After upgrade to 8.5.135, 2800i connected to MAB ports are generating auth errors. All the other APs are fine.

Vasco Costa
Level 1

Hi,

I've migrated a couple of 5520 from 8.5.120 to 8.5.135 to solve the CSCvi63043 bug that was affecting some 2802i.

The upgrade solved that bug but now, in 3 out of 4 2802i APs, we noticed that every 15 minutes or so, the APs would lose connection to the WLC and recycle the registration process. After some troubleshooting and config analysis, we noticed that the only difference was the authentication order configured in the 3850 switch port:

with the order set to authentication order mab dot1x the 2802i stays registered in the WLC

with the order set to authentication order dot1x mab the 2802i generates authentication errors until it reauthenticates and registers again in the controller.

Only the 2800 are affected. The other AP types (2600, 2700, 1532) are working without any issues.

Has anyone seen this behaviour?

Cheers,
Vasco
Accepted Solutions

Issue was traced to a bug in the ISE 2.1. The AP MAC addresses were deleted from the MAC auth list.
Upgrading the ISE solved the issue.
Cheers,
Vasco

3 Replies

Leo Laohoo
Hall of Fame
Don't let AP ports join 802.1x. Just give them static VLAN assignments.

That's not an option for that customer. And it's very hard to justify that solution since the configuration has been working perfectly well for more than 3 years with all the other AP types. It should also work with the new 2800 or they might consider changing those APs.

Cheers,
Vasco