I am experiencing issues with the Plug and Play process for provisioning new Access Points to Wireless LAN Controllers. Specifically, attempts to provision CA9126 to C9800-CL-K9 fail.
PnP is failing in production, so I am testing it in a separate environment. My test setup config does not contain dot1x configuration:
Port configuration
interface GigabitEthernet1/0/1
switchport trunk native vlan 100
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
ip dhcp snooping trust
end
I am using EAP-PEAP with a username and password. Those are configured by the AP Profile (or AP Join Profile). The AP Join Profile is attached to the Network Profile, which is attached to the site that I am provisioning my APs into.
DNA Center never considers the claim process to have failed. It always moves the APs to the provision tab.
A failed claim looks like this:
- Claiming AP on DNAC
- PNP CONFIG from DNAC
- AP Rebooting: Reset Reason - PnP configured dot1x
log:
[*06/19/2024 13:24:58.2548] PNP CONFIG - Dot1x EAP-TYPE :[EAP-PEAP] Val:[25]
[*06/19/2024 13:24:58.2548] configure_dot1x_eap_type_from_pnp : 25
[*06/19/2024 13:24:58.2548] PnP: Restarting device with new dot1x config.
- After reboot, AP gets IP, joins WLC
[*06/19/2024 13:25:44.2480] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[IDLE] port_status:[Unauthorized].
- For some reason AP tag changes:
[*06/19/2024 13:27:47.4403] AP tag PT_zTest_bTstP_fTstPL_586ce change to default-policy-tag
[*06/19/2024 13:27:48.9863] *** Unable to connect to: 127.0.0.1:4040 - [Errno 111] Connection refused
[*06/19/2024 13:27:49.8433] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[IDLE] port_status:[Unauthorized].
[*06/19/2024 13:28:02.4503] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
[*06/19/2024 13:28:40.4327] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[FAILURE] port_status:[Unauthorized].
[*06/19/2024 13:31:21.1557] CAPWAP State: Join
[*06/19/2024 13:31:31.0707] AP image version 17.12.3.31 backup 17.9.5.47, Controller 17.12.3.31
- AP reboots with the following errors:
[*06/19/2024 13:31:50.9407] [12558] - 2024-06-19 13:31:50.941 - (nitro_collect_ctrl.cpp:369) - [Collec][INFO ] - Exporter sd-avc-cloud - set
[*06/19/2024 13:31:51.1207] Powering ON BLE chip initiated by process iot_radio
[*06/19/2024 13:32:02.6007] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[FAILURE] port_status:[Unauthorized].
[*06/19/2024 13:32:02.6007] check_pnp_dot1x_authentication_status(FAILED). Timestamp being reset.
[*06/19/2024 13:32:03.3347] /sbin/reboot -r "3: PnP Day1 Dot1x authentication failure"
[  OK  ] Stopped target Timers.
<30>systemd[1]: Stopped target Timers.
[  OK  ] Stopped Cisco image/f Stopping Serial G Stopping iCAP daemon...
Stopping Cisco rtd service...
[  OK  ] Removed slice system-sshd\x2dkeygen.slice.
Stopping DHCPv6 client...
Stopping CiscoSSH server daemon...
[*06/19/2024 13:32:03.4267] grep: /storage/base_capwap_cfg_info: No such file or directory
[*06/19/2024 13:32:03.4307] grep: /storage/base_capwap_cfg_info: No such file or directory
Stopping Cisco led service...
[*06/19/2024 13:32:03.4447]
[*06/19/2024 13:32:03.4447] !!!!! {/usr/bin/led_app} Received SIGTERM signal
When I remove the EAP-PEAP configuration, the Claim and PnP process finishes without problems.
What’s your AP Join Profile configuration? How should I configure AP Join Profile to make PnP work without losing access with production APs?
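Added example, not part of the original post: a small Python triage script that pulls the dot1x status checks and the reboot reason out of an AP console log like the one above, so the EAP state sequence and the time to the forced reboot are visible at a glance. The sample lines are constructed from the post's log, the function name `triage` is hypothetical, and the `Authorized` port status value is an assumption, since the post only shows `Unauthorized`.

```python
import re
from datetime import datetime

# Constructed sample: lines shaped like the AP console log quoted in the post.
SAMPLE = """\
[*06/19/2024 13:24:58.2548] PNP CONFIG - Dot1x EAP-TYPE :[EAP-PEAP] Val:[25]
[*06/19/2024 13:24:58.2548] PnP: Restarting device with new dot1x config.
[*06/19/2024 13:25:44.2480] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[IDLE] port_status:[Unauthorized].
[*06/19/2024 13:28:02.4503] hostapd:dot1x: CTRL-EVENT-EAP-FAILURE EAP authentication failed
[*06/19/2024 13:28:40.4327] check_pnp_dot1x_authentication_status(CHECK) wpa_state:[ASSOCIATED] eap_state:[FAILURE] port_status:[Unauthorized].
[*06/19/2024 13:32:02.6007] check_pnp_dot1x_authentication_status(FAILED). Timestamp being reset.
[*06/19/2024 13:32:03.3347] /sbin/reboot -r "3: PnP Day1 Dot1x authentication failure"
"""

LINE = re.compile(r"^\[\*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\] (.*)$")
CHECK = re.compile(r"check_pnp_dot1x_authentication_status\(CHECK\) wpa_state:\[(\w+)\] "
                   r"eap_state:\[(\w+)\] port_status:\[(\w+)\]")
REBOOT = re.compile(r'/sbin/reboot -r "([^"]+)"')

def triage(log_text):
    """Return the dot1x state timeline and reboot reason found in an AP console log."""
    checks, eap_type, reboot = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # untimestamped lines, e.g. systemd shutdown output
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f")
        msg = m.group(2)
        if (c := CHECK.search(msg)):
            checks.append((ts, *c.groups()))  # (time, wpa_state, eap_state, port_status)
        elif "PNP CONFIG - Dot1x EAP-TYPE" in msg:
            eap_type = re.search(r":\[([^\]]+)\]", msg).group(1)
        elif (r := REBOOT.search(msg)):
            reboot = (ts, r.group(1))
    # Assumption: a successful authentication would report port_status "Authorized".
    ever_authorized = any(port == "Authorized" for _, _, _, port in checks)
    window = (reboot[0] - checks[0][0]).total_seconds() if reboot and checks else None
    return {"eap_type": eap_type,
            "eap_states": [eap for _, _, eap, _ in checks],
            "ever_authorized": ever_authorized,
            "reboot_reason": reboot[1] if reboot else None,
            "seconds_first_check_to_reboot": window}

if __name__ == "__main__":
    print(triage(SAMPLE))
```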