Help adding new WLC to existing ACS

Unanswered Question
May 12th, 2010

Hi All,

I need help with this.

This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.

I need to add a new WLC.

I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.

The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.

I want to know if somebody can point me out in the right direction to solve this.

There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.

The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash.  We don't get this information on the non-working WLC (attached document shows both)

Also in the attached document, I'm sending the errors I get no the WLC2 controller.

Any help is greatly appreciated.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
John Cook Wed, 05/12/2010 - 12:30

What type of errors do you have in the ACS Failed Authentication logs?

Federico Coto F... Wed, 05/12/2010 - 12:54

Thank you.

In the ACS/Failed Attempts this is what I get:

05/12/201013:09:59Authen failed0024d2992d35MacAddress00-24-d2-99-2d-35User Access Filtered....0024d2992d35172.16.10.146..GN


This happens for all the wireless clients connecting to APs for WLC2 (the one not working).

Please let me know.


John Cook Wed, 05/12/2010 - 13:01

The "user access filtered" message is likely caused by either the userid or group having Network Access Restrictions enabled for a the original AAA client, but not the new one. Check out the NAR settings in the user settings and group settings to see if that’s it.

Federico Coto F... Wed, 05/12/2010 - 13:08

Kindly help me out here please.

In the ACS, under Network Configuration/AAA Clients, I see both WLCs (both under a Network Device Group called (Not Assigned))

In the ACS, under Group Setup/MAC Address, I see only the WLC1

In the ACS, under Shared Profile Components/NAR, NAR is not defined (and is not showing under the group MAC Address)

Is this helping?


Jatin Katyal Fri, 05/14/2010 - 03:37


I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?

Also, if you don't know see any NAR configured under shared profile component then check inside the group/user setup there must be either ip based or CLI/DNIS based NAR configured for WLC's and looking at failed attempts it seem that action is denied.




Do rate helpful posts-

Federico Coto F... Fri, 05/14/2010 - 07:02

In the ACS, under Group Setup/MAC Address, I see only the WLC1

Under the Group Setup option, I chose the group called MAC Address and only one WLC was showing (the working one).

I thought that it should recognize the WLC2, but after I added it manually it started working.

Not sure if it makes sense but it's now working fine, thank you.



This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode