
OPERATIONAL DEFECT DATABASE

Wireless client AAA-based authentications that use VLAN attributes fail because the C9800 does not honor the VLAN attribute sent from RADIUS and marks the authentication as failed. The problem appears randomly after a period of working properly and affects all authentications.

How to Identify the Signature?

#show vlan
#sh plat so process data wncd cha act r0 det SM_CONFIG_DB "table tbl_vlan" content

The above commands can be used to make sure the VLANs sent by RADIUS are present in the controller's database.

RA traces for a client failing authentication show similar logs:

2022/03/08 16:40:02.560432 {wncd_x_R0-4}{2}: [errmsg] [24399]: (ERR): %ID_MANAGER-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x00000000) -Traceback= 1#5d1c0eea3ebfb5fd8cfe6bce7b2ffc46 errmsg:7F3CCF125000+D20 id_manager:7F3CC9248000+1D43 bi_baaa_core:7F3C9293D000+55C98 bi_baaa_core:7F3C9293D000+55B24 bi_baaa_core:7F3C9293D000+59557 bi_baaa_core:7F3C9293D000+4F441 bi_epm:7F3C8EA7A000+3492F bi_epm:7F3C8EA7A000+3BF2A bi_epm:7F3C8EA7A000+41418 bsm:7F3C6FDDB000+1EB4 bi_epm:7F3C8EA7A000+410B5 bsm:7F3C6FDDB000+1EB4 bi_epm:7F3C8EA7A000+3AA40 bi_epm:7F3C8EA7A000+2D7E4 bi_svm:
2022/03/08 16:40:02.560778 {wncd_x_R0-4}{2}: [ewlc-infra-evq] [24399]: (ERR): SANET_AUTHZ_FAILURE - VLAN Failure username , audit session id 96CD640A000997DC6BB07A90,
2022/03/08 16:40:02.560803 {wncd_x_R0-4}{2}: [errmsg] [24399]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (14f6.d884.85cd) on Interface capwap_91000687 AuditSessionID 96CD640A000997DC6BB07A90. Failure Reason: VLAN Failure. Failed attribute name 600.
2022/03/08 16:40:02.561413 {wncd_x_R0-4}{2}: [sanet-shim-translate] [24399]: (ERR): 14f6.d884.85cd : Policy resolution failure in sanet, code = 1
2022/03/08 16:40:02.561877 {wncd_x_R0-4}{2}: [ewlc-infra-evq] [24399]: (note): Authentication Failure for client 14f6.d884.85cd
2022/03/08 16:40:02.562407 {wncd_x_R0-4}{2}: [client-orch-sm] [24399]: (note): MAC: 14f6.d884.85cd Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_EXCLUDE_VLAN_FAIL, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|98|
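
An added example (not Cisco's or this database's code): a Python check that scans RA trace text for the signature above and flags a VLAN Failure only when an ID_MANAGER "Out of IDs!" error precedes it on the same wncd instance, so it is not confused with a VLAN that is simply missing from the controller. The one-second correlation window, the function name and the second sample client are assumptions.

```python
import re
from datetime import datetime, timedelta

# RA trace line layout as shown on this page:
# timestamp {wncd instance}{n}: [module] [pid]: (level): message
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \{(wncd_x_R\d+-\d+)\}"
                  r"\{\d+\}: \[[^\]]+\] \[\d+\]: \(\w+\): (.*)$")
OUT_OF_IDS = re.compile(r"%ID_MANAGER-3-INVALID_ID: .*Out of IDs!")
VLAN_FAIL = re.compile(r"%SESSION_MGR-5-FAIL: .*client \(([0-9a-f.]+)\)"
                       r".*Failure Reason: VLAN Failure")

def find_signature(trace_text, window=timedelta(seconds=1)):
    """Return (hits, unrelated): hits maps client MAC -> wncd instance for VLAN
    failures that follow an 'Out of IDs!' error on the same instance within
    `window` (assumed value); unrelated lists other VLAN-failure MACs."""
    last_exhaustion = {}  # wncd instance -> time of latest Out of IDs error
    hits, unrelated = {}, set()
    for raw in trace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines or other formats
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        inst, msg = m.group(2), m.group(3)
        if OUT_OF_IDS.search(msg):
            last_exhaustion[inst] = ts
            continue
        fail = VLAN_FAIL.search(msg)
        if fail:
            seen = last_exhaustion.get(inst)
            if seen is not None and ts - seen <= window:
                hits[fail.group(1)] = inst
            else:
                unrelated.add(fail.group(1))
    return hits, sorted(unrelated)

# Constructed sample: the first two lines are shortened from the traces on this
# page (traceback omitted); the third client and its values are made up.
SAMPLE = """\
2022/03/08 16:40:02.560432 {wncd_x_R0-4}{2}: [errmsg] [24399]: (ERR): %ID_MANAGER-3-INVALID_ID: bad id in id_get (Out of IDs!) (id: 0x00000000)
2022/03/08 16:40:02.560803 {wncd_x_R0-4}{2}: [errmsg] [24399]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (14f6.d884.85cd) on Interface capwap_91000687 AuditSessionID 96CD640A000997DC6BB07A90. Failure Reason: VLAN Failure. Failed attribute name 600.
2022/03/08 16:41:10.000100 {wncd_x_R0-2}{1}: [errmsg] [24001]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (aaaa.bbbb.cccc) on Interface capwap_90000001 AuditSessionID 000000000000000000000001. Failure Reason: VLAN Failure. Failed attribute name 600.
"""

if __name__ == "__main__":
    print(find_signature(SAMPLE))
```

Clients reported as unrelated are the ones to check against the #show vlan output first.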
802.1X authentication is in use and the RADIUS server sends VLANs as special attributes.
Reboot the controller if there is just one unit. If HA is present, fail over.
Clients fail authentication when AAA override is in use and clients are assigned different VLANs through RADIUS attributes. There is no specific time frame: after the reload workaround is applied, the issue can take from one to three weeks to reappear, leaving all clients that are assigned VLANs unable to use the wireless network.