topic Re: MAP not able to join WLC in Wireless

MAP not able to join WLC

Cisco Admin xyz — Tue, 13 Jun 2023 18:21:08 GMT

Dear Cisco Community

I am having Trouble, joining a Cisco MAP (9124AXI) to a Cisco 9800-L WLC through a Cisco RAP (also 9124AXI). In the Web-Interface of the WLC (Monitoring -> AP Statistics -> myRAP -> Mesh -> Neighbor) I can see the RAP recognizes the MAP as neighbor AP:

But the MAP never actually joins the WLC. It nevers shows a message about a successful join.

Under radioactive trace I collected some logs on the WLC of the MAP. These Logs show "authz_list: Not present under wlan configuration". But the MAC Address of the MAP is stored in the AAA List "Device Authentication" on the WLC under "AAA Advanced". An AAA Method List for Authentication as well as a AAA List for Authorization are configured.

I expect the map to show up on the WLC under Configuration -> Access Points -> All Access Points after a successful join. Is that assumption wrong? Will the MAP even after a successfull join not show up there?

Do you have any suggestions for Troubleshooting?

Thanks for any answers in advance.

Re: MAP not able to join WLC

Rich R — Wed, 14 Jun 2023 13:52:42 GMT

Have you configured it as per the example at the end of https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html

The Authentication and Authorization methods are configured under the mesh profile and then the mesh profile is configured in the AP join profile.

That error though suggests you might be referencing authz_list that doesn't exist - check your config carefully and using https://cway.cisco.com/wireless-config-analyzer/ with the output of "show tech wireless"

Re: MAP not able to join WLC

Cisco Admin xyz — Fri, 16 Jun 2023 09:36:24 GMT

Thanks for the response.

I have the APs configured like in the example. An authorization Method under "AAA method list" is configured as well. The selected Authorization profile is existing and configured as in the example. It is also selected in the Mesh Profile.

The config analyzer has not found a mesh config error.

I find it confusing, that the AP is able to find the configured Authentication Profile but fails to find the selected authorization Profile, because both are selected in the Mesh Profile:

The Mesh Profile is applied to the AP by a site-tag.

Re: MAP not able to join WLC

Rich R — Fri, 16 Jun 2023 10:48:57 GMT

And what version of software are you using?
Make sure you're using latest TAC recommended version as per link below to ensure you have known bugfixes.

If you're sure the config is correct and you've checked the names match exactly, and software is up to date - then time for a TAC case.

Re: MAP not able to join WLC

Cisco Admin xyz — Fri, 16 Jun 2023 14:29:52 GMT

I checked the configuration multiple times against the tutorial you sent me in your first post. It seems correctly configured to me. So I will try upgrading the WLC to a newer Version.

Re: MAP not able to join WLC

LC.IT — Mon, 19 Jun 2023 21:19:16 GMT

Did you fix the problem?

Re: MAP not able to join WLC

Cisco Admin xyz — Tue, 20 Jun 2023 05:41:40 GMT

Not yet. But I will upgrade the WLC. Possibly that will solve the issue. I post my solution here once I found it. Do you have the same weird behavior?

Re: MAP not able to join WLC

LC.IT — Tue, 20 Jun 2023 10:53:23 GMT

Yes, same problem and same AP model but I have EWC here running version 17.9.3

Today I will try version 17.6.4

Re: MAP not able to join WLC

Rich R — Tue, 20 Jun 2023 11:33:31 GMT

@LC.IT If you intend to downgrade to 17.6 then use 17.6.5 - not 17.6.4!

Always refer to current TAC recommended list (below). Note that TAC are currently saying:
Cisco recommends 17.9.3 CCO image for all deployments.

Re: MAP not able to join WLC

LC.IT — Thu, 22 Jun 2023 02:20:24 GMT

Here just works running 17.9.3 with PSK authentication. EAP failing on 17.6.4 and 17.9.3.

Re: MAP not able to join WLC

Infinite Networks Anthony — Fri, 30 Jun 2023 09:21:03 GMT

I came here from a link on Reddit. We had a similar issue on 17.6.X. TAC found the issue which was that we had the Mesh Bridge Group Name set which was causing the MAP to not auth using EAP. We removed the the Bridge Group name and rebooted the MAP and it connected.

Re: MAP not able to join WLC

Cisco Admin xyz — Mon, 11 Sep 2023 09:29:41 GMT

Sorry for posting the actual solution so late.

The MAP was not able to join the WLC because of a misconfiguration of our switchport to which the RAP was connected. In our environment we use dot1x or MAB to authenticate devices with Cisco ISE.

We allowed the Ethernet and Radio MACs of the MAP and RAP to join via MAB. In the ISE login we were able to see that Cisco ISE successfully authenticated the RAP using MAB and never saw an authentication error regarding the MAP.

But the MAP was not able to get authenticated because of the following configuration on the Switchport to which the RAP and therefore also the MAP were connected to our LAN: "access-session host-mode multi-domain" This Settings allows only allows for one Data and One Voice VLAN Device to be authenticated on that specific switchport.

Changing this setting to "access-session host-mode multi-host" or "access-session host-mode multi-auth" solved the problem since it allows for more than one Data-VLAN Device to be authenticated. You can read more here: https://community.cisco.com/t5/network-access-control/access-session-host-mode-option-for-an-ap-port/td-p/3810472

Another possability would be to remove the dot1x and MAB configurations from the port entirely but this would not be that secure.