Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3202
Views
4
Helpful
27
Replies

WLC 9800 not connecting to RADIUS Microsoft NPS

csco10971283
Level 1
Level 1

‎11-11-2023 04:09 AM

Dears,

I need urgent support, I spent like 12 hours troubleshooting a wireless issue on my Cisco WLC 9800 for .1x authentication that was working & suddenly stopped.

The software code is 17.9.4a & 17.12.1

Here’s the logs on the WLC:

 

Feb  4 16:16:34.041: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (8086.f285.a2f5) with reason (AAA Server Down) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691 Username: 123456
Feb  4 16:16:34.041: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8086.f285.a2f5) on Interface capwap_90000016 AuditSessionID 17DC140A00000010C5851691. Failure reason: Authc fail. Authc failure reason: Credential Failon

The strange thing is wireshark on NPS showing zero packets received from WLC.

 I do confirm all the configuration is correct & nothing changed.

I rebooted WLC many times with no success.

Using NTRadping giving successful authentication.

Is the RADIUS service on the WLC destroyed or what noting that “show aaa servers detailed” showing all WNCD are up but showing 0 in the authentication request count all the time.

 

Thanks,

Ahmed Ossama
CCIE#26611
1 person had this problem
0 Helpful
27 Replies 27

marce1000
VIP
VIP

‎11-11-2023 04:40 AM

 

  - It seems from the WLC log that it currently can't reach the   NPS radius server ; can you ping it from the WLC ?

    Also have a checkup of the WLC configuration with the CLI command show tech wireless ; feed the output into :
                         Wireless Config Analyzer
    This procedure is strongly adviced 'anyways!' and 'in all circumstances!'

   Use client debugging according to : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
   You can have client debugs processed with : https://cway.cisco.com/wireless-debug-analyzer

   Overall client behavior can be observed with : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

 M.
                                                      



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 05:04 AM

I’ve WLC, RADIUS server & NTRadping all in same subnet.

NTRadping authenticate successfully but WLC not even sending packets to NPS.

I’ll do witeless config analyzer & reply again

Ahmed Ossama
CCIE#26611

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 05:09 AM

 

           - Don't forget to test if you can ping the RADIUS server from the WLC (?)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 05:10 AM

Pingable

Ahmed Ossama
CCIE#26611
0 Helpful

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 05:25 AM

 

                          >...Pingable
   Take an embedded packet capture while reproducing the issue and then analyze this in Wireshark to validate if the 9800 is sending radius packets to your radius server and not getting any response.
                           Refer to the link below to configure the packet capture on the 9800:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#anc17

 M.


 



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 05:38 AM

I took packet capture while I reproduced the issue & receiving logs on the WLC for credential fail but the packet capture showing 0 for RADIUS protocol & the packet capture on the RADIUS server also showing nothing received

Ahmed Ossama
CCIE#26611
0 Helpful

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 05:51 AM

 

 - You took packet capture on NPS ; the procedure I mention is to see if anything originates from the 9800 ; can you do that too ?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 05:52 AM

I took both.

The packet capture on WLC showing 0 packets for RADIUS

Ahmed Ossama
CCIE#26611
0 Helpful

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 06:02 AM

 

                                         >...The packet capture on WLC showing 0 packets for RADIUS
            Correct the issues I pointed out from WirelessAnalyzer too , if in the end , it would be a 'simple' resource related bug , then a reload of the controller could help , but that has production impact (indeed)

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 06:05 AM

I reloaded the controller 5 times without any success.

any other solution please.

also, the errors in wireless analyzer isn’t related to my issue at all

Ahmed Ossama
CCIE#26611
0 Helpful

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 06:37 AM

 

                           >..any other solution please.
                           >also, the errors in wireless analyzer isn’t related to my issue at all
  - Make sure no intermediate firewall device is dropping the radius requests from the controller (e.g.) ; that's a bit a far as it goes for me for the time being , no further inputs ; consider correcting the stuff from WirelessAnalyzer on the long run
  Other options are trying another radius server (including another brand). Or perform tests on a virtual 9800 wireless controller (these are free for download ).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 06:42 AM

I tried another RADIUS client with the RADIUS server & it’s working fine.

No firewall in the middle.

Again my question why I can’t see RADIUS packets in the packet capture of the controller

Ahmed Ossama
CCIE#26611
0 Helpful

csco10971283
Level 1
Level 1
In response to marce1000

‎11-11-2023 05:15 AM

Here's the WCA analysis report, nothing wrong.
Can you help more please

Ahmed Ossama
CCIE#26611
Preview file
348 KB
0 Helpful

marce1000
VIP
VIP
In response to csco10971283

‎11-11-2023 05:28 AM

 

                           >...Here's the WCA analysis report, nothing wrong.
 - You have errors (also) on the tab wlc1-Check Results ,  these and or all wlc errors should be corrected, the 3th one could be relevant,  

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card