop Failed: 0 0 0
Radius Timers Outstanding: 0 0 0
Radius Timers Added: 0 0 0
Radius Timers Add Failed: 0 0 0
Radius Timers Jitterred: 0 0 0
Radius Timers Jitter Failed: 0 0 0
Duplicate ID detects: 0 0 0
Buffer Allocation Failures: 0 0 0
Maximum Buffer Size (bytes): 0 0 0
Malformed Responses : 0 0 0
Bad Authenticators : 0 0 0
Unknown Responses : 0 0 0
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
1645/0
1646/0

Elapsed time since counters last cleared: 2w2d6h30m
Radius Latency Distribution:
<= 2ms : 0 0
3-5ms : 0 0
5-10ms : 0 0
10-20ms: 0 0
20-50ms: 0 0
50-100m: 0 0
>100ms : 0 0

Current inQ length : 0
Current doneQ length: 0

Rich R · ‎04-07-2026

And what about the things we asked you to do @Khanh ccnp ?

The radius stats don't tell us anything useful.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Mark Elsen · ‎04-07-2026

- @Khanh ccnp Those data don't indicate any problems.
- Also check the output from : show aaa servers | i Platform Dead: total|RADIUS: id
- Check the logs on the radius servers and verify if it can authenticate wireless clients
- Test radius connectivity on the 9800 controller with commands from :
https://community.cisco.com/t5/wireless/c9800-test-radius-server/m-p/5295834/highlight/true#M283784

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)