06-15-2022 10:40 AM
Hello!
We have a central WLC5508 with AP2801.
There are several remote sites with APs in FlexConnect mode.
Users just connect to the central WLC for authentication, which is done on NPS.
One remote site is permanently complaining that they have trouble connecting to Notebook-WLAN, which is the same for all sites. This site is connected via a site-to-site VPN tunnel through the internet.
Is it possible that authentication is timing out? I've already increased the value for the RADIUS server timeout to 5 seconds on the WLC, but the WLC and RADIUS are in the same place; the distance between the APs and the WLC is high. Usually the APs are joined.
Thanks.
Solved!
06-15-2022 02:30 PM
Check the latency between the AP and WLC sites; if it is too high, the wireless client might be timing out the authentication, thus dropping the onboarding process. You could enable link latency on the APs in the problematic site so you could have an idea of the CAPWAP round-trip time; the link below explains how to enable link latency:
Also, the link below shows the WAN requirements for FlexConnect. Make sure you are under the target to use FlexConnect central authentication; otherwise, you should use FlexConnect local authentication to avoid any authentication issue created by WAN latency:
Additionally, make sure there are no packet drops between sites.
regards.
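The checks in this answer (AP-to-WLC round-trip time and packet loss between sites, and whether the path is fit for central authentication) can be turned into a small script. The following is an added example, not code from the thread or from Cisco: it parses Linux-style `ping` output captured from the remote site towards the WLC, reports RTT and loss statistics, and estimates how long a multi-round-trip EAP exchange would take when every leg crosses the WAN. The sample ping output is constructed, and the RTT, loss and EAP parameters are assumptions for illustration, not vendor figures.

```python
"""
Added example (not from the thread): sanity-check a remote site's WAN path
before relying on FlexConnect central authentication.

It parses Linux-style `ping` output, computes RTT and loss statistics, and
estimates the wall-clock time of an EAP exchange whose every leg crosses the
AP<->WLC WAN path. All thresholds below are assumptions for illustration.
"""
import re
import statistics

# Assumed budgets (illustrative; replace with your vendor's WAN guidance).
MAX_RTT_MS = 100.0      # per-leg round-trip budget for central authentication
MAX_LOSS_PCT = 1.0      # any sustained loss disturbs EAP retransmission timers

# Constructed sample: what a site technician might paste from `ping -c 6 <wlc-ip>`.
# Note the missing icmp_seq=3 and RTTs well above the assumed budget.
SAMPLE_PING = """\
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=58 time=142 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=58 time=138 ms
64 bytes from 10.0.0.5: icmp_seq=4 ttl=58 time=151 ms
64 bytes from 10.0.0.5: icmp_seq=5 ttl=58 time=139 ms
64 bytes from 10.0.0.5: icmp_seq=6 ttl=58 time=147 ms

--- 10.0.0.5 ping statistics ---
6 packets transmitted, 5 received, 16.6667% packet loss, time 5007ms
rtt min/avg/max/mdev = 138.012/143.400/151.201/4.912 ms
"""

_REPLY_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")
_SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")


def parse_ping(text):
    """Extract per-reply RTTs, loss percentage and the sequence numbers that never came back."""
    rtts, seen = [], set()
    for m in _REPLY_RE.finditer(text):
        seen.add(int(m.group(1)))
        rtts.append(float(m.group(2)))
    summary = _SUMMARY_RE.search(text)
    if summary:
        sent, received = int(summary.group(1)), int(summary.group(2))
    else:  # no summary block: infer from the highest sequence number seen
        sent, received = max(seen, default=0), len(rtts)
    loss_pct = 100.0 * (sent - received) / sent if sent else 0.0
    missing = sorted(set(range(1, sent + 1)) - seen)
    return {"rtts": rtts, "sent": sent, "received": received,
            "loss_pct": loss_pct, "missing_seq": missing}


def assess_wan(stats, max_rtt_ms=MAX_RTT_MS, max_loss_pct=MAX_LOSS_PCT):
    """Judge whether the measured path is within the assumed budgets for central auth."""
    findings = []
    if not stats["rtts"]:
        return {"ok": False, "findings": ["no ICMP replies received"]}
    avg = statistics.mean(stats["rtts"])
    worst = max(stats["rtts"])
    jitter = statistics.pstdev(stats["rtts"])
    if worst > max_rtt_ms:
        findings.append(f"max RTT {worst:.0f} ms exceeds {max_rtt_ms:.0f} ms budget")
    if stats["loss_pct"] > max_loss_pct:
        findings.append(f"{stats['loss_pct']:.1f}% loss, missing seq {stats['missing_seq']}")
    return {"ok": not findings, "avg_ms": avg, "max_ms": worst,
            "jitter_ms": jitter, "findings": findings}


def eap_exchange_time_ms(rtt_ms, round_trips, radius_ms):
    """
    Estimate the wall-clock time of a centrally authenticated EAP exchange:
    each EAP leg crosses the AP<->WLC WAN once in each direction (one RTT)
    and then waits for the WLC's local RADIUS turnaround. The number of legs
    depends on the EAP method (an assumption to set per deployment).
    """
    return round_trips * (rtt_ms + radius_ms)


if __name__ == "__main__":
    stats = parse_ping(SAMPLE_PING)
    verdict = assess_wan(stats)
    print("central auth OK" if verdict["ok"] else "central auth at risk")
    for f in verdict["findings"]:
        print(" -", f)
    # Assumed 12 EAP legs and 20 ms RADIUS turnaround, purely for illustration.
    print(f"estimated EAP exchange: {eap_exchange_time_ms(verdict['avg_ms'], 12, 20.0):.0f} ms")
```

Run it as-is to see the constructed sample flagged on both latency and loss; paste a real `ping` capture into `SAMPLE_PING` (or read it from a file) to assess an actual site. A path that fails `assess_wan` is a candidate for the FlexConnect local authentication fallback mentioned above.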
06-15-2022 10:54 AM
Are you configuring auth using a certificate?
06-15-2022 10:58 AM
troubles connecting to Notebook-WLAN
If only this WLAN is having the issue, are the rest of the SSIDs (WLANs) working over the site-to-site link?
06-15-2022 11:57 AM
Hi
Try to get one troubled client's MAC address and run "debug client <mac address>", save the output and share it here. Through the debug we can get an idea of what is going on.
06-16-2022 01:45 AM
In addition to all of this, check if you are working with asymmetric MTUs, as I have this same issue with Flex APs behind Meraki MX using SD-WAN. Under this scenario (and maybe also yours with a site-to-site VPN), authentication in some sites fails due to MTU asymmetry between the remote location (higher MTU) and the central one (lower MTU), which makes the AP constantly renegotiate the CAPWAP MTU and causes 802.1X packets to be dropped (especially reauth on sites with more than one AP during roaming).
For me, setting all MTUs to the same value did the trick.
There is a new defect for this behaviour which is being analysed to be fixed, as the AP CAPWAP tunnel keeps constantly shifting from 576 bytes to 1005 bytes.