on a stable WLC setup with two controllers that authenticate Active Directory users through an ACS I have the following problem. On one of the controllers (WLC1) there are a couple of users that recently started to only authenticate if the username is typed in all uppercase, on the other controller (WLC2) which is setup the same way on the ACS these users work either uppercase or lowercase. This only happens for two of fifty or so users.
Doing some troubleshooting on the ACS I don't see the access-reject replies on the log files so I assume it is the controller WLC1 that is rejecting the users. Is it possible that the authentication info for the lowercase username is being stored on a cache on WLC1 which causes the attempt to fail?, if so is there any way to clean it?, or some other suggestion of what the problem cloud be?
The wlc will not cache credentials for a device that is trying to associate to the wireless. You should take a look at those two specific machines and maybe double check their profile and drivers. Have you tried using different credentials on those devices to test.
Sent from Cisco Technical Support iPhone App
Thanks for the reply. Yes, I have tried using other users on the same device and they work fine. I have also tried with the users that are giving me trouble on other devices and they act the same way only working with all lowercase. Also when I did the test on the other controller WLC2 it was from the same devices that don't work on WLC1 and they worked fine (lowecase and uppercase), that's why I ruled out a client problem and focused on the WLC instead.
I think you better check password and username on third party auth server. If users are using non unicode characters try to reset usernames and/ or passwords to use only normal english characters. Also try writing the password in plain text on problematic machines to make sure that it is being written correctly.
If all is fine try running debug client to make sure there is an access-accept is being received.
What is wlc code version? What radius server you are using?
Sent from Cisco Technical Support iPad App
In a nutshell, Usernames on Cisco Secure ACS are not case sensetive , so if the RADIUS access request have the username in either upper or lower case , for acs it is the same user.
To figure out what is happenning we need to have the following:
debug client < mac address of the client affected >
debug aaa all enable
sniffer trace on the controller side while the issue is happenning as well
as sniffer traces on the ACS side.
What is the version of ACS you are using? It would be great if you can set the logging level to detailed level and collect the package.cab or support bundle with the time stamp of the issue and upload them here to double check the info for you.