
WLC 9800 SSID with "MAC + Local dot1x" Authentication

Hi

We have a WLC 9800 with a working SSID for our employees; its security is set to dot1x with an AAA group which authenticates through the RADIUS of our domain.

We are creating another SSID with dual authentication: "MAC whitelist + dot1x local authentication with PEAP".

So for any user who needs to connect, we'll enter his MAC and provide him with a local username and password created on the controller.

We configured the MAC filtering and it is working; we also tried this with PSK, and it is working well.

Now we changed the PSK to dot1x, then under Security > AAA we selected the authentication list: default [set to dot1x and local] and selected the EAP profile name: Local-Auth, which is configured as a local EAP profile with PEAP enabled and the certificate trustpoint set to none.

Then we created a guest user.

Trying to connect, but we got the error below:

%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client 0000.1111.2222 .... Failure reason: Authc fail. Authc failure reason: Cred Fail.

%DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client 0000.1111.2222 with reason (Cred Fail) on Interface capwap_xxxxxxxx AuditSessionID xxxxxxxx Username: m1

For the test, I added the SSID manually, selecting WPA/WPA2 Enterprise with EAP method PEAP and CA certificate: Don't validate.

What could be the problem here?

 

Thanks
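
A small parser for the two failure messages quoted in the post above, added here as an example and not part of the thread: it groups 802.1X failures per client MAC and username so repeated "Cred Fail" events stand out. The regexes follow the message wording shown in the post (other releases may word them differently), and the second client and the last line in the sample are constructed.

```python
import re
from collections import Counter

MAC = r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# Patterns modelled on the two messages quoted in the post (assumption:
# other IOS-XE releases may format these messages differently).
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL: .*?Authentication failed for client " + MAC +
    r" with reason \((?P<reason>[^)]+)\).*?Username: (?P<user>\S+)", re.I)
SESSION_FAIL = re.compile(
    r"%SESSION_MGR-5-FAIL: .*?for client " + MAC +
    r".*?Authc failure reason: (?P<reason>[^.]+)\.", re.I)

def parse_line(line):
    """Return (source, mac, reason, user) for a failure line, else None."""
    m = DOT1X_FAIL.search(line)
    if m:
        return ("dot1x", m["mac"].lower(), m["reason"].strip(), m["user"])
    m = SESSION_FAIL.search(line)
    if m:  # the session manager message carries no username
        return ("session", m["mac"].lower(), m["reason"].strip(), None)
    return None

def summarize(lines):
    """Per client MAC: failure reasons by source and the usernames tried."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        source, mac, reason, user = rec
        entry = out.setdefault(
            mac, {"dot1x": Counter(), "session": Counter(), "users": set()})
        entry[source][reason] += 1
        if user:
            entry["users"].add(user)
    return out

# First two lines are the messages from the post; the rest are constructed.
SAMPLE = [
    "%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client 0000.1111.2222 .... Failure reason: Authc fail. Authc failure reason: Cred Fail.",
    "%DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client 0000.1111.2222 with reason (Cred Fail) on Interface capwap_xxxxxxxx AuditSessionID xxxxxxxx Username: m1",
    "%DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client 0000.aaaa.bbbb with reason (Cred Fail) on Interface capwap_xxxxxxxx AuditSessionID xxxxxxxx Username: u1",
    "%DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client 0000.aaaa.bbbb with reason (Cred Fail) on Interface capwap_xxxxxxxx AuditSessionID xxxxxxxx Username: u2",
    "constructed unrelated log line that must be ignored",
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, dict(info["dot1x"]), sorted(info["users"]))
```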


Hi

When you say "Then we create guest user", do you mean you did this?

 

(config)#user-name Example
 creation-time 1572730075
 description Example
 password 0 Cisco123
 type network-user description 1xuser   

 

Hi

No, I added it from the GUI under Configuration > Security > Guest user, as in the screenshot below.

[Screenshot: HythimAliElHadad_0-1683503184378.png]

Thanks

Oh, I would say guest would be for web authentication. Try to add the user as I showed and test.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215026-local-eap-authentication-on-catalyst-980.html

 

Hi Flavio

Thanks for your advice; actually I didn't try it this way. I'll try this tomorrow morning isa and will get back.

Thanks for your care
