C9800 WLAN MAC filter uses wrong RADIUS server

08-13-2021 09:38 AM
Hi community,
It seems to be a software bug.
Has anyone had the same experience?
Environment
WLC model: 9800-L-C
Version: 17.3.2a
Impacted devices: Laptop (with Windows 10 OS) x 3
SSID Details
WLANs Profile | Security | Radius Server |
300302 | 802.1x/Mac Filter | x.x.x.59 |
300309 | 802.1x/Mac Filter | x.x.x.159 |
Situation
After testing the ISE Posture function (using SSID 300309), the clients (three staff) cannot go back to using 300302;
the client status is stuck in "Associating", and the wrong RADIUS server x.x.x.159 is used (the correct one is x.x.x.59),
as shown below:
We have tried:
1/ Turning the WLAN profile down/up
2/ Restarting the AP
3/ Rebooting the client PC
None of this worked; they still can't use the SSID again. But other endpoints use SSID 300302 fine.
Only the three devices that had connected to the testing SSID 300309 are impacted.
Finally we rebooted the WLC, and the devices connected to SSID 300302 successfully.
best regards
Bill
08-13-2021 11:52 AM
Can you post a Radioactive Trace taken while the issue is observed?
Arshad Safrulla
08-13-2021 12:16 PM
FYI
08-13-2021 01:50 PM
Deleting the client, reason: 166, CO_CLIENT_DELETE_REASON_MACAUTH_CONNECT_TIMEOUT, Client state S_CO_MACAUTH_IN_PROGRESS
Is the MAC auth done locally in the WLC or by ISE? Is it possible to remove MAC auth to test with .1x only? Also, what is the IOS-XE code running?
Arshad Safrulla
08-13-2021 07:08 PM
Hi Arshadsaf,
1. MAC auth is done in ISE (but per the WLC GUI info (Client status - General), it has taken the wrong RADIUS server).
ex: SSID 300302 uses ISE01, SSID 300309 uses ISE02
2. After the WLC reboot, the problem was solved (the device connected to SSID 300302 successfully).
Next time the issue happens, we could try removing MAC auth to test with .1x only.
3. The code: 17.3.2a
Thx
Bill
08-16-2021 04:02 AM
That definitely sounds like a bug. You should be talking to TAC.
