WLC 9800 Vlan switching not happening

shaikh.zaid22
Level 1

Hello,

We have a WLC 9800 running version 17.3.5a integrated with the AAA server Forescout, wherein dynamic VLAN switching is configured.

We are experiencing issues with the WLC wherein it is unable to switch VLANs from 2 to 10.


2023/06/01 12:22:59.183506 {wncd_x_R0-0}{1}: [client-orch-sm] [23168]: (ERR): MAC: 50eb.7154.284c  VLAN Override: VLAN change is NOT allowed in state RUN
2023/06/01 12:22:59.183507 {wncd_x_R0-0}{1}: [sanet-shim-translate] [23168]: (ERR): 50eb.7154.284c  :Auth interface failed to process vlan change from 2 to 15
2023/06/01 12:22:59.183596 {wncd_x_R0-0}{1}: [client-auth] [23168]: (ERR): MAC: 50eb.7154.284c  client authz result: FAILURE
2023/06/01 12:22:59.183596 {wncd_x_R0-0}{1}: [client-auth] [23168]: (ERR): MAC: 50eb.7154.284c  client authz result: FAILURE
2023/06/01 12:22:59.183818 {wncd_x_R0-0}{1}: [client-orch-sm] [23168]: (note): MAC: 50eb.7154.284c  Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_EXCLUDE_POLICY_
Kindly assist if anyone encountered the same.

6 Replies

Hi

  The VLAN is actually 2 and 15, right?

"Auth interface failed to process vlan change from 2 to 15"

  You need to enable aaa-override to allow RADIUS to control the VLAN ID. On the Policy Profile you need to configure the aaa-override.

@Flavio Miranda Thanks for the reply.

AAA override checkmark is enabled under the WLAN profile.

That's what I checked first, but then I raised it here with no more ideas left.

Try to run "debug aaa protocol radius" and let's see if something useful shows up. As you are running a third-party RADIUS and not ISE, we might consider interoperability problems.

Agreed with @Flavio Miranda. I think the way your RADIUS server is trying to make the change is probably wrong. Have you spoken to the RADIUS vendor to confirm it's compatible with the Cisco 9800 WLC? There were changes in CoA behaviour between AireOS and IOS-XE, so any RADIUS server will need updating for compatibility.
I vaguely recall (from our very early 9800 testing, so I might be wrong) that the VLAN override needs to re-auth the client, and that might be why you're getting that error "VLAN change is NOT allowed in state RUN".

Either way, the RADIUS server needs to be certified with the 9800 - make sure you're using the latest version of the product and check compatibility at https://compatibility.forescout.com/ . Also, I'd highly recommend upgrading to version 17.6.5 or 17.9.3 (see TAC recommended below) because there were a number of RADIUS fixes, enhancements and feature parity updates after 17.3 which you will be missing on 17.3.5a. It didn't even support RADIUS features we needed (which were in AireOS) until 17.5.

@Rich R and @Flavio Miranda Thank you for the response.

While checking compatibility, I found that Forescout NAC is not supported with the Cisco 9800 WLC.

Now I am waiting for the Forescout vendor's comments. I will also raise a case with Cisco TAC to understand better whether we should upgrade to the latest version to fix this or not.

I will update you guys, thanks a lot.

I suspected that. But I believe it can work. Talk with the RADIUS guys and probably they will find a solution.

Information About VLAN Override

The VLAN override requires the AAA Override to be enabled under the Policy Profile.

You can assign VLAN from the RADIUS server in two ways:

  • Using IETF RADIUS attributes 64, 65, and 81—The attribute 81 can be a VLAN ID, VLAN name, or VLAN group name. Both VLAN name and VLAN group are supported. Therefore, the VLAN ID does not need to be predetermined on RADIUS.

    The RADIUS user attributes used for the VLAN ID assignment are:

    • 64 (Tunnel-Type)—Must be set to VLAN (Integer = 13).

    • 65 (Tunnel-Medium-Type)—Must be set to 802 (Integer = 6).

    • 81 (Tunnel-Private-Group-ID)—Must be set to the corresponding VLAN ID, VLAN name, or VLAN group name.

  • Using Aire-Interface-Name attribute—Use this attribute to assign a successfully authenticated user to a VLAN interface name (or VLAN ID) as per the user configuration. When you use this attribute, the VLAN name is returned as a string.

The VLAN ID is 12 bits and takes a value between 1 and 4094, inclusive. Because the Tunnel-Private-Group-ID is of type string, as defined in RFC 2868 for use with IEEE 802.1X, the VLAN ID integer value is encoded as a string. When these tunnel attributes are sent, it is necessary to fill in the Tag field.
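As an added example (not code from the original post, Cisco, or Forescout), the block below encodes the three RFC 2868 tunnel attributes described above exactly as they appear on the wire in an Access-Accept, including the Tag octet, and decodes them back the way a controller would have to before honouring an override: the VLAN ID is carried as a decimal string in attribute 81, the Tag octet is only a tag when it is 0x00..0x1F, and the override is only usable when Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6) and Tunnel-Private-Group-ID all share the same tag. The default tag value of 1, the attribute-only layout (no RADIUS packet header or Message-Authenticator) and the sample values are assumptions for illustration.

```python
"""Encode/decode RFC 2868 tagged tunnel attributes used for RADIUS VLAN override.

Constructed example: builds the attribute-value pairs a RADIUS server returns to
move a client to VLAN 15, then parses them back and checks the triple is usable.
"""
import struct

TUNNEL_TYPE = 64               # RFC 2868 3.1, tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 3.2, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 3.6, tagged string
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6          # Tunnel-Medium-Type value "802"


def _avp(attr_type, value):
    """RADIUS attribute header: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def tagged_int(attr_type, tag, value):
    """Tagged integer: one Tag octet followed by a 3-octet big-endian integer."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("integer does not fit in 3 octets")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """Tagged string: one Tag octet followed by the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_override_avps(vlan, tag=1):
    """Attributes 64/65/81 for a VLAN ID (int) or a VLAN / VLAN-group name (str).

    tag=1 is an assumed default; what matters is that all three attributes
    carry the same tag. An integer VLAN ID is sent as its decimal string.
    """
    if isinstance(vlan, int):
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        group = str(vlan)
    else:
        group = vlan
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group))


def parse_avps(data):
    """Split a run of RADIUS attributes into (type, value_bytes) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def decode_vlan_override(data):
    """Group the tunnel attributes by Tag octet: {tag: {type, medium, group}}.

    For the string attribute the first octet is a tag only when it is <= 0x1F;
    otherwise the whole value is the string and it is filed under tag 0.
    """
    groups = {}
    for t, v in parse_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(v) != 4:
                raise ValueError("tagged integer attribute must be 4 octets")
            key = "type" if t == TUNNEL_TYPE else "medium"
            groups.setdefault(v[0], {})[key] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = (v[0], v[1:]) if v and v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})["group"] = s.decode("ascii")
    return groups


def vlan_from_accept(data):
    """Return the VLAN ID/name to apply, or None when no tag carries a complete
    and consistent triple (missing attribute, wrong type/medium, or tags that
    do not match across 64/65/81)."""
    for tag, g in sorted(decode_vlan_override(data).items()):
        if (g.get("type") == TUNNEL_TYPE_VLAN
                and g.get("medium") == TUNNEL_MEDIUM_802
                and "group" in g):
            return g["group"]
    return None


if __name__ == "__main__":
    avps = vlan_override_avps(15)
    print(avps.hex(" "))                      # 40 06 01 00 00 0d 41 06 ... 51 05 01 31 35
    print(vlan_from_accept(avps))             # 15
```

The hex dump is what to compare against a "debug aaa protocol radius" output or a packet capture of the Access-Accept: if the server sends attribute 81 without the matching 64/65, with a different Tag on one of the three, or with the VLAN as a 3-octet integer instead of a decimal string, the controller has nothing it can apply, regardless of the aaa-override setting.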
