Solved: WLC9800 authenticate SSID directly to MS RADIUS server

BoomShakaLak · ‎09-09-2024

I have been trying to set up authentication directly to an MS RADIUS server and so far I have been unsuccessful. Is this at all possible? I have been trying to find a document explaining how to set this up but I only find setups using 802.1x.

Has anyone done this? any help would be greatly appreciated.

marce1000 · ‎09-09-2024

>....Am I perhaps missing some configuration on the WLC?
- If we talk about that topic then execute the below procedure to validate the WLC configuration

( Troubleshooting notes as mentioned earlier) :
Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
use the full command denoted in green , do not use a show tech as input for this procedure

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

MHM Cisco World · ‎09-09-2024

You want to access WLC using radius server?

Or wifi host authc by radius?

MHM

BoomShakaLak · ‎09-09-2024

Hi @MHM Cisco World

I want to authenticate hosts using the RADIUS server. The issue is that we currently have not been given budget to buy ISE, so I would like to at least start using AD for authenticating wireless users until we get ISE set up.

marce1000 · ‎09-09-2024

- FYI : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

I don't think there is a way out of 802.1x , it's only the security protocol used

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

BoomShakaLak · ‎09-09-2024

Hi @marce1000

I have seen that document and I have configured WLC in accordance with what is in it. Yet I am still unable to authenticate to the SSID using my AD credentials. I don't suppose you have a document that describes the configuration on MS RADIUS side ? Everything I have found only defines the configuration on ISE.

I am not the one who has set up the RADIUS side of this, but I do have read access so I can verify configuration if I know what is supposed to be configured.

marce1000 · ‎09-09-2024

>...I have seen that document and I have configured WLC...
- Have a look at https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/
(e.g.) and https://www.mcgearytech.com/802-1x-authentication-via-cisco-wlan-active-directory/

Troubleshooting notes :
Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
use the full command denoted in green , do not use a show tech as input for this procedure

- If neeed engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer
Check the NPS radius server's logs too when a client tries to authenticate!!

- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
when you expect everything to be fully operational (or not)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

MHM Cisco World · ‎09-09-2024

Wlc can not connect directly to AD

You need to config radius to integrate with AD

MHM

BoomShakaLak · ‎09-09-2024

@MHM Cisco WorldMS RADIUS is configured as indicated in the discussion title.

BoomShakaLak · ‎09-09-2024

After running some debugs and captures around the network I am seeing the following.

This first output is from the syslog on the WLC indicating that the AAA Server is Down.

Authentication failed for client (<MY MAC>) with reason (AAA Server Down) on Interface capwap_99999999 AuditSessionID 11234A0A012346DAD62767DF Username: marius.gunnerud

Though I am seeing that the AAA server is up:

show aaa servers

RADIUS: id 3, priority 1, host 1.1.1.10, auth-port 1812, acct-port 1813, hostname AD
State: current UP

I also see that ICMP keepalive packets are OK. But what I also see in the firewall capture is:

1.1.1.10 > 2.2.2.10 icmp: 1.1.1.10 udp port 1812 unreachable

I did run a radioactive trace on the WLC and only see Retransmits:

2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS: Retransmit to (10.10.55.31:1812,1813) for id 0/10
2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 10.10.55.31:1812

Am I perhaps missing some configuration on the WLC?

marce1000 · ‎09-09-2024

>....Am I perhaps missing some configuration on the WLC?
- If we talk about that topic then execute the below procedure to validate the WLC configuration

( Troubleshooting notes as mentioned earlier) :
Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
use the full command denoted in green , do not use a show tech as input for this procedure

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

BoomShakaLak · ‎09-09-2024

There ended up being a configuration error in the accepted protocols on the RADIUS server. That is now fixed and everything works as expected. Thanks for everyone's feedback.