Hello,
After migrating from a Cisco WLC 5520 to a 9800 I am having a strange behavior for particular clients. On a given SSID with Do1x authentication I get clients able to authenticate and very particular one not. After some radioactive tracing I see on succesfull clients that the WLC is sending the RADIUS: Send Access-Request to xx.xx .. On the afected user it doesn't, it stops after a sucessful EAP identity exchange.
Success Client
Failed Client
A show tech wireless on the analyzer doesn't show any particular error and I think the logs above speak for themselves, I also have a PCAP showing the RADIUS request to the successful client:
No RADIUS packet for the failed client though. Again same SSID and same Access Point. Did someone experienced something like that maybe?
Soft Version is 17.12.5 on the WLC9800
Note that when I move this Access Point to the old WLC it works, clients authenticate via dot1x successfully using EAP-TLS with the RADIUS which is an NPS server.
Thanks
BR
Diogo
Hi,
The message is this
2025/06/26 14:13:09.967007944 {wncd_x_R0-0}{1}: [errmsg] [21811]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (c81c.fe63.79b4) with reason (Cred Fail) on Interface capwap_90000145 AuditSessionID 11015D0A00016D0BAC95D4B7 Username: xxxx
But this is very weired because no Dot1X request has been fired, sent, etc... Let me help you, I will post here bellow a successfull connection from another device in this SSID and another from the device which fails:
Success Device
Failed Device same SSID as above, same Access Point
If you compare both images you see that no RADIUS access request is being sent.
BR
Diogo
