Older LEAP/PEAP clients won't connect to new 9800-CL controller.

gary_lytle
Level 1

Hello!

We have just installed a new 9800-CL controller on ESXi to replace old 4400 controllers.  We have connected a single 9115AXI in the lab for testing.  The new controller connects to RADIUS on the same Cisco Secure ACS 5.3.0.40.10 as the old controllers.

So far, the SSIDs that support EAP-TLS and PSK are working fine, but older clients running LEAP or PEAP will not connect.  We have disabled Fast Transition on the WLAN Layer 2 security with no change.

Laptops connect fine with EAP-TLS.

Cisco 8821 phones connect fine with PEAP.

Cisco 7921 phones fail with both LEAP and PEAP. (WLC reports no response from client).

Dell/Wyse C10 thin clients fail with both LEAP and PEAP. (Nothing in WLC log, client reports fail to associate, err=18).

All work fine on the 4400 controllers with the same SSID and security settings, so I assume the problem is not with the ACS configuration.

Are there other settings I need to change on the WLC to enable backwards-compatibility?

Thank you for any insights.

Gary

6 Replies

Hi 

I failed to find documentation, but to me these protocols are no longer supported on the WLC. By the way, 4400 to 9800 is a huge move!!

-If I helped you somehow, please, rate it as useful.-

Hello Miranda,

Thanks for replying.  The issue for the C10 thin clients turned out to be a mismatch between the supported speeds on the client and the mandatory speeds in the RF policy.  With that resolved, they are able to connect with LEAP and PEAP.

So the problem with the phones is something else.  I suspect they may not recognize the EAPOL version 3 advertised by the WLC.

Regards,

Gary
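
The rate mismatch described in the reply above is the 802.11 association rule: a client must support every rate in the BSS basic rate set, which on a controller is the set of rates marked mandatory in the RF policy for that band, and an AP that refuses for this reason returns status code 18 (REFUSED_BASIC_RATES_MISMATCH) in the Association Response. The thin client's "err=18" is consistent with that, though whether it surfaces the raw 802.11 status code is an assumption. The following Python is added here as an example; it is not part of the thread and not code from any Cisco tool. The two rate policies and two client rate sets are constructed for illustration, not Cisco defaults or real device capabilities.

```python
"""802.11 basic-rate-set check: added example, not controller code.
Rate policies map rate (Mb/s) -> 'mandatory' | 'supported' | 'disabled'.
Both policies and both client rate sets below are constructed for
illustration; they are not Cisco defaults or real device capabilities.
"""

# Association Response status codes defined by IEEE 802.11.
STATUS_SUCCESS = 0
STATUS_REFUSED_BASIC_RATES_MISMATCH = 18

# Constructed: a policy that keeps the 802.11b rates mandatory.
OLD_2G_POLICY = {
    1.0: "mandatory", 2.0: "mandatory", 5.5: "mandatory", 11.0: "mandatory",
    6.0: "supported", 9.0: "supported", 12.0: "supported", 18.0: "supported",
    24.0: "supported", 36.0: "supported", 48.0: "supported", 54.0: "supported",
}
# Constructed: a policy that disables the 802.11b rates and makes OFDM rates mandatory.
NEW_2G_POLICY = {
    1.0: "disabled", 2.0: "disabled", 5.5: "disabled", 11.0: "disabled",
    6.0: "mandatory", 9.0: "supported", 12.0: "mandatory", 18.0: "supported",
    24.0: "mandatory", 36.0: "supported", 48.0: "supported", 54.0: "supported",
}

# Constructed: what each client advertises in its (Extended) Supported Rates elements.
LEGACY_B_ONLY_CLIENT = {1.0, 2.0, 5.5, 11.0}
MODERN_G_CLIENT = {1.0, 2.0, 5.5, 11.0, 6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0}


def basic_rate_set(policy):
    """BSSBasicRateSet: every rate the policy marks mandatory."""
    return {r for r, state in policy.items() if state == "mandatory"}


def association_status(policy, client_rates):
    """The AP-side rule: refuse unless the client supports all basic rates.
    Returns (status_code, sorted list of basic rates the client lacks)."""
    missing = basic_rate_set(policy) - set(client_rates)
    if missing:
        return STATUS_REFUSED_BASIC_RATES_MISMATCH, sorted(missing)
    return STATUS_SUCCESS, []


def relax_policy(policy, client_rate_sets):
    """Return a copy of the policy that admits every listed client.
    Rates common to all clients are enabled (disabled -> supported); mandatory
    rates not common to all clients are downgraded to supported.  Beacons and
    broadcasts are sent at a basic rate, so if no mandatory rate is left the
    slowest rate shared by all clients is made mandatory."""
    common = set.intersection(*(set(r) for r in client_rate_sets))
    if not common:
        raise ValueError("no data rate is common to all listed clients")
    relaxed = {}
    for rate, state in policy.items():
        if rate in common:
            relaxed[rate] = "supported" if state == "disabled" else state
        else:
            relaxed[rate] = "supported" if state == "mandatory" else state
    if not basic_rate_set(relaxed):
        relaxed[min(common)] = "mandatory"
    return relaxed


if __name__ == "__main__":
    for name, client in (("b-only", LEGACY_B_ONLY_CLIENT), ("g", MODERN_G_CLIENT)):
        print(name, "on new policy:", association_status(NEW_2G_POLICY, client))
    fixed = relax_policy(NEW_2G_POLICY, [LEGACY_B_ONLY_CLIENT, MODERN_G_CLIENT])
    print("after relaxing:", association_status(fixed, LEGACY_B_ONLY_CLIENT),
          "basic rates now", sorted(basic_rate_set(fixed)))
```

The check is deliberately one-directional: a client with extra rates the AP does not use is fine, but a single mandatory rate the client lacks is enough for a refusal, which is why a policy that looks reasonable for modern laptops can silently lock out old 802.11b-era devices.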

Can you do a 'client debug heremacaddressofclient' on the WLC and then try to connect? Please post the output here.
You may need to couple this with a 'debug aaa heresomeoptions' if the first one doesn't provide a lot of useful data.

Hello patoberli,

Thanks for replying.  It does not look like the 9800 has the "client" commands, so I captured with the "Radioactive Trace" in the GUI.

Sorry, forgot again that the 9800 is running a completely different software, which I sadly don't have any experience with.
Anyway, authentication is Success, so that is good. Your RADIUS sends various information back to the WLC; does, for example, VLAN interface 202 exist on your new WLC?

2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: User-Name [1] 10 "wptlcip1"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Framed-MTU [12] 6 1485
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Message [79] 15 ...
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Message-Authenticator[80] 18 ...
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Key-Name [102] 2 *
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 43 "audit-session-id=1B2011AC00000943258EBA96"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 14 "method=dot1x"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 25 "client-iif-id=805309191"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 13 "vlan-id=202"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-IP-Address [4] 6 172.17.29.8
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port-Id [87] 17 "capwap_90000002"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: NAS-Port [5] 6 10612
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Called-Station-Id [30] 31 "2c-4f-52-be-63-80:WackerVoice"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Calling-Station-Id [31] 19 "4c-00-82-85-e7-ae"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Airespace-WLAN-ID [1] 6 2
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 29 "cisco-wlan-ssid=WackerVoice"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Nas-Identifier [32] 11 "zptlwlc01"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Started 2 sec timeout
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Received from id 1812/131 172.17.2.18:0, Access-Challenge, len 89
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: authenticator 15 82 5f f5 77 89 dc 08 - a6 db 68 c0 df 93 22 bb
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: State [24] 43 ...
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: EAP-Message [79] 8 ...
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Message-Authenticator[80] 18 ...

On the other hand I see those two lines:
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (ERR): MAC: 4c00.8285.e7ae Keymgmt: Failed to eapol key m3 retransmit failure. Max retries for M3 over
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (info): MAC: 4c00.8285.e7ae Keymgmt: eapol key failure. Sending client key exchange failure to auth fsm,reason code: 15

This could indicate a client driver issue or too weak a signal, or of course a bug.
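
A triage helper for trace output of the kind quoted above, added as an example and not part of the thread or of any Cisco software: it groups radioactive-trace lines per client and splits each attempt into the RADIUS/EAP phase and the EAPOL 4-way handshake phase. The point it makes explicit is the one the quoted lines support: an Access-Accept followed by "Max retries for M3 over" means the server side is finished and the controller never received a valid M4 in reply to its M3, so the remaining suspects are the client's supplicant/driver or the RF path rather than ACS. The sample trace is constructed in the trace's format (the Access-Accept, the Access-Reject and the second client are made up; the two client-keymgmt lines are copied from the thread), and treating the bracketed context id as a per-client correlation key is an assumption used only within this sample.

```python
"""Added example, not from the thread and not Cisco code: split a 9800
radioactive trace into per-client attempts and say in which phase each died.
SAMPLE_TRACE is constructed in the trace's line format; only the two
client-keymgmt lines are verbatim from the thread.  The bracketed context id
(e.g. [22206]) is assumed to be a per-client key for correlation purposes.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_TRACE = """\
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Calling-Station-Id [31] 19 "4c-00-82-85-e7-ae"
2019/07/24 19:56:47.494 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Cisco AVpair [1] 13 "vlan-id=202"
2019/07/24 19:56:47.495 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Received from id 1812/131 172.17.2.18:0, Access-Challenge, len 89
2019/07/24 19:56:48.102 {wncd_x_R0-0}{1}: [radius] [22206]: (info): RADIUS: Received from id 1812/134 172.17.2.18:0, Access-Accept, len 214
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (ERR): MAC: 4c00.8285.e7ae Keymgmt: Failed to eapol key m3 retransmit failure. Max retries for M3 over
2019/07/24 19:58:12.075 {wncd_x_R0-0}{1}: [client-keymgmt] [22206]: (info): MAC: 4c00.8285.e7ae Keymgmt: eapol key failure. Sending client key exchange failure to auth fsm,reason code: 15
2019/07/24 19:59:01.010 {wncd_x_R0-0}{1}: [radius] [22207]: (info): RADIUS: Calling-Station-Id [31] 19 "aa-bb-cc-dd-00-11"
2019/07/24 19:59:01.020 {wncd_x_R0-0}{1}: [radius] [22207]: (info): RADIUS: Received from id 1812/140 172.17.2.18:0, Access-Reject, len 20
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) '
    r'\{(?P<proc>[^}]+)\}\{\d+\}: \[(?P<comp>[^\]]+)\] \[(?P<ctx>\d+)\]: '
    r'\((?P<level>\w+)\): (?P<msg>.*)$')
CALLING_RE = re.compile(r'Calling-Station-Id \[31\] \d+ "([0-9a-fA-F-]+)"')
RESULT_RE = re.compile(r'Received from id \S+ \S+, (Access-\w+), len \d+')
VLAN_RE = re.compile(r'"vlan-id=(\d+)"')
KEYMGMT_MAC_RE = re.compile(r'MAC: ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})')
M_RETRY_RE = re.compile(r'Max retries for (M\d) over')
REASON_RE = re.compile(r'reason code: (\d+)')


def dotted_mac(mac):
    """Normalise '4c-00-82-85-e7-ae' or '4c00.8285.e7ae' to Cisco dotted form."""
    hexs = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    return '.'.join(hexs[i:i + 4] for i in range(0, 12, 4))


@dataclass
class Attempt:
    mac: Optional[str] = None
    vlan: Optional[str] = None
    radius_result: Optional[str] = None    # last Access-* packet seen from the server
    eapol_failed_at: Optional[str] = None  # key message whose retries ran out, e.g. "M3"
    reason_code: Optional[str] = None

    @property
    def phase(self):
        """Where the attempt stopped: 'radius', 'eapol-4way' or 'ok'."""
        if self.radius_result != "Access-Accept":
            return "radius"
        if self.eapol_failed_at:
            return "eapol-4way"
        return "ok"


def parse_trace(text):
    """Return {client mac: Attempt}, correlating lines by the bracketed context id."""
    by_ctx = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a trace line
        a = by_ctx.setdefault(m['ctx'], Attempt())
        msg = m['msg']
        if m['comp'] == 'radius':
            if (c := CALLING_RE.search(msg)):
                a.mac = dotted_mac(c[1])
            elif (r := RESULT_RE.search(msg)):
                a.radius_result = r[1]
            elif (v := VLAN_RE.search(msg)):
                a.vlan = v[1]
        elif m['comp'] == 'client-keymgmt':
            if (k := KEYMGMT_MAC_RE.search(msg)):
                a.mac = k[1]
            if (t := M_RETRY_RE.search(msg)):
                a.eapol_failed_at = t[1]
            if (rc := REASON_RE.search(msg)):
                a.reason_code = rc[1]
    return {a.mac: a for a in by_ctx.values() if a.mac}


def explain(a):
    """One-line verdict per client attempt."""
    if a.phase == "radius":
        return f"{a.mac}: stopped in EAP, last server answer {a.radius_result}: check AAA/method"
    if a.phase == "eapol-4way":
        return (f"{a.mac}: EAP succeeded (Access-Accept, vlan {a.vlan}) but the 4-way handshake "
                f"died: no valid reply to {a.eapol_failed_at} after max retries (reason "
                f"{a.reason_code}); suspect the client supplicant/driver or RF, not the RADIUS server")
    return f"{a.mac}: authenticated and keyed"


if __name__ == "__main__":
    for attempt in parse_trace(SAMPLE_TRACE).values():
        print(explain(attempt))
```

Run it against a saved trace instead of the sample by reading the file into `parse_trace`; a client whose last RADIUS answer is Access-Challenge with no Access-Accept also lands in the `radius` phase, which is the right bucket for an EAP method the server or client never completed.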

I read somewhere that some older clients reject offers of newer EAPOL versions instead of negotiating down.  I don't know if this is what is going on, but it seems like a possible cause.

But we've decided that we really should be retiring these old phones anyway, so we are going to go ahead and upgrade them along with the infrastructure.

Thanks for the feedback.
