
WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

axom789
Level 1

Hi All,

We have an issue where the Guest Client (SSID in WLC9800) gets an IP from the DHCP server (in Fortigate) but it never reaches the Clearpass server (from what I understand from the logs). I have followed the below procedure. Checked all firewall policies. I also double checked the Redirect ACL multiple times and do not see any issue. From the WLC I can ping the Clearpass server fine.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html#toc-hId-2126303558
We have other Radius and Tacacs requests from the same controller to the Radius server which works fine. The issue is only with the guest ssid. 

Logs in WLC:

%RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.

%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: xxxx.0ffb.xxxx was added to exclusion list associated with AP Name:NY-FORUM-15, BSSID:MAC: 0000.0000.0000, reason:802.11 association failure

%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_900000bb AuditSessionID 1F0110AC00093797A393D9BF. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_9000011d AuditSessionID 1F0110AC00093796A393D925. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

I am fairly new to the wireless world and still learning. Any advice is greatly appreciated.

12 Replies

marce1000
VIP

 - It seems that the controller cannot reach the radius server for the clients using the Guest SSID. For starters, check the logs on the used radius server too when those clients try to connect.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

There is no hit/logs on the Radius server when I look up the device.

> ...There is no hit/logs on the Radius server when I look up the device.

 - Then you must review the WAN settings for the Guest SSID, look where the radius servers are defined and check for correctness (also check reachability of the radius servers from the controller)
   + Use https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA for guest access troubleshooting
   + Also have a checkup of the 9800 WLC configuration with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer. Use the full command as denoted in green, do not use a simple show tech as input for this procedure
   + Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer

   + Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful when changes are made

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

You need to open ports from the WLC to Aruba, including the two radius ports, the CoA port, and the DNS and HTTP ports.

These ports open in FW

MHM

For one site we already have this guest SSID working. Can you please advise on where else I should look in the WLC to confirm the opened ports?

In FW

The WLC will use the mgmt IP or the guest VLAN IP to connect to radius; if radius is behind the FW then these ports must be open.

MHM

I'll double check fw and revert. 

So, the radius ports udp 1813 1812, dns, http and https are open.

You need to map the source and destination for the traffic flows.
DNS, http and https will be from the client.
Radius will be from the WLC.

Thanks, but I am really confused about the traffic flow in this situation.

The WLC is in AWS. I also have a public IP mapped to the private IP of the Clearpass server as this is a guest SSID.

Please correct me if I am wrong, but the traffic flow in this case is: Guest Client - AP - WLC (AWS) - FW (hairpin NAT configured) - FW - Radius.

802.1x is a layer 2 interaction between client <-> AP, the client never communicates directly with radius at layer 3 because the authentication happens before the client even gets an IP address.

The radius communication is between WLC <-> radius server (central authentication) or AP <-> radius server (flexconnect local authentication or local fall-back).  The client authentication details are encapsulated in the radius packets.

Rich R
VIP

And remember to reach the portal the client must be able to reach the server, not just the WLC.
So get the radius working - which could be a routing or ACL or firewall or radius pre-shared key issue and make sure WLC is a recognised client on the radius server.  As MHM said you must also allow CoA traffic from radius > WLC.
Refer to https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html and https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_central_web_authentication.html
This document is old but nicely summarises all the ports and protocols:
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html
And I just realised the current info is included in the release notes: Network Protocols and Port Matrix 
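The source/destination mapping from the earlier reply (DNS/HTTP/HTTPS from the client, RADIUS from the WLC) plus the CoA flow from RADIUS back to the WLC mentioned above can be checked mechanically against a firewall rule set. The following is an added example, not code from the thread or from Cisco/Aruba; the addresses are constructed, and UDP 3799 for CoA is the RFC 5176 default, which is an assumption since the thread names no CoA port. It contrasts a rule set where everything was opened from the guest VLAN (the "ports are open" situation) with one that also allows WLC-sourced RADIUS and ClearPass-sourced CoA.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "udp" or "tcp"
    port: int     # destination port
    action: str   # "allow" or "deny"

# Constructed addressing (assumption, not from the thread).
WLC = "10.0.1.10/32"          # WLC management IP in AWS
CLEARPASS = "10.0.2.20/32"    # ClearPass server
GUESTS = "192.168.50.0/24"    # guest VLAN served by the Fortigate DHCP
DNS_SERVER = "10.0.2.53/32"   # resolver the guests use

# Required flows per the thread: RADIUS from the WLC, CoA back from ClearPass,
# DNS/HTTP/HTTPS from the guest client. CoA on UDP 3799 is the RFC 5176 default (assumption).
REQUIRED = [
    ("RADIUS auth WLC->ClearPass", WLC, CLEARPASS, "udp", 1812),
    ("RADIUS acct WLC->ClearPass", WLC, CLEARPASS, "udp", 1813),
    ("CoA ClearPass->WLC", CLEARPASS, WLC, "udp", 3799),
    ("DNS guest->resolver", GUESTS, DNS_SERVER, "udp", 53),
    ("HTTP guest->portal", GUESTS, CLEARPASS, "tcp", 80),
    ("HTTPS guest->portal", GUESTS, CLEARPASS, "tcp", 443),
]

def _covers(rule_net, flow_net):
    return ipaddress.ip_network(flow_net).subnet_of(ipaddress.ip_network(rule_net))

def first_match(rules, src, dst, proto, port):
    """First rule whose src/dst contain the flow endpoints and whose proto/port match."""
    for r in rules:
        if r.proto == proto and r.port == port and _covers(r.src, src) and _covers(r.dst, dst):
            return r
    return None

def missing_flows(rules):
    """Names of required flows that hit no rule or hit a deny first."""
    return [name for name, src, dst, proto, port in REQUIRED
            if (m := first_match(rules, src, dst, proto, port)) is None or m.action != "allow"]

# "1812/1813, DNS, HTTP, HTTPS are open": all sourced from the guest VLAN, CoA forgotten.
AS_OPENED = [Rule(GUESTS, CLEARPASS, "udp", p, "allow") for p in (1812, 1813)] + \
            [Rule(GUESTS, DNS_SERVER, "udp", 53, "allow")] + \
            [Rule(GUESTS, CLEARPASS, "tcp", p, "allow") for p in (80, 443)]
# Corrected: RADIUS sourced from the WLC, CoA allowed from ClearPass back to the WLC.
CORRECTED = AS_OPENED + [Rule(WLC, CLEARPASS, "udp", p, "allow") for p in (1812, 1813)] + \
            [Rule(CLEARPASS, WLC, "udp", 3799, "allow")]
```

Running `missing_flows(AS_OPENED)` reports the three RADIUS/CoA flows as missing, which matches the "AAA Server Down" symptom in the WLC logs even though the portal ports look open; `missing_flows(CORRECTED)` returns an empty list.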
