cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
634
Views
0
Helpful
8
Replies

Users unable to access the internet sites

mahesh18
Level 6
Level 6

Hi Everyone,

We have users who are able to get the IP address but unable to access any internet sites.

I check the trap logs on the WLC

RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'

RADIUS server 192.168.50.1:1812 activated on WLAN 1

RADIUS server 192.168.60.1:1812 deactivated on WLAN 1

RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'

RADIUS server 192.168.60.1:1812 activated on WLAN 1

RADIUS server 192.168.50.1:1812 deactivated on WLAN 1

RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'

RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.60.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1

Need to know  how can i troubleshoot this further?

Regards

Mahesh

6 Accepted Solutions

Accepted Solutions

George Stefanick
VIP Alumni
VIP Alumni

Looks like your WLC and radius server arent connecting ..

Check the radius server and see if the WLC is set up correctly. Make sure the secret is correct.Also check the logs and post if there are any ...

On the WLC do a debug aaa events enable connect a client and post the output

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

Scott Fella
Hall of Fame
Hall of Fame

If you are doing 802.1x authentication, your clients should not get an IP address unless they authenticate successfully. I would test with an open ssid and make sure they get a valid IP address and that they can ping local resources on the same layer 2 subnet and also be able to ping the gateway and then be able to ping an Internet site like yahoo. See where it fails as if you created a new subnet, you need to make sure that you also have added the subnet to the NAT.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Stephen Rodriguez
Cisco Employee
Cisco Employee

Can they get to internal resources?  Is this a new WLAN and subnet that was created?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

I would do the troubleshooting in  following sequence.

1. Put a wired PC on to the vlan allocated for WLAN1

2. Check whether wired PC gets an IP & can browse internet

3. If that works, then we know no issue of DHCP & not issue with L3/NAT routing to access internet

4. If step2, does not work then your issue is not within wireless, you have to change the focus of your troubleshoot.

5. If step2 works, then test a wireless client with OPEN Authentication (No ACS involvment).If this does not work,then it means wireless client does not get proper IP connectivity. Check dynamic interface configuration for this WLAN & make sure gateway addresses correctly configured. Also VLANs are trunk across to WLC from switch.

6. If step5 works, then try your client with ACS & see the client get successfully authenticated. If not it may be WLC to ACS issue. Troubleshoot that in that case.

Do some troubleshooting like this & let us know the outcome. I am sure you will abe to find out the issue easily in this way.

HTH

Rasika

View solution in original post

LOL ... this poor guy getting all this advice..

While I think mine is the most sound .. Obvious radius issues are shown  #just saying

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

George,

ha..ha.. you may be correct...you are telling the answer to this instance. I am going more broader & give him some general advice he can use it for other scenario as well...hope he is fine with that..

I am telling him an approach one day he can become an expert like you by just looking at the log & can pin point the issue.

Rasika

View solution in original post

8 Replies 8

George Stefanick
VIP Alumni
VIP Alumni

Looks like your WLC and radius server arent connecting ..

Check the radius server and see if the WLC is set up correctly. Make sure the secret is correct.Also check the logs and post if there are any ...

On the WLC do a debug aaa events enable connect a client and post the output

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Scott Fella
Hall of Fame
Hall of Fame

If you are doing 802.1x authentication, your clients should not get an IP address unless they authenticate successfully. I would test with an open ssid and make sure they get a valid IP address and that they can ping local resources on the same layer 2 subnet and also be able to ping the gateway and then be able to ping an Internet site like yahoo. See where it fails as if you created a new subnet, you need to make sure that you also have added the subnet to the NAT.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Stephen Rodriguez
Cisco Employee
Cisco Employee

Can they get to internal resources?  Is this a new WLAN and subnet that was created?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I would do the troubleshooting in  following sequence.

1. Put a wired PC on to the vlan allocated for WLAN1

2. Check whether wired PC gets an IP & can browse internet

3. If that works, then we know no issue of DHCP & not issue with L3/NAT routing to access internet

4. If step2, does not work then your issue is not within wireless, you have to change the focus of your troubleshoot.

5. If step2 works, then test a wireless client with OPEN Authentication (No ACS involvment).If this does not work,then it means wireless client does not get proper IP connectivity. Check dynamic interface configuration for this WLAN & make sure gateway addresses correctly configured. Also VLANs are trunk across to WLC from switch.

6. If step5 works, then try your client with ACS & see the client get successfully authenticated. If not it may be WLC to ACS issue. Troubleshoot that in that case.

Do some troubleshooting like this & let us know the outcome. I am sure you will abe to find out the issue easily in this way.

HTH

Rasika

LOL ... this poor guy getting all this advice..

While I think mine is the most sound .. Obvious radius issues are shown  #just saying

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

ha..ha.. you may be correct...you are telling the answer to this instance. I am going more broader & give him some general advice he can use it for other scenario as well...hope he is fine with that..

I am telling him an approach one day he can become an expert like you by just looking at the log & can pin point the issue.

Rasika

Hi Everyone,

Sorry  for getting late  on this.

Issue was Current Radius servers were replaced by new one yesterdy night.

I put the New Radius server IP  in the WLC  and users were able to access the internet.

So George was spot on!

Thanks to everyone to answering the post.

USers were getting IP  from the DHCP  via external DHCP server.

Best regards

MAhesh

Message was edited by: mahesh parmar

So George was spot on!

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: