
Mobility Express issue with ISE & Cloud Radius server

ittechk4u1
Level 1
Hello Experts,

I am facing an authentication issue with Mobility Express AP/WLC.

 

Background:

1st WLAN: 802.1x with ISE as Radius

2nd WLAN: 802.1x with Cloud RADIUS SERVER

Switch Port config where AP/WLC is connected:

interface GigabitEthernet3/0/43
 switchport trunk native vlan 80
 switchport trunk allowed vlan 80,92,172
 switchport mode trunk

 

Problem case:

Once I configure cloud radius on WLC, all my SSIDs (Auth with ISE) stop working except one SSID (Auth via Cloud radius).

If I remove the cloud radius info from the WLC and reboot it, then all SSIDs (auth with ISE) work again and of course the one SSID (auth with cloud radius) doesn't work.

What could be the issue?

Thanks in advance

11 Replies

What exactly did you configure for Cloud RADIUS? Did you make sure that each SSID is using the correct radius server?

Hi @Karsten Iwen,

Yes, each SSID is configured for the correct RADIUS server:

SSID1: 802.1X with Local Radius server (ISE)

SSID2: 802.1x with Cloud Radius server (Cloud)

 

(TSCWLAN5) >show wlan 3


WLAN Identifier.................................. 3
Profile Name..................................... CorpStaff
Network Name (SSID).............................. CorpStaff
!
skip
!
Radius Servers
Authentication................................ 192.168.21.14 1812 *
Authentication................................ 192.168.21.15 1812 *
Accounting.................................... 192.168.21.14 1813 *
Accounting.................................... 192.168.21.15 1813 *


-------------------------------------------------------------------------------------

(TSCWLAN5) >show wlan 4


WLAN Identifier.................................. 4
Profile Name..................................... M365
Network Name (SSID).............................. CorpM365
!
skip
!
Radius Servers
Authentication................................ 188.166.194.133 1866 *
Authentication................................ 67.207.78.164 1866 *
Accounting.................................... 188.166.194.133 1867 *
Accounting.................................... 67.207.78.164 1867 *

 

Thanks in advance

Are you sure that after deleting SSID2 & Cloud radius config from ME WLC, SSID1 is working?

Also paste the debug client <mac address> in your worst scenario.

Regards

Don't forget to rate helpful posts

Hi @Sandeep Choudhary,

Yes I am sure and did the test again.

If I remove or disable Cloud radius server on ME WLC and reboot it again, my SSID1 is working again.

And if I enabled cloud radius server on ME WLC again then SSID1 stopped working.

Don't understand where exactly the issue is!!!!

 

Thanks

Please do a "debug aaa all enable". There you see what the ME tries to do in respect of AAA.

Please find attached the debug aaa output.

 

Thanks

There are a couple of retransmits to the ISE 192.168.21.14 in the log. What do you see on the ISE Live Log?

In ISE I can see the successful authentication message, but the client is stuck in auth state! It's like a loop.

Can you run the debug client <mac address> command and paste the output here?

Please find the attached debug logs.

Hi @Grendizer @Leo Laohoo @Sandeep Choudhary Could you please help me to troubleshoot it! 
