Users are unable to authenticate from RADIUS server - Cisco 9800 WLC

Hello team,

I have a 9800 WLC in my setup where one of the SSIDs is configured for .1x authentication. Since yesterday, users are unable to authenticate via RADIUS for this SSID.

No config changes were done on the RADIUS server, switch or WLC, no firmware upgrades and no power outages happened, and this happened suddenly.

Could someone suggest what are all the things to be checked to find out the root cause, like ways of troubleshooting connectivity, logs, which logs will state the issue, and all those.

Thanks.

Rajesh.

Please check on RADIUS server logs that will tell the reason for failure. Could be some certificate expiry

HTH
Rasika

Hello Rasika Nayanajith,

Thanks a lot for the reply.

Could you let me know if you are referring to an EAP certificate?

If so, should the new one be generated on the WLC or the RADIUS server, or suggest if it is something else.

Thanks

Rajesh

Could you let me know if you are referring to an EAP certificate?

Yes, if all 802.1X clients are suddenly unable to connect, always check the EAP certificate expiry.

If so, should the new one be generated on the WLC or the RADIUS server, or suggest if it is something else.
It is typically on your RADIUS server (not on the WLC).

HTH
Rasika

Thanks a lot for the support, Rasika.

This worked for me after remapping the EAP certificate on the RADIUS server.

marce1000

 - Have a look at https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

  + You may also want to engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
    Client debugs can be processed with Wireless Debug Analyzer.

  + Common advisory: have a checkup of the 9800 WLC's configuration with the CLI command show tech wireless
    and feed the output from that into Wireless Config Analyzer. Do not use a simple show tech as input for this procedure.

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Share this 

- Monitoring > Wireless > Clients

Check what the client status is.

- Troubleshooting > Packet Capture

Check if the WLC sends/receives any packets to/from the RADIUS server.

MHM

JPavonM

Check the expiration date of your RADIUS server certificate being presented to the clients.

If it's a MS NPS one, the certificate is selected per-policy in the Constraints tab, under PEAP or Smartcard selection.

If it's Cisco ISE, then look into Administration > Certificates and check the one selected for EAP in the PSNs.

Thank you JPavonM,

It was an issue with the EAP certificate.

We have remapped the certificate on the RADIUS server and users started authenticating.
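
One way to run the expiry check recommended in this thread before it turns into an outage, as an added example (not part of any post above and not Cisco or Microsoft tooling). It assumes `openssl` is installed and that the EAP server certificate has been exported from the RADIUS server as a PEM file; the function names and the 30-day warning window are illustrative.

```bash
#!/usr/bin/env bash
# Added example: classify exported RADIUS/EAP server certificates by expiry.
# Assumptions: openssl is installed; each FILE is a PEM export of the server
# certificate (openssl x509 reads only the first certificate in a file).

# eap_cert_status FILE [WARN_DAYS]
# Prints "STATUS notAfter=... subject=..." and returns
# 0 = OK, 1 = expires within WARN_DAYS, 2 = already expired, 3 = unreadable.
eap_cert_status() {
    local pem="$1" warn_days="${2:-30}" not_after subject
    if ! not_after=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null); then
        echo "UNREADABLE $pem"
        return 3
    fi
    not_after=${not_after#notAfter=}
    subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || subject="subject=?"
    # -checkend N exits non-zero if the certificate expires within N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED notAfter=$not_after $subject"
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "EXPIRING notAfter=$not_after $subject"
        return 1
    fi
    echo "OK notAfter=$not_after $subject"
    return 0
}

# check_eap_certs WARN_DAYS FILE...
# Reports every file and returns the worst status seen, for cron/monitoring use.
check_eap_certs() {
    local warn_days="$1" worst=0 rc f
    shift
    for f in "$@"; do
        rc=0
        eap_cert_status "$f" "$warn_days" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run directly: ./check_eap_certs.sh radius-server.pem [more.pem ...]
if [ "$#" -gt 0 ]; then
    check_eap_certs "${WARN_DAYS:-30}" "$@"
fi
```

Export the certificate that is actually selected for EAP (per policy in NPS, or under Administration > Certificates in ISE, as described above), since a RADIUS server can hold several certificates.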
