WLC9800 authenticate SSID directly to MS RADIUS server

BoomShakaLak
Level 1

I have been trying to set up authentication directly to an MS RADIUS server and so far I have been unsuccessful. Is this at all possible? I have been trying to find a document explaining how to set this up, but I only find setups using 802.1x.

Has anyone done this? Any help would be greatly appreciated.


10 Replies

Do you want to access the WLC using a RADIUS server?

Or Wi-Fi host authc by RADIUS?

MHM

BoomShakaLak
Level 1

Hi @MHM Cisco World

I want to authenticate hosts using the RADIUS server. The issue is that we currently have not been given the budget to buy ISE, so I would like to at least start using AD for authenticating wireless users until we get ISE set up.

Mark Elsen
Hall of Fame

 

- FYI https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html

I don't think there is a way out of 802.1x, it's only the security protocol used.

M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Hi @Mark Elsen

I have seen that document and I have configured the WLC in accordance with what is in it. Yet I am still unable to authenticate to the SSID using my AD credentials. I don't suppose you have a document that describes the configuration on the MS RADIUS side? Everything I have found only defines the configuration on ISE.

I am not the one who has set up the RADIUS side of this, but I do have read access, so I can verify the configuration if I know what is supposed to be configured.

 

 

> ...I have seen that document and I have configured WLC...

- Have a look at https://howiwifi.com/2020/07/21/cisco-9800-802-1x-eap-user-authentication-with-windows-radius-nps/ (e.g.) and https://www.mcgearytech.com/802-1x-authentication-via-cisco-wlan-active-directory/

Troubleshooting notes:

Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
(use the full command denoted in green, do not use a show tech as input for this procedure)

- If needed, engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity; these debugs can be analyzed with Wireless Debug Analyzer
Check the NPS RADIUS server's logs too when a client tries to authenticate!!

- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 when you expect everything to be fully operational (or not)

M.




The WLC cannot connect directly to AD.

You need to configure RADIUS to integrate with AD.

MHM

@MHM Cisco World MS RADIUS is configured, as indicated in the discussion title.

After running some debugs and captures around the network I am seeing the following.

This first output is from the syslog on the WLC indicating that the AAA Server is Down.

Authentication failed for client (<MY MAC>) with reason (AAA Server Down) on Interface capwap_99999999 AuditSessionID 11234A0A012346DAD62767DF Username: marius.gunnerud

Though I am seeing that the AAA server is up:

show aaa servers

RADIUS: id 3, priority 1, host 1.1.1.10, auth-port 1812, acct-port 1813, hostname AD
State: current UP

I also see that ICMP keepalive packets are OK.  But what I also see in the firewall capture is:

1.1.1.10 > 2.2.2.10 icmp: 1.1.1.10 udp port 1812 unreachable

I did run a radioactive trace on the WLC and only see Retransmits:

2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS: Retransmit to (10.10.55.31:1812,1813) for id 0/10
2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 10.10.55.31:1812

Am I perhaps missing some configuration on the WLC?
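The four artefacts quoted in this post (the WLC syslog line, the show aaa servers output, the firewall capture and the radioactive trace) each carry one piece of the picture, and the point is what they say together: the WLC still believes the server is UP and keeps retransmitting, while the server host itself answers UDP/1812 with ICMP port unreachable, so the request reaches the host but nothing there accepts it. The script below is an added example, not code from the thread or from Cisco; it parses constructed sample lines modelled on the ones above (all IPs, the MAC, the session ID and the username jane.doe are placeholders) and correlates them into findings a defender would act on.

```python
import re

# Constructed sample evidence, modelled on the four artefacts quoted in the post.
# Every IP, MAC, session ID and username here is a placeholder, not a value from the thread.
SAMPLE_SYSLOG = (
    "Authentication failed for client (aaaa.bbbb.cccc) with reason (AAA Server Down) "
    "on Interface capwap_90000001 AuditSessionID 00000000000000000000000A Username: jane.doe"
)
SAMPLE_SHOW_AAA = (
    "RADIUS: id 3, priority 1, host 192.0.2.10, auth-port 1812, acct-port 1813, hostname NPS\n"
    "State: current UP"
)
# As seen from the firewall: the RADIUS server (192.0.2.10) answers the WLC's (192.0.2.20)
# UDP/1812 datagram with ICMP port unreachable.
SAMPLE_FW_CAPTURE = "192.0.2.10 > 192.0.2.20 icmp: 192.0.2.10 udp port 1812 unreachable"
SAMPLE_RA_TRACE = (
    "2024/09/09 11:40:17.458753070 {wncd_x_R0-0}{1}: [radius] [15338]: (info): "
    "RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 0/10\n"
    "2024/09/09 11:40:17.458757877 {wncd_x_R0-0}{1}: [radius] [15338]: (info): "
    "RADIUS(00000000): Route radius Pkt on vrf:0 for:Access-Request to 192.0.2.10:1812"
)

SYSLOG_RE = re.compile(
    r"Authentication failed for client \((?P<mac>[^)]+)\) with reason \((?P<reason>[^)]+)\)"
    r".*?Username: (?P<user>\S+)"
)
SERVER_RE = re.compile(r"host (?P<host>\S+), auth-port (?P<auth>\d+), acct-port (?P<acct>\d+)")
STATE_RE = re.compile(r"State: current (?P<state>\w+)")
UNREACH_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+) icmp: \S+ udp port (?P<port>\d+) unreachable", re.MULTILINE
)
RETX_RE = re.compile(r"RADIUS: Retransmit to \((?P<host>[^:]+):(?P<auth>\d+),(?P<acct>\d+)\)")


def triage(syslog, show_aaa, fw_capture, ra_trace):
    """Extract the key fields from each artefact and correlate them into findings."""
    r = {"findings": []}
    m = SYSLOG_RE.search(syslog)
    if m:
        r.update(mac=m["mac"], reason=m["reason"], user=m["user"])
    s, st = SERVER_RE.search(show_aaa), STATE_RE.search(show_aaa)
    if s:
        r.update(server=s["host"], auth_port=int(s["auth"]), acct_port=int(s["acct"]))
    if st:
        r["state"] = st["state"]
    # (source host, UDP port) pairs for which the host itself replied "port unreachable"
    r["unreachable"] = [(u["src"], int(u["port"])) for u in UNREACH_RE.finditer(fw_capture)]
    r["retransmits"] = len(RETX_RE.findall(ra_trace))

    # Correlation 1: the WLC still shows the server UP while rejecting the client with
    # "AAA Server Down", i.e. requests go out but no Access-Accept/Reject comes back.
    if r.get("reason") == "AAA Server Down" and r.get("state") == "UP":
        r["findings"].append(
            "WLC reports the server UP but the client failed with AAA Server Down: "
            "no RADIUS reply is arriving")
    # Correlation 2: the RADIUS server host answers the auth port with ICMP port
    # unreachable, so the datagram reached the host but nothing accepted it on UDP/1812.
    if r.get("server") and (r["server"], r.get("auth_port")) in r["unreachable"]:
        r["findings"].append(
            "RADIUS server sends ICMP port unreachable for UDP/%d: check the NPS service, "
            "its listening port and its logs" % r["auth_port"])
    # Correlation 3: the radioactive trace shows only retransmits towards the server.
    if r["retransmits"]:
        r["findings"].append(
            "%d RADIUS retransmit(s) in the trace: the WLC side is transmitting; "
            "look at the server side" % r["retransmits"])
    return r


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSLOG, SAMPLE_SHOW_AAA, SAMPLE_FW_CAPTURE, SAMPLE_RA_TRACE)["findings"]:
        print("-", finding)
```

Feed it the real lines from a trace and the findings point at the server side when the ICMP unreachable is present, which is exactly where the thread ends up: a misconfiguration on the RADIUS server, not on the WLC.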

 

 

 

> ....Am I perhaps missing some configuration on the WLC?

- If we talk about that topic then execute the below procedure to validate the WLC configuration (troubleshooting notes as mentioned earlier):

Always have a checkup of the 9800 WLC configuration (after configuring) with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
(use the full command denoted in green, do not use a show tech as input for this procedure)

M.




There ended up being a configuration error in the accepted protocols on the RADIUS server.  That is now fixed and everything works as expected.  Thanks for everyone's feedback.
