Controllerless Networks

Hello, we have this happen now and then from one of our campus locations. All of our RADIUS traffic has to traverse the WAN back to the DC to auth with CPPM.

Normally when we have this, it's a WAN issue, but recently we had an oddball thing happen. After much troubleshooting and rebooting etc, we changed the VC IP to match the access points IP address that was the acting VC and this fixed it.

I've recommended that the person who found this open a TAC case, but I wanted to see if anyone else had any recommendations for odd crap with the IAP and RADIUS issues

Do you have Dynamic RADIUS proxy set up for the IAP cluster. This will source all RADIUS requests from the VC address and not the AP addresses themselves.

Yes, we have dynamic proxy enabled for both RADIUS and TACACS across the board.

Have you checked that the virtual controller IP Address is set as a NAS IP when configuring RADIUS server attributes with dynamic RADIUS proxy enabled?

Yes, this location was working fine up until about two weeks ago. No changes or upgrades were done to the IAP cluster, it just flipped out. I know these things are probably the dead worst wireless solution you can implement in an enterprise environment so nothing surprises me anymore with them.

No.  Those are not the dead worse thing you can deploy in an enterprise, because we have many customers who have this deployed and working currently.

You didn't say if there was a firewall between sites.

You didn't say how often radius timeouts are occurring.

You didn't say if you looked at the Clearpass event viewer to see if there were any errors that corresponded to the timeouts.

Your post is not detailed enough to make a coherent assessment about what could be going wrong.  You could have answers to the points above, but they must be answered in the course of looking at your issue, because they could all be factors.