
cisco wlc 3504 ssid authentication windows AD

edwincharles
Level 1

Dears,

Need help with Windows 10 clients trying to connect to an SSID using AD authentication; it is not working.

3 Replies

I saw some information in the log that caught my attention and I'd like you to take a look:

site 'default-group', interface 'savc-guest-interface'

Assigning flex webauth ACL ID :65535 for vlan : 8

Is the interface for this SSID named guest for some reason, or is it intended to be a guest network? Also, take care with the default group. It may trick you on some things, like the WLAN ID, for example. Ideally, avoid using it.

But your problem is related to this log:

Processing Access-Reject for mobile 00:28:f8:d3:13:cd
Entering Backend Auth Failure state (id=-1) for mobile 00:28:f8:d3:13:cd

And for that, you need to look at the authentication server. The answer to why the client was refused might be there. It can be a wrong certificate, wrong credentials and so on and so forth.

The fact is, whatever it might be, the answer is on the authentication server or on the client.

marce1000
VIP

 - Below you will find the output of your debug file when processed by https://cway.cisco.com/tools/WirelessDebugAnalyzer/. You may want to disable fast roaming (for a test) and check if that helps. And because of the RADIUS error, check the RADIUS server logs too.

 M.


Time    Task    Translated

Mar 29 12:44:40.967 *apfMsConnTask_7 Client made new Association to AP/BSSID BSSID 84:f1:47:c5:58:e8 AP 3F-AP4-Corridor4
Mar 29 12:44:40.967 *apfMsConnTask_7 The Reassociation Request from the client comes with 0 PMKID
Mar 29 12:44:40.967 *apfMsConnTask_7 The Reassociation Request from the client comes with 0 PMKID
Mar 29 12:44:40.967 *apfMsConnTask_7 Client is entering the 802.1x or PSK Authentication state
Mar 29 12:44:40.967 *apfMsConnTask_7 Client has successfully cleared AP association phase
Mar 29 12:44:40.967 *apfMsConnTask_7 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Mar 29 12:44:40.972 *Dot1x_NW_MsgTask_5 Client will be required to Reauthenticate in 1800 seconds
Mar 29 12:44:40.972 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:44:40.992 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:45:10.084 *Dot1x_NW_MsgTask_5 Client sent EAP-Identity-Response to WLC/AP
Mar 29 12:45:10.087 *Dot1x_NW_MsgTask_5 RADIUS Server denied access
Mar 29 12:45:14.946 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
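The translated debug output above can be triaged with a short script. This is an added example, not part of the thread or of any Cisco tool; it reports how far the 802.1X exchange got and how long each side took. The function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Sample input: lines taken from the translated debug output quoted in this thread.
SAMPLE = """\
Mar 29 12:44:40.967 *apfMsConnTask_7 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Mar 29 12:44:40.972 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:44:40.992 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
Mar 29 12:45:10.084 *Dot1x_NW_MsgTask_5 Client sent EAP-Identity-Response to WLC/AP
Mar 29 12:45:10.087 *Dot1x_NW_MsgTask_5 RADIUS Server denied access
Mar 29 12:45:14.946 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) (\*\S+) (.+)$")
ASSUMED_YEAR = "2000"  # assumption: the debug output carries no year

def parse(text):
    """Split each line into (timestamp, task, message); skip lines that do not match."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(events):
    """Summarise the 802.1X exchange: how far it got and how long each side took."""
    out = {"associated": False, "identity_requests": 0, "client_response_delay_s": None,
           "radius_denied": False, "deny_latency_s": None}
    last_req = last_resp = None
    for ts, _task, msg in events:
        if "Successful association" in msg:
            out["associated"] = True
        elif "sending EAP-Identity-Request" in msg:
            out["identity_requests"] += 1
            last_req = ts
        elif "Client sent EAP-Identity-Response" in msg and last_req:
            out["client_response_delay_s"] = round((ts - last_req).total_seconds(), 3)
            last_resp = ts
        elif "RADIUS Server denied access" in msg:
            out["radius_denied"] = True
            if last_resp:
                out["deny_latency_s"] = round((ts - last_resp).total_seconds(), 3)
    return out

if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

On the thread's lines this reports a successful association, a client identity response about 29 seconds after the last request, and a denial logged 3 ms after that response, which is why both replies point at the RADIUS server logs.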