WLC AP authentication timeout?

chrismes
Level 1

Hello!
We have a central WLC5508 with AP2801.
There are several remote sites with APs in FlexConnect mode.
Users just connect to the central WLC for authentication, which is done on NPS.
One remote site is permanently complaining that they have trouble connecting to Notebook-WLAN, which is the same for all sites. This site is connected via a site-to-site VPN tunnel through the internet.
Is it possible that authentication is timing out? I've already increased the value for the RADIUS server timeout to 5 seconds on the WLC, but the WLC and RADIUS are in the same place; the distance between the APs and the WLC is high. Usually the APs are joined.

Thanks.

Accepted Solution

jonathga94
Level 1

Check the latency between the AP and WLC sites; if it is too high the wireless client might be timing out the authentication, thus dropping the onboarding process. You could enable link latency on the APs in the problematic site so you could have an idea of the CAPWAP round-trip time; the link below explains how to enable link latency:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_01111000.pdf

Also, the link below shows the WAN requirements for FlexConnect. Make sure you are under the target to use FlexConnect central authentication; otherwise, you should use FlexConnect local authentication to avoid any authentication issue created by WAN latency:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/FlexConnect_DG.html#pgfId-43317

Additionally, make sure there are no packet drops between sites.

regards.
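To make the latency argument in this answer concrete, here is an added example (not from the thread and not Cisco's code) that takes CAPWAP round-trip samples such as the link-latency feature would give you and estimates whether a centrally authenticated 802.1X exchange still fits inside the client's timeout, compared with local authentication where the EAP exchange stays at the site. The RTT samples, the number of EAP round trips, loss rate, retransmit timer, supplicant timeout, and the latency target are all constructed or assumed values; replace them with your own measurements and the figures from the FlexConnect deployment guide.

```python
"""Added example: does a centrally authenticated 802.1X exchange fit in the
client's timeout when the AP sits across a high-latency WAN?  Every number
below is constructed or assumed, not a Cisco default."""

from statistics import median

# Constructed CAPWAP round-trip samples (ms) for a remote FlexConnect site,
# the kind of figures you read off after enabling AP link latency.
REMOTE_SITE_RTT_MS = [180, 210, 195, 400, 220, 230, 205, 190, 215, 350]

# Assumed planning inputs (hypothetical; tune to your environment):
EAP_ROUND_TRIPS = 12          # client<->RADIUS exchanges in a typical PEAP/EAP-TLS handshake
WAN_LOSS_RATE = 0.02          # fraction of frames lost between the sites
LOCAL_LAN_LOSS_RATE = 0.0     # loss assumed on the site LAN
RETRANSMIT_TIMEOUT_MS = 1000  # wait before a lost EAP/RADIUS frame is resent
SUPPLICANT_TIMEOUT_MS = 5000  # how long the client waits for the whole exchange
LATENCY_TARGET_MS = 100       # the round-trip target you are planning against
LOCAL_LAN_RTT_MS = 2          # AP -> site-local RADIUS RTT with local authentication


def summarize_rtt(samples):
    """Median and worst-case RTT: the two figures worth reading off a capture."""
    return {"median_ms": median(samples), "max_ms": max(samples)}


def estimate_auth_time_ms(rtt_ms, round_trips=EAP_ROUND_TRIPS,
                          loss_rate=WAN_LOSS_RATE,
                          retransmit_timeout_ms=RETRANSMIT_TIMEOUT_MS):
    """Estimate wall-clock time for one EAP exchange.

    With central authentication every EAP round trip between the client and
    the RADIUS server crosses the WAN inside the CAPWAP tunnel, so the link
    RTT is paid once per round trip.  Each lost frame (two WAN crossings per
    round trip) costs roughly one retransmit timer on top of that.
    """
    base_ms = rtt_ms * round_trips
    expected_retransmits = round_trips * 2 * loss_rate
    return round(base_ms + expected_retransmits * retransmit_timeout_ms, 1)


def assess_site(samples, supplicant_timeout_ms=SUPPLICANT_TIMEOUT_MS,
                latency_target_ms=LATENCY_TARGET_MS,
                local_rtt_ms=LOCAL_LAN_RTT_MS):
    """Compare central and local authentication against the client timeout."""
    stats = summarize_rtt(samples)
    # Plan against the worst observed RTT: one slow exchange is one failed logon.
    central_ms = estimate_auth_time_ms(stats["max_ms"])
    # Local authentication terminates EAP at the AP against a site-local RADIUS,
    # so the WAN RTT and WAN loss drop out of the per-round-trip cost.
    local_ms = estimate_auth_time_ms(local_rtt_ms, loss_rate=LOCAL_LAN_LOSS_RATE)
    return {
        **stats,
        "within_latency_target": stats["max_ms"] <= latency_target_ms,
        "central_auth_ms": central_ms,
        "central_auth_ok": central_ms <= supplicant_timeout_ms,
        "local_auth_ms": local_ms,
        "local_auth_ok": local_ms <= supplicant_timeout_ms,
    }


if __name__ == "__main__":
    for key, value in assess_site(REMOTE_SITE_RTT_MS).items():
        print(f"{key:>22}: {value}")
```

With the constructed samples the worst RTT of 400 ms alone costs 4.8 s over twelve EAP round trips, and the expected retransmissions push the central-authentication estimate past the assumed 5 s supplicant timeout, while the same exchange against a site-local RADIUS finishes in well under a second. That is the whole point of the WAN-latency target: the client, not the WLC's RADIUS timer you increased, is the one giving up.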


5 Replies

Are you configuring authentication using a certificate?

balaji.bandi
Hall of Fame
"troubles connecting to Notebook-WLAN"

If this is the only WLAN having the issue, are the rest of the SSIDs (WLANs) working over the site-to-site?


BB


Hi

Try to get one troubled client's MAC address and run "debug client <mac address>", save the output and share it here. Through the debug we can get an idea of what is going on.


JPavonM
VIP

In addition to all of this, check if you are working with asymmetric MTUs, as I have this same issue with Flex APs behind Meraki MX using SD-WAN. Under this scenario (and maybe also yours with the site-to-site VPN) authentication in some sites fails due to MTU asymmetry between the remote location (higher MTU) and the central one (lower MTU), which makes the AP constantly renegotiate the CAPWAP MTU, which makes 802.1X packets get dropped (especially reauth on sites with more than one AP during roaming).

For me, setting all MTUs to same value did the trick.

There is a new defect for this behaviour which is being analysed to be fixed, as the AP CAPWAP tunnel keeps constantly shifting from 576 bytes to 1005 bytes.
