9800 WLC AAA-override flex SSID, client exclusion - SSID FAILURE

mqontt (Level 1):

Hi Guys,

I'm testing out the 9800 WLC (version 17.9.3) with a 9120 AP.

I created an AAA-override WLAN (ISE pushes the VLAN ID to point the client to the right VLAN, using a flex profile and mapping the VLAN names to VLAN numbers).

However, when the client tries to connect to this SSID it is not able to associate.

I ran debugs and I can see (also on ISE) that the client goes through the dot1x authentication phase and it seems to succeed, since I can see an access-accept with the proper attribute (VLAN name) coming from ISE to the WLC.

However, the client is always put into the exclusion list with the reason "Service Set ID failure", which I have never seen before, nor have I a clue what it could mean.

Does anyone have any idea what to look out for?

SANET_AUTHZ_FAILURE - Service Set ID Failure, username CN=CLIENTCERT.LOCAL.DOMAIN, audit session id DEFCA8C00000007FE68ED912

[088e.90e3.abd4:capwap_90000004] Authz failed/unapplied), method: dot1x. Signal switch PI.

%SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (088e.90e3.abd4) on Interface capwap_90000004 AuditSessionID DEFCA8C00000007FE68ED912. Failure Reason: Service Set ID Failure.

%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: R0/0: wncmgrd: Client MAC: 088e.90e3.abd4 was added to exclusion list associated with AP Name:APAC4A-56BE-B784, BSSID:MAC: 045f.b91e.f96e, reason:Service Set ID failure


Hi

Service Set ID (SSID) seems to be related to the WLAN. Is there any SSID ID attached to the ISE rule?

Yes, there is a condition on that policy: "Radius Called-Station-ID" ENDS_WITH ssidname

It's strange that this works normally on the 5520.

I was wondering if this could maybe have something to do with the fact that I didn't delete the previous client authentications from ISE when they were connected to an AP that is on the 5520 controller.

In the debugs I can see this as well:

[sanet-shim-translate] [21213]: (ERR): 088e.90e3.abd4 : Policy resolution failure in sanet, code = 24, Service Set ID Failure

Policy resolution failure in SANET would mean that ISE was not able to resolve the policy?

docjb0221 (Level 1):
You might need to make sure ISE isn't trying to use a dACL. I believe dACLs in flexconnect mode are not supported on the 9800s. See https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/config-guide/b_wl_17_10_cg/m_dACL.html.

Hi,

For this SSID we do not have dACLs configured. However, we do have them for some other SSID.

But if I create them manually on the WLC and push them to the AP via the Flex Profile, then they should work, right?

- FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb20613

Also have a checkup review of the 9800 WLC configuration with the CLI command show tech wireless; have the output analyzed with https://cway.cisco.com/wireless-config-analyzer

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Bingo!

This is most likely what I'm encountering.

Since the policy set's result is an Authorization profile with 2 different cisco-av-pair ssid values sent in the access-accept, I wouldn't have thought that this could be causing issues.

Thanks a lot!
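An added check, not from this thread or from Cisco, that models the failing condition the thread settles on: an Access-Accept carrying two different cisco-av-pair ssid values for a client on an AAA-override WLAN. The rule it enforces (every ssid= av-pair must name the WLAN the client associated to, and there must be no conflicting values) is an assumption about the 9800's authorization check, not documented WLC logic; the Access-Accept and its SSID/VLAN names are constructed, while the exclusion-list log line is the one quoted in the original post.

```python
import re

# Constructed Access-Accept modelled on the thread: a VLAN name via
# Tunnel-Private-Group-ID plus two *different* ssid= av-pairs, which is the
# condition the thread identifies as the cause of "Service Set ID Failure".
ACCESS_ACCEPT = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "802",
    "Tunnel-Private-Group-ID": "EMPLOYEE_VLAN",           # constructed VLAN name
    "cisco-av-pair": ["ssid=corp-dot1x", "ssid=guest-psk"],  # constructed SSIDs
}

# Exclusion-list syslog line as quoted in the original post.
SAMPLE_LOG = ("%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: R0/0: wncmgrd: "
              "Client MAC: 088e.90e3.abd4 was added to exclusion list associated with AP "
              "Name:APAC4A-56BE-B784, BSSID:MAC: 045f.b91e.f96e, reason:Service Set ID failure")


def ssid_avpairs(accept):
    """Return the distinct ssid= values carried in cisco-av-pair attributes."""
    values = set()
    for av in accept.get("cisco-av-pair", []):
        m = re.fullmatch(r"\s*ssid\s*=\s*(\S+)\s*", av)
        if m:
            values.add(m.group(1))
    return values


def check_ssid_authz(accept, client_ssid):
    """Assumed model of the WLC SSID authorization step (not Cisco's code):
    conflicting ssid= av-pairs, or an ssid= that does not match the WLAN the
    client associated to, fail authorization. Returns (ok, reason)."""
    ssids = ssid_avpairs(accept)
    if len(ssids) > 1:
        return False, f"conflicting ssid av-pairs in Access-Accept: {sorted(ssids)}"
    if ssids and client_ssid not in ssids:
        return False, f"ssid av-pair {sorted(ssids)} does not match client SSID {client_ssid!r}"
    return True, "ok"  # no ssid= av-pair at all also passes this check


# Pulls the client MAC and exclusion reason out of the wncmgrd syslog line,
# so dynamic exclusions with this reason can be alerted on rather than found by debug.
EXCLUSION_RE = re.compile(
    r"Client MAC: (?P<mac>[0-9a-f.]+) was added to exclusion list.*reason:(?P<reason>.+)$")


def parse_exclusion(line):
    m = EXCLUSION_RE.search(line)
    return (m.group("mac"), m.group("reason").strip()) if m else None
```

Run the check against the Access-Accept ISE actually returns (for example, from an ISE live-log detail export) to confirm the authorization profile carries a single ssid value before assuming a VLAN-mapping problem in the flex profile.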
