
5520-WLC: Dynamic Client Exclusion due to 802.11 ASSOC FAILURE

Vaishnavi1
Level 1

Clients connecting to specific SSIDs of Cisco 5520 WLC (IOS 8.10.x) are not getting IP addresses and are dynamically getting added to an exclusion list, with the reason listed as "802.11 Assoc Failure".

Expected behaviour: users have to get a captive portal for entering credentials but these clients are not getting any portal or IP address.

 

 


marce1000
Hall of Fame

 

 - You need to get into the reason for the failure of the client to get an IP address; for that, have a checkup of the controller configuration according to: https://community.cisco.com/t5/networking-knowledge-base/show-the-complete-configuration-without-breaks-pauses-on-cisco/ta-p/3115114#toc-hId-1039672820 , you can have this analyzed with: Wireless Config Analyzer

 Further on you can debug clients using instructions mentioned in: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/100260-wlc-debug-client.html
 You can have client debugs analyzed with: https://cway.cisco.com/tools/WirelessDebugAnalyzer/

 Use latest advisory release: https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.190.0

 In theory you can disable client exclusion on a particular WLAN: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_5E9C14D0D3A249A2986A15B65866F48F but that does not tackle the original problem,

 M.
                                       



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

How is the SSID configured?

Are any clients able to connect to it?

Are any clients connected to the wireless off this WLC at all?


SSID configured to allow clients based on MAC filtering & ISE authentication when clients enter credentials in a captive portal.

No clients able to connect to this SSID, other SSID working fine.

Yes, clients are connected to Internet successfully when trying on local Business SSID.

Leo Laohoo
Hall of Fame

Is this happening to all WiFi clients attempting to associate to the SSID or just a handful?

On the SSID, is DHCP Address Assignment set to Required?

 

Yes, same for all clients connecting to this SSID. Other SSID (local Business SSID) is working fine. DHCP Address Assignment is set to Required.

Rich R
VIP

So it's obviously a problem with your SSID (WLAN) configuration. As Marce suggested already, check your config, make sure your software is up to date and then debug a client and run the output through debug analyzer. That might reveal the answer straight away or at least show you where to start looking. You still didn't answer the question though about this SSID - is it open, WPA2 PSK or 802.1x?

More generally check your config against the config guides and best practice guide (link below).
Since the clients are never able to associate it must be failing at the MAB stage and never using fallback to web auth on MAC auth failure.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wlan_security.html
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html

After making a few changes to the SSID, such as updating the enable session timeout, based on previous debug logs, we are now seeing a different association error.

SSID is based on MAC Filtering and configured with ISE as AAA servers.

 

Vaishnavi1
Level 1

New errors we are seeing for this SSID Clients

Is your MAB authentication condition set to "continue" if the user is not found?

-hope this helps-

 

> ....New errors we are seeing for this SSID Clients

 - Check the radius server's logs for these authentications,

 M.




Wireless Debug Analyzer should not be trusted at all.  Read THIS.  
