Re: C9800-WLAN MAC filter use wrong Radius Server

Bill lo · ‎08-13-2021

Hi community

it seem a software BUG .....，

Has anyone had the same experience?

Environment

WLC modle :9800-L-C

Version : 17.3.2a

Imapct device : Laptop (with OS window10) x 3

SSID Details

WLANs Profile	Security	Radius Server
300302	802.1x/Mac Filter	x.x.x.59
300309	802.1x/Mac Filter	x.x.x.159

Situation

After testing the ISE-Posture function ( use SSID:300309), The client (three staff) cannot go back use 300302;

the Client status is stuck in "Associating" ,and used wrong Radius-Server x.x.x.159 (the correct one is x.x.x.59)

as shown below:

we have tried:

1/ Trun down/up the Wlan profile

2/ Restart the AP

3/ Client PC reboot

not work, still can't use the SSID back , But others endpoint used the SSID:300302 well,

Only the three devices that have connect the testing SSID:300309 imapcted.

Finally we reboot the WLC , and the Devic connect the SSID:300302 success

best regards

Bill

Arshad Safrulla · ‎08-13-2021

Can you post a Radio Active trac while the issue is observed?

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Bill lo · ‎08-13-2021

FYI

Arshad Safrulla · ‎08-13-2021

Deleting the client, reason: 166, CO_CLIENT_DELETE_REASON_MACAUTH_CONNECT_TIMEOUT, Client state S_CO_MACAUTH_IN_PROGRESS

Is the MAC auth done locally in the WLC or by ISE, Is it possible to remove MAC Auth to test with .1x only. Also what the IOS-XE code running?

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Bill lo · ‎08-13-2021

Hi Arshadsaf

1. MAC auth done is done in ISE ( But for WLC GUI info( Client status-general ) , it's taken wrong Radius Server .

ex: SSID 300302 use ISE01 , SSID 300309 use ISE02

2 After WLC reboot , the the problem is solved ( the Deive connect the SSID 300302 success;

Next time when the issue happen, we could make a try :remove MAC Auth to test with .1x only

3 .the Code :17.3.2a

thx

Bill

Rich R · ‎08-16-2021

That definitely sounds like a bug. You should be talking to TAC.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390