WLC EAP-TLS VLAN and DACL Troubleshooting

Executive Summary

This runbook documents the troubleshooting process for wireless EAP-TLS authentication issues where:

  • EAP authentication succeeds at ISE

  • WLC receives VLAN/DACL attributes from RADIUS

  • Client gets disconnected immediately after EAP success

Root Causes Identified

Issue                        Symptom                                            Resolution
VLAN Naming Mismatch         Failed attribute name MANAGEMENT_VLAN              Rename WLC VLAN to match ISE attribute
VLAN Not in Policy Profile   WLC ignores dynamic VLAN, uses hardcoded           Add VLAN to policy profile's allowed VLANs
DACL Download Disabled       ACL Failure. Failed attribute name xACSACLx-IP-…   Enable VSA and AAA authorization commands
MGMT VLAN = Static IPs       DHCP timeout after successful auth                 Configure static IP on client WiFi connection

Prerequisites

  • SSH access to WLC (10.50.1.40)

  • ISE admin access for policy verification

  • Linux client with EAP-TLS configured

Phase 1: Diagnostics

1.1 Verify ISE Authentication Result

Query ISE DataConnect for recent authentications:

dsource d000 dev/ise
netapi ise dc query "
  SELECT
    TO_CHAR(acs_timestamp, 'HH24:MI:SS') as time,
    calling_station_id as mac,
    selected_azn_profiles as profile,
    passed as status
  FROM mnt.radius_auth_48_live
  WHERE user_name LIKE '%evanusmodestus%'
  ORDER BY acs_timestamp DESC
  FETCH FIRST 5 ROWS ONLY"

Expected: PASSED=1 with correct authorization profile

1.2 Check wpa_supplicant Logs

On Linux client:

journalctl -u wpa_supplicant -f --since "5 minutes ago"

Key patterns:

Log Pattern                          Meaning
CTRL-EVENT-EAP-SUCCESS               EAP authentication passed (ISE accepted)
CTRL-EVENT-DISCONNECTED reason=250   WLC rejected session (VLAN/DACL issue)
CTRL-EVENT-CONNECTED                 Successfully associated

1.3 Check WLC Logging

ssh admin@{wlc-ip}
show logging | include VLAN|ACL|Failed

Error patterns:

! VLAN naming mismatch
*ewlc-infra-capwapEventTrace: VLAN Failure. Failed attribute name MANAGEMENT_VLAN

! DACL download disabled
*ewlc-infra-capwapEventTrace: ACL Failure. Failed attribute name xACSACLx-IP-DACL_ADMIN_FULL-696eef58
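The two log sources in 1.2 and 1.3 are read together during triage: a client-side EAP-SUCCESS followed by a reason=250 disconnect points at the WLC, and the WLC's "Failed attribute name" lines say whether the VLAN or the DACL was refused. The script below is an added example, not part of this runbook or of any Cisco tooling; it correlates the two and maps each failure to the phase of this document that fixes it. The wpa_supplicant lines are constructed sample input (the CTRL-EVENT strings follow the patterns above), the WLC lines are the two quoted in 1.3, and the reason-code table is the one from the Quick Reference section.

```python
import re

# Constructed wpa_supplicant journal excerpt (not a capture from this runbook); the
# event strings follow the CTRL-EVENT-* patterns listed in section 1.2.
WPA_LOG = """\
Mar 08 10:00:01 modestus-razer wpa_supplicant[812]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 08 10:00:02 modestus-razer wpa_supplicant[812]: wlp0s20f3: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Mar 08 10:00:02 modestus-razer wpa_supplicant[812]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=aa:bb:cc:dd:ee:ff reason=250
"""

# WLC 'show logging' lines exactly as quoted in section 1.3.
WLC_LOG = """\
*ewlc-infra-capwapEventTrace: VLAN Failure. Failed attribute name MANAGEMENT_VLAN
*ewlc-infra-capwapEventTrace: ACL Failure. Failed attribute name xACSACLx-IP-DACL_ADMIN_FULL-696eef58
"""

# Disconnect reason codes as listed in this runbook's Quick Reference table.
REASON_CODES = {
    250: ("Association denied (VLAN/ACL failure)", "Check WLC logs for Failed attribute name"),
    15: ("4-way handshake timeout", "Check EAP config, cert validity"),
    3: ("Deauthenticated - leaving", "Normal disconnect"),
    4: ("Disassociated - inactivity", "Normal timeout"),
}

WPA_EVENT_RE = re.compile(r"(CTRL-EVENT-[A-Z-]+)(?:.*?\breason=(\d+))?")
WLC_FAIL_RE = re.compile(r"(VLAN|ACL) Failure\. Failed attribute name (\S+)")


def parse_wpa_events(text):
    """Return [(event, reason_code_or_None)] in log order."""
    events = []
    for line in text.splitlines():
        m = WPA_EVENT_RE.search(line)
        if m:
            events.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return events


def parse_wlc_failures(text):
    """Return [(kind, attribute)] for every 'Failed attribute name' line."""
    return [(m.group(1), m.group(2)) for m in WLC_FAIL_RE.finditer(text)]


def triage(wpa_text, wlc_text):
    """Correlate client-side EAP events with WLC attribute failures."""
    events = parse_wpa_events(wpa_text)
    eap_ok = any(e == "CTRL-EVENT-EAP-SUCCESS" for e, _ in events)
    reasons = [r for e, r in events if e == "CTRL-EVENT-DISCONNECTED" and r is not None]
    last_reason = reasons[-1] if reasons else None
    findings = []
    if eap_ok and last_reason == 250:
        findings.append("EAP passed at ISE but the WLC dropped the session (reason 250): "
                        "check the WLC log for 'Failed attribute name'")
    elif last_reason is not None:
        meaning, fix = REASON_CODES.get(last_reason, ("unlisted reason code", "check WLC client detail"))
        findings.append(f"disconnect reason {last_reason}: {meaning} -> {fix}")
    elif any(e == "CTRL-EVENT-CONNECTED" for e, _ in events):
        findings.append("client associated; nothing to fix")
    for kind, attr in parse_wlc_failures(wlc_text):
        if kind == "ACL":
            findings.append(f"DACL {attr} was not applied: enable 'radius-server vsa send authentication' "
                            "and 'aaa authorization network default group radius' (Phase 3)")
        else:
            findings.append(f"VLAN {attr} is missing on the WLC: name the VLAN exactly {attr} "
                            "and add it to the policy profile (Phase 2)")
    return {"eap_success": eap_ok, "disconnect_reason": last_reason, "findings": findings}


if __name__ == "__main__":
    for line in triage(WPA_LOG, WLC_LOG)["findings"]:
        print("-", line)
```

In practice feed it `journalctl -u wpa_supplicant --since "5 minutes ago"` and `show logging | include VLAN|ACL|Failed` output saved to files; the parser keys only on the fixed tokens (CTRL-EVENT-*, reason=, Failed attribute name), so timestamp and hostname prefixes do not matter.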

Phase 2: VLAN Configuration

2.1 Check Existing VLANs

show vlan summary
Example output
VLAN ID   Name                 Shutdown
100       MGMT_VLAN            No       ! <-- ISE sends MANAGEMENT_VLAN
10        DATA_VLAN            No
40        IOT_VLAN             No

Problem: ISE authorization profile sends MANAGEMENT_VLAN but WLC has MGMT_VLAN.

2.2 Rename VLAN to Match ISE

configure terminal
vlan 100
 name MANAGEMENT_VLAN
 exit
end
write memory

2.3 Add VLAN to Policy Profile

Check current policy:

show wireless profile policy detailed POLICY-DOMUS_SECURE | include vlan|VLAN

If only one VLAN (e.g., vlan 10), you need to add the management VLAN:

configure terminal
wireless profile policy POLICY-DOMUS_SECURE
 shutdown
 exit

Shutting down the policy briefly disconnects all clients on that SSID.

wireless profile policy POLICY-DOMUS_SECURE
 vlan MANAGEMENT_VLAN
 no shutdown
 exit
end
write memory

Phase 3: DACL Configuration

3.1 Check DACL Requirements

9800 WLC DACL download requires IOS XE 17.10.1 or later.

show version | include IOS

3.2 Enable VSA for DACL Download

CRITICAL: Without this, WLC ignores DACL attributes from RADIUS.

show run all | include radius-server vsa

If VSA is not enabled:

configure terminal
radius-server vsa send authentication
end

3.3 Enable AAA Authorization

CRITICAL: Required for WLC to process authorization attributes (VLAN, DACL).

show run | include aaa authorization

Required commands:

configure terminal
aaa authorization network default group radius
end
write memory
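Phases 2 and 3 boil down to four checks on WLC output: the VLAN name ISE sends exists on the WLC, it is in the policy profile, VSA sending is on, and network authorization goes to RADIUS. The pre-flight checker below is an added example written for this runbook, not a Cisco tool; it parses the command outputs named in sections 2.1, 2.3, 3.2 and 3.3 and returns the list of things still to fix. The `show vlan summary` samples are built from the example in 2.1; the policy-profile line layout (`VLAN : value`) is an assumption, since the runbook does not print that output, so adjust `POLICY_VLAN_RE` if your release formats it differently.

```python
import re

# 'show vlan summary' as shown in section 2.1, before and after the rename (constructed).
VLAN_SUMMARY_BEFORE = """\
VLAN ID   Name                 Shutdown
100       MGMT_VLAN            No
10        DATA_VLAN            No
40        IOT_VLAN             No
"""
VLAN_SUMMARY_AFTER = """\
VLAN ID   Name                 Shutdown
100       MANAGEMENT_VLAN      No
10        DATA_VLAN            No
40        IOT_VLAN             No
"""

# Policy-profile lines as filtered by '| include vlan|VLAN'. The 'label : value'
# layout is an assumption, not taken from the runbook.
POLICY_BEFORE = "VLAN                                    : 10\n"
POLICY_AFTER = "VLAN                                    : MANAGEMENT_VLAN\n"

# Constructed 'show run' filter results for the two states of each setting.
RUN_VSA_OFF = ""
RUN_VSA_ON = "radius-server vsa send authentication\n"
RUN_AAA_OFF = "aaa authorization exec default local\n"
RUN_AAA_ON = "aaa authorization network default group radius\n"

VLAN_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)", re.M)
POLICY_VLAN_RE = re.compile(r"^\s*vlan\b[^:]*:\s*(\S+)", re.I | re.M)


def parse_vlan_summary(text):
    """Map VLAN name -> (id, shutdown) from the table layout shown in 2.1."""
    return {m.group(2): (int(m.group(1)), m.group(3)) for m in VLAN_ROW_RE.finditer(text)}


def parse_policy_vlans(text):
    """Set of VLAN names/IDs referenced by the policy profile output."""
    return {m.group(1) for m in POLICY_VLAN_RE.finditer(text)}


def has_exact_line(text, wanted):
    """True if one line of the filtered running-config equals the wanted command."""
    return any(line.strip() == wanted for line in text.splitlines())


def preflight(ise_vlan, vlan_summary, policy_detail, run_vsa, run_aaa):
    """Return a list of problems; empty means the WLC can honour ISE's VLAN and DACL."""
    problems = []
    vlans = parse_vlan_summary(vlan_summary)
    if ise_vlan not in vlans:
        problems.append(f"no WLC VLAN named exactly {ise_vlan!r} (WLC has {sorted(vlans)})")
    else:
        vid, shut = vlans[ise_vlan]
        if shut.lower() != "no":
            problems.append(f"VLAN {vid} ({ise_vlan}) is shut down")
        allowed = parse_policy_vlans(policy_detail)
        if ise_vlan not in allowed and str(vid) not in allowed:
            problems.append(f"{ise_vlan} (id {vid}) is not in the policy profile (has {sorted(allowed)})")
    if not has_exact_line(run_vsa, "radius-server vsa send authentication"):
        problems.append("missing 'radius-server vsa send authentication' (DACL attributes ignored)")
    if not has_exact_line(run_aaa, "aaa authorization network default group radius"):
        problems.append("missing 'aaa authorization network default group radius'")
    return problems


if __name__ == "__main__":
    for p in preflight("MANAGEMENT_VLAN", VLAN_SUMMARY_BEFORE, POLICY_BEFORE, RUN_VSA_OFF, RUN_AAA_OFF):
        print("-", p)
```

The name comparison is deliberately case-sensitive and exact, which is the point of Key Learning 1: MGMT_VLAN is reported as "no WLC VLAN named exactly 'MANAGEMENT_VLAN'" rather than as a near match.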

3.4 Verify DACL Download

After client authenticates successfully:

show access-lists | include xACSACLx
Example output
Extended IP access list xACSACLx-IP-DACL_ADMIN_FULL-696eef58
    2 permit ip any any (10 matches)

The DACL appears dynamically - it is NOT configured statically on the WLC.

Phase 4: Client Configuration

4.1 MANAGEMENT_VLAN Uses Static IPs

The MANAGEMENT_VLAN (10.50.1.0/24) uses static IP addressing by design - no DHCP server.

If your ISE policy assigns MANAGEMENT_VLAN to admin workstations, configure static IP:

nmcli conn modify "Domus-WiFi-EAP-TLS" \
  ipv4.method manual \
  ipv4.addresses "10.50.1.200/24" \
  ipv4.gateway "{gateway-infra}" \
  ipv4.dns "{bind-ip}"
nmcli conn up "Domus-WiFi-EAP-TLS"

4.2 Verify Connection

nmcli conn show --active | grep -i wifi
ip -4 addr show wlp0s20f3 | awk '/inet / {print $2}'

Phase 5: Verification

5.1 WLC Client Status

show wireless client summary
Expected output
MAC Address        AP Name         WLAN   State    Protocol  Method
7015.fbf8.47ec     AP4800          4      Run      11ac      Dot1x

5.2 Client Detail (VLAN + DACL)

show wireless client mac-address 7015.fbf8.47ec detail
Key fields to verify
VLAN: 100
Applied Policies:
  Tag: Idle
  DACL: xACSACLx-IP-DACL_ADMIN_FULL-696eef58

5.3 Access List Counters

show access-lists xACSACLx-IP-DACL_ADMIN_FULL-696eef58

Look for a nonzero (N matches) counter - it confirms traffic is being evaluated by the downloaded DACL.
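Sections 5.2 and 5.3 name three things to confirm after the fix: the client landed on the expected VLAN, a DACL with the ISE-generated xACSACLx-IP- prefix is attached to it, and that ACL shows a nonzero match count. The checker below is an added example, not part of the runbook, that reads the two command outputs and reports what is still wrong; the sample outputs are constructed from the excerpts quoted above (only the fields listed under "Key fields to verify" are reproduced), and it assumes `show access-lists <name>` prints only the one ACL, so its counters can be summed.

```python
import re

# Constructed excerpts of the outputs quoted in 5.2 and 5.3 (not full captures).
CLIENT_DETAIL = """\
Client MAC Address : 7015.fbf8.47ec
VLAN: 100
Applied Policies:
  Tag: Idle
  DACL: xACSACLx-IP-DACL_ADMIN_FULL-696eef58
"""
ACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-DACL_ADMIN_FULL-696eef58
    2 permit ip any any (10 matches)
"""

VLAN_RE = re.compile(r"^\s*VLAN\s*:\s*(\d+)", re.M)
DACL_RE = re.compile(r"^\s*DACL\s*:\s*(\S+)", re.M)
ACL_NAME_RE = re.compile(r"^Extended IP access list (\S+)", re.M)
MATCH_RE = re.compile(r"\((\d+) matches?\)")


def parse_client_detail(text):
    """Extract the VLAN and DACL fields from 'show wireless client ... detail'."""
    vlan = VLAN_RE.search(text)
    dacl = DACL_RE.search(text)
    return {"vlan": int(vlan.group(1)) if vlan else None,
            "dacl": dacl.group(1) if dacl else None}


def acl_match_total(text, acl_name):
    """Sum the '(N matches)' counters for the named ACL, or None if it is absent.

    Assumes the text is the output of 'show access-lists <name>' (a single ACL)."""
    if acl_name not in ACL_NAME_RE.findall(text):
        return None
    return sum(int(n) for n in MATCH_RE.findall(text))


def verify_session(client_detail, acl_output, expected_vlan, dacl_base):
    """Return a list of issues; empty means VLAN, DACL and traffic counters all check out."""
    info = parse_client_detail(client_detail)
    issues = []
    if info["vlan"] != expected_vlan:
        issues.append(f"client is on VLAN {info['vlan']}, expected {expected_vlan}")
    dacl = info["dacl"]
    # ISE prefixes the profile's DACL name with xACSACLx-IP- and appends a hash suffix.
    if not dacl or not dacl.startswith(f"xACSACLx-IP-{dacl_base}-"):
        issues.append(f"no downloaded DACL for {dacl_base} on the client (got {dacl})")
    else:
        hits = acl_match_total(acl_output, dacl)
        if hits is None:
            issues.append(f"{dacl} not present in 'show access-lists'")
        elif hits == 0:
            issues.append(f"{dacl} has zero matches; no traffic evaluated yet")
    return issues


if __name__ == "__main__":
    print(verify_session(CLIENT_DETAIL, ACL_OUTPUT, 100, "DACL_ADMIN_FULL") or "session OK")
```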

Quick Reference

WLC Commands Summary

Task                                Command
List VLANs                          show vlan summary
Show policy detail                  show wireless profile policy detailed POLICY-DOMUS_SECURE
Check VSA status                    show run all | include radius-server vsa
Check AAA authz                     show run | include aaa authorization
Show client detail                  show wireless client mac-address <mac> detail
Show downloaded DACLs               show access-lists | include xACSACLx
Clear exclusion (if client stuck)   clear wireless client mac-address <mac>

ISE Authorization Profile Requirements

For dynamic VLAN assignment:

Attribute      Value
Access Type    ACCESS_ACCEPT
VLAN ID/Name   MANAGEMENT_VLAN (must match WLC VLAN name exactly)
DACL Name      DACL_ADMIN_FULL (ISE generates the xACSACLx prefix)

Common Disconnect Reason Codes

Code   Meaning                                 Fix
250    Association denied (VLAN/ACL failure)   Check WLC logs for Failed attribute name
15     4-way handshake timeout                 Check EAP config, cert validity
3      Deauthenticated - leaving               Normal disconnect
4      Disassociated - inactivity              Normal timeout

Session Log (2026-03-08)

Incident Timeline

Time     Event
00:00    Linux laptop (modestus-razer) fails to connect to Domus-Secure
+5min    wpa_supplicant shows CTRL-EVENT-EAP-SUCCESS then CTRL-EVENT-DISCONNECTED reason=250
+10min   ISE DataConnect confirms PASSED=1 with Domus_Admin_Profile
+15min   WLC logs show VLAN Failure. Failed attribute name MANAGEMENT_VLAN
+20min   VLAN 100 renamed from MGMT_VLAN to MANAGEMENT_VLAN
+25min   VLAN added to policy profile (required brief shutdown)
+30min   WLC logs show ACL Failure. Failed attribute name xACSACLx-IP-DACL_ADMIN_FULL-696eef58
+35min   Enabled radius-server vsa send authentication
+40min   Added aaa authorization network default group radius
+45min   Authentication works, DHCP fails (MGMT VLAN = static IPs)
+50min   Static IP configured on WiFi connection
+55min   Success - Client connected, VLAN 100, DACL downloaded

Configuration Changes Applied

! VLAN rename
vlan 100
 name MANAGEMENT_VLAN

! Policy profile VLAN
wireless profile policy POLICY-DOMUS_SECURE
 vlan MANAGEMENT_VLAN

! DACL enablement
radius-server vsa send authentication
aaa authorization network default group radius

Key Learnings

  1. VLAN names must match exactly - ISE sends MANAGEMENT_VLAN, WLC must have that exact name

  2. Policy profile needs all possible VLANs - Can’t dynamically assign a VLAN not in the policy

  3. VSA is required for DACL download - Without radius-server vsa send authentication, WLC ignores DACL

  4. AAA authorization enables attribute processing - Without aaa authorization network default, no VLAN/DACL

  5. Infrastructure VLANs may use static IPs - Design decision for MGMT network