topic Re: Windows laptop not able to join 802.1x SSID on C9800-CL in Wireless

Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Tue, 26 Aug 2025 20:45:25 GMT

I am in the middle of migrating WLC 5520 (8.10.190.0) to C9800-CL (17.12.05) while APs remain the same (3802i). AAA servers are ISE 3.4 patch 2. We use centralized switching (no Flex mode). I have an 802.1X SSID allowing both EAP-TLS and PEAP+MSCHAPv2. The SSID on WLC 5520 works for pretty much all devices we have. The same SSID on C9800-CL works for most devices I tested so far but one particular Windows laptop.

The same laptop connects to the SSID on 5520 without any issues using EAP-TLS. Tried different Windows builds (10 and 11) and updated Wi-Fi NIC driver to the latest. Machine certificate is fine. Tried manually adding network with EAP-TLS, and PEAP + MSCHAPv2. None worked with the new C9800-CL.
There is no logs for this particular laptop/MAC on ISE meaning the Authenticator (C9800-CL) is not sending Radius request to Authentication Server (ISE) when the Supplicant client tries to join the SSID.
I did some packet captures on the C9800-CL by providing “Inner Filter MAC” and did a comparison between a successful connection and a failed one.

It’s interesting to notice the captured packets are between the C9800-CL and the AP, but 802.1X authentication is between the supplicant (laptop) and the AP (BSSID MAC). On a successful connection, after the supplicant sends Response with Identity (host/xxxxxx), the AP sends a EAP-TLS Request, and after quite a few EAP packets exchange authentication succeeds.

On a failed connection, after the supplicant sends Response with Identity (host/xxxxxx), the AP just sends a Failure EAP packet and never sends a 802.1X proposal:

This explains why ISE never sees a Radius request for this particular laptop. I’ve tested 5 Windows laptops and a few iOS/Android devices so far, and found only one problematic laptop, but I don’t know how many more out of about 1000 laptops may experience the same issue.

A TAC ticket is going nowhere, and the engineer insists something is wrong with the laptop but doesn’t know what exactly is wrong. I’ve seen some similar issues online and it seems nobody was able to explain why there is no logs on Radius servers. Has anyone seen this?

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Tue, 26 Aug 2025 21:11:47 GMT

I see same issue month ago' but what can I say' engineer leave us with many Q and dont reply to our comment.

Anyway' what I understand'

There are two inner and outer authc

The identity wlc receive for outer authc is wrong and this make authc failed.

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Tue, 26 Aug 2025 21:24:51 GMT

My understanding is PEAP + MSCHAPv2, PEAP + EAP-TLS etc. use outer and inner authc, but EAP-TLS alone uses only one layer. I am thinking a compatibility issue between 3802 AP and C9800-CL but according to this matrix they are supported.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Tue, 26 Aug 2025 21:28:03 GMT

Yes correct eap-tls use only one authc

Let take it as reference

Connect laptop to wlc 5500 and capture traffic and connect it to wlc 9800 and capture traffic

Then identity response open both packet and share it here let me check different

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Tue, 26 Aug 2025 21:38:32 GMT

It may not be easy to do packet capture on 5520. Wireshark on the laptop seems not be able to capture all 802.11 traffic as the Wi-Fi card doesn't support "Monitor mode". I am going to try if I can do it on the AP.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Mark Elsen — Wed, 27 Aug 2025 06:36:49 GMT

- @Simon Z Use client debugging for this windows laptop using instructions from https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
These so called RadioActive Traces can be analyzed with Wireless Debug Analyzer

Outputs from commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845
can also be useful

Validate the configuration of your new C9800-CL controller using the CLI command
show tech wireless and feed the output from that into Wireless Config Analyzer

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 14:43:16 GMT

Wireless Debug Analyzer shows a simple reason: Cred Fail. For whatever reason, the WLC/AP and the client don't try any of the 802.1X protocols. As soon as the client provides Identity as host/<FQDM>, WLC/AP says Failure.

Wireless Config Analyzer shows 1 error 16 warnings - none seems related to the issue.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 14:48:38 GMT

Unfortunately the only way to do packet capture on 5520 is to use an AP as monitor AP, which I don't have one handy now. When I try "config ap packet-dump" it says my AP doesn't support it.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Wed, 27 Aug 2025 14:56:09 GMT

In wlc 9800 there is EPC use it to share traffic between WLC abd ISE' let see if WLC is end authc or ISE

Share ISE ver abd wlc ver

Thanks

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 15:42:03 GMT

I specify 9800 as source and ISE as destination in EPC, then try to join the SSID on the problematic laptop. Nothing is captured. When I try on a good laptop, I see lots of Radius traffic.

9800 is v17.12.05. ISE is v3.4 patch 2.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Wed, 27 Aug 2025 15:49:50 GMT

Good, now what is good laptop and bad laptop?

What is OS for both laptop?

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 16:10:03 GMT

The bad one is now Win11 version 24H2 (a fresh install). Tried Win10 on it earlier. Same issue.

The good ones include Win10 (22H2), Win 11 (22H2 and 24H2).

They all have the latest Windows updates.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Wed, 27 Aug 2025 17:23:21 GMT

Ok in your original post you can capture traffic

Capture both wifi good and bad

Abd share the identity response from client I need to see it

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Parithosh Vema — Wed, 27 Aug 2025 17:51:13 GMT

Hey @Simon Z, although the 5520 doesn't support packet capture natively you can still achieve it via this flow: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211342-packet-captures-on-aireos-wlc.html

Since its Identity response you are after, give this a shot and compare against 9800, for AP side packet capture I would suggest to do an EPC on the switch where AP is connected and do the same for 5520 vs 9800.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 18:30:03 GMT

For a good connection, it's a bunch of EAP and TLSv1.2 packets:

I believe my issue is very similar to this one:

https://community.cisco.com/t5/wireless/reason-cred-fail-on-interface-capwap/td-p/4971126/page/2

The OP claimed he fixed the issue by adding a Windows Registry key named TTLS (to apply to EAP-TTLS) and a DWORD named Tlsversion in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13. I believe the value fc0 forces Windows to use one of TLS 1.0, 1.1 or 1.2, not TLS 1.3. I did the same to no avail.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Wed, 27 Aug 2025 18:36:30 GMT

Friend only I need to see identity response for both cases

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 19:21:35 GMT

Sorry @Parithosh Vema I missed your post. I followed the instruction. I specified src/dst as 5520/AP and AP/5520 and this is what I got:

Unfortunately there is no EAP traffic being captured. Not sure I used a wrong ACL. Apparently the client doesn't have an IP yet at this stage. I did notice there is some limitations by doing this:

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 19:34:30 GMT

Hi @MHM Cisco World, right after client replied with Identity host/<FQDN>, The AP requests for EAP-TLS, the client then starts a TLSv1.2 handshake, and client and server start to identity each other with certificates.

On a failed connection, the AP simply says Failure.

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

MHM Cisco World — Wed, 27 Aug 2025 19:37:06 GMT

I need to see how client reply for identity request

I need to see how hostname and op in that packet

MHM

Re: Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z — Wed, 27 Aug 2025 19:51:52 GMT

Client replies with this format: host/<hostname.xxx.org.local>, where xxx.org.local is our AD domain name. We have a CA infrastructure in the domain to issue certs to ISE and all clients.