topic Re: Android 13 cannot join SSID via DOT1X authentication on C9800 in Wireless

Android 13 cannot join SSID via DOT1X authentication on C9800

Scorpioo — Thu, 06 Mar 2025 19:27:28 GMT

Hello guys,

old WLC - AirOS 5520 - version 8.10.196.0

new WLC - C9800 - IOS XE 17.12.04

we are migrating APs from old WLC to new one per Wireless refresh. We have C9120AXI-E APs moved to new WLC and have 2 main SSIDs:

1. guest SSID - PSK authentication, fast transition in adaptive mode

2. CORP SSID - DOT1X authentication, FT disabled

On CORP SSID on new WLC, we can see associated Windows laptops, working fine.

But, Android phones/tablets (Android 13) working fine on old WLC on CORP SSID, but cannot connect same SSID with same settings on new C9800 WLC. We performed packet capture and radioactive trace, when client is trying to connect to CORP SSID, but there is nothing logged for that connection. It looks like communication between Android devices and WLC is not working at all.

SSIDs are pushed to Android devices via Intune and should authenticate via certificate. ISE also doesnt see any logs for Android devices on new WLC C9800.

Config of CORP SSID:

WLAN Profile Name : Corp-profile
================================================
Identifier : 22
Description :
Network Name (SSID) : Corp
Status : Enabled
Broadcast SSID : Enabled
Advertise-Apname : Disabled
Universal AP Admin : Disabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 200
OKC : Enabled
Number of Active Clients : 21
CHD per WLAN : Enabled
WMM : Allowed
WiFi Direct Policy : Disabled
Channel Scan Defer Priority:
Priority (default) : 5
Priority (default) : 6
Scan Defer Time (msecs) : 100
Media Stream Multicast-direct : Disabled
CCX - AironetIe Support : Disabled
Peer-to-Peer Blocking Action : Disabled
Configured Radio Bands
2.4GHz : Enabled
5GHz : Enabled
Slot : Enabled on all slots
Operational State of Radio Bands
2.4GHz : UP
5GHz : UP
Slot : Enabled on all slots
DTIM period for 802.11a radio : 1
DTIM period for 802.11b radio : 1
Local EAP Authentication : Disabled
Mac Filter Authorization list name : Disabled
Mac Filter Override Authorization list name : Disabled
Accounting list name :
802.1x authentication list name : dnac-XXXX-XXXX
802.1x authorization list name : Disabled
Security
FT Support : Disabled
FT Reassociation Timeout (secs) : 20
FT Over-The-DS mode : Disabled
Web Based Authentication : Disabled
OWE Transition Mode : Disabled
Conditional Web Redirect : Disabled
Splash-Page Web Redirect : Disabled
Webauth On-mac-filter Failure : Disabled
Webauth Authentication List Name : Disabled
Webauth Authorization List Name : Disabled
Webauth Parameter Map : Disabled
Security-2.4GHz/5GHz
802.11 Authentication : Open System
Static WEP Keys : Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
MPSK : Disabled
EasyPSK : Disabled
AES Cipher : Enabled
CCMP256 Cipher : Disabled
GCMP128 Cipher : Disabled
GCMP256 Cipher : Disabled
Randomized GTK : Disabled
WPA3 (WPA3 IE) : Disabled
Auth Key Management
802.1x : Enabled
PSK : Disabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
FT SAE : Disabled
Dot1x-SHA256 : Disabled
PSK-SHA256 : Disabled
SAE : Disabled
OWE : Disabled
SUITEB-1X : Disabled
SUITEB192-1X : Disabled
SAE PWE Method : Hash to Element, Hunting and Pecking(H2E-HNP)
Transition Disable : Disabled
CCKM TSF Tolerance (msecs) : 1000
OSEN : Disabled
PMF Support : Disabled
PMF Association Comeback Timeout (secs): 1
PMF SA Query Time (msecs) : 200
Security-6GHz
WPA3 (WPA3 IE) : Disabled
Auth Key Management
FT dot1x : Disabled
FT SAE : Disabled
Dot1x-SHA256 : Disabled
SAE : Disabled
OWE : Disabled
SUITEB-1X : Disabled
SUITEB192-1X : Disabled
SAE PWE Method : Hash to Element(H2E)
PMF Support : Required
PMF Association Comeback Timeout (secs): 1
PMF SA Query Time (msecs) : 200
Band Select : Disabled
Load Balancing : Disabled
Multicast Buffer : Disabled
Multicast Buffers (frames) : 0
IP Source Guard : Disabled
Assisted-Roaming
Neighbor List : Enabled
Prediction List : Disabled
Dual Band Support : Disabled
IEEE 802.11v parameters
Directed Multicast Service : Enabled
BSS Max Idle : Enabled
Protected Mode : Disabled
Traffic Filtering Service : Disabled
BSS Transition : Enabled
Disassociation Imminent : Disabled
Optimised Roaming Timer (TBTTS) : 40
Timer (TBTTS) : 200
Dual Neighbor List : Disabled
WNM Sleep Mode : Disabled
802.11ac MU-MIMO : Enabled
802.11ax parameters
802.11ax Operation Status : Enabled
OFDMA Downlink : Enabled
OFDMA Uplink : Enabled
MU-MIMO Downlink : Enabled
MU-MIMO Uplink : Enabled
BSS Target Wake Up Time : Disabled
BSS Target Wake Up Time Broadcast Support : Disabled
802.11 protocols in 2.4GHz band
Protocol : dot11bg
Advanced Scheduling Requests Handling : Disabled
mDNS Gateway Status : Bridge
WIFI Alliance Agile Multiband : Disabled
Device Analytics
Advertise Support : Disabled
Advertise Support for PC analytics : Disabled
Share Data with Client : Disabled
Client Scan Report (11k Beacon Radio Measurement)
Request on Association : Disabled
Request on Roam : Disabled
WiFi to Cellular Steering : Disabled
Advanced Scheduling Requests Handling : Disabled
6Ghz Client Steering : Disabled
Locally Administered Address Configuration
Deny LAA clients : Disabled
Latency Measurements Announcements : Disabled

Where could be an issue? Same clients are able to connect to old WLC CORP SSID via certificate, but cannot associate on new WLC. Android phones are working correctly on new WLC, when connected to Guest SSID via PSK.

New WLC was provisioned via DNAC, no manual configuration.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scott Fella — Thu, 06 Mar 2025 19:49:24 GMT

Look at the logs on your radius server.... are you using Cisco ISE? You should be able to determine why its failing from the radius side of things. Your radius servers have not changed at all I'm assuming.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scorpioo — Thu, 06 Mar 2025 20:05:27 GMT

ISE didn't change, no new config there. But still, ISE doesn't see anything - clients MAC addresses are not visible under logs on ISE. It looks like it cannot communicate with WLC and per that also not communicating with ISE about certificate authentication/authorization.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scott Fella — Thu, 06 Mar 2025 20:15:47 GMT

Okay, then it must be some settin gon the WLAN that is making them fail. I would make sure that no features are enabled on the 9800 WLAN when you compare that to the AireOS WLAN configuration.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scorpioo — Thu, 06 Mar 2025 20:37:12 GMT

I disabled fast transtion, also Advanced scheduling and advertise support, while I read, that it could create issues for Android device. It didnt fix it.

I didnt find any major difference to AirOS WLAN config:

Profile Name..................................... Corp
Network Name (SSID).............................. Corp
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
Random MAC Filtering............................. Disabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Enabled
DHCP ....................................... Enabled
HTTP ....................................... Enabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Enabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 34
Number of Active Random-Mac Clients.............. 5
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 7200 seconds
User Idle Timeout................................ 3500 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ private
Multicast Interface.............................. private
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
Central NAT Peer-Peer Blocking................... Unknown
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... WLC
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ XXXX 1812 *
Authentication................................ XXXX 1812 *
Authentication................................ XXXX 1812 *
Accounting.................................... XXXX 1813 *
Accounting.................................... XXXX1813 *
Accounting.................................... XXXX 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Authorization ACA............................. Disabled
Accounting ACA................................ Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Adaptive
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
WPA3 (RSN IE).............................. Disabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
802.1x-SHA2............................. Disabled
PSK..................................... Disabled
PSK-SHA2................................ Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
OWE..................................... Disabled
SAE..................................... Disabled
OWE Transition Mode........................ Disabled
OWE Transition Mode WLAN id................ 0
Auto Key PSK .............................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Flexconnect Post-Auth IPv4 ACL................ Unconfigured
Flexconnect Post-Auth IPv6 ACL................ Unconfigured
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. AUTOQOS-AVC-PROFILE
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... enable
Flow Monitor Name................................ dnac
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Enabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
802.11v BSS Transition Neigh List Dual Band...... Disabled
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled
11ax Downlink MU-MIMO............................ Enabled
11ax Uplink MU-MIMO.............................. Enabled
11ax Downlink OFDMA.............................. Enabled
11ax Uplink OFDMA................................ Enabled
11ax Admin state................................. Enabled
Wifi Alliance Multiband Operation................ Disabled
11ax Target Wake Time............................ Enabled
Advanced Scheduling Requests..................... Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

We have also other C9800, where it is working fine. I compared WLAN config with them and it there is exact match.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Leo Laohoo — Thu, 06 Mar 2025 20:57:29 GMT

CSCwb52755

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scorpioo — Thu, 06 Mar 2025 21:01:45 GMT

nope, as FT is disabled on new WLC for CORP SSID.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scott Fella — Thu, 06 Mar 2025 21:20:25 GMT

On the GUI, make sure your WLAN is set for WPA/WPA2 not WPA2/WPA3

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scorpioo — Thu, 06 Mar 2025 21:33:58 GMT

It is set on WPA/WPA2, checked it before.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Scott Fella — Thu, 06 Mar 2025 21:50:24 GMT

Here is my setup from my home lab for 802.1x, works on Windows, MacOS, iOS and Android.

WLAN Profile Name :Se****Dot1x
================================================
Identifier : 451
Description :
Network Name (SSID) : Se****Dot1x
Status : Enabled
Broadcast SSID : Enabled
Advertise-Apname : Enabled
Universal AP Admin : Disabled
Max Associated Clients per WLAN : 0
Max Associated Clients per AP per WLAN : 0
Max Associated Clients per AP Radio per WLAN : 200
OKC : Enabled
Number of Active Clients : 1
CHD per WLAN : Enabled
WMM : Allowed
WiFi Direct Policy : Disabled
Channel Scan Defer Priority:
Priority (default) : 5
Priority (default) : 6
Scan Defer Time (msecs) : 100
Media Stream Multicast-direct : Disabled
CCX - AironetIe Support : Enabled
Peer-to-Peer Blocking Action : Disabled
Configured Radio Bands
5GHz : Enabled
Slot : Enabled on all slots
Operational State of Radio Bands
5GHz : UP
Slot : Enabled on all slots
DTIM period for 802.11a radio : 1
DTIM period for 802.11b radio : 1
Local EAP Authentication : Disabled
Mac Filter Authorization list name : Disabled
Mac Filter Override Authorization list name : Disabled
Accounting list name :
802.1x authentication list name : radAuthCmethod
802.1x authorization list name : Disabled
Security
FT Support : Adaptive
FT Reassociation Timeout (secs) : 20
FT Over-The-DS mode : Disabled
Web Based Authentication : Disabled
OWE Transition Mode : Disabled
Conditional Web Redirect : Disabled
Splash-Page Web Redirect : Disabled
Webauth On-mac-filter Failure : Disabled
Webauth Authentication List Name : Disabled
Webauth Authorization List Name : Disabled
Webauth Parameter Map : Disabled
Security-2.4GHz/5GHz
802.11 Authentication : Open System
Static WEP Keys : Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3) : Enabled
WPA (SSN IE) : Disabled
WPA2 (RSN IE) : Enabled
MPSK : Disabled
EasyPSK : Disabled
AES Cipher : Enabled
CCMP256 Cipher : Disabled
GCMP128 Cipher : Disabled
GCMP256 Cipher : Disabled
Randomized GTK : Disabled
WPA3 (WPA3 IE) : Disabled
Auth Key Management
802.1x : Enabled
PSK : Disabled
CCKM : Disabled
FT dot1x : Disabled
FT PSK : Disabled
FT SAE : Disabled
FT SAE-EXT-KEY : Disabled
Dot1x-SHA256 : Disabled
PSK-SHA256 : Disabled
SAE : Disabled
SAE-EXT-KEY : Disabled
OWE : Disabled
SUITEB-1X : Disabled
SUITEB192-1X : Disabled
SAE PWE Method : Hash to Element, Hunting and Pecking(H2E-HNP)
Transition Disable : Disabled
CCKM TSF Tolerance (msecs) : 1000
OSEN : Disabled
PMF Support : Disabled
PMF Association Comeback Timeout (secs): 1
PMF SA Query Time (msecs) : 200
Beacon Protection : Disabled
Security-6GHz
WPA3 (WPA3 IE) : Disabled
Auth Key Management
FT dot1x : Disabled
FT SAE : Disabled
FT SAE-EXT-KEY : Disabled
Dot1x-SHA256 : Disabled
SAE : Disabled
SAE-EXT-KEY : Disabled
OWE : Disabled
SUITEB-1X : Disabled
SUITEB192-1X : Disabled
SAE PWE Method : Hash to Element(H2E)
PMF Support : Required
PMF Association Comeback Timeout (secs): 1
PMF SA Query Time (msecs) : 200
Beacon Protection : Disabled
Band Select : Disabled
Load Balancing : Disabled
Multicast Buffer : Disabled
Multicast Buffers (frames) : 0
IP Source Guard : Disabled
Assisted-Roaming
Neighbor List : Enabled
Prediction List : Disabled
Dual Band Support : Disabled
IEEE 802.11v parameters
Directed Multicast Service : Enabled
BSS Max Idle : Enabled
Protected Mode : Disabled
Traffic Filtering Service : Disabled
BSS Transition : Enabled
Disassociation Imminent : Disabled
Optimised Roaming Timer (TBTTS) : 40
Timer (TBTTS) : 200
Dual Neighbor List : Disabled
WNM Sleep Mode : Disabled
802.11ac MU-MIMO : Enabled
802.11ax parameters
802.11ax Operation Status : Enabled
OFDMA Downlink : Enabled
OFDMA Uplink : Enabled
MU-MIMO Downlink : Enabled
MU-MIMO Uplink : Enabled
BSS Target Wake Up Time : Disabled
BSS Target Wake Up Time Broadcast Support : Disabled
802.11be profile name : default-dot11be-profile
802.11 protocols in 2.4GHz band
Protocol : dot11bg
Advanced Scheduling Requests Handling : Enabled
mDNS Gateway Status : Bridge
WIFI Alliance Agile Multiband : Disabled
Device Analytics
Advertise Support : Enabled
Advertise Support for PC analytics : Enabled
Share Data with Client : Disabled
Client Scan Report (11k Beacon Radio Measurement)
Request on Association : Disabled
Request on Roam : Disabled
WiFi to Cellular Steering : Disabled
Advanced Scheduling Requests Handling : Enabled
6Ghz Client Steering : Disabled
Locally Administered Address Configuration
Deny LAA clients : Disabled
Latency Measurements Announcements : Disabled
Client geolocation
FTM responder : Disabled
Advertise AP location : Disabled

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Mark Elsen — Fri, 07 Mar 2025 07:19:17 GMT

- For testing if you know to which AP a particular android phone will connect
; issue this command first on the AP:
show ap client-trace events mac <android mac address>
. Then during the connecting process (and later) follow up on the outputs shown or check the logs on the AP

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Rich R — Mon, 10 Mar 2025 02:13:36 GMT

> We have also other C9800, where it is working fine.
There must be a difference.
Are the WLC and APs running the exact same code version on the same AP models? (show ap image, show install summ)
Have you compared all the config - line by line, side by side, with a good compare tool to highlight differences which you could easily miss?
That means WLAN, policy profile, AAA config, radius config - everything applied to that SSID.

> new WLC - C9800 - IOS XE 17.12.04
Do you have latest SMUs and APSP installed as per TAC recommended doc (link below)?

Have you used the Config Analyzer (link below) to check for obvious errors in the config?

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

FeralCat — Fri, 01 May 2026 16:59:27 GMT

was there any resolution to this? i have a similar issue.

Re: Android 13 cannot join SSID via DOT1X authentication on C9800

Leo Laohoo — Sat, 02 May 2026 02:25:50 GMT

What firmware is the WLC on?

What AP model is this problem occuring?