Hi
From the log you have provided, it looks like the WLC can't communicate with the ClearPass server on the Radius port:
%RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.
Have you allowed the Radius traffic through the firewall and also added the WLC IP address as a Network Device with correct shared secret?
The fact that the guest user gets an IP has nothing to do with the issue, as it's not the client that will use Radius to ClearPass, it's the WLC.
But if you plan to have a captive portal, you must make sure the http and https ports are open from the client to ClearPass.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
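An added example, not part of the original reply: Python that sorts the WLC syslog lines quoted in this thread into controller-to-RADIUS failures ("AAA Server Down") and per-client failures, which is the distinction the reply draws. The function name `triage` and the verdict strings are assumptions made for this example.

```python
import re

# Log lines copied from the thread (addresses and MACs were already masked there).
SAMPLE_LOG = """\
%RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.
%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: xxxx.0ffb.xxxx was added to exclusion list associated with AP Name:NY-FORUM-15, BSSID:MAC: 0000.0000.0000, reason:802.11 association failure
%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_900000bb AuditSessionID 1F0110AC00093797A393D9BF. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_9000011d AuditSessionID 1F0110AC00093796A393D925. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
"""

DEAD_RE = re.compile(r"%RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD:.*RADIUS server (\S+):(\d+),(\d+) is not responding")
FAIL_RE = re.compile(r"%SESSION_MGR-5-FAIL:.*client \(([\w.]+)\).*AuditSessionID (\w+)\."
                     r".*Authc failure reason: (.+?)\.?$")

def triage(log_text):
    """Separate controller-to-RADIUS failures from per-client authentication failures."""
    dead_servers, aaa_down, other = set(), {}, {}
    for line in map(str.strip, log_text.splitlines()):
        if m := DEAD_RE.search(line):
            dead_servers.add((m[1], int(m[2]), int(m[3])))  # (server, auth port, acct port)
        elif m := FAIL_RE.search(line):
            mac, session, reason = m.groups()
            # "AAA Server Down" means the WLC got no answer; anything else came from the server.
            bucket = aaa_down if reason == "AAA Server Down" else other
            bucket.setdefault(mac, []).append(session)
    if (dead_servers or aaa_down) and not other:
        verdict = "controller cannot reach RADIUS server: check firewall path, Network Device entry and shared secret"
    elif other:
        verdict = "server answered for some sessions: inspect per-client failure reasons"
    else:
        verdict = "no RADIUS failure pattern found"
    return {"dead_servers": sorted(dead_servers), "aaa_down": aaa_down, "other": other, "verdict": verdict}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["dead_servers"], report["verdict"], sep="\n")
```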
Original Message:
Sent: Aug 30, 2024 11:03 AM
From: axom678
Subject: WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass
Hi All,
We have an issue where the Guest Client (SSID in WLC9800) gets an IP from the DHCP server (in Fortigate) but it never reaches the ClearPass server (from what I understand from the logs). I have followed the below procedure. Checked all firewall policies. I also double checked the Redirect ACL multiple times and do not see any issue. From the WLC I can ping the ClearPass server fine.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html#toc-hId-2126303558
We have other Radius and Tacacs requests from the same controller to the Radius server which work fine. The issue is only with the guest SSID.
Logs in WLC:
%RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.
%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: xxxx.0ffb.xxxx was added to exclusion list associated with AP Name:NY-FORUM-15, BSSID:MAC: 0000.0000.0000, reason:802.11 association failure
%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_900000bb AuditSessionID 1F0110AC00093797A393D9BF. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
%SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_9000011d AuditSessionID 1F0110AC00093796A393D925. Failure reason: Authc fail. Authc failure reason: AAA Server Down.