One of our NAC servers was having a problem authenticating users recently:
Wed Feb 1 20:17:05 2017 : Error: (10012414) [etsnac] The AAA server response ID: 10012414 had an unknown command: 35.
[/code]so no-one could get on the wireless. I rebooted the appliance and it came back fine. The wireless controller however stopped sending it RADIUS authentication requests, despite it being the only RADIUS server configured for the VNS. If I added the secondary NAC server to the VNS, that one worked fine, but after removing it, the wireless controller still wouldn't talk to the original NAC server. In the end I had to reboot the wireless controller and then everyone was good again. Is there some way I can tell the EWC that a RADIUS server is good again? Or see what it was stuck on?
As for why we have two NAC servers but only one configured in the VNS, iOS somehow knows they are different (despite having the same SSL certificate) and requires going to settings tapping on the wifi network and accepting the certificate when you roam to an AP that's using the second NAC server before it will connect. Has anyone managed to configure two NAC servers such that iOS can't tell the difference?
The correct way to do this in iOS/macOS is create a wifi configuration profile containing the CA that's signed the RADIUS server certificate, then it will trust both servers. We do this for our Macs, but it's not convenient to do this with iOS since you generally need wifi connected to install profiles, amongst other reasons.