Configure 802.1X on 9800 series WLC and ISE

1. Configure AAA

Add the ISE address to the 9800 WLC.

Configure Server Groups (optional, not required).

Configure AAA Method (required). If it is not configured, authentication will fail, as discussed in 6. Verification.

2. Configure WLAN

Add WLAN.

Make sure that 802.1x is checked.

Select the AAA Method configured in 1. Configure AAA.

3. Configure Location

Add Location.

After APs are added to the Location, they will rejoin.

4. Configure ISE

Add WLC address to ISE.

Configure Shared Secret.

Add user.

Configure Policy Sets.

5. AAA Override

This is optional. If you need to configure a more complex network environment, you can refer to the following configuration process.

6. Verification

haifeli-C9800#show wireless client summary
Number of Clients: 1

MAC Address    AP Name                                        Type ID   State             Protocol Method     Role
-------------------------------------------------------------------------------------------------------------------------
0000.xxxx.zzzz C9117AXI-1                                     WLAN 1    Run               11n(2.4) Dot1x      Local

Number of Excluded Clients: 0


haifeli-C9800#

If you did not configure the AAA Method in 1. Configure AAA, you may encounter the following error message.

haifeli-C9800#
*Apr 20 19:46:17.377: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0000.xxxx.zzzz) with reason (AAA Server Down) on Interface capwap_90400003 AuditSessionID XXXXXXXX000000XXXXXXXXXX
*Apr 20 19:46:17.377: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (0000.xxxx.zzzz) on Interface capwap_XXXXXXXX AuditSessionID XXXXXXXX000000XXXXXXXXXX. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
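The following triage script is an added example, not part of the original post or of any Cisco tooling. It parses the two failure messages shown above, merges the DOT1X and SESSION_MGR events that share a client and AuditSessionID, and attaches a hint per failure reason. The third log line, its "Cred Fail" reason, and the hint wording are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the page's two messages (redactions kept as-is) plus one
# invented line for a second client with an assumed "Cred Fail" reason.
SAMPLE_LOG = """\
*Apr 20 19:46:17.377: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0000.xxxx.zzzz) with reason (AAA Server Down) on Interface capwap_90400003 AuditSessionID XXXXXXXX000000XXXXXXXXXX
*Apr 20 19:46:17.377: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (0000.xxxx.zzzz) on Interface capwap_XXXXXXXX AuditSessionID XXXXXXXX000000XXXXXXXXXX. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
*Apr 20 19:47:02.101: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0000.aaaa.bbbb) with reason (Cred Fail) on Interface capwap_90400003 AuditSessionID YYYYYYYY000000YYYYYYYYYY
"""

DOT1X = re.compile(
    r"%DOT1X-5-FAIL: .*?Authentication failed for client \((?P<mac>[^)]+)\) "
    r"with reason \((?P<reason>[^)]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+)")
SESSMGR = re.compile(
    r"%SESSION_MGR-5-FAIL: .*?for client \((?P<mac>[^)]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>\S+?)\. "
    r"Failure reason: .*?Authc failure reason: (?P<reason>.+?)\.\s*$")

# Per the page, "AAA Server Down" is what a missing AAA Method produces.
HINTS = {"AAA Server Down":
         "check the AAA Method from step 1 and that the WLC can reach ISE"}
DEFAULT_HINT = "review the ISE authentication logs"  # assumed fallback text

def parse_failures(text):
    """Return one dict (mac, reason, intf, sid) per recognised failure line."""
    events = []
    for line in text.splitlines():
        m = DOT1X.search(line) or SESSMGR.search(line)
        if m:
            events.append(m.groupdict())
    return events

def triage(text):
    """Collapse events per (client, session) and attach a hint per reason."""
    sessions = defaultdict(set)
    for ev in parse_failures(text):
        sessions[(ev["mac"], ev["sid"])].add(ev["reason"])
    return [{"client": mac, "session": sid, "reason": reason,
             "hint": HINTS.get(reason, DEFAULT_HINT)}
            for (mac, sid), reasons in sorted(sessions.items())
            for reason in sorted(reasons)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["client"]}  {row["reason"]}: {row["hint"]}')
```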

6 Responses

  1. Samuel Cabe says:

    best love lines

  2. Chengzhi Miao says:

    youxiu

  3. mar says:

    Hi,

    Thank you for the post. In case, I only need authentication of User credential (not need override VLAN). So only policy authentication is enough?

  4. john says:

    In this situation, whether could combine local mab for a client?
