3800 Series APs (possibly other models) will not accept Apple Device associations (iOS 12.1.4)

dtmyers · ‎03-25-2019

Symptoms:

iOS devices running 12.1.4 failed to connect via 3802 access points, in a WLAN infrastructure running 8.3.143.0 on 5520 WLC hardware in an SSO configuration.

Diagnosis:

Upon initial testing I found that my personal iPad 2 running v10.3.3 connected without issue (and that was the case anywhere on campus).

I also replaced (1) single 1852 AP on a floor full of 3802's and the 1852 associated and connected running v12.1.4 iOS on an Apple device.

Solution:

I recalled the collaboration and synergy between Cisco and Apple - that the new 5520’s and our current code version supported the new “Fastlane” feature (QoS, and other enhancements targeted at iOS devices).

With our “new” site-to-site 5520 WLAN infrastructure only week’s old, it would prove to afford me a vehicle to test with, as I have access to a SSO-pair in our DR site, so I knew I could invoke the Fastlane configuration change without impacting any users (at least initially).

So I made the configuration change on the secondary SSO-pair in our DR site, and then simply migrated one of the affected 3802 access points from production to DR.

Immediately upon testing this proved to be the cure for the failing iOS devices, I have since migrated a couple more APs to the secondary-site controllers, and all have worked like a charm.

Hopefully some of the Cisco collaborators can speak to the specifics, as to why only some models of APs are affected, and why newer iOS device versions displayed this issue, while I older versions of Apple code were oblivious.

I also hope this helps someone and prevents them from days of troubleshooting.

Carlo Terminiello · ‎04-02-2019

Hi,

You don't mention if you are running different code version in both environments? what is the authentication scenario? .1x? have you had a look at debug client and debug aaa logs for anything out of the ordinary? Comparing debugs between the working and non working environments may help here.

rgds

C

t-malensek · ‎04-05-2019

Y

t-malensek · ‎04-05-2019

I have the same wlc and iOS version with same 3802 that I am deploying in a new building. Because there is no cell coverage in the basement the construction workers are using wi-fi calling. Seems like all non-apple devices work fine but iPhone don’t. I tried fast lane and now the iphones work most of the time. However this is a guest ssid and see that fast lane put qos into the highest priority which is not good. Also if I replace the 3802ap with a 3700 series I have no issues. Cisco also said to put my guest radio to use 5ghz and it appears to work that way as well but I want 5ghz to be only for production. I am planning on spinning up another wlc to try different wlc codes. Any ideas would be welcome.

dtmyers · ‎04-10-2019

@carlo

No I wouldn't mix code versions in a site-to-site failover scenario (8.3.143.0 code throughout), PEAP authenticated clients via ACS (soon to betransition RADIUS autentication via ISE).

No interesting or correllated traffic through debugs, Having already found the fix I simply wanted to communicate the resolution in an attempt to save someone else the hours I spent trying to resolve the issue.

dtmyers · ‎04-10-2019

@ t-malensek

I firmly believe this scenario will only manifest itself in a 5Ghz only SSID, as our mixed radio SSID had no issues.

Thanks for the input on the 3700 series, may narrow the issue to just 3800 series then.

This will likely be fixed with a patch soon, or possibly newer versions already have the required code to eliminate the issue.

But running Fastlane in a 5Ghz environment is desirable for iOS, but needs to be documented if this is what Cisco intends for the configuration (or parameters) to consist of.