09-09-2024 01:36 AM
I have been trying to set up authentication directly to an MS RADIUS server and so far I have been unsuccessful. Is this at all possible? I have been trying to find a document explaining how to set this up but I only find setups using 802.1x.
Has anyone done this? Any help would be greatly appreciated.
09-09-2024 01:41 AM
You want to access WLC using radius server?
Or wifi host authc by radius?
MHM
09-09-2024 01:43 AM
I want to authenticate hosts using the RADIUS server. The issue is that we currently have not been given budget to buy ISE, so I would like to at least start using AD for authenticating wireless users until we get ISE set up.
09-09-2024 01:44 AM
I don't think there is a way out of 802.1x, it's only the security protocol used
M.
09-09-2024 02:00 AM - edited 09-09-2024 02:01 AM
Hi @marce1000
I have seen that document and I have configured the WLC in accordance with what is in it. Yet I am still unable to authenticate to the SSID using my AD credentials. I don't suppose you have a document that describes the configuration on the MS RADIUS side? Everything I have found only defines the configuration on ISE.
I am not the one who has set up the RADIUS side of this, but I do have read access so I can verify configuration if I know what is supposed to be configured.
09-09-2024 02:31 AM
>...I have seen that document and I have configured WLC...
- Have a look at https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/
(e.g.) and https://www.mcgearytech.com/802-1x-authentication-via-cisco-wlan-active-directory/
Troubleshooting notes:
Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
Use the full command denoted in green; do not use a show tech as input for this procedure.
- If needed, engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity ; these debugs can be analyzed with Wireless Debug Analyzer
Check the NPS RADIUS server's logs too when a client tries to authenticate!!
- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
when you expect everything to be fully operational (or not)
M.
09-09-2024 02:34 AM
WLC cannot connect directly to AD
You need to configure RADIUS to integrate with AD
MHM
09-09-2024 03:51 AM
@MHM Cisco World MS RADIUS is configured as indicated in the discussion title.
09-09-2024 03:30 AM
After running some debugs and captures around the network I am seeing the following.
This first output is from the syslog on the WLC indicating that the AAA Server is Down.
Authentication failed for client (<MY MAC>) with reason (AAA Server Down) on Interface capwap_99999999 AuditSessionID 11234A0A012346DAD62767DF Username: marius.gunnerud
Though I am seeing that the AAA server is up:
show aaa servers
RADIUS: id 3, priority 1, host 1.1.1.10, auth-port 1812, acct-port 1813, hostname AD
State: current UP
I also see that ICMP keepalive packets are OK. But what I also see in the firewall capture is:
1.1.1.10 > 2.2.2.10 icmp: 1.1.1.10 udp port 1812 unreachable
I did run a radioactive trace on the WLC and only see Retransmits:
2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS: Retransmit to (10.10.55.31:1812,1813) for id 0/10
2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 10.10.55.31:1812
Am I perhaps missing some configuration on the WLC?
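Added example, not part of any post in this thread: a small Python triage that reads the three outputs quoted in the post above together and reports where they disagree. The function name and finding codes are hypothetical, the sample input is the post's own lines, and since addresses in a forum post are often redacted differently per output, a destination mismatch needs confirming on the real device.

```python
import re

# Sample input: the lines quoted in the post above (addresses as posted).
SHOW_AAA = "RADIUS: id 3, priority 1, host 1.1.1.10, auth-port 1812, acct-port 1813, hostname AD"
TRACE = """\
2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS: Retransmit to (10.10.55.31:1812,1813) for id 0/10
2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 10.10.55.31:1812
"""
CAPTURE = "1.1.1.10 > 2.2.2.10 icmp: 1.1.1.10 udp port 1812 unreachable"

SERVER_RE = re.compile(r"host (\S+), auth-port (\d+), acct-port (\d+)")
RETX_RE = re.compile(r"RADIUS: Retransmit to \((\S+?):(\d+),(\d+)\)")
REPLY_RE = re.compile(r"Access-(Accept|Reject|Challenge)")
UNREACH_RE = re.compile(r"(\S+) > (\S+) icmp: (\S+) udp port (\d+) unreachable")


def triage(show_aaa, trace, capture):
    """Return a list of (code, detail) findings from the three text inputs."""
    m = SERVER_RE.search(show_aaa)
    if not m:
        return [("no-server", "no RADIUS server line found in show aaa servers")]
    host, auth_port = m.group(1), int(m.group(2))
    findings = []

    # Retransmits with no server reply: the request leaves, nothing comes back.
    retx = RETX_RE.findall(trace)
    if retx and not REPLY_RE.search(trace):
        findings.append(("no-reply", f"{len(retx)} retransmit(s), no Access-Accept/Reject/Challenge"))

    # The trace should target the same address the server entry is configured with.
    for dst in sorted({r[0] for r in retx} - {host}):
        findings.append(("dest-mismatch", f"trace sends to {dst}, configured host is {host}"))

    # ICMP port unreachable from the server: the host is alive (ping keepalive
    # passes) but it refuses datagrams on the RADIUS authentication port.
    for src, _dst, about, port in UNREACH_RE.findall(capture):
        if about == host and int(port) == auth_port:
            findings.append(("port-unreachable", f"{src} answers but refuses UDP {port}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SHOW_AAA, TRACE, CAPTURE):
        print(f"{code}: {detail}")
```
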
09-09-2024 03:37 AM
>....Am I perhaps missing some configuration on the WLC?
- If we talk about that topic, then execute the procedure below to validate the WLC configuration
(troubleshooting notes as mentioned earlier):
Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
Use the full command denoted in green; do not use a show tech as input for this procedure.
M.
09-09-2024 05:40 AM
There ended up being a configuration error in the accepted protocols on the RADIUS server. That is now fixed and everything works as expected. Thanks for everyone's feedback.