09-14-2021 01:43 AM
I am facing an authentication issue with Mobility express AP/WLC.
Background:
1st WLAN: 802.1x with ISE as Radius
2nd WLAN: 802.1x with Cloud RADIUS SERVER
Switch Port config where AP/WLC is connected:
interface GigabitEthernet3/0/43
 switchport trunk native vlan 80
 switchport trunk allowed vlan 80,92,172
 switchport mode trunk
Problem case:
Once I configure cloud radius on WLC, all my SSIDs (Auth with ISE) stop working except one SSID (Auth via Cloud radius).
If I remove the cloud radius info from WLC and reboot it, then all SSIDs (auth with ISE) work again and of course one SSID (auth with cloud radius) doesn't work.
What could be the issue?
Thanks in advance
09-14-2021 01:48 AM
What exactly did you configure for Cloud RADIUS? Did you make sure that each SSID is using the correct radius server?
09-14-2021 02:20 AM
Hi @Karsten Iwen ,
Yes, each SSID is configured for the correct RADIUS server:
SSID1: 802.1X with Local Radius server (ISE)
SSID2: 802.1X with Cloud Radius server (Cloud)
(TSCWLAN5) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... CorpStaff
Network Name (SSID).............................. CorpStaff
!
skip
!
Radius Servers
Authentication................................ 192.168.21.14 1812 *
Authentication................................ 192.168.21.15 1812 *
Accounting.................................... 192.168.21.14 1813 *
Accounting.................................... 192.168.21.15 1813 *
-------------------------------------------------------------------------------------
(TSCWLAN5) >show wlan 4
WLAN Identifier.................................. 4
Profile Name..................................... M365
Network Name (SSID).............................. CorpM365
!
skip
!
Radius Servers
Authentication................................ 188.166.194.133 1866 *
Authentication................................ 67.207.78.164 1866 *
Accounting.................................... 188.166.194.133 1867 *
Accounting.................................... 67.207.78.164 1867 *
Thanks in advance
09-14-2021 04:32 AM
Are you sure that after deleting SSID2 & Cloud radius config from ME WLC, SSID1 is working?
Also paste the debug client <mac address> in your worst scenario.
Regards
Don't forget to rate helpful posts
09-14-2021 04:40 AM
Hi @Sandeep Choudhary ,
Yes I am sure and did the test again.
If I remove or disable Cloud radius server on ME WLC and reboot it again, my SSID1 is working again.
And if I enabled cloud radius server on ME WLC again then SSID1 stopped working.
Don't understand where exactly the issue is!!!!
Thanks
09-14-2021 05:13 AM
Please do a "debug aaa all enable". There you see what the ME tries to do in respect of AAA.
09-14-2021 05:18 AM
09-14-2021 05:23 AM
There are a couple of retransmits to the ISE 192.168.21.14 in the log. What do you see on the ISE Live Log?
09-14-2021 10:40 PM - edited 09-14-2021 10:40 PM
In ISE I can see the successful authentication message but the client is stuck in auth state! It's like a loop.
09-15-2021 06:21 AM
Can you run the debug client <mac address> command and paste the output here?
09-21-2021 12:21 AM
09-23-2021 05:25 AM - edited 09-23-2021 10:54 PM
Hi @Grendizer @Leo Laohoo @Sandeep Choudhary Could you please help me to troubleshoot it!