WLC 9800-L - Authentication failed for client

Hi,

I have a problem with authentication on a WLC 9800-L. I have configured the RADIUS servers and the SSID, but the client cannot authenticate to RADIUS.

 

Feb  4 16:16:34.041: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (8086.f285.a2f5) with reason (AAA Server Down) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691 Username: 123456
Feb  4 16:16:34.041: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8086.f285.a2f5) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

Can anyone help me?

 

1 Accepted Solution


28 Replies

Jerome BERTHIER (Level 1)

Hello

Both log entries ("AAA Server Down") indicate that the RADIUS server was not available.

So you have to check the connectivity between the WLC controller and the AAA server.

Back to basics:

- verify the IP or FQDN and the transport ports of the RADIUS server assigned to the SSID.

- if FQDN, check that the WLC can resolve it, so check its DNS config and availability.

- verify that the RADIUS IP is reachable from the WLC: routing and filtering between both.

- verify that the shared secret is correct on both sides.

- verify that the WLC is declared as a NAS client on the RADIUS server.

 

Do you have any logs from the request on the RADIUS server?

 

Regards

This is where the problem is: I got the data from the company's headquarters for the WLC 5520, which is working now; everything is OK.

Unfortunately, the RADIUS server cannot be accessed.

I checked sh aaa servers detailed:

RADIUS: id 1, priority 1, host 10.0.0.1, auth-port 1812, acct-port 1813, hostname RADIUS
     State: current UP, duration 12422s, previous duration 0s
     Dead: total time 0s, count 0
     Platform State from SMD: current UP, duration 12422s, previous duration 0s
     SMD Platform Dead: total time 0s, count 0
     Platform State from WNCD (1) : current UP
     Platform State from WNCD (2) : current UP
     Platform State from WNCD (3) : current UP
     Platform State from WNCD (4) : current UP
     Platform State from WNCD (5) : current UP
     Platform State from WNCD (6) : current UP
     Platform State from WNCD (7) : current UP
     Platform State from WNCD (8) : current UP, duration 10305s, previous duration 299s
     Platform Dead: total time 999s, count 1
     Quarantined: No
     Authen: request 19, timeouts 18, failover 1, retransmission 12
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 6
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Account: request 0, timeouts 0, failover 0, retransmission 0
             Request: start 0, interim 0, stop 0
             Response: start 0, interim 0, stop 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 0
             Throttled: transaction 0, timeout 0, failure 0
             Malformed responses: 0
             Bad authenticators: 0
     Elapsed time since counters last cleared: 3h27m
     Estimated Outstanding Access Transactions: 1
     Estimated Outstanding Accounting Transactions: 0
     Estimated Throttled Access Transactions: 0
     Estimated Throttled Accounting Transactions: 0
     Maximum Throttled Transactions: access 0, accounting 0
     Consecutive Response Failures: total 5
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 5, current 5 total 5
             IOSD Platform : max 0, current 0 total 0
     Consecutive Timeouts: total 17
             SMD Platform : max 0, current 0 total 0
             WNCD Platform: max 17, current 17 total 17
             IOSD Platform : max 0, current 0 total 0
     Requests per minute past 24 hours:
             high - 3 hours, 27 minutes ago: 0
             low  - 3 hours, 27 minutes ago: 0
             average: 0
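The output above is worth reading with the counters rather than the state line in mind: "State: current UP" sits next to 18 timeouts out of 19 requests, zero accept/reject/challenge responses, and a "Platform Dead" count of 1. The following script is an added example, not code from this thread or from Cisco: it parses a trimmed, constructed copy of that "show aaa servers" output (same layout and counter values, fewer lines) into a dictionary and turns the counters into findings. Section and key names are taken verbatim from the output; the thresholds (min_requests, timeout_ratio) are assumptions.

```python
import re

# Constructed sample: the 'show aaa servers' output posted above, trimmed to the
# lines the checks below use (layout and counter values unchanged).
SAMPLE_OUTPUT = """\
RADIUS: id 1, priority 1, host 10.0.0.1, auth-port 1812, acct-port 1813, hostname RADIUS
     State: current UP, duration 12422s, previous duration 0s
     Dead: total time 0s, count 0
     Platform Dead: total time 999s, count 1
     Quarantined: No
     Authen: request 19, timeouts 18, failover 1, retransmission 12
             Response: accept 0, reject 0, challenge 0
             Response: unexpected 0, server error 0, incorrect 0, time 0ms
             Transaction: success 0, failure 6
             Malformed responses: 0
             Bad authenticators: 0
     Author: request 0, timeouts 0, failover 0, retransmission 0
             Response: accept 0, reject 0, challenge 0
     Consecutive Response Failures: total 5
             WNCD Platform: max 5, current 5 total 5
     Consecutive Timeouts: total 17
             WNCD Platform: max 17, current 17 total 17
"""

HEADER_RE = re.compile(
    r"^RADIUS: id (?P<id>\d+), priority (?P<priority>\d+), host (?P<host>\S+), "
    r"auth-port (?P<auth_port>\d+), acct-port (?P<acct_port>\d+), hostname (?P<hostname>\S+)")
# "label value" pairs inside a line body: "request 19, timeouts 18" / "current UP, duration 12422s"
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s+(\d+[A-Za-z]*|UP|DOWN|Yes|No)\b")


def _value(raw):
    return int(raw) if raw.isdigit() else raw


def _pairs(body):
    out = {k.strip(): _value(v) for k, v in PAIR_RE.findall(body)}
    if not out and body.strip():          # bare values such as "Bad authenticators: 0"
        out[""] = _value(body.strip())
    return out


def parse_aaa_servers(text):
    """Parse 'show aaa servers' into one dict per server. Indented lines under a
    section (Authen, Author, Consecutive Timeouts, ...) are flattened to
    '<label> <key>' entries, e.g. Authen['Response accept']."""
    servers, section = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        hdr = HEADER_RE.match(raw)
        if hdr:
            servers.append({k: _value(v) for k, v in hdr.groupdict().items()})
            section = None
            continue
        if not servers:
            continue
        indent = len(raw) - len(raw.lstrip())
        label, _, body = raw.strip().partition(":")
        label, pairs = label.strip(), _pairs(body)
        cur = servers[-1]
        if indent <= 5:                       # server-level line; opens a section for nested lines
            section = label
            cur[label] = pairs[""] if list(pairs) == [""] else pairs
        elif section is not None:             # nested line belongs to the current section
            sect = cur.setdefault(section, {})
            if not isinstance(sect, dict):
                sect = cur[section] = {"": sect}
            for k, v in pairs.items():
                sect[f"{label} {k}".strip()] = v
    return servers


def assess(server, min_requests=5, timeout_ratio=0.5):
    """Turn the counters into findings (thresholds are assumptions)."""
    authen = server.get("Authen", {})
    req, timeouts = authen.get("request", 0), authen.get("timeouts", 0)
    replies = sum(authen.get(f"Response {k}", 0) for k in ("accept", "reject", "challenge"))
    findings = []
    if req >= min_requests and timeouts / req >= timeout_ratio:
        findings.append(f"{timeouts}/{req} authentication requests timed out")
    if req and replies == 0:
        findings.append("no Accept/Reject/Challenge at all: server unreachable, or silently "
                        "discarding (unknown NAS client, shared-secret mismatch)")
    if authen.get("Bad authenticators", 0):
        findings.append("replies arrive but fail the shared-secret check (Bad authenticators)")
    if server.get("Platform Dead", {}).get("count", 0):
        findings.append(f"marked dead {server['Platform Dead']['count']} time(s) despite "
                        f"State: current {server.get('State', {}).get('current', '?')}")
    return findings


if __name__ == "__main__":
    for srv in parse_aaa_servers(SAMPLE_OUTPUT):
        print(srv["host"], srv["auth_port"], assess(srv))
```

Run as-is it reports three findings for the 10.0.0.1 entry: the timeout ratio, the complete absence of responses, and the dead-count next to an UP state. Feeding it the full output from the controller works the same way, since lines it does not recognise are simply stored as key/value pairs.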

 

RADIUS logs are the only way to understand why a device is unable to authenticate.

-Scott
*** Please rate helpful posts ***

Issue description:

++ Continuous error logs on the WLC and authentication errors on ISE.

++ The ISE server was showing error 5405 RADIUS Request dropped.

Sep 26 19:05:29.419: %SESSION_MGR-5-FAIL: Chassis 1 R0/3: wncd: Authorization failed or unapplied for client (7c61.66c3.7eb1) on Interface capwap_90c00475 AuditSessionID 9A0FDE0A00460B7ED2E1D24B. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.419: %SESSION_MGR-5-FAIL: Chassis 1 R0/1: wncd: Authorization failed or unapplied for client (ac74.b19b.3e53) on Interface capwap_9040041f AuditSessionID 9A0FDE0A0065D3A9D2E1D24A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.418: %SESSION_MGR-5-FAIL: Chassis 1 R0/4: wncd: Authorization failed or unapplied for client (64cb.e9d4.7b88) on Interface capwap_9100016e AuditSessionID 9A0FDE0A0062A65ED2E1D24A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.412: %SESSION_MGR-5-FAIL: Chassis 1 R0/4: wncd: Authorization failed or unapplied for client (e0d4.6453.6f3d) on Interface capwap_910000fb AuditSessionID 9A0FDE0A0062A65DD2E1D244. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.403: %SESSION_MGR-5-FAIL: Chassis 1 R0/1: wncd: Authorization failed or unapplied for client (b4cb.57aa.082d) on Interface capwap_90400344 AuditSessionID 9A0FDE0A0065D3A8D2E1D23A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

 

Troubleshooting performed:


- Verified the IP or FQDN and the transport ports of the RADIUS server assigned to the SSID.

- Checked that the WLC can resolve the FQDN; checked its DNS config and availability.

- Verified that the RADIUS IP is reachable from the WLC: routing and filtering between both.

- Verified that the shared secret is correct on both sides.

 

Action Taken:

++ Duplicated the session on ISE for the WLC and deleted the older one.

++ Reconfigured the shared key on ISE and on the WLC's SSID; kept the key in clear text to authenticate.


Issue resolved!
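The log lines in the opening post and in the ISE case above share one detail that decides where to look: in the ISE case five different clients fail with "AAA Server Down" within 16 ms, which is a server-path problem, not a credentials problem. The script below is an added example (not code from this thread or from Cisco) that parses both %DOT1X-5-FAIL and %SESSION_MGR-5-FAIL lines, counts failures per reason, and flags a burst of distinct clients hitting "AAA Server Down" in a short window. The sample log is constructed from the lines quoted in the thread plus one made-up line with a different reason; the window and client thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the two lines from the opening post, the five lines from the
# ISE case, plus one made-up line with a different reason so the per-reason count
# has something to separate.
SAMPLE_LOG = """\
Feb  4 16:16:34.041: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (8086.f285.a2f5) with reason (AAA Server Down) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691 Username: 123456
Feb  4 16:16:34.041: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8086.f285.a2f5) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Feb  4 16:20:01.100: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (aabb.ccdd.eeff) with reason (Cred Fail) on Interface capwap_90000016 AuditSessionID 17DC140A00000011C5851700 Username: constructed-user
Sep 26 19:05:29.419: %SESSION_MGR-5-FAIL: Chassis 1 R0/3: wncd: Authorization failed or unapplied for client (7c61.66c3.7eb1) on Interface capwap_90c00475 AuditSessionID 9A0FDE0A00460B7ED2E1D24B. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.419: %SESSION_MGR-5-FAIL: Chassis 1 R0/1: wncd: Authorization failed or unapplied for client (ac74.b19b.3e53) on Interface capwap_9040041f AuditSessionID 9A0FDE0A0065D3A9D2E1D24A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.418: %SESSION_MGR-5-FAIL: Chassis 1 R0/4: wncd: Authorization failed or unapplied for client (64cb.e9d4.7b88) on Interface capwap_9100016e AuditSessionID 9A0FDE0A0062A65ED2E1D24A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.412: %SESSION_MGR-5-FAIL: Chassis 1 R0/4: wncd: Authorization failed or unapplied for client (e0d4.6453.6f3d) on Interface capwap_910000fb AuditSessionID 9A0FDE0A0062A65DD2E1D244. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Sep 26 19:05:29.403: %SESSION_MGR-5-FAIL: Chassis 1 R0/1: wncd: Authorization failed or unapplied for client (b4cb.57aa.082d) on Interface capwap_90400344 AuditSessionID 9A0FDE0A0065D3A8D2E1D23A. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %([A-Z0-9_]+-\d-[A-Z0-9_]+):")
MAC_RE = re.compile(r"client \(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
INTF_RE = re.compile(r"Interface (\S+)")
SID_RE = re.compile(r"AuditSessionID ([0-9A-Fa-f]+)")
REASON_RES = (
    re.compile(r"with reason \(([^)]+)\)"),           # %DOT1X-5-FAIL wording
    re.compile(r"Authc failure reason: ([^.]+)\."),    # %SESSION_MGR-5-FAIL wording
)


def parse_failures(text):
    """Extract timestamp, mnemonic, client MAC, CAPWAP interface, session id and
    failure reason from each 9800 authentication failure line."""
    events = []
    for line in text.splitlines():
        ts, mac = TS_RE.match(line), MAC_RE.search(line)
        if not ts or not mac:
            continue
        reason = "unknown"
        for rx in REASON_RES:
            m = rx.search(line)
            if m:
                reason = m.group(1).strip()
                break
        intf, sid = INTF_RE.search(line), SID_RE.search(line)
        events.append({
            # syslog lines carry no year; the default (1900) is fine for relative ordering
            "time": datetime.strptime(ts.group(1), "%b %d %H:%M:%S.%f"),
            "mnemonic": ts.group(2),
            "mac": mac.group(1),
            "interface": intf.group(1) if intf else None,
            "session": sid.group(1) if sid else None,
            "reason": reason,
        })
    return events


def assess(events, window=timedelta(seconds=5), min_clients=3):
    """Count failures per reason and look for a burst of distinct clients failing
    with 'AAA Server Down' inside one window: that pattern points at the server
    path (reachability, NAS client definition, shared secret), not at one user."""
    by_reason = Counter(e["reason"] for e in events)
    down = sorted((e for e in events if e["reason"] == "AAA Server Down"), key=lambda e: e["time"])
    bursts = []
    for i, first in enumerate(down):
        macs = {e["mac"] for e in down[i:] if e["time"] - first["time"] <= window}
        if len(macs) >= min_clients:
            bursts.append({"start": first["time"], "clients": sorted(macs)})
            break                                  # one burst is enough to change the diagnosis
    if bursts:
        verdict = "probable server-path outage"
    elif down:
        verdict = "isolated AAA Server Down"
    else:
        verdict = "no AAA Server Down"
    return {"by_reason": dict(by_reason), "bursts": bursts, "verdict": verdict}


if __name__ == "__main__":
    print(assess(parse_failures(SAMPLE_LOG)))
```

On the constructed sample it counts seven "AAA Server Down" events and one "Cred Fail", finds the five-client burst at 19:05:29.403, and returns "probable server-path outage"; the same parser can be pointed at "show logging" output from the controller.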

Prince.O (Spotlight)

Hi Marcin,

 

I would suggest you take an embedded packet capture while reproducing the issue and then analyze it in Wireshark to validate whether the 9800 is sending RADIUS packets to your RADIUS server and not getting any response.

 

Refer to the link below to configure the packet capture on the 9800:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#anc17

 

Access to the RADIUS server is strongly advised in order to validate communication as well as the configuration/validation of the RADIUS keys.

 

 

Rich R (VIP)

You're talking about the 9800-L and the 5520. I think you're saying it's working on the 5520 but not on the 9800-L?

Remember they are different. The 5520 sends RADIUS from the client interface by default. The 9800 just follows the routing table, so follow the steps the others have already advised above to ensure your RADIUS traffic is sent from the correct interface, can reach the RADIUS server and receives replies. Use packet captures to verify.

Hi,
Thank you for your help.

Unfortunately, I am not fluent in reading logs in Wireshark.

 

What should I look for?

So is the issue fixed? I thought that is what you mentioned on another post. If so, what was the fix? I know you mentioned you were not able to access the RADIUS server... I'm just curious what was done to resolve the issue.

-Scott
*** Please rate helpful posts ***

Hi Marcin,

 

As stated by the others, you'll be looking for RADIUS packets sourced from your 9800 controller's wireless management IP address to your RADIUS servers as the destination.

When you open the file in Wireshark, you can simply type "radius" in the search bar and hit enter, and that should filter the file for any RADIUS packets.

 

Alternatively, you can also search for any packets sent to or received from your RADIUS server IP address with " ip.addr== <RADIUS IP HERE> " in the search bar.
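What you see after filtering on "radius" is a sequence of Access-Request packets from the controller and, if the server is answering, Access-Accept/Reject/Challenge packets carrying the same Identifier. The script below is an added example, not code from this thread, from Cisco or from Wireshark: using only the standard library it builds an Access-Request the way the controller does (with a Message-Authenticator), shows the server-side check that silently discards a request sent with the wrong shared secret, builds the server's reply with a correct Response Authenticator, and pairs requests with replies by Identifier the way you would read the capture. It works on the raw UDP payloads rather than on a pcap file; the shared secrets, the WLC address 10.0.0.50 and the packet sequence are constructed, while 10.0.0.1 is the server address from the thread.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def _attr(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(ident, secret, username, nas_ip, request_auth=None):
    """What the WLC sends. Message-Authenticator = HMAC-MD5(secret, packet with the
    attribute value zeroed); it is kept as the last attribute so it can be patched in."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt, secret):
    """The server-side check. A mismatch (wrong secret) or an unknown NAS means the
    request is silently discarded: the WLC never sees a reply, only a timeout."""
    i = 20
    while i + 2 <= len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += length
    return False


def build_response(code, request, secret, attrs=b""):
    """What the server sends back. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response_authenticator(resp, request, secret):
    """The WLC-side check on a reply; failures show up as 'Bad authenticators'."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def pair_requests(packets, wlc_ip, server_ip):
    """Walk (src, dst, payload) tuples the way you would read a capture filtered on
    'radius' and the server IP: match replies to requests by Identifier and report
    what is still outstanding."""
    pending, answered = {}, []
    for src, dst, pkt in packets:
        code, ident = pkt[0], pkt[1]
        if code == ACCESS_REQUEST and src == wlc_ip and dst == server_ip:
            pending[ident] = pkt                     # retransmissions reuse the Identifier
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE) and src == server_ip and ident in pending:
            answered.append((ident, code))
            del pending[ident]
    return {"answered": answered, "unanswered": sorted(pending)}


def demo():
    """Constructed scenario: one request with the right secret gets an Access-Accept;
    one sent with a mistyped secret is dropped, retransmitted, and stays unanswered."""
    secret, wrong_secret = b"constructed-shared-secret", b"constructed-typo"
    wlc_ip, server_ip = "10.0.0.50", "10.0.0.1"      # server IP from the thread; WLC IP made up
    good = build_access_request(1, secret, "123456", wlc_ip)
    bad = build_access_request(2, wrong_secret, "123456", wlc_ip)
    accept = build_response(ACCESS_ACCEPT, good, secret)
    capture = [(wlc_ip, server_ip, good), (server_ip, wlc_ip, accept),
               (wlc_ip, server_ip, bad), (wlc_ip, server_ip, bad)]
    return {
        "server_drops": [not verify_message_authenticator(p, secret) for p in (good, bad)],
        "pairing": pair_requests(capture, wlc_ip, server_ip),
        "wlc_accepts_reply": verify_response_authenticator(accept, good, secret),
        "reply_checked_with_wrong_secret": verify_response_authenticator(accept, good, wrong_secret),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is that the controller's counters look identical whether the server is unreachable or is receiving the request and discarding it: in both cases the capture shows requests leaving and nothing coming back, which is why the server-side log (ISE's "RADIUS Request dropped", NPS event 13) is the only place the two cases can be told apart.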

Rich R (VIP)

Then check the basics first (config). You need to check all those things the others have mentioned above.

 

In the packet capture you'll be looking for RADIUS requests and replies.

Make sure they're being sent to/from the correct IP addresses and ports, on the correct interface.

 

Hi,

In the attached screenshot from Wireshark, maybe something will help.

What is the reason you can get access to the RADIUS logs? If there is something that is not configured properly, how would you resolve that? The logs from a device attempt, rejected or passed, will help isolate what the issue is. I would never be able to solve RADIUS/TACACS issues without having access to the servers.

-Scott
*** Please rate helpful posts ***

So from the attached images from the PCAP, it looks like RADIUS requests are being sent from the 9800 but no responses are being received back.

 

To troubleshoot the issue further, as mentioned, you would need access to the RADIUS server logs to get more insight into the possible root cause.

 

network_eng (Level 1)

Sorry to raise this from the dead, but I have the original poster's issue. The Wireshark captures show the Access-Request messages being sent from the WLC client IP configured in the Microsoft NPS server, but the server is giving the error (ID 13): A RADIUS message was received from the invalid RADIUS client IP x.x.x.x.x (the same one configured).

From Microsoft's site, they say this can happen when:

  • In the NPS MMC, a RADIUS client is configured by FQDN or NetBIOS name rather than by IP address, and NPS has not received a DNS server response to the name resolution query. Without the IP address provided by the name resolution query, NPS cannot contact the RADIUS client;
  • NPS receives communication from a RADIUS client that is not configured in the NPS MMC;
  • In the NPS MMC, a RADIUS client is configured by either IPv4 or IPv6 address, but the format of the IP address is incorrect.

I checked, and an IP address is what is being used, not an FQDN; the client is configured in the RADIUS server, and the IP address is correct. What was the solution provided in this post?
