Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS Primer

  • 1.  RADIUS Primer

    Posted Sep 28, 2021 03:35 PM
    So, I've spent the last few hours digging in the MM/WLC GUI and CLI along with the 1400-page CLI guide and Configuration guide trying to peel the onion of RADIUS. 4 authentication servers were set up for the initial build. I am trying to migrate to the last 2 and remove the first 2. I began by trying to delete one of the first auth servers. It is removed from the Server Groups but I cannot delete it from All Servers because it "is in use". I took the IP out of the Server Options and I am still in the same place. I can't seem to get rid of this first server, but I don't think it is authenticating any hosts.

    What are some commands to determine what server a host is using for authentication? In the connected WLC, I am using *show user authentication-method dot1x* to get the MAC of a host, then *show auth-tracebuf mac xx:xx:xx:xx:xx:xx* and I see the name of one of the old servers. The other way would be to check the log for that host.

    As you can imagine, this is much more involved than that. I am currently looking for commands and ideas to clear the mud. Then, I will try to get a host to authenticate with one of the two "new" servers. I moved them up in the "ISE" server group, but it looks like the old server is still authenticating hosts as it is the third authentication server in the group.

    ------------------------------
    Kirk Christensen
    ------------------------------


  • 2.  RE: RADIUS Primer

    EMPLOYEE
    Posted Sep 28, 2021 04:57 PM
    "show user-table verbose" will tell you, in a column, which AAA server a device used to authenticate... but that is not what's stopping you from deleting it.

    Type "show aaa authentication-server radius" on a WLC to see if your AAA server still has any references.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------