Procedure https://cll-ng.cisco.

com/content/xtrac/2

Discovery 19: Troubleshoot Wireless Client Connectivity

Issues
Task 1: Determine Your Lab ID
Your lab session has a unique ID that will be used to configure certain aspects of your lab. The lab ID
consists of a Pod Group number and a Pod number. In this task, you will telnet to the Campus Switch to
determine your lab ID.

Activity
Step 1: Connect to the Admin PC, and log in with the username student and password of
1234QWer.

Step 2: From the Admin PC, open the Putty application, and Telnet to the Campus Switch,
10.10.10.23.

1 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 3: Log in with the username of student and a password of 1234QWer.

Notice the hostname of the switch, ENCOR-PGyy-Pxx where yy is the pod group number and xx is
the pod number. Note the information below, and then close the Putty window.
Pod Group (PG): _________________
Pod (P): _________________

2 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Task 2: Troubleshoot the Issue in Which Users Are Unable to

Connect to the Sales WLAN
Users have reported the inability to connect to the ENCOR-PGyy-Pxx-Sales SSID to reach the network.
In this task, you will be guided through the process of verifying the problem, and then diagnosing and
resolving the issue.

Activity
First, you will attempt to access the network from the Client PC to verify the problem.
Step 1: Connect to the Client PC using the username student and password of 1234QWer.

Step 2: Click the network icon from the Windows system tray at the bottom-right part of the screen
and notice that the ENCOR-PGyy-Pxx-Sales SSID is not available.

3 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

To begin troubleshooting, access the 9800 Campus WLC.

Step 3: From the Admin PC, open the Chrome browser and connect to the Campus 9800 WLC,
10.10.10.30, using the username admin and password 1234QWer.
If notified that the connection is not trusted, you will need to click Advanced and then Proceed to
the server. This warning is issued because the Cisco WLC uses a self-signed certificate.

4 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 4: Notice that the Dashboard shows 1 Access Point as operational and the status as Up for
802.11 5 GHz and 2.4 GHz. This status indicates that the AP has associated with the Campus 9800
WLC and has received its configuration.

Next, you will verify that the Campus AP is broadcasting the Sales SSID, periodically sending beacons
to be identified by wireless clients.
Step 5: Verify that the Sales SSID is being broadcast by navigating to Configuration>Tags &
Profiles>WLANs.

5 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 6: Click the name of the Sales WLAN and notice that Broadcast SSID is ENABLED.

With the Cisco 9800 WLC, access points are configured through tags which are based on a broadcast
domain, the site it belongs to, and the RF characteristics desired. Once tagged, the AP gets a list of
WLANs to be broadcasted along with the properties of the respective SSIDs, properties of the APs on
the local/remote site, and the RF properties of the network.
Next you will verify that the proper configuration has been applied to the AP by determining the tags

6 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

that were sent to it.

Step 7: Verify that the tags associated with the Campus location have been applied to the AP by
navigating to Monitoring>Wireless>AP Statistics.

Step 8: Notice that the Default AP Profile and Site, Policy, and RF tags are currently applied to the
AP rather than the tags of the Campus location. Having the default tags applied is why you saw that
the Wireless LAN Controller Dashboard displays 1 AP operational in a previous step.
The tags with the Sales and Accounting WLAN profiles are associated with the Campus location.
Since the Default tags that are applied to the AP do not have the proper profiles defined, the client
will not see the corresponding SSIDs.

7 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Next, you will apply the proper tags to the AP.

Step 9: Access the Campus location by navigating to Configuration>Wireless Setup>Basic.

Step 10: Notice that the number of Joined APs is 0 which indicates the Campus-related tags have
not been applied to the AP. Select the Campus location to edit its properties.

8 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 11: Select the Wireless Networks tab to verify the Sales WLAN is on this location.

Step 12: Select the AP Provisioning tab and notice that there is no AP listed in the APs on this
Location section.

9 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 13: To apply the Campus-related tags and assign the proper configuration to the required AP,
in the Add/Select APs section on the left side of the screen, check the box next to the AP’s MAC
address that is listed. Then click the blue arrow button to move the AP to the APs on this Location
section.

Step 14: Verify that the AP has been moved to the APs on this Location section and click the
Apply button to send the configuration to the AP.

10 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 15: Once you click Apply, notice that the location still indicates 0 Joined APs. This behavior
occurs because when the configuration is applied to the AP, it restarts its association to the
controller and the CAPWAP tunnel is re-established. Refreshing the browser screen after 60 seconds
should display 1 Joined AP to the location.

Step 16: Verify that the Campus-related tags have been applied to the AP by again navigating to
Monitoring>Wireless>AP Statistics.

11 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 17: Notice that the Campus AP Profile and Site, Policy, and RF tags are currently applied to
the AP.

Next, you will test network connectivity again from the Client PC.
Step 18: From the Client PC, click the network icon from the Windows system tray at the bottom-
right part of the screen and notice that the ENCOR-PGyy-Pxx-Sales SSID is now available. Select
it, uncheck the Connect automatically box and click the Connect button.

12 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 19: When prompted, enter the network security key Cisco123, and then click the Next button.
Click the No button when prompted to allow your PC to be discoverable, and wait for the client to
connect to the AP.

Step 20: To test network connectivity, from the taskbar, open a command prompt, and ping the
default gateway, 10.10.30.1. Notice that the ping response is PING: transmit failed. General
failure. This error indicates that the IP protocol has not been established.

13 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Next, you will gather more information to diagnose the problem.

Step 21: To determine if the client was assigned an IP address, select the ENCOR-PGyy-Pxx-Sales
SSID from the system tray again and click Properties.

Step 22: In the Settings window, scroll down to the properties and notice that the client has not
been issued an address which corresponds with the Sales WLAN, 10.10.30.x.

14 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 23: Check the status of the wireless client connection by returning to the Campus 9800 WLC
administration pages and navigating to Monitoring>Wireless>Clients.

Step 24: Notice that the state of the wireless client connection is IP Learn, indicating that although
the client is requesting an IP address from a DHCP server, but it has not received its address..

There are numerous reasons a client is unable to obtain an address from a DHCP server. Many

15 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

infrastructure-related reasons include:

Misconfigured DHCP server settings

Intermediary routers not configured as DHCP relay agents
Access control lists block DHCP
Improperly configured WLAN VLANs and VLAN trunking

From a wireless perspective, it is important that the WLAN to which the client is connecting is
associated with the proper VLAN which, in turn, allows the client to obtain an address in the correct
subnet from the DHCP server.
Step 25: Verify the VLAN associated with the Sales WLAN by navigating to
Configuration>Wireless Setup>Basic and choose the Campus location.

Step 26: Click the Wireless Networks tab and notice that the Sales WLAN is associated with
VLAN 11, the incorrect VLAN. VLAN 11 corresponds with a subnet that is not configured to
receive addresses from DHCP.

16 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Next, you will correct the VLAN associated with the Sales WLAN by changing it to VLAN 30.
Step 27: Click the Sales WLAN name, and in the Edit Location Setup window, choose the Sales
VLAN (VLAN 30) from the VLAN/VLAN Group drop-down box and then click Update.

Step 28: In the WLANs on this Location section, verify that the Sales VLAN is now associated
with the Sales VLAN (VLAN 30) and then click Apply.

17 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Next, you will test network connectivity again from the Client PC.
Step 29: From the Client PC, click the network icon from the Windows system tray at the bottom-
right part of the screen and Disconnect from the ENCOR-PGyy-Pxx-Sales WLAN if you are
currently connected, and then click Connect again.

Step 30: Once connected, select the ENCOR-PGyy-Pxx-Sales SSID from the system tray again
and click Properties.

18 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 31: In the Settings window, scroll down to the properties and verify that you are given an
address which corresponds with the Sales WLAN, 10.10.30.x.

Step 32: To test network connectivity, from the taskbar, open a command prompt, and ping the
default gateway, 10.10.30.1. A successful ping indicates that you have established network
connectivity.

19 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 33: Click the network icon from the Windows system tray at the bottom-right part of the
screen and choose to Disconnect with the ENCOR-PGyy-Pxx-Sales SSID.

Task 3: Troubleshoot the Issue in Which Users Are Unable to

Connect to the Accounting WLAN
Clients have reported the inability to connect to the ENCOR-PGyy-Pxx-Accounting WLAN. In this task,

20 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

you will be guided through the process of verifying the problem, and then diagnosing and resolving the
issue.

Activity
First, you will attempt to access the network from the Client PC.
Step 1: If not already at the Client PC desktop, connect to the Client PC using the username
student and password of 1234QWer.
Step 2: From the Client PC, click the network icon from the Windows system tray at the bottom-
right part of the screen and select the ENCOR-PGyy-Pxx-Accounting SSID.
Uncheck the Connect automatically box and click the Connect button.

Step 3: When prompted, enter the username of accounting_user and a password of Cisco123, and
then click the OK button.

21 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 4: Notice that you are unable to connect to the network.

To begin troubleshooting, you will access the 9800 Campus WLC.

Step 5: From the Admin PC, if not already logged into the Campus 9800 WLC, open the Chrome
browser and connect to the Campus 9800 WLC, 10.10.10.30, using the username admin and
password 1234QWer.

22 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

If notified that the connection is not trusted, you will need to click Advanced and then Proceed to
the server. This warning is issued because the Cisco WLC uses a self-signed certificate.
Step 6: Check the status of the client by navigating to Monitoring>Wireless>Clients, and notice
that no client information is available.
The inability of the client to authenticate provided no information.

Step 7: Check the WLC syslog messages by choosing Troubleshooting from the menu pane and
then clicking the Syslog link.

23 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 8: Notice the syslog message %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication
failed for client (2cfd.a161.b0ce) with reason (AAA Server Down) which indicates that the
controller was unable to reach ISE acting as the RADIUS server.

Next you will test connectivity from the Wireless LAN Controller to the ISE server.
Step 9: Return to the Troubleshooting page, and then click the Ping and Trace Route link.

24 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 10: From the Ping and Traceroute page, type the address of the ISE server (10.10.10.60) into
the Destination field and click Ping. Notice that the ping is successful, indicating that there is
connectivity with the RADIUS server.

Next, you will verify that the Wireless LAN Controller has been configured with the correct RADIUS
server.
Step 11: To verify the RADIUS server, navigate to Configuration>Security>AAA.

25 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 12: Notice that the RADIUS server called ISE-Server has an incorrect address of 10.10.10.66.

Next, you will correct the RADIUS server address by changing it to 10.10.10.60.
Step 13: Click the name of the RADIUS server, ISE-Server, and from the Edit AAA Radius Server
window, change the IPv4/IPv6 Server address to 10.10.10.60, and then click Update and Apply to
Device.

26 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Next, you will test network connectivity again from the Client PC.
Step 14: From the Client PC, click the network icon from the Windows system tray at the bottom-
right part of the screen and select the ENCOR-PGyy-Pxx-Accounting SSID.

Uncheck the Connect automatically box and click the Connect button.

Step 15: When prompted, enter the username of accounting_user and a password of Cisco123, and

27 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

then click the OK button.

Step 16: Notice that you are still unable to connect to the network.

Next, you will gather more information to diagnose the problem.

Step 17: Return to the Campus 9800 WLC administration page and check the syslog messages
again by choosing Troubleshooting from the menu pane and then clicking the Syslog link.

28 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 18: Notice the same syslog message, %DOT1X-5-FAIL: Chassis 1 R0/0: wncd:
Authentication failed for client (2cfd.a161.b0ce) with reason (AAA Server Down).

This syslog message indicates that there is still an authentication issue. But now that you have
determined in the previous steps that the Wireless LAN Controller is configured with the proper
RADIUS server, and that it has connectivity to it, you will now turn your attention to the WLAN AAA
configuration.

29 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 19: To check the WLAN AAA settings, navigate to Configuration>Tags &
Profiles>WLANs, and click the name of the Accounting WLAN.

Step 20: In the Edit WLAN window, click the Security tab, click the AAA sub-tab, and notice that
no Authentication List has been assigned to the WLAN.

When configuring AAA on the Cisco 9800 WLC, the configuration hierarchy is as follows:

30 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

A WLAN references an Authentication List.

An Authentication List references a Group.
A Group references a RADIUS server.

With no Authentication List assigned to the WLAN, when users connect to the Accounting WLAN, the
Wireless LAN Controller does not know which RADIUS server it is to pass the user credentials to.
Next, you will determine which Authentication List needs to be assigned to the WLAN.
Step 21: To verify if an Authentication List exists, navigate to Configuration>Security>AAA, and
click the AAA Method List tab.

Step 22: Notice there is a list named dot1x-method and it references a Group named ISE-Group.

31 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 23: To verify the Group named ISE-Group references the correct RADIUS server, click the
Servers/Groups tab, click the Server Groups sub-tab, and notice that the ISE-Group has the
server named ISE-Server assigned to it.

Step 24: To verify that the server named ISE-Server has the proper IP address, click the Servers
sub-tab, and notice the server named ISE-Server has the proper address of 10.10.10.60. This
address was corrected in previous steps.

32 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Now that you have identified that the configuration hierarchy leads from the dot1x-method
authentication list to the proper RADIUS server, you will assign the list to the Accounting WLAN.
Step 25: Navigate back to Configuration>Tags & Profiles>WLANs, and click the name of the
Accounting WLAN.

Step 26: In the Edit WLAN window, click the Security tab, click the AAA sub-tab, choose the
dot1x-method list from the Authentication List drop-down box, and then click Update and Apply

33 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

to Device.

Next, you will test network connectivity again from the Client PC.
Step 27: From the Client PC, click the network icon from the Windows system tray at the bottom-
right part of the screen and select the ENCOR-PGyy-Pxx-Accounting SSID.

Uncheck the Connect automatically box and click the Connect button.

34 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 28: When prompted, enter the username of accounting_user and a password of Cisco123, and
then click the OK button. Wait for the client to successfully connect to the WLAN.

Step 29: Once connected, select the ENCOR-PGyy-Pxx-Accounting SSID from the system tray
again and click Properties.

Step 30: In the Settings window, scroll down to the properties and verify that you are given an
address which corresponds with the Accounting WLAN, 10.10.40.x.

35 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

Step 31: To test network connectivity, from the taskbar, open a command prompt, and ping the
default gateway, 10.10.40.1. A successful ping indicates that you have established network
connectivity.

Step 32: Click the network icon from the Windows system tray at the bottom-right part of the
screen and choose to Disconnect with the ENCOR-PGyy-Pxx-Accounting SSID.

36 din 37 27.05.2020, 09:13

Procedure https://cll-ng.cisco.com/content/xtrac/2

© 2020 Cisco Systems, Inc.

37 din 37 27.05.2020, 09:13