On a stable WLC setup with two controllers that authenticate Active Directory users through an ACS, I have the following problem. On one of the controllers (WLC1) there are a couple of users that recently started to only authenticate if the username is typed in all uppercase; on the other controller (WLC2), which is set up the same way on the ACS, these users work with either uppercase or lowercase. This only happens for two of fifty or so users.
Doing some troubleshooting on the ACS, I don't see the access-reject replies in the log files, so I assume it is the controller WLC1 that is rejecting the users. Is it possible that the authentication info for the lowercase username is being stored in a cache on WLC1, which causes the attempt to fail? If so, is there any way to clean it? Or some other suggestion of what the problem could be?
The WLC will not cache credentials for a device that is trying to associate to the wireless. You should take a look at those two specific machines and maybe double check their profile and drivers. Have you tried using different credentials on those devices to test?
Thanks for the reply. Yes, I have tried using other users on the same device and they work fine. I have also tried with the users that are giving me trouble on other devices and they act the same way, only working with all lowercase. Also, when I did the test on the other controller WLC2, it was from the same devices that don't work on WLC1 and they worked fine (lowercase and uppercase); that's why I ruled out a client problem and focused on the WLC instead.
I think you'd better check the password and username on the third-party auth server. If users are using non-Unicode characters, try to reset usernames and/or passwords to use only normal English characters. Also try writing the password in plain text on the problematic machines to make sure that it is being written correctly.
If all is fine, try running debug client to make sure an access-accept is being received.
What is the WLC code version? What RADIUS server are you using?
In a nutshell, usernames on Cisco Secure ACS are not case sensitive, so if the RADIUS access request has the username in either upper or lower case, for ACS it is the same user.
To figure out what is happening we need to have the following:
debug client <mac address of the client affected>
debug aaa all enable
sniffer trace on the controller side while the issue is happening, as well as sniffer traces on the ACS side.
What is the version of ACS you are using? It would be great if you can set the logging level to detailed level and collect the package.cab or support bundle with the time stamp of the issue and upload them here to double check the info for you.