C9800-40 17.12.x, C91xx local mode, EAP-FAST authentication to C9300 with a MAB fallback.
After some weeks or months some APs fail to authenticate themselves to the dot1x-secured LAN. Typically after an upgrade some APs are lost. ISE reports:
- Event 5440 Endpoint abandoned EAP session and started new
- Failure Reason 22063 Wrong password
We have a fallback configuration, so all those APs pass via MAB and are working well. That means they get a new config from the WLC during the join. But the APs stay in the wrong-password state.
AP#sho ap authentication status
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=ASSOCIATED
address=ac:4a:56:00:00:00
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE
selectedMethod=43 (EAP-FAST)
eap_tls_version=TLSv1.2
EAP TLS cipher=ADH-AES128-SHA
tls_session_reused=0
EAP-FAST Phase2 method=MSCHAPV2
"clear authentication session" on the switchport or "capwap ap reset" on the AP don't solve the problem.
The only solution is a full reload of the AP. After that each AP authenticates itself correctly and re-authenticates continuously for an unknown time period.
I think it is a task for the TAC but I am trying to ask here first.
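Because the MAB fallback lets a failed AP join the WLC and keep working, a supplicant stuck in the HELD state is silent unless someone looks for it. The script below is an added example (not from the poster, Cisco, or ISE): it parses per-AP `show ap authentication status` output, flags APs whose supplicant did not complete 802.1X, and joins them to the two ISE failure codes named above. The AP names, the second AP's "healthy" output, and the one-line ISE records are constructed; real ISE syslog is far more verbose, so only the MAC and the failure code are extracted from each line.

```python
"""Flag APs whose 802.1X supplicant is stuck (running on the MAB fallback).

Added example, not from the original post. Assumes the per-AP text is the
output of "show ap authentication status" collected by some other tool, and
that ISE events are available as simplified one-line records (constructed
here; real ISE syslog is more verbose).
"""
import re
from typing import Dict, List, Set

# Field values that mean the supplicant did not finish 802.1X. An AP showing
# any of these while it is still joined to the WLC is running on MAB fallback.
STUCK_INDICATORS = {
    "Supplicant PAE state": {"HELD"},
    "suppPortStatus": {"Unauthorized"},
    "EAP state": {"FAILURE"},
}

# ISE codes from the post: 5440 abandoned EAP session, 22063 wrong password.
ISE_FAILURE_CODES = ("5440", "22063")

# Constructed sample: the post's output for a stuck AP, plus a made-up healthy AP.
SAMPLE_STATUS = {
    "AP-FLOOR1-01": """AP#sho ap authentication status
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=ASSOCIATED
address=ac:4a:56:00:00:00
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE
selectedMethod=43 (EAP-FAST)
eap_tls_version=TLSv1.2
EAP TLS cipher=ADH-AES128-SHA
tls_session_reused=0
EAP-FAST Phase2 method=MSCHAPV2
""",
    "AP-FLOOR1-02": """AP#sho ap authentication status
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=ASSOCIATED
address=ac:4a:56:00:00:01
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=43 (EAP-FAST)
eap_tls_version=TLSv1.2
EAP TLS cipher=ADH-AES128-SHA
tls_session_reused=1
EAP-FAST Phase2 method=MSCHAPV2
""",
}

# Constructed, simplified ISE records: a timestamp, the event code, its text,
# and the endpoint MAC. Not the real ISE syslog layout.
SAMPLE_ISE_LOG = [
    "2024-01-01T08:00:00 ise01 5440 Endpoint abandoned EAP session and started new EndPointMACAddress=ac:4a:56:00:00:00",
    "2024-01-01T08:00:05 ise01 22063 Wrong password EndPointMACAddress=ac:4a:56:00:00:00",
    "2024-01-01T08:00:09 ise01 5200 Authentication succeeded EndPointMACAddress=ac:4a:56:00:00:01",
]

MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)
# Match only the known failure codes, so a digit run in a timestamp is never taken as a code.
CODE_RE = re.compile(r"\b(" + "|".join(ISE_FAILURE_CODES) + r")\b")


def parse_status(text: str) -> Dict[str, str]:
    """Turn key=value lines into a dict; split once because values may contain '='."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue  # skips the echoed prompt and blank lines
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def stuck_reasons(fields: Dict[str, str]) -> List[str]:
    """Return the indicator fields (as key=value) that show a failed supplicant."""
    return [f"{k}={fields[k]}" for k, bad in STUCK_INDICATORS.items() if fields.get(k) in bad]


def find_stuck_aps(status_by_ap: Dict[str, str]) -> Dict[str, List[str]]:
    """Map AP name -> indicator list, only for APs that are stuck."""
    return {ap: r for ap, text in status_by_ap.items() if (r := stuck_reasons(parse_status(text)))}


def ise_failures(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect the known ISE failure codes per endpoint MAC."""
    per_mac: Dict[str, Set[str]] = {}
    for line in lines:
        mac, code = MAC_RE.search(line), CODE_RE.search(line)
        if mac and code:
            per_mac.setdefault(mac.group(1).lower(), set()).add(code.group(1))
    return per_mac


def correlate(status_by_ap: Dict[str, str], log_lines: List[str]) -> List[Dict]:
    """One row per stuck AP: its MAC, the AP-side indicators, and ISE codes seen for it."""
    ise = ise_failures(log_lines)
    rows = []
    for ap, reasons in find_stuck_aps(status_by_ap).items():
        mac = parse_status(status_by_ap[ap]).get("address", "").lower()
        rows.append({"ap": ap, "mac": mac, "reasons": reasons, "ise_codes": sorted(ise.get(mac, ()))})
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_STATUS, SAMPLE_ISE_LOG):
        print(f"{row['ap']} ({row['mac']}): {', '.join(row['reasons'])}; ISE codes {row['ise_codes']}")
```

The output lists the APs that need a reload; an AP that is joined to the WLC but appears in this list is the case the post describes, working only because of the MAB fallback.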