When I attempt to authenticate a user in the ACS local user database, I receive an auth failure. I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS. Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with, but it reports 'CN user unknown' even though this user is in the local database.
During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID. The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
Typically you would select Cisco Aironet regardless of which type of Cisco Wireless you are using. The Airespace is there more for the older controllers. Dynamic VLAN assignment should work with Cisco Aironet; I have set it up many times. Do you have AAA Override enabled on the WLAN? You could use "debug dot1x all enable" on the controller to make sure the AVPs are being sent down to the controller correctly. They should show up in the debug shortly after the Access Accept.
I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now. I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything. I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab. ARGH!!