cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
487
Views
3
Helpful
10
Replies

WLC9800 authenticate SSID directly to MS RADIUS server

BoomShakaLak
Level 1
Level 1

I have been trying to set up authentication directly to an MS RADIUS server and so far I have been unsuccessful.  Is this at all possible?  I have been trying to find a document explaining how to set this up but I only find setups using 802.1x.

Has anyone done this?  any help would be greatly appreciated.

1 Accepted Solution

Accepted Solutions

 

           >....Am I perhaps missing some configuration on the WLC?
    - If we talk about that topic then execute the below procedure to validate the WLC configuration

 (  Troubleshooting notes as mentioned earlier) :
 
 Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
                       use the full command denoted in green , do not use a show tech as input for this procedure

 M.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

10 Replies 10

You want to access WLC using radius server?

Or wifi host authc by radius?

MHM

BoomShakaLak
Level 1
Level 1

Hi @MHM Cisco World 

I want to authenticate hosts using the RADIUS server.  The issue is that we currently have not been given budget to buy ISE, so I would like to at least start using AD for authenticating wireless users until we get ISE set up.

marce1000
VIP
VIP

 

      - FYI https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

                I don't think there is a way out of 802.1x , it's only the  security protocol used

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi @marce1000 

I have seen that document and I have configured WLC in accordance with what is in it.  Yet I am still unable to authenticate to the SSID using my AD credentials.  I don't suppose you have a document that describes the configuration on MS RADIUS side ?  Everything I have found only defines the configuration on ISE.

I am not the one who has set up the RADIUS side of this, but I do have read access so I can verify configuration if I know what is supposed to be configured.

 

 

            >...I have seen that document and I have configured WLC...
  - Have a look at https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/
     (e.g.) and https://www.mcgearytech.com/802-1x-authentication-via-cisco-wlan-active-directory/

  Troubleshooting notes :
 
 Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
                       use the full command denoted in green , do not use a show tech as input for this procedure

   - If neeed engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer
                               Check the NPS radius server's logs too when a client tries to authenticate!!

  - Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 
                    when you expect everything to be fully operational (or not)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Wlc can not connect directly to AD 

You need to config radius to integrate with AD

MHM

@MHM Cisco WorldMS RADIUS is configured as indicated in the discussion title.

After running some debugs and captures around the network I am seeing the following.

This first output is from the syslog on the WLC indicating that the AAA Server is Down.

Authentication failed for client (<MY MAC>) with reason (AAA Server Down) on Interface capwap_99999999 AuditSessionID 11234A0A012346DAD62767DF Username: marius.gunnerud

Though I am seeing that the AAA server is up:

show aaa servers

RADIUS: id 3, priority 1, host 1.1.1.10, auth-port 1812, acct-port 1813, hostname AD
State: current UP

I also see that ICMP keepalive packets are OK.  But what I also see in the firewall capture is:

1.1.1.10 > 2.2.2.10 icmp: 1.1.1.10 udp port 1812 unreachable

I did run a radioactive trace on the WLC and only see Retransmits:

2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS: Retransmit to (10.10.55.31:1812,1813) for id 0/10
2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 10.10.55.31:1812

Am I perhaps missing some configuration on the WLC?

 

 

 

           >....Am I perhaps missing some configuration on the WLC?
    - If we talk about that topic then execute the below procedure to validate the WLC configuration

 (  Troubleshooting notes as mentioned earlier) :
 
 Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
                       use the full command denoted in green , do not use a show tech as input for this procedure

 M.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

There ended up being a configuration error in the accepted protocols on the RADIUS server.  That is now fixed and everything works as expected.  Thanks for everyone's feedback.

Review Cisco Networking for a $25 gift card