09-06-2013 07:43 AM - edited 07-04-2021 12:46 AM
Hi Everyone,
We have users who are able to get the IP address but unable to access any internet sites.
I checked the trap logs on the WLC:
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.60.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.60.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 15) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
Need to know how I can troubleshoot this further.
Regards
Mahesh
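The trap-log pattern in the post above can be summarized per RADIUS server to show whether every server the WLC fails over to is also timing out, which points at the WLC-to-RADIUS path rather than the client. This is an added example, not code from the thread or from Cisco; the sample lines are copied from the post, and the function names and diagnosis labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Six trap-log lines in the format quoted in the original post.
SAMPLE_LOG = """\
RADIUS server 192.168.50.1:1812 failed to respond to request (ID 16) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.50.1:1812 activated on WLAN 1
RADIUS server 192.168.60.1:1812 deactivated on WLAN 1
RADIUS server 192.168.60.1:1812 failed to respond to request (ID 200) for client 88:53:2e:99:24:b5 / user 'unknown'
RADIUS server 192.168.60.1:1812 activated on WLAN 1
RADIUS server 192.168.50.1:1812 deactivated on WLAN 1
"""

TIMEOUT = re.compile(
    r"RADIUS server (?P<srv>\S+:\d+) failed to respond to request "
    r"\(ID (?P<id>\d+)\) for client (?P<mac>\S+) / user '(?P<user>[^']*)'")
STATE = re.compile(
    r"RADIUS server (?P<srv>\S+:\d+) (?P<state>activated|deactivated) "
    r"on WLAN (?P<wlan>\d+)")


def summarize(log_text):
    """Count timeouts and failover state changes per RADIUS server."""
    stats = defaultdict(lambda: {"timeouts": 0, "activated": 0,
                                 "deactivated": 0, "clients": set()})
    for line in log_text.splitlines():
        m = TIMEOUT.search(line)
        if m:
            stats[m["srv"]]["timeouts"] += 1
            stats[m["srv"]]["clients"].add(m["mac"])
            continue
        m = STATE.search(line)
        if m:
            stats[m["srv"]][m["state"]] += 1
    return dict(stats)


def diagnose(stats):
    """Classify the pattern; the labels are this example's own, not WLC output."""
    if not stats:
        return "NO_RADIUS_EVENTS"
    timed_out = [srv for srv, c in stats.items() if c["timeouts"]]
    if len(timed_out) == len(stats):
        # Every server the WLC fell back to also timed out: check the
        # configured server address and shared secret, not the client.
        return "ALL_SERVERS_TIMING_OUT"
    return "SOME_SERVERS_TIMING_OUT" if timed_out else "NO_TIMEOUTS"
```

Calling `diagnose(summarize(SAMPLE_LOG))` on the lines from the post returns `ALL_SERVERS_TIMING_OUT`, the case where no configured server answers the WLC.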
09-06-2013 07:56 AM
Looks like your WLC and RADIUS server aren't connecting...
Check the RADIUS server and see if the WLC is set up correctly. Make sure the secret is correct. Also check the logs and post if there are any...
On the WLC, do a debug aaa events enable, connect a client, and post the output.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
09-06-2013 08:04 AM
If you are doing 802.1x authentication, your clients should not get an IP address unless they authenticate successfully. I would test with an open ssid and make sure they get a valid IP address and that they can ping local resources on the same layer 2 subnet and also be able to ping the gateway and then be able to ping an Internet site like yahoo. See where it fails as if you created a new subnet, you need to make sure that you also have added the subnet to the NAT.
09-06-2013 10:13 AM
Can they get to internal resources? Is this a new WLAN and subnet that was created?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
09-06-2013 12:17 PM
I would do the troubleshooting in the following sequence.
1. Put a wired PC onto the VLAN allocated for WLAN1.
2. Check whether the wired PC gets an IP & can browse the internet.
3. If that works, then we know there is no issue with DHCP & no issue with L3/NAT routing to access the internet.
4. If step 2 does not work, then your issue is not within wireless; you have to change the focus of your troubleshooting.
5. If step 2 works, then test a wireless client with OPEN authentication (no ACS involvement). If this does not work, then it means the wireless client does not get proper IP connectivity. Check the dynamic interface configuration for this WLAN & make sure the gateway addresses are correctly configured. Also check that the VLANs are trunked across to the WLC from the switch.
6. If step 5 works, then try your client with ACS & see whether the client gets successfully authenticated. If not, it may be a WLC-to-ACS issue. Troubleshoot that in that case.
Do some troubleshooting like this & let us know the outcome. I am sure you will be able to find the issue easily this way.
HTH
Rasika
09-06-2013 12:23 PM
LOL ... this poor guy getting all this advice..
While I think mine is the most sound .. Obvious radius issues are shown #just saying
09-06-2013 12:31 PM
George,
Ha ha, you may be correct... you are giving the answer for this instance. I am going broader & giving him some general advice he can use for other scenarios as well... hope he is fine with that.
I am telling him an approach so that one day he can become an expert like you & pinpoint the issue just by looking at the log.
Rasika
09-06-2013 01:03 PM
Hi Everyone,
Sorry for being late on this.
The issue was that the current RADIUS servers were replaced by a new one yesterday night.
I put the new RADIUS server IP in the WLC and users were able to access the internet.
So George was spot on!
Thanks to everyone for answering the post.
Users were getting IPs via an external DHCP server.
Best regards
Mahesh
Message was edited by: mahesh parmar
09-06-2013 01:10 PM
So George was spot on!