topic Re: C9800 pki auth error in Wireless

C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 16:20:00 GMT

Access points are not authenticating on Cisco Catalyst 9800-40 Wireless Controller 17.9.5.

Monitoring > Wireless > AP Statistics -> No reboot reason | AP Auth Failure

AP models: C9130AXI-Z and IW6300

Trace logs: Attached

Any suggestion?

Re: C9800 pki auth error

Scott Fella — Tue, 08 Apr 2025 16:36:17 GMT

@fabio daitx Can you provide more info? Do you have any other access points connected or is this a new setup? You have NTP configured on the controller and also validated the country code configuration? Have you tried to put the ap on the same subnet as the controller? These are just basic things to look at and try.

Re: C9800 pki auth error

Saikat Nandy — Tue, 08 Apr 2025 16:37:40 GMT

Few things -

1. Are you really doing AP auth?

2025/04/08 12:50:18.740673830 {wncd_x_R0-2}{2}: [errmsg] [16528]: (note): %CAPWAPAC_SMGR_TRACE_MESSAGE-5-AP_JOIN_DISJOIN: R0/2: wncd: AP Event: AP Name: AP4006.D5E0.2180 Mac: 4006.d5cb.d440 Session-IP: 10.135.148.191[5256] 10.201.233.81[5246] Disjoined AP Auth Failure

Please check from WLC GUI > Configuration > Security > AAA > AAA Advanced > AP Policy ====> and check if you have enabled AP authz. Also if enabled, if that's an intended config (If not, disable that). If intended config, then please check if the AP base ethernet mac address is added to your authz database. Usually AP Auth is mostly used in mesh setup. Refer - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html

2. Looks like you are running 9800-40 on 17.9.5. According to the trace it looks like 'CISCO_IDEVID_SUDI' trustpoint might be in use for the WMI. Please note that there is a change in SUDI cert happened in 17.9.5. Refer - https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html (Table 1).

Re: C9800 pki auth error

Mark Elsen — Tue, 08 Apr 2025 16:39:33 GMT

- Adding to 'basic things' being mentioned ; validate the 9800-40 controller's configuration with the
CLI command show tech wireless and feed the output from that into Wireless Config Analyzer

Re: C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 17:08:41 GMT

Answers:

Do you have any other access points connected or is this a new setup? Yes, have other aps and are working.

You have NTP configured on the controller and also validated the country code configuration? Yes, NTP is working. How dow I validate the country code configuration?

Have you tried to put the ap on the same subnet as the controller? It is not possible, the controller is remotely connected, but now there is also one ap that is in the same subnet and not working.

Re: C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 17:32:37 GMT

Answers:

1. Are you really doing AP auth? No, I was not supposed to do that. I had enabled that to try making AP authenticate and associate with controller, but now I have just disabled AP Policy ->Authorize APs against MAC (disabled) | Authorize APs against Serial Number (disable) and two other APs associated. Thanks. Now I have only one AP that is not associating, IW6300 (new log attached). It worked once but never more after I configure as bridge (I have already tryed reseting factory defaults, but still not working).

2. Looks like you are running 9800-40 on 17.9.5. I am not sure about 'CISCO_IDEVID_SUDI', what am I supposed to do? Change some configuration? How can I do that?

Re: C9800 pki auth error

Scott Fella — Tue, 08 Apr 2025 17:33:48 GMT

For the country code, you would see the model in the sticker on the access point or on the box. Now to check what country code you have configured already, you can reference this link:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/country-codes.html#config-country-codes

As long as the ap's you have purchased are the same country as the existing ones that are already joined and working to that controller, then the country code is not the issue. Also, looking at the Wireless Matrix, https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html, The ap model you posted is supported on that 9800 code your also posted. Given that you already have existing access points jined to that controller eliminates any issue with the trustpoint.

So what model access point do you have that are successfully joined to that controller and do you have existing access points that are joined on the same switch as the ones you are not able to join? This also helps eliminate an infrastructure issues with either local mode or flexconnect mode.

Re: C9800 pki auth error

Saikat Nandy — Tue, 08 Apr 2025 17:57:09 GMT

I am still seeing AP Auth failure in the logs..since you have disabled the AP Authz, WLC should allow the AP. Now I am more interested to look into these outputs from the AP CLI -

#show capwap client rcb

#show capwap client config

#show ip int br

#show logging

Re: C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 18:02:33 GMT

Done. No big insight about the problem.

Re: C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 18:16:27 GMT

It follows attached.

Re: C9800 pki auth error

fabio daitx — Tue, 08 Apr 2025 18:26:27 GMT

IW-6300H-AC-Z-K9 is not listed for Brazil. Since it is the only AP that is not working now, I suppose that it can be related to country code. Can I configure multiple country codes, like for example BR and US in order that model to work? Obs.: I intend to use mesh in future.

Re: C9800 pki auth error

Saikat Nandy — Wed, 09 Apr 2025 00:19:54 GMT

I am sorry! Looks like the logs are collected from controller. As mentioned, the commands shared before need to be run in the problematic AP.

Re: C9800 pki auth error

Scott Fella — Wed, 09 Apr 2025 00:22:11 GMT

Yes you can configure additional country codes on the controller. That should then fix your issue. Just make sure the ap is mounted in the country its made for so that you don't break any regulations.

Re: C9800 pki auth error

Rich R — Thu, 10 Apr 2025 11:13:54 GMT

AP auth is mandatory for bridge mode APs <wink>
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html
"A mesh AP needs to be authenticated for it to join the 9800 controller."

Re: C9800 pki auth error

fabio daitx — Thu, 10 Apr 2025 15:35:19 GMT

Hi, I just solved the problem by manually loggin in the ap and issuing the following command: "capwap ap mode local" as described at https://community.cisco.com/t5/wireless/wlc-9800-l-c-ap-iw-6300h-not-join/td-p/4278159. I didn't understand why aps were associating as bridge, if they factory default reseted. Anyway I also collected the logs (attached) and now I am running the mesh configuration procedure (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html). Thanks for your help and support.

Re: C9800 pki auth error

Scott Fella — Thu, 10 Apr 2025 15:54:02 GMT

I think what you need to look at is to factory reset it again and see if it goes back to bridge.... that might be something you need to document as that might of been set at the factory.