12-12-2023 05:53 AM
Hello,
I am having a complicated issue. I am doing some tests with the TAC, but it's a bit more than that, I believe. Here is my problem: when you connect to the network the first time, it works fine. If you click disconnect and reconnect, it says "Can't connect to this network" every single time. You either have to reboot, or wait 10m and try again and it will work.
We have an SDA Fabric / certificate auth for the corpo wireless, but it always works the first time, after 10m or after a reboot.
I did a radioactive trace from the WLC. The successful attempt is a 30-60s trace of the login and the failed one is the same. The successful one is bigger in size because I waited for the connection to succeed, and the failed one fails right away.
Thank you for the help in advance
**More info: the issue started 2 months ago; it worked perfectly before that. I did tons of OS-side troubleshooting but nothing works on the OS side, it won't reconnect.
12-18-2023 11:07 AM
Can you upload the RA trace from the WLC with the failed attempt?
12-18-2023 11:22 AM
Sorry really thought I did... let me give you some context.
SuccessLogin is the RA after a reboot, first connection.
The second is after I hit "Disconnect" and "Reconnect" right away and it failed,
but it also fails if I move in the building with the laptop; it doesn't connect to other APs without a reboot or 10 minutes without changing location.
12-18-2023 11:37 AM
well... from this entry "%DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (6449.7d7f.ec57) with reason (Cred Fail) on Interface capwap_9000000c AuditSessionID 11296E0A000747215E2CFB83 Username: host/L301043.******.org" it looks like the endpoint fails to authenticate. Do you have the failed session record from ISE?
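The fields in the WLC message quoted above are what tie a failure to its ISE session record. The following is an added example, not part of the thread or Cisco's tooling: it extracts them from `%DOT1X-5-FAIL` lines and groups failures per client. Function names are hypothetical; the first sample line is the one quoted in the post, the other two are constructed.

```python
import re
from collections import defaultdict

# Matches the WLC "%DOT1X-5-FAIL" message layout quoted in the post above.
DOT1X_FAIL = re.compile(
    r"%DOT1X-5-FAIL: .*?Authentication failed for client \((?P<mac>[0-9a-f.]+)\) "
    r"with reason \((?P<reason>[^)]+)\) on Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<session>\S+) Username: (?P<user>\S+)",
    re.IGNORECASE,
)

SAMPLE_LINES = [
    # From the thread (username redacted by the poster).
    "%DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (6449.7d7f.ec57) "
    "with reason (Cred Fail) on Interface capwap_9000000c "
    "AuditSessionID 11296E0A000747215E2CFB83 Username: host/L301043.******.org",
    # Constructed: same client, different session and a user-style identity.
    "%DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (6449.7d7f.ec57) "
    "with reason (Cred Fail) on Interface capwap_9000000c "
    "AuditSessionID AAAAAAAAAAAAAAAAAAAAAAAA Username: jdoe@example.org",
    # Constructed: unrelated line that must be ignored.
    "constructed unrelated log line with no 802.1X failure",
]

def parse_fail(line):
    """Return the failure fields as a dict, or None if the line is not a DOT1X failure."""
    m = DOT1X_FAIL.search(line)
    return m.groupdict() if m else None

def is_machine_identity(user):
    """Windows machine (computer) authentication presents an identity prefixed 'host/'."""
    return user.lower().startswith("host/")

def failures_by_client(lines):
    """Group parsed failures by client MAC so repeated failures stand out."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_fail(line)
        if rec:
            grouped[rec["mac"].lower()].append(rec)
    return dict(grouped)

if __name__ == "__main__":
    for mac, recs in failures_by_client(SAMPLE_LINES).items():
        for r in recs:
            kind = "machine" if is_machine_identity(r["user"]) else "user"
            print(mac, r["reason"], r["session"], kind, r["user"])
```

The `AuditSessionID` is the value to search for in the ISE live logs, and comparing the identity type across the working and failing attempts shows whether the client presented a different identity on reconnect.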
12-18-2023 11:57 AM
Yes, this is the error I have, but we use certificate authentication so there is no username-password to actually enter.
The first time it works right away, the certificate is fine, but if you move in the building or disconnect-reconnect it gives this error.
12-18-2023 10:48 PM
So do you have the failed log entry from ISE to share here?
12-19-2023 05:04 AM
This is the failed authentication log. I will try to do an endpoint debug in ISE. Maybe I can see which certificate is used on each attempt.
Do you have any troubleshooting steps I could do? I think the issue is most likely related to the certificate being used.
12-19-2023 06:40 AM - edited 12-19-2023 06:41 AM
Interesting case. You have the rightmost output cut off in the PDF, thus I can only guess about what is in use.
22072 Selected identity source sequence - ISQ_
22070 Identity name is taken from certificate attr
22047 User name attribute is missing in client ce
Subject - Common Name
Looks like ISE complains that the client certificate's Subject CN attribute is either missing or contains wrong data. Try to collect a tcpdump of the failed session on the PSN. You will find in the capture the certificate sent by the client. There should be a CN= attribute & I guess it should look like a hostname or FQDN.
12-19-2023 06:27 AM
Hello Andy,
I found something weird. When I do the endpoint debug, it suddenly works. I can connect/disconnect/connect without any issues. As soon as I end the debugger the issue happens again; it says "Can't connect to network".
12-19-2023 07:21 AM
I'd advise opening a case with TAC.