We have deployed a variety of wireless networks using Cisco WLCs (2504, 5508 and Virtual WLCs) with 1550e, 1260 and 2602 access points, and we have been unable to get Apple devices to successfully authenticate to corporate SSIDs that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS X Server and other profile configuration utilities with no luck.
Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points doing 802.1X against the same Microsoft RADIUS server, but they continue to fail when we attempt the same through any of the WLC options referenced above.
Can anyone shed some light on this issue? It seems that RADIUS requests only show up in the IAS logs when something is entered in the "outer identity" field.
Complete these steps to troubleshoot the configurations:
1. Use the debug lwapp events enable command in order to check if the AP registers with the WLC.
2. Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP-Address, date and time in order to verify that the WLC was able to reach the RADIUS server.
Check the Passed Authentications and Failed Attempts reports on the RADIUS server in order to accomplish this.
3. You can also use these debug commands in order to troubleshoot AAA authentication:
• debug aaa all enable—Configures the debug of all AAA messages.
• debug dot1x packet enable—Enables the debug of all dot1x packets.
Here is a sample output from the debug dot1x aaa enable command:
(Cisco Controller) >debug dot1x aaa enable
4. Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and then click RADIUS Servers from the list of options.
This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
You can use the show wlan summary command in order to identify which of your WLANs use RADIUS server authentication. Then you can use the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with the Passed Authentications or Failed Attempts logs on the RADIUS server.
• Verify on the controller that the RADIUS server is in the active state, not standby or disabled.
• Use the ping command in order to check that the RADIUS server is reachable from the WLC.
• Check that the RADIUS server is selected from the drop-down menu of the WLAN (SSID).
Hello, thanks for your response. I probably forgot to mention that this issue only applies to Apple devices; all Windows clients authenticate through the same SSID and RADIUS server without issues, so the RADIUS configuration on the controller is good. For some reason MacBooks, iPads and iPhones never get prompted for the server certificate as other devices do.
As I mentioned in my post, the only time I see logs on the RADIUS server is when something "other than the user ID" is entered in the outer identity field of the network configuration profile used on the MacBooks.
This was resolved. It turns out that WLC version 7.5 and above has a bug affecting how the controller sends out the server certificate used during PEAP authentication; this only seems to affect some hardware (i.e. Apple and Android). I worked with Cisco TAC, downgraded the controller to 7.4.110, and everything worked without issues.