
WLC 9800 Authentication group confusion

MAHI_VYAS
Level 1

Hi Team,

I have a WLC 9800 and we have RADIUS and LDAP servers configured. The authentication method for one of the groups is configured as Local, and no RADIUS/LDAP group is called in that method list.

The highlighted group is called in one of my WLANs and I see users are also getting authenticated; I am not able to figure out how users are getting authenticated.

Can anyone explain this?

 

mahende17febgmailcom_1-1737821291599.png

mahende17febgmailcom_2-1737821426768.png

Thanks in advance for all support.

 

 

6 Replies

I need to see the L2 security and L3 security of this WLAN.

MHM

Scott Fella
Hall of Fame

From what I see in your 2nd picture, you are using local EAP, which means you are not using a RADIUS server but have specified local accounts/LDAP on the controller and are referencing that in your WLAN AAA. Under your 1st pic, you should look at the Server/Groups and look at the LDAP. However, your configuration doesn't use any Groups; that to me means local account on the controller.
Your default and ldapdot1x-tac are the same and it shouldn't matter which one you choose. You can validate this by creating a test SSID and using the default first and then the ldapdot1x-tac to see if both authenticate the user.

What I think is that someone created the ldapdot1x-tac and couldn't get it to work. What your AAA method list shows for the last two items is the same authentication, just with a different name. The name doesn't matter in your case because it's doing the exact same thing.

ScottFella_0-1737833510048.png

 

-Scott
*** Please rate helpful posts ***

Hi @Scott Fella ,

In this case, how are my users getting authenticated? I do not see any local users on my WLC.

Can you please help with that?

I think you need to look at the overall clients and see how many are connecting to an SSID using whatever profile. Then also look at whether you have any local users configured and whether you have any LDAP servers configured. The LDAP is not going to be used in your configuration.

I don't know how many SSIDs you have nor what the SSIDs are configured for, but in the monitoring tab in the GUI, you can look at the clients and also use the filter on SSID.

-Scott

Maybe you are not using that AAA method, so it's not being used. I don't know unless you provide more details, like screenshots or text output.

** Update **

 

I do see you have it configured on one of the SSIDs, so you need to see if anyone is actually connecting to that SSID or not. Again, how you have it configured, it is local auth, so either local user or maybe an admin account. Identify clients using it, and why not try connecting and creating yourself a local user account for testing? That way you can see it work.

-Scott

Rich R
VIP

If you want to know how any particular user is authenticated, run a Radioactive Trace on the client MAC address.
You can use Debug Analyzer (link below) to decode the RA trace.
Use Config Analyzer (link below) to check your WLC config.
