Solved: Cisco 9800 Clients Can't Connect to FlexConnect 802.1x WLAN

Chris Terry · ‎04-08-2024

I'm trying to migrate from Cisco 5520 WLC to Cisco 9800 WLC. I configured the WLAN with 802.1x and the AP is in FlexConnect mode.

When the client is trying to connect I see it associate with the WLC, but then it gets stuck in authenticating status. I'm not seeing anything on the ISE side meaning nothing reaches ISE. I'm not seeing the client get an IP either. WLC logs show the client being deleted with the reason L2AUTH_CONNECT_TIMEOUT. It seems like it might be all related to DHCP

WLC - 9800 version 17.9.4a
Switch - 9300 version 17.9.4a
WLC only has the Management/AP Management SVI VLAN 5. Clients are using VLAN 100 which is only a layer 2 VLAN on the WLC. The switch has IP helpers for VLAN 100. The Policy only has Central Authentication enabled.

Edit: Added client trace output

Leo Laohoo · ‎04-09-2024

CSCwf14041: C9120 stops forwarding EAP-Identity-Request to client intermittently

CSCwh68219: 91xx AP not processing EAP-TLS server Hello

CSCwi75798: 9120 didn't receive/transfer EAP response

View solution in original post

Leo Laohoo · ‎04-08-2024

What are the model of APs?

Chris Terry · ‎04-08-2024

The AP model is C9120AXI-B

Leo Laohoo · ‎04-08-2024

Disable and re-enable the SSID. IF the clients are able to connect after that then it could be CSCwi18057.

Chris Terry · ‎04-08-2024

It doesn’t look like I’m hitting that bug. I’m not seeing those error logs.

I did go ahead and make the SSID PSK and the client was able to grab an IP and connect without issues. So I have something funky with my 802.1x config(s)

MHM Cisco World · ‎04-09-2024

Sorry can you check if you can ping radius server from AP since you use flex connect.

MHM

Chris Terry · ‎04-09-2024

I can ping from the AP to the radius server

<AP>#ping <RADIUS IP>
Sending 5, 100-byte ICMP Echos to <RADIUS IP>, timeout is 2 seconds

PING <RADIUS IP>
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20.580/20.958/21.818 ms

marce1000 · ‎04-09-2024

- Have the attached client trace analyzed with : Wireless Debug Analyzer
If that one doesn't work then use client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity and use those as input for Wireless Debug Analyzer
A summarizing view of client behavior can be obtained from : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

- Important : have a checkup of your 9800 WLC configuration with the CLI command show tech wireless and feed the output from that into : Wireless Config Analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

PradeepSingh · ‎04-09-2024

Since you mentioned that "The Policy only has Central Authentication enabled", your authentication is supposed to be done via controller. It looks you are missing some AAA configuration.

Have you defined aaa authentication method using the correct radius group and server ?

Have you mapped authentication method in WLAN profile ?

If yes, can you verify reachability of radius servers and status in WLC.

Chris Terry · ‎04-09-2024

I did confirm I could reach the radius server from the WLC, AP, and switch the WLC was connected which also has the SVIs for the client networks. I mapped the authentication method in the WLAN profile.

I have been able to get it to work. I believe the issue was the aaa authentication config. I went back through the 802.1x WLAN guide for the 9800.

Chris Terry · ‎04-09-2024

So an update... I narrowed down my issue.

The radius/ISE server is configured to authenticate users on the 802.1x WLAN with MSCHAPv2 or PEAP (EAP-TLS). When the client auth side is set to MSCHAPv2 the client isn't able to authenticate or even get an IP, but when I change the client side network auth to PEAP (EAP-TLS) Machine Auth it works as expected.

I did notice when the client was failing to authenticate while configured for MSCHAPv2 under the client information > General > Security it did not show an EAP type

Leo Laohoo · ‎04-09-2024

CSCwf14041: C9120 stops forwarding EAP-Identity-Request to client intermittently

CSCwh68219: 91xx AP not processing EAP-TLS server Hello

CSCwi75798: 9120 didn't receive/transfer EAP response

Chris Terry · ‎04-09-2024

Yikes…

Definitely matching for the first and last bug. I’ll double check if it changing it to PEAP helps at all.

Chris Terry · ‎04-10-2024

I changed to PEAP-MSCHAPv2 and it worked. Which makes it sound like I was hitting CSCwf14041. I changed back to EAP-MSCHAPv2 and now that works.

Leo Laohoo · ‎04-10-2024

@Chris Terry wrote:
I changed back to EAP-MSCHAPv2 and now that works.

EAP will work temporarily and then it will stop when the process crashes in the AP.

An alternative fix is to regularly/daily reboot the AP. Some people use EEM (or PI script) to reboot the AP.