https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313280#M285008 <P>Answers -&nbsp;</P> <P>1. what invalid pmkid says? Invalid password? If can someone clear here about what is pmkid and why it's needed.<BR />Ans - PMKID is an unique identifier which gets generated as part of the auth mechanism between a client and AP. This ID identifies the PMK used for encrypting comm between and client and AP. During the 4 way handshake the first key that gets generated is MSK. PMK gets derived from MSK.&nbsp;The PMKID is derived from this key and exchanged as part of the handshake process. During fast roaming process, this&nbsp;PMKID allows clients to quickly and securely reconnect to different APs without re-authenticating from scratch.</P> <P>2. How do I validate what makes pmkid being invalid? Does it have expiry time to be valid?<BR />Ans - We do have option to validate but not east to figure out as it need OTA, WLC internal RA trace and EPC. Every single new auth will generate a new PMKID.<BR /><BR />Coming back to your scenario, when the user is already connected to SSID and in RUN state, that means PMKID is already generated. This will come in picture if the device tries to roam. Although it might be physically not moving but if the driver is sensitive and getting signals from multiple APs with almost same signals strength, it can try to roam. Now when WLC says invalid pmkid, there could be 2 possibilities - either device is sending a wrong PMKID which WLC/AP is not aware of. Or else device is sending a correct PMKID, however WLC/AP is reporting it in wrong way. So in your scenario first thing that need to validated if the device is roaming across different APs while physically located in one place. If that's happening and you don't want that, data rates/power levels can be tweaked to see if you can stop that. If that gets stopped, roaming won't happen and subsequently no further issue for PMKID mismatch.</P> Thu, 24 Jul 2025 04:18:41 GMT Saikat Nandy 2025-07-24T04:18:41Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312563#M284962 <P>Hello Everyone,</P><P>&nbsp;</P><P>I'm facing client disconnection , it tries to connect to the AP and the user is steady and not moving. Captured RA traces and found out the it is happening due to PMKID is sent during authentication.</P><P>Client sending authentication request to AP and AP sending back authentication response with status invalid pmkid.</P><P>&nbsp;</P><P>Two concerns here,</P><P>1. what invalid pmkid says? Invalid password? If can someone clear here about what is pmkid and why it's needed.</P><P>2. How do I validate what makes pmkid being invalid? Does it have expiry time to be valid?</P> Tue, 22 Jul 2025 21:50:02 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312563#M284962 Maccarony 2025-07-22T21:50:02Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312718#M284970 <P>&nbsp;</P> <P>&nbsp; -&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1900455">@Maccarony</a>&nbsp; &nbsp; &nbsp;What software <STRONG>version</STRONG> are you using on the 9800 controller ?<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; + Checkout these<FONT color="#FF6600"><EM> bug reports :</EM></FONT><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<A href="https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&amp;prdNam=Cisco%20Catalyst%209800%20Series%20Wireless%20Controllers&amp;kw=pmkid&amp;bt=custV&amp;sb=anfr" target="_blank">https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&amp;prdNam=Cisco%20Catalyst%209800%20Series%20Wireless%20Controllers&amp;kw=pmkid&amp;bt=custV&amp;sb=anfr</A></P> <P>&nbsp; M.</P> Wed, 23 Jul 2025 06:20:14 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312718#M284970 Mark Elsen 2025-07-23T06:20:14Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312795#M284979 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1900455">@Maccarony</a>&nbsp;you can get some undestanding of how PMK, GTK and authentication process work from following link<BR /><BR /><A href="https://mrncciew.com/2014/09/11/cwsp-pmk-caching-preauthentication/" target="_blank">https://mrncciew.com/2014/09/11/cwsp-pmk-caching-preauthentication/</A></P> Wed, 23 Jul 2025 09:38:16 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5312795#M284979 srimal99 2025-07-23T09:38:16Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313037#M284985 <P>Thanks for sharing , I understand its a unique key mutual between AP to station, my concern is it related to password practically when we try to login to wireless network and shown up window with user/password.</P><P>So invalid password says invalid pmkid?</P> Wed, 23 Jul 2025 16:54:59 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313037#M284985 Maccarony 2025-07-23T16:54:59Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313042#M284986 <P>Only make sure wifi client add correct password.</P> <P>If yoh use symbols in password try change it.</P> <P>MHM</P> Wed, 23 Jul 2025 17:02:38 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313042#M284986 MHM Cisco World 2025-07-23T17:02:38Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313068#M284990 <P>So invalid pmkid means incorrect password?</P> Wed, 23 Jul 2025 17:41:35 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313068#M284990 Maccarony 2025-07-23T17:41:35Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313077#M284991 <P>If you not do roaming' then it can be issue of wrong password.</P> <P>MHM</P> Wed, 23 Jul 2025 18:02:52 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313077#M284991 MHM Cisco World 2025-07-23T18:02:52Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313280#M285008 <P>Answers -&nbsp;</P> <P>1. what invalid pmkid says? Invalid password? If can someone clear here about what is pmkid and why it's needed.<BR />Ans - PMKID is an unique identifier which gets generated as part of the auth mechanism between a client and AP. This ID identifies the PMK used for encrypting comm between and client and AP. During the 4 way handshake the first key that gets generated is MSK. PMK gets derived from MSK.&nbsp;The PMKID is derived from this key and exchanged as part of the handshake process. During fast roaming process, this&nbsp;PMKID allows clients to quickly and securely reconnect to different APs without re-authenticating from scratch.</P> <P>2. How do I validate what makes pmkid being invalid? Does it have expiry time to be valid?<BR />Ans - We do have option to validate but not east to figure out as it need OTA, WLC internal RA trace and EPC. Every single new auth will generate a new PMKID.<BR /><BR />Coming back to your scenario, when the user is already connected to SSID and in RUN state, that means PMKID is already generated. This will come in picture if the device tries to roam. Although it might be physically not moving but if the driver is sensitive and getting signals from multiple APs with almost same signals strength, it can try to roam. Now when WLC says invalid pmkid, there could be 2 possibilities - either device is sending a wrong PMKID which WLC/AP is not aware of. Or else device is sending a correct PMKID, however WLC/AP is reporting it in wrong way. So in your scenario first thing that need to validated if the device is roaming across different APs while physically located in one place. If that's happening and you don't want that, data rates/power levels can be tweaked to see if you can stop that. If that gets stopped, roaming won't happen and subsequently no further issue for PMKID mismatch.</P> Thu, 24 Jul 2025 04:18:41 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313280#M285008 Saikat Nandy 2025-07-24T04:18:41Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313282#M285009 <P>are you using fast transition ? if yes disable and test again.&nbsp;</P> Thu, 24 Jul 2025 04:22:43 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313282#M285009 Ambuj M 2025-07-24T04:22:43Z https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313827#M285016 <P>is this an intune managed device? What authentication method is being used: EAP-TLS, EAP-PEAP with MSChapv2<BR />are these windows 11 devices with credential guard enabled</P> <P>what is PMK cache set to if intune managed devices&nbsp;</P> <P>Had situation where PMK cache was set to 5min and this caused similar issues. Also EAP-PEAP is not supported if Credential Guard is enabled from Microsoft</P> Thu, 24 Jul 2025 23:20:10 GMT https://community.cisco.com/t5/wireless/client-able-to-connect-due-to-invalid-pmkid/m-p/5313827#M285016 Haydn Andrews 2025-07-24T23:20:10Z