
WLC 9800 not connecting to RADIUS Microsoft NPS

csco10971283
Level 1

Dears,

I need urgent support, I spent like 12 hours troubleshooting a wireless issue on my Cisco WLC 9800 for .1x authentication that was working & suddenly stopped.

The software code is 17.9.4a & 17.12.1

Here’s the logs on the WLC:

 

Feb  4 16:16:34.041: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (8086.f285.a2f5) with reason (AAA Server Down) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691 Username: 123456
Feb  4 16:16:34.041: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8086.f285.a2f5) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691. Failure reason: Authc fail. Authc failure reason: Credential Failon

The strange thing is that Wireshark on NPS shows zero packets received from the WLC.

I do confirm all the configuration is correct & nothing changed.

I rebooted the WLC many times with no success.

Using NTRadping gives successful authentication.

Is the RADIUS service on the WLC destroyed or what? Note that “show aaa servers detailed” shows all WNCD are up but shows 0 in the authentication request count all the time.

 

Thanks,

Ahmed Ossama
CCIE#26611

But this SSID is not related to .1x & even not used

Ahmed Ossama
CCIE#26611

0 auth requests, meaning there is no WLAN using AAA for security.
I think there is no issue with AAA since it appears UP.

Thanks A Lot
MHM

How come it’s showing 0 & at the same time it’s giving me credential fail & I have an AAA method pointing to the RADIUS server?

Ahmed Ossama
CCIE#26611

https://lihaifeng.net/?p=699

Same error, and as I mentioned, the WLC does not send auth because there is no WLAN using AAA.

Double-check which WLAN this user is associated with.

Thanks A Lot
MHM

I checked again,

I'm pretty sure the WLAN is using AAA.

TPL0-ND-WLC#sh run | sec wlan CNCA_n
wlan CNCA_n policy CNCA
wlan CNCA_n 5 CNCA_n
dot11ax target-waketime
dot11ax twt-broadcast-support
security dot1x authentication-list Employee
security dot1x authorization-list Employee
no shutdown

& it's clearly using AAA, as I am receiving logs for Credential Fail on the WLC

Ahmed Ossama
CCIE#26611

Device# sh aaa dead-criteria radius <server>

Can you share this?

Thanks A Lot
MHM

TPL0-ND-WLC#sh aaa dead-criteria radius 10.10.10.211
RADIUS: No server group specified. Using radius
RADIUS Server Dead Criteria:
=============================
Server Details:
Address : 10.10.10.211
Auth Port : 1812
Acct Port : 1813
Server Group : radius
Dead Criteria Details:
Configured Retransmits : 3
Configured Timeout : 5
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Dead Detect Time : 10s
Computed Retransmit Tries: 10
Statistics Gathered Since Last Successful Transaction
=====================================================
Max Computed Outstanding Transactions: 0
Max Computed Dead Detect Time: 0s
Max Computed Retransmits : 0

Ahmed Ossama
CCIE#26611

Can I see the full config of the WLC (CLI)?

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2023.11.11 06:24:37 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...

Current configuration : 19481 bytes
!
! Last configuration change at 05:43:09 PST Sat Nov 11 2023 by root
! NVRAM config last updated at 02:14:22 PST Sat Nov 11 2023 by root
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname TPL0-ND-WLC
!
boot-start-marker
boot system bootflash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
aaa new-model
!
!
aaa group server radius DALRADIUS
server name DALRADIUS
ip radius source-interface Vlan10
deadtime 5
!
aaa group server ldap test
server CNCA
!
aaa authentication login Guest_Wi-Fi local
aaa authentication login test group DALRADIUS
aaa authentication dot1x Employee group DALRADIUS
aaa authorization network CNCA_Services local
aaa authorization network Employee group DALRADIUS
aaa authorization network test group DALRADIUS
aaa authorization credential-download Guest_Wi-Fi local if-authenticated
aaa authorization credential-download Employee group DALRADIUS
!
!
aaa attribute list CNCA_Services
attribute type ssid "CNCA Services_n"
!
aaa attribute list wlan_lobby_access
!
aaa server radius dynamic-author
client 10.10.10.211
!
aaa session-id common
clock timezone PST -8 0
vtp mode off
vtp version 1
!
!
!
!
!
!
!
ip host tools.cisco.com 72.163.4.38
ip domain lookup source-interface Vlan3
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
eap profile EAP
method fast
method peap
method leap
pki-trustpoint CISCO_IDEVID_SUDI
!
!
!
!
!
!
!
parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
redirect on-success google.com
!
access-session mac-move deny
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2016556975
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2016556975
revocation-check none
rsakeypair TP-self-signed-2016556975
hash sha256
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
hash sha256
!
crypto pki trustpoint US
enrollment terminal pem
subject-name C=US, CN=tpl0-ND-WLC.caminonuevo.org
subject-alt-name tpl0-ND-WLC.caminonuevo.org
revocation-check none
rsakeypair TP-self-signed-2016556975
!
crypto pki trustpoint tpl0-nd-wlc
enrollment terminal pem
subject-name C=US, CN=tpl0-ND-WLC.caminonuevo.org
subject-alt-name tpl0-ND-WLC.caminonuevo.org
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-2016556975
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain US
crypto pki certificate chain tpl0-nd-wlc
!
!
license udi pid C9800-L-C-K9 sn FCL261901EM
license smart transport callhome
device classifier
memory free low-watermark processor 170271
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template webauth-global-inactive
inactivity-timer 3600
diagnostic bootup level minimal
!
!
enable secret 9 $9$QYWgo3Jb5uYysU$LL9M8mjsmAVLWGNmLNKerR4PCR0Qda.Cj/5x5Eo/vN6
!
username root privilege 15 secret 9 $9$3/QH2l6H4/EH2E$2EzwaPhQ10K6QY5UaNIrjHVqvq/gwfYetNsd56arTh.
username 541379948d29 mac aaa attribute list CNCA_Services wlan-profile-name "CNCA Services_n" description osos
user-name cnca_guest
creation-time 1699549809
description Guest-User
password 0 cnca_guest
type network-user description Guest-User guest-user lifetime year 0 month 0 day 11 hour 0 minute 0 second 0
user-name cncalobby
creation-time 1699552762
privilege 0
view LobbyAdminView
secret 9 $9$2l2J4/II3V.I4.$1Om2FR/O8r1.kl5lRuaPMnYNorpZBuof3HogToqvXGI
type lobby-admin
!
redundancy
mode sso
!
crypto engine compliance shield disable
!
!
!
!
vlan internal allocation policy ascending
!
vlan 3
name WLC
!
vlan 10
!
vlan 40
name VLAN40
!
vlan 45
name VLAN45
!
vlan 100,150,160,170,172,180
!
vlan 200
name VLAN200
!
!
!
class-map match-any AVC-Reanchor-Class
match protocol cisco-jabber-audio
match protocol cisco-jabber-video
match protocol webex-media
match protocol webex-app-sharing
match protocol webex-control
match protocol webex-meeting
match protocol wifi-calling
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
switchport mode trunk
switchport nonegotiate
!
interface TwoGigabitEthernet0/0/0
switchport trunk allowed vlan 100
switchport mode trunk
negotiation auto
no snmp trap link-status
!
interface TwoGigabitEthernet0/0/1
negotiation auto
no snmp trap link-status
!
interface TwoGigabitEthernet0/0/2
negotiation auto
no snmp trap link-status
!
interface TwoGigabitEthernet0/0/3
negotiation auto
no snmp trap link-status
!
interface TenGigabitEthernet0/1/0
switchport mode trunk
switchport nonegotiate
negotiation auto
no snmp trap link-status
channel-group 1 mode on
!
interface TenGigabitEthernet0/1/1
switchport mode trunk
switchport nonegotiate
negotiation auto
no snmp trap link-status
channel-group 1 mode on
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.1 255.255.255.0
negotiation auto
no mop enabled
!
interface Vlan1
no ip address
no ip proxy-arp
!
interface Vlan3
ip address 10.10.3.2 255.255.255.0
no ip proxy-arp
!
interface Vlan10
ip address 10.10.10.212 255.255.255.0
!
interface Vlan40
description WIRELESS-PRIVATE
ip address 10.10.40.8 255.255.252.0
no ip proxy-arp
!
interface Vlan45
description WIRELESS-GUEST
ip address 10.10.45.8 255.255.255.0
no ip proxy-arp
!
interface Vlan100
description CNCA-Students-WiFi
ip address 10.10.100.8 255.255.255.0
no ip proxy-arp
!
interface Vlan150
description CNCA
ip address 10.10.150.8 255.255.252.0
no ip proxy-arp
!
interface Vlan160
description CNCA Students
ip address 10.10.160.8 255.255.252.0
no ip proxy-arp
!
interface Vlan170
description CNCA Services
ip address 10.10.170.8 255.255.255.0
no ip proxy-arp
!
interface Vlan172
description Guest-LAN
ip address 10.10.172.8 255.255.255.0
no ip proxy-arp
!
interface Vlan180
description CNCA Guest
ip address 10.10.180.8 255.255.255.0
no ip proxy-arp
!
interface Vlan200
description CNCA_HVAC
ip address 10.10.200.8 255.255.255.0
no ip proxy-arp
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip tftp source-interface Vlan3
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 10.10.3.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.1.1.254
!
!
!
!
!
!
ldap server CNCA
ipv4 10.10.10.11
base-dn DC=CaminoNuevo,DC=org
!
radius-server attribute wireless accounting username-delimiter hyphen
!
radius server DALRADIUS
address ipv4 10.10.10.211 auth-port 1812 acct-port 1813
key 1234567890
!
!
control-plane
!
!
!
!
!
banner login ^CC N C A
Only authorized persons proceed.^C
parser view LobbyAdminView
secret 9 $9$Lks1yKAJuLbROE$aCeZWuNXXQWtr8gLlma7uSje4PnSddY9bkSRKw6MggI
commands configure include all user-name
commands configure include aaa attribute list
commands configure include aaa attribute
commands configure include aaa
commands exec include configure terminal
commands exec include configure
commands exec include all show aaa local guest_user
commands exec include show aaa local
commands exec include show aaa
commands exec include show
!
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
length 0
transport input ssh
line vty 5 15
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server 10.10.3.1 prefer source Vlan3
!
!
!
!
!
!
wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
wireless management interface Vlan3
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex default-flex-profile
description "default flex profile"
wireless profile mesh default-mesh-profile
description "Preconfigured default radio profile"
wireless profile multi-bssid default-multi-bssid-profile
description "Default multi bssid profile"
wireless profile radio default-radio-profile
description "Preconfigured default radio profile"
wireless profile policy CNCA
aaa-override
description CNCA
nac
vlan VLAN0150
no shutdown
wireless profile policy VLAN45
description VLAN45
no ip mac-binding
ipv4 dhcp server 10.10.45.1
vlan VLAN45
no shutdown
wireless profile policy CNCA_HVAC
description CNCA_HVAC
vlan CNCA_HVAC
no shutdown
wireless profile policy "CNCA Guest"
description "CNCA Guest"
vlan VLAN0180
no shutdown
wireless profile policy CNCA-PRIVATE
description CNCA-PRIVATE
no ip mac-binding
ipv4 dhcp server 10.10.40.1
vlan VLAN40
no shutdown
wireless profile policy "CNCA Students"
description "CNCA Students"
vlan VLAN0160
no shutdown
wireless profile policy CNCA-Students-WiFi
description CNCA-Students-WiFi
vlan VLAN0100
no shutdown
wireless profile policy "CNCA Services (Hidden)"
description "CNCA Services (Hidden)"
vlan VLAN0170
no shutdown
wireless profile policy default-policy-profile
description "default policy profile"
vlan VLAN0100
no shutdown
wireless tag site default-site-tag
description "default site tag"
wireless tag policy default-policy-tag
description "default policy-tag"
wlan CNCA policy VLAN45
wlan osos policy CNCA
wlan test policy CNCA
wlan CNCA_n policy CNCA
wlan CNCA-HVAC policy CNCA_HVAC
wlan CNCA-GUEST policy VLAN45
wlan accessories policy VLAN45
wlan "CNCA Guest_n" policy "CNCA Guest"
wlan CNCA-PRIVATE policy CNCA-PRIVATE
wlan CNCA-Students policy CNCA-Students-WiFi
wlan "CNCA Services_n" policy "CNCA Services (Hidden)"
wlan "CNCA Students_n" policy "CNCA Students"
wireless tag rf default-rf-tag
description "default RF tag"
wireless mgmt-via-wireless
wireless fabric control-plane default-control-plane
wireless country US
wlan CNCA 2 CNCA
security wpa psk set-key ascii 0 8jldm2auaa0vinn1isnn9it
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan CNCA_n 5 CNCA_n
dot11ax target-waketime
dot11ax twt-broadcast-support
security dot1x authentication-list Employee
security dot1x authorization-list Employee
no shutdown
wlan CNCA-HVAC 3 CNCA-HVAC
no broadcast-ssid
security wpa psk set-key ascii 0 hprlb7y7sz44wruz29919wd
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan CNCA-GUEST 4 CNCA-GUEST
security wpa psk set-key ascii 0 welcome!
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan accessories 6 thingamabobs
security wpa psk set-key ascii 0 "!1234567890!"
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan "CNCA Guest_n" 11 "CNCA Guest_n"
no broadcast-ssid
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list Guest_Wi-Fi
security web-auth parameter-map global
no shutdown
wlan CNCA-PRIVATE 1 CNCA-PRIVATE
security wpa psk set-key ascii 0 "!Coll3geReadyCollegeB0und!"
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan CNCA-Students 7 CNCA-Students
security wpa psk set-key ascii 0 #EducationCNCA
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan "CNCA Services_n" 10 "CNCA Services_n"
no broadcast-ssid
mac-filtering CNCA_Services
no security ft adaptive
security wpa psk set-key ascii 0 creche-holding-subside-gauge
no security wpa akm dot1x
security wpa akm psk
no shutdown
wlan "CNCA Students_n" 9 "CNCA Students_n"
no broadcast-ssid
no security ft adaptive
security wpa psk set-key ascii 0 uphill-dungeon-sirius-focus
no security wpa akm dot1x
security wpa akm psk
no shutdown
ap dot11 24ghz rf-profile Low_Client_Density_rf_24gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold low
rate RATE_12M supported
rate RATE_24M supported
rate RATE_6M supported
tx-power v1 threshold -65
no shutdown
ap dot11 24ghz rf-profile High_Client_Density_rf_24gh
description "pre configured High Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold medium
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_24M supported
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
tx-power min 7
no shutdown
ap dot11 24ghz rf-profile Typical_Client_Density_rf_24gh
description "pre configured Typical Client Density rfprofile for 2.4gh radio"
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_24M supported
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
no shutdown
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_18M disable
ap dot11 24ghz rate RATE_24M disable
ap dot11 24ghz rate RATE_36M disable
ap dot11 24ghz rate RATE_48M disable
ap dot11 24ghz rate RATE_54M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 6ghz rf-profile default-rf-profile-6ghz
description "default rfprofile for 6GHz radio"
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
no shutdown
ap dot11 5ghz rf-profile Low_Client_Density_rf_5gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 5gh radio"
high-density rx-sop threshold low
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
tx-power v1 threshold -60
no shutdown
ap dot11 5ghz rf-profile High_Client_Density_rf_5gh
description "pre configured High Client Density rfprofile for 5gh radio"
high-density rx-sop threshold medium
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M disable
rate RATE_9M disable
tx-power min 7
tx-power v1 threshold -65
no shutdown
ap dot11 5ghz rf-profile Typical_Client_Density_rf_5gh
description "pre configured Typical Density rfprofile for 5gh radio"
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
no shutdown
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_6M disable
ap dot11 6ghz rrm monitor measurement 600
ap tag-source-priority 2 source filter
ap tag-source-priority 3 source ap
ap profile default-ap-profile
description "default ap profile"
trapflags ap crash
trapflags ap noradiocards
trapflags ap register
end

 

Ahmed Ossama
CCIE#26611

Here you go

Ahmed Ossama
CCIE#26611

Rich R
VIP

At first glance your config appears correct.
"authentication that was working & suddenly stopped."
If that was caused by a bug then we'd expect a reload to fix it but it hasn't.  That means it must be a config change - somewhere...
"I do confirm all the configuration is correct & nothing changed."
Have you actually done a diff on your backup config from when it was working and compared to now (there might have been a change you are not aware of)?
Have you checked the config on the switch/router/firewall between the WLC and radius server?
You say you can ping the radius server and as they're on the same subnet you should have an ARP entry for the server - can you confirm the WLC has an ARP entry for 10.10.10.211?
Also "show ip route"?
Interesting that your Vlan10 interface does not have "no ip proxy-arp" like the others?
Also "show vlan"?

"why I can’t see RADIUS packets in the packet capture of the controller"
Can you tell us the exact capture config you used when you did the packet capture? (show mon cap)
I would do a capture on the physical interface and also on VLAN 10, and remember you also need to enable control-plane for the capture.  Use an ACL which matches any udp to and from port 1812-1813.

What does "sh aaa servers detailed" show?
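
An added example, not part of any post in this thread and not Cisco tooling: the thread disputes whether the WLAN really uses AAA, so this Python sketch resolves, from a running-config, the chain from WLAN to dot1x method list to server group to RADIUS server, plus the source address the Access-Requests should carry (the values a capture filter on the NPS side should match). The function names and the re-indented sample config are assumptions made for the example.

```python
import re

# Constructed excerpt: AAA/WLAN lines from the running-config posted in this
# thread, re-indented the way IOS-XE prints them (the parser needs indentation).
SAMPLE_CONFIG = """\
aaa group server radius DALRADIUS
 server name DALRADIUS
 ip radius source-interface Vlan10
aaa authentication dot1x Employee group DALRADIUS
interface Vlan10
 ip address 10.10.10.212 255.255.255.0
radius server DALRADIUS
 address ipv4 10.10.10.211 auth-port 1812 acct-port 1813
wlan CNCA 2 CNCA
 security wpa akm psk
 no shutdown
wlan CNCA_n 5 CNCA_n
 security dot1x authentication-list Employee
 no shutdown
"""

def parse_blocks(config):
    """Return {top-level line: [indented child lines]} for an IOS-style config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def first(pattern, lines):
    """Group 1 of the first line matching pattern, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None

def dot1x_radius_paths(config):
    """For each WLAN with a dot1x authentication list, resolve where its
    Access-Requests should go and which source address they should carry."""
    blocks = parse_blocks(config)
    paths = []
    for head, body in blocks.items():
        wlan = re.match(r'wlan ("[^"]+"|\S+) \d+ ', head)
        mlist = first(r"security dot1x authentication-list (\S+)", body)
        if not wlan or not mlist:
            continue  # not a WLAN definition, or no 802.1X method list on it
        path = {"wlan": wlan.group(1), "enabled": "no shutdown" in body,
                "method_list": mlist, "problems": []}
        # Simplification: only the first group and first server are followed.
        group = first(rf"aaa authentication dot1x {re.escape(mlist)} group (\S+)", blocks)
        gbody = blocks.get(f"aaa group server radius {group}")
        if gbody is None:
            path["problems"].append(f"method list {mlist}: no RADIUS server group found")
        else:
            server = first(r"server name (\S+)", gbody)
            sbody = blocks.get(f"radius server {server}", [])
            path["server"] = first(r"address ipv4 (\S+)", sbody)
            path["auth_port"] = first(r"address ipv4 \S+ auth-port (\d+)", sbody)
            src_if = first(r"ip radius source-interface (\S+)", gbody)
            path["source_ip"] = first(r"ip address (\S+)",
                                      blocks.get(f"interface {src_if}", []))
            if path["server"] is None:
                path["problems"].append(f"radius server {server} has no IPv4 address")
            if src_if and path["source_ip"] is None:
                path["problems"].append(f"source interface {src_if} has no IP address")
        paths.append(path)
    return paths

if __name__ == "__main__":
    for p in dot1x_radius_paths(SAMPLE_CONFIG):
        print(p)
```

The resolved source address is also the one the NPS RADIUS client entry has to match.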

JPavonM
VIP

Maybe pretty simple, but have you double-checked the shared secret in use between WLC and NPS and that WLC is configured as RADIUS client?

I think my system would balk at an all numerical key.  

 
