Re: Android 10 won't connect to secure SSID

savicmilos789 · ‎04-29-2025

Hi everyone,
At our factory, we’re experiencing a strange issue with one device and our Wi-Fi network. We're using a Cisco WLC 9800 controller with C9120AXI-E and AIR-AP2802I-E-K9 access points. We have two SSIDs: “secure” and “guest.”

The problem is with connecting a Unitech PA710 industrial phone to the secure network. It connects to the guest network without any issues. The device is running Android 10, and no further updates are available.

According to our monitoring tools, there are no connection attempts from this device to the secure SSID. The error shown on the Android device is:
NETWORK_SELECTION_DISABLED_ASSOCIATION_REJECTION

Rich R · ‎04-29-2025

That means there is some kind of technical incompatibility between the device and the WiFi.
For example if it is trying to use WPA+TKIP instead of WPA2+AES.
You'll need to get the technical spec of the device from the manufacturer or get an OTA (Over The Air) packet capture to see what it is trying to do that's causing the problem.
Sometimes these custom devices using very old, cheap WiFi chipsets with equally old drivers which don't support newer generations of WiFi so the outcome might be that you need to upgrade the device to a newer generation of product to work with modern WiFi solutions. Unfortunately you can't expect antique products to work forever with newer generations of technology - at some point you have to upgrade.

You could also try doing a debug on the client MAC on the AP.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Saikat Nandy · ‎04-29-2025

Let me take a step back and try to connect few dots here since we don't know the version your WLC is running, SSID config etc.

Regular google search of "Unitech PA710 industrial phone" gives me - https://www.info-kod.com/datastore/filestore/48/PA700_Brochure_EN.pdf and probably this is the one you are using as well. I am not getting anything else. If you have the specific data sheet, certainly we can have a look here. If the above link is the right one, then it supports 802.11 b/g/n only. We don't have any other information whether it likes 802.11k/v/r etc or any specific types of AKM settings. So you might have to play with these settings a bit.

Secondly 'NETWORK_SELECTION_DISABLED_ASSOCIATION_REJECTION' it means that assoc is getting rejected and potential root cause would be that the device is sending some parameters/IE in the assoc which might be not configured in the WLAN settings or not liked by the AP/WLC.

As @Rich R mentioned, your first step here would be to start debugging. Take -

9800 RA trace + EPC - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html

AP client trace - https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/200480-Troubleshooting-Guide-for-Wireless-Clien.html (Section -2800/3800 Series | AP-COS Debug Commands)

OTA - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217057-configure-access-point-in-sniffer-mode-o.html and if you have a macbook - https://www.cisco.com/c/en/us/support/docs/wireless-mobility/80211/200527-Fundamentals-of-802-11-Wireless-Sniffing.html

Last but not the least, guessing this issue could be CSCvu24770

Leo Laohoo · ‎04-29-2025

What firmware is the controller on?

And I agree with @Saikat Nandy, that this could, potentially, be CSCvu24770.

savicmilos789 · ‎04-29-2025

I apologize — I accidentally posted the wrong phone model number in my initial post.

WLC 9800-L Software version 17.9.5
Unitech PA760: https://www.ute.com/en/products/detail/PA760

9800 RA Trace:

Logging display requested on 2025/04/30 06:57:36 (Central) for Hostname: [WLC-9800-IT], Model: [C9800-L-F-K9 ], Version: [17.09.05], SN: [FOC23516D04], MD_SN: [FCL235100A6]

This is everything RA Trace captured.

I’ll do the packet sniffing part later today and post the results once I’m done.

marce1000 · ‎04-29-2025

- @savicmilos789 If you talk about RA Trace , then you need to execute instructions from :
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity

To have a complete overview of the client's behavior when it is connecting or trying to.
These so called Radio Active traces can be analyzed with Wireless Debug Analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎04-29-2025

Even more reason to believe that the client is being affected by CSCvu24770 because it's not actually attempting to associate.
"Some Android 10 clients have a bug wherein, if they encounter a "DEO_IE", they fail to attempt to associate."

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Rich R · ‎04-29-2025

Ok so now we know it's a reasonably modern (802.11ac) piece of hardware running Android 10, WLC running 17.9.5 and the WLAN is WPA2,802.1x,AES so I'd concur with Leo and Saikat that CSCvu24770 is a very strong possibility so read it through and check your settings.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

savicmilos789 · ‎04-30-2025

debugTrace_0016.0946.5d30 secure.txt is RA Trace from WLC 9800 when Android device is trying to connect to secure network
debugTrace_0016.0946.5d30 guest.txt is RA Trace from WLC 9800 when Android device is trying to connect to guest network (works fine)
sniffer.pcapng is captured OTA when Android device is trying to connect to secure SSID

AP used as sniffer is C9120AXI-E, I’ve followed the procedure given by Saikat Nandy in the link.

MHM Cisco World · ‎04-30-2025

What is authc you use ?

PEAP-TLS or EAP-TLS' issue come from win10 cert. It not validate wlc (server) cert.

MHM

savicmilos789 · ‎04-30-2025

PEAP-TLS, we have many phones that works perfectly fine.

MHM Cisco World · ‎04-30-2025

And you use wildcard cert. For ISE server?

MHM

savicmilos789 · ‎04-30-2025

Yes, and it is active

Leo Laohoo · ‎05-03-2025

Reboot the AP and see if it works.

Saikat Nandy · ‎04-30-2025

I have gone through your logs and unfortunately not helping as such. I can see that the phone can connect to the guest SSID - which is a local web auth based SSID. The other RA file is empty - so not helping. At the same time if I look into the OTA, I can only see a bunch of probes coming out from this device but there is no response. So the next step would be to take the AP client trace (in fact I will encourage to take everything - WLC RA, AP client debug & trace + OTA all in sync). While taking AP client trace you can add 'debug client <client mac>' along with rest of the commands. In addition to that, 'show tech wireless' from WLC will be helpful.