9800-CL WLC Repeated Client Exclusion for Wrong PSK

CARL90
Level 1

I've recently inherited a 9800-CL WLC with a somewhat questionable configuration. It seems to be working as expected; however, reviewing the syslog shows regular, repeated errors. The error in question is:

%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: dcb5.XX was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 84f1.XX, reason:Wrong PSK

I'm seeing these appear about once per minute or more. The error is thrown repeatedly for the same device every few minutes; it appears with a decent number of devices causing the error while on-site. Oddly enough, there haven't been any reported issues with disconnects or failure to connect. From what I've found, based on the MAC address, every device being reported is an Apple device, almost certainly an iPhone that is issued to users. Is there any specific configuration that may have been misconfigured that might cause this issue? Any ideas would be greatly appreciated.
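A quick way to turn a syslog like the one above into numbers (how many exclusions per client, how close together, on which APs) before opening a case. This is an added Python example, not part of the post and not Cisco tooling; the log excerpt it parses is constructed in the message format quoted above with made-up MAC addresses and AP names, and the thresholds in repeat_offenders are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog excerpt in the 9800 format shown in the thread.
# MACs (locally administered 0200.*) and AP names are made up for the example.
SAMPLE_LOG = """\
Aug 10 22:03:37.536: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 0200.0000.00a1 was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 0200.0000.0b01, reason:Wrong PSK
Aug 10 22:04:41.102: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 0200.0000.00a1 was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 0200.0000.0b01, reason:Wrong PSK
Aug 10 22:05:02.877: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 0200.0000.00b2 was added to exclusion list associated with AP Name:AP007, BSSID:MAC: 0200.0000.0b07, reason:Wrong PSK
Aug 10 22:05:44.310: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 0200.0000.00a1 was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 0200.0000.0b01, reason:Wrong PSK
Aug 10 22:06:10.000: %SOME_OTHER_FACILITY-6-INFO: unrelated line that must be ignored
"""

# Timestamp prefix as the constructed lines carry it (no year, as in the IOS XE default).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")

# Fields of the exclusion message body quoted in the post.
EXCLUSION_RE = re.compile(
    r"%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: .*?"
    r"Client MAC: (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) was added to exclusion list "
    r"associated with AP Name:(?P<ap>[^,]+), BSSID:MAC: (?P<bssid>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}), "
    r"reason:(?P<reason>.+?)\s*$"
)


def parse_exclusions(text: str) -> list:
    """Return one dict per exclusion event (ts, mac, ap, bssid, reason); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = EXCLUSION_RE.search(m.group("msg"))
        if not e:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        events.append({"ts": ts, **e.groupdict()})
    return events


def summarize(events: list) -> dict:
    """Per client MAC: how many exclusions, on which APs, for which reasons, and the shortest gap between two."""
    per_mac = defaultdict(list)
    for ev in events:
        per_mac[ev["mac"]].append(ev)
    summary = {}
    for mac, evs in per_mac.items():
        evs.sort(key=lambda ev: ev["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[mac] = {
            "count": len(evs),
            "aps": sorted({ev["ap"] for ev in evs}),
            "reasons": sorted({ev["reason"] for ev in evs}),
            "min_gap_s": min(gaps) if gaps else None,
        }
    return summary


def repeat_offenders(summary: dict, min_count: int = 3, max_gap_s: float = 120.0) -> list:
    """MACs excluded at least min_count times with consecutive exclusions no more than max_gap_s apart.

    Both thresholds are assumptions for the example; pick values that match your exclusion timeout."""
    return sorted(
        mac for mac, s in summary.items()
        if s["count"] >= min_count and s["min_gap_s"] is not None and s["min_gap_s"] <= max_gap_s
    )


if __name__ == "__main__":
    summary = summarize(parse_exclusions(SAMPLE_LOG))
    for mac, s in summary.items():
        print(mac, s)
    print("repeat offenders:", repeat_offenders(summary))
```

Feed it `show logging` output (or the syslog server's archive) instead of SAMPLE_LOG; a client that reappears roughly every exclusion timeout on the same AP, as 0200.0000.00a1 does in the constructed data, is the pattern the original post describes, whereas a client spread over many APs with long gaps is more likely a genuine wrong passphrase.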

21 Replies

Currently running 17.8.1 

jagan.chowdam
Spotlight

Cisco IOS XE 17.8.1 is a short-lived release with no MRs planned. For all features and hardware supported starting 17.8.1, it is recommended to use 17.9.4 + SMU_CSCwh87343 + APSP (as needed) OR 17.9.4a + APSP (as needed).

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html#toc-hId--897198255

I would upgrade WLC to stable 17.9.4a code to make sure I'm not hitting any bugs.

Jagan Chowdam

/**Please rate helpful responses**/

 

eglinsky2012
Spotlight

@CARL90- Did you find a resolution to this? I'm having the same issue with some older Paciolan-supplied ticket scanners after moving APs from 8540 to 9800. It's only an issue with these specific scanners. Newer Android-based scanners and my iPhone are able to connect, so I know that the PSK, VLAN, etc. are configured correctly. I did try enabling fast transition with "PSK" and "FT-PSK" as mentioned in another thread with no luck.

We attempted the 9800 migration with 17.9.4 last summer, and we opted to move the needed APs back to the 8540 to get through the school year. We're trying again and it continues on 17.9.5 APSP5. As soon as we move the APs back to the 8540, the scanners connect successfully.

From the debug analyzer:

2024/08/10 22:03:34.524 dot11 Association success for client, assigned AID is: 2. Client performed fast roam.
2024/08/10 22:03:34.540 client-keymgmt Could not validate MIC received in M2 message
2024/08/10 22:03:34.540 client-keymgmt Fast roam key validation failure on M2
2024/08/10 22:03:35.539 client-keymgmt Could not validate MIC received in M2 message
2024/08/10 22:03:35.539 client-keymgmt Fast roam key validation failure on M2
2024/08/10 22:03:36.557 client-keymgmt Could not validate MIC received in M2 message
2024/08/10 22:03:36.557 client-keymgmt Fast roam key validation failure on M2
2024/08/10 22:03:37.536 client-keymgmt Reached maximum retries for M1
2024/08/10 22:03:37.536 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_EXCLUDE_WRONG_PSK. Explanation: Client excluded due to wrong PSK password. Actions: Check PSK configuration on client
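The "Could not validate MIC received in M2 message" line is the controller's only direct evidence for "Wrong PSK": it derives a PTK from its own configured passphrase plus the two nonces and checks that the client's message 2 MIC was computed with the same key. The following is an added worked example of that check, written from the standard WPA2-PSK key hierarchy (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 MIC for key descriptor version 2); it is not part of the post and not Cisco code. The SSID, MAC addresses, nonces and passphrases are constructed, and the frame layout is the plain (non-FT) EAPOL-Key format.

```python
import hashlib
import hmac

# Offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then descriptor type (1),
# key info (2), key length (2), replay counter (8), nonce (32), IV (16), RSC (8),
# ID (8), MIC (16), key data length (2), key data.
NONCE_OFFSET = 17
MIC_OFFSET = 81
KEY_INFO_M2 = 0x010A  # key descriptor version 2 (HMAC-SHA1-128), pairwise, MIC bit set


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512 on HMAC-SHA1, as used by the WPA2-PSK key hierarchy."""
    out = b""
    for i in range(4):  # 4 x 160 bits, truncated to 512 bits
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(nonces)||Max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)  # KCK=[:16], KEK=[16:32], TK=[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC for key descriptor version 2: HMAC-SHA1 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(passphrase, ssid, aa, spa, anonce, snonce, replay_counter=1) -> bytes:
    """Supplicant side of M2: its SNonce, its RSN IE, and a MIC keyed with the KCK it derived."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP, AKM PSK (constructed)
    body = (
        bytes([0x02])                           # descriptor type: RSN key descriptor
        + KEY_INFO_M2.to_bytes(2, "big")
        + (0).to_bytes(2, "big")                # key length is 0 in M2
        + replay_counter.to_bytes(8, "big")
        + snonce + bytes(16) + bytes(8) + bytes(8)
        + bytes(16)                             # MIC placeholder, filled in below
        + len(rsn_ie).to_bytes(2, "big") + rsn_ie
    )
    frame = bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_m2(frame, configured_passphrase, ssid, aa, spa, anonce) -> bool:
    """Authenticator side: derive the PTK from ITS configured PSK and the nonces, recompute and compare the MIC."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk_from_passphrase(configured_passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def scenario() -> dict:
    """Constructed exchange: one client with the WLC's PSK, one with a different PSK."""
    ssid = "TICKET-SCANNERS"                              # constructed
    aa = bytes.fromhex("020000000001")                    # AP BSSID (constructed, locally administered)
    spa = bytes.fromhex("020000000002")                   # client MAC (constructed)
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed; real nonces are random
    wlc_psk = "correct-psk-on-the-wlc"
    m2_good = build_m2(wlc_psk, ssid, aa, spa, anonce, snonce)
    m2_bad = build_m2("different-psk-on-client", ssid, aa, spa, anonce, snonce)
    return {
        "matching_psk": verify_m2(m2_good, wlc_psk, ssid, aa, spa, anonce),
        "mismatched_psk": verify_m2(m2_bad, wlc_psk, ssid, aa, spa, anonce),
    }


if __name__ == "__main__":
    print(scenario())
```

Only the MIC comparison is visible to the controller, so any cause of PTK disagreement (a different passphrase, a different SSID string feeding PBKDF2, or a PMK that came out of a different key hierarchy, as on the fast-roam path in the log above) is reported under the same "Wrong PSK" reason. That is why a device that works on the 8540 with an identical passphrase can still be excluded on the 9800: the check tells you the keys differ, not why.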

@eglinsky2012 

This is beginning to look like CSCvz96924.

I don't know if that's the issue since the AP had just rebooted as part of the controller move/code upgrade.

Presume you've tried obvious things like a different PSK - change/remove special characters, shorten the length of the string, etc.?

@Rich R- Thanks, good thoughts. The PSK is 48 characters with only numbers and letters. I thought it might be an issue with inputting to the tiny box in the GUI, so I tried with CLI instead with no luck. And, it does work with other devices. Maybe I'll give shortening it a try, though that would require a lot of coordination with the users as there are a couple dozen of these devices.

This brings me back to something that a Wyebot sensor informed me about a while back when we were testing it. We inadvertently had had one of several APs on an 8540 instead of a 9800 in the room the Wyebot was in, and the Wyebot warned about a discrepancy in encryption/security between the same SSID broadcast by the 8540 AP and the 9800 APs, even though they both had identical configuration on both WLCs, and no clients (that I'm aware of) have an issue connecting to the SSID on either controller, except these ticket scanners on the 9800s. The discrepancy was between WPA2-Enterprise SSIDs and not WPA2-Personal, but perhaps that difference applies to Personal as well. Unfortunately, I no longer have access to the Wyebot to see if the difference applies to PSK SSIDs and what exactly the discrepancy was. Thought I'd bring this up in case anyone else knows anything more about this discrepancy.
