Re: Apple Devices - Not Connecting to Cisco Access Point

RS19 · ‎01-17-2021

I am running Cisco 5520 Wireless Controller.

The AP model is AIR-AP1852I-Q-K9 , The IOS version is 8.8.130.0

There are 2 SSIDs configured

SSID#1 : INTRA_WIFI - For Internal Wireless LAN network : Uses certificate authentication

SSID#2 : GUESTWIFI - For guest Internet access : Uses username & password authentication : PSK (WAP2/WAP3 personal)

There are nearly 50 APs. We rebooted all the APs as part of maintenance.

After the APs are rebooted,

1. Users using iPhone/ipad are not able to connected to GUESTWIFI (Users got password incorrect msg)

2. Laptop users are able to connect to GUESTWIFI

3. Laptop Users are able to connect to INTRA_WIFI (iPhone users are not allowed to connected to INTRA_WIFI)

1. Users using iPhone/ipad are not able to connected to GUESTWIFI (Users got password incorrect msg)

Eventhough the password is correct users are not able to login via iPhone/ipad

We again rebooted all the APs & after that the users are not facing the same issue. The issue got resolved.

Is there any reason for this to happen? Below are some of the logs which I found in the WLC.

*Dot1x_NW_MsgTask_4: Jan 15 10:06:25.524: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:756 Client 8a:33:b9:93:e4:9c may be using an incorrect PSK
*Dot1x_NW_MsgTask_1: Jan 15 08:52:59.721: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:756 Client 56:fa:d5:01:e8:19 may be using an incorrect PSK
*Dot1x_NW_MsgTask_1: Jan 15 10:01:00.477: %DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:452 Invalid replay counter from client 98:00:c6:d1:d4:19 - got 00 00 00 00 00 00 00 04, expected 00 00 00 00 00 00 00 00

Leo Laohoo · ‎01-17-2021

Do you have any debugs when the authentication fails?
Have you tried using OPEN authentication (as a test)?

RS19 · ‎01-17-2021

Do you have any debugs when the authentication fails?
Yeah I have taken the debug log, when it fails.
Have you tried using OPEN authentication (as a test)?
Just want to clarify. You mean, access the GUESTWIFI without authentication. If that is the case, no I have not done it.

Leo Laohoo · ‎01-17-2021

@RS19 wrote:
Yeah I have taken the debug log, when it fails.

Attach the debugs so we can have a look.

@RS19 wrote:
no I have not done it.

Try it.

RS19 · ‎01-17-2021

I can not share the full debug logs.

Please find the logs related to the MAC address of the device which had the problem.

*dot1xMsgTask: Jan 15 15:43:28.171: %DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (2) - client 56:fa:d5:01:e8:19
*Dot1x_NW_MsgTask_1: Jan 15 15:33:11.570: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:756 Client 56:fa:d5:01:e8:19 may be using an incorrect PSK
*Dot1x_NW_MsgTask_1: Jan 15 13:30:37.692: %DOT1X-3-CLIENT_NOT_FOUND: dot1x_msg_task.c:1787 Unable to process 802.1X 1 msg - client 56:fa:d5:01:e8:19 not found
*Dot1x_NW_MsgTask_1: Jan 15 13:30:32.694: %DOT1X-3-CLIENT_NOT_FOUND: dot1x_msg_task.c:1787 Unable to process 802.1X 1 msg - client 56:fa:d5:01:e8:19 not found
*Dot1x_NW_MsgTask_1: Jan 15 08:52:59.721: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:756 Client 56:fa:d5:01:e8:19 may be using an incorrect PSK

Jan 15 07:08:20 kernel: [*01/15/2021 07:08:20.9313] CLSM[56:FA:D5:01:E8:19]: US Auth(b0) seq 1249 IF 33 slot 1 vap 1 len 64 sta
te 8021X

Leo Laohoo · ‎01-17-2021

@RS19 wrote:

I can not share the full debug logs.

Cool. Please contact Cisco TAC.

RS19 · ‎01-17-2021

But any insights, what could be the possible reasons for this ?

Laptops are able to connect without any issue, but issues with iPhone/ipad devices

Some thing strange scenario & after reboot of the APs it started to work.

Leo Laohoo · ‎01-17-2021

@RS19 wrote:

But any insights, what could be the possible reasons for this ?

Please contact Cisco TAC.

marce1000 · ‎01-18-2021

- One thing you may consider is upgrading to the current advisory release for the 5520 which is 8.10.130.0 , check if the problem persists afterwards.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

KVKSAI · ‎02-01-2022

Hi Mate,

Is issue solved? If yes can you provide the solution for this? I have similar issue in my envi and looking on following parameters, in my case few IOS are connecting few are not.

let's have a look at the following parameters.

Problem statement : IOS devices are not connecting to Guest wifi( PSK, WPA2+ WPA3 SAE)

Points to checking:

1. When you run the debug the 4 way hand shake is completing?

2. Do you have WPA2 and WPA3 policies enabled? Under Guestwifi layer 2 security?

3. Users are having issue on both radios 2.4 n 5Ghz?

4. Fast transition is adaptive or enabled?

Scott Fella · ‎02-01-2022

Might want to look at what is compatible right now with Apple device. This also shows what you need to configure on the wlan for it to work.

WPA3 Deployment Guide - Cisco

-Scott
*** Please rate helpful posts ***

Leo Laohoo · ‎02-01-2022

No one knows the status of this issue because the OP does not want to furnish debug information/logs.

It is better if you can create a new thread so we can do proper debugs and troubleshooting.