Cannot get APs to join on bridge nor through Device Auth

mowright
Level 1

Hello, I have two 9124AXE-B APs I am trying to set up and get mesh working on. I am using a 9800 on version 17.12.5. I cannot get the mesh tab to show up or even get the AP into bridge mode. I have the MAC in the Device Authentication MAC address list like so, c8:28:e5:3a:e6:cc, as well as Authorize APs against MAC enabled under AP policy, but the AP will not join back to the controller. I thought maybe it was the AP itself, but I tried a different one and could not get it to join back after turning those settings on, even in local mode with the MAC address in the list. Any ideas?

Accepted Solution

Rich R
VIP

I have the mac in the Device Authentication mac address list like such, c8:28:e5:3a:e6:cc
@mowright the documentation is very clear - the MAC address must be entered all lower case, no punctuation (no dots, no colons, no spaces) otherwise the MAC address will not be matched correctly!
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html


It's an enhancement request to support other formats but it's considered a very low priority to implement - you must only use the bare format for now.

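The format rule in the accepted solution, turned into a check you can run over an authorization list before pasting it into the controller. This is an added example, not code from Rich R's post or from the Cisco document; it assumes only the rule stated above (bare, lowercase, no separators) and uses the thread's own addresses as sample input. The AP-name helper relies on the thread's observation that the default AP name APC828.E53A.E6CC embeds the Ethernet MAC c8:28:e5:3a:e6:cc, while the "Mac:" field in the AP_JOIN_DISJOIN message is a different (radio) address.

```python
import re
from typing import List, Optional, Tuple

# A valid entry for the 9800 AP authorization list: exactly 12 lowercase hex digits.
BARE_MAC = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC in the bare lowercase form the authorization list matches on.

    Accepts colon (c8:28:e5:3a:e6:cc), dash (C8-28-E5-3A-E6-CC), Cisco dotted
    (C828.E53A.E6CC) and already-bare input. Raises ValueError otherwise.
    """
    bare = re.sub(r"[:\-.\s]", "", mac.strip()).lower()
    if not BARE_MAC.fullmatch(bare):
        raise ValueError(f"not a valid 48-bit MAC address: {mac!r}")
    return bare


def same_mac(a: str, b: str) -> bool:
    """True when two addresses are the same MAC regardless of how they are written."""
    return normalize_mac(a) == normalize_mac(b)


def mac_from_ap_name(name: str) -> Optional[str]:
    """Recover the Ethernet MAC from a factory-default AP name.

    In the thread the default name is 'AP' followed by the Ethernet MAC in
    dotted form (APC828.E53A.E6CC). Returns None for renamed APs.
    """
    if not name.upper().startswith("AP"):
        return None
    try:
        return normalize_mac(name[2:])
    except ValueError:
        return None


def audit_auth_list(entries: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each entry as the controller will see it.

    Returns (entry, status, corrected): status is 'ok' for an entry already in
    bare lowercase form, 'reformat' for a valid MAC written another way (with the
    value to enter instead), or 'invalid' when it is not a MAC at all.
    """
    report = []
    for entry in entries:
        try:
            bare = normalize_mac(entry)
        except ValueError:
            report.append((entry, "invalid", None))
            continue
        report.append((entry, "ok" if entry == bare else "reformat", bare))
    return report


if __name__ == "__main__":
    # Constructed sample list: the thread's Ethernet MAC in three spellings plus a typo.
    sample = ["c8:28:e5:3a:e6:cc", "C828.E53A.E6CC", "c828e53ae6cc", "c8:28:e5:3a:e6"]
    for entry, status, corrected in audit_auth_list(sample):
        print(f"{entry:20} {status:9} {corrected or ''}")
    # The AP name carries the Ethernet MAC; the radio MAC from the log is a different address.
    print(mac_from_ap_name("APC828.E53A.E6CC"), same_mac("APC828.E53A.E6CC"[2:], "18f9.3519.2be0"))
```

Run it over the list you intend to configure; anything reported as `reformat` is exactly the case the accepted solution describes, and `invalid` catches truncated or mistyped entries before they silently fail to match.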

22 Replies

amandaisaac2812
Level 1

Hi there, I understand you're experiencing issues with your Cisco Access Points (APs) not joining the Wireless LAN Controller (WLC) when operating in bridge mode or through device authentication. Based on your description, it appears that the APs are stuck in the "AP Auth Pending" state.

Here are some steps you can take to troubleshoot and resolve the issue:

1. Add APs to the Authorization List

When an AP is in bridge mode, it must be explicitly added to the WLC's authorization list. This is a security measure to prevent unauthorized devices from joining the network. You can add the APs by their MAC addresses through the WLC's GUI or CLI.

CLI Command:

config ap auth-list add <AP_MAC_Address>

GUI Path:
Security > AAA > AP Policies > AP Authorization List

2. Verify AAA and AP Authorization Settings

Ensure that your WLC is configured to authenticate APs using the appropriate method. This can be done via local authentication or through an external AAA server. Check the settings under:

CLI Command:

show running-config aaa

Look for the aaa authorization and ap auth-list settings to confirm they are correctly configured.

3. Check for Duplicate IP Addresses

A common issue is the presence of duplicate IP addresses on the network, which can prevent APs from joining the WLC. Use the following command to check for duplicate IPs:

CLI Command:

show ip arp

Look for any entries where the IP address matches the AP manager IP address. If found, resolve the conflict by changing the IP address of the conflicting device.

4. Verify Firewall and Port Configuration

Ensure that the necessary ports are open on any firewalls between the APs and the WLC. The required ports include:

  • UDP 5246 (Control)

  • UDP 5247 (Data)

  • UDP 16666-16667 (Mobility)

  • TCP 161-162 (SNMP)

Use the following command to check the WLC's port status:

CLI Command:

show control interface

5. Check for Regulatory Domain Mismatch

If the APs and the WLC are set to different regulatory domains, they may not be able to communicate properly. Verify that both are configured for the same domain:

CLI Command:

show wireless country

If they differ, adjust the settings to match.

6. Review AP and WLC Logs

Examine the logs on both the AP and the WLC for any error messages that could provide more insight into the issue.

WLC CLI Command:

show log

AP CLI Command:

show log

Look for entries related to CAPWAP, authentication failures, or certificate issues.

7. Consider Firmware Compatibility

Ensure that the firmware versions on the APs and the WLC are compatible. Incompatible versions can lead to communication issues. Check the Cisco compatibility matrix for guidance.

If you've gone through these steps and the issue persists, please provide additional details such as the model numbers of the APs and WLC, the firmware versions, and any specific error messages you're encountering. This information will help in providing more targeted assistance.

Best regards.

@amandaisaac2812 this very obvious AI bot cut/paste answer really isn't helpful - anybody can get that answer for themselves. If you have useful personal insight/experience/knowledge to contribute then share it with people here, but lengthy pointless copy/paste answers really do not make a useful contribution to the community!

Mark Elsen
Hall of Fame

  

- @mowright Set the AP in bridge mode using: capwap ap mode bridge (to be executed on the AP)

M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

@Mark Elsen would this be run while it is connected to the WLC?

 

- @mowright You can do that, but the AP will reboot anyway.

M.


Still does not seem to work. It got the WLC address from DHCP and sent a request, then got a discovery response, then went to DTLS Setup, and this is what happened.

CAPWAP State: DTLS Setup
[*09/30/2025 13:45:00.0321] dtls_verify_server_cert: Controller certificate verification successful
[*09/30/2025 13:45:00.7876] 
[*09/30/2025 13:45:00.7876] CAPWAP State: Join
[*09/30/2025 13:45:00.8164] DOT11_CFG[0]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 0 radioFraEnabled 0, radioSubType 0, serviceType 0, radioType 1, bandId 0, bssidScheme 0
[*09/30/2025 13:45:00.8171] DOT11_CFG[1]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 1 radioFraEnabled 0, radioSubType 0, serviceType 1, radioType 2, bandId 1, bssidScheme 0
[*09/30/2025 13:45:00.8176] DOT11_CFG[2]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 2 radioFraEnabled 0, radioSubType 5, serviceType 0, radioType 2, bandId 1, bssidScheme 3
[*09/30/2025 13:45:00.8182] Sending Join request to 10.1.1.92 through port 5256, packet size 1376
[*09/30/2025 13:45:05.7998] DOT11_CFG[0]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 0 radioFraEnabled 0, radioSubType 0, serviceType 0, radioType 1, bandId 0, bssidScheme 0
[*09/30/2025 13:45:05.8043] DOT11_CFG[1]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 1 radioFraEnabled 0, radioSubType 0, serviceType 1, radioType 2, bandId 1, bssidScheme 0
[*09/30/2025 13:45:05.8048] DOT11_CFG[2]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 2 radioFraEnabled 0, radioSubType 5, serviceType 0, radioType 2, bandId 1, bssidScheme 3
[*09/30/2025 13:45:05.8053] Sending Join request to 10.1.1.92 through port 5256, packet size 1376
[*09/30/2025 13:45:10.8114] DOT11_CFG[0]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 0 radioFraEnabled 0, radioSubType 0, serviceType 0, radioType 1, bandId 0, bssidScheme 0
[*09/30/2025 13:45:10.8118] DOT11_CFG[1]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 1 radioFraEnabled 0, radioSubType 0, serviceType 1, radioType 2, bandId 1, bssidScheme 0
[*09/30/2025 13:45:10.8122] DOT11_CFG[2]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 2 radioFraEnabled 0, radioSubType 5, serviceType 0, radioType 2, bandId 1, bssidScheme 3
[*09/30/2025 13:45:10.8128] Sending Join request to 10.1.1.92 through port 5256, packet size 896
[*09/30/2025 13:45:15.8032] DOT11_CFG[0]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 0 radioFraEnabled 0, radioSubType 0, serviceType 0, radioType 1, bandId 0, bssidScheme 0
[*09/30/2025 13:45:15.8036] DOT11_CFG[1]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 1 radioFraEnabled 0, radioSubType 0, serviceType 1, radioType 2, bandId 1, bssidScheme 0
[*09/30/2025 13:45:15.8040] DOT11_CFG[2]: Sending TLV_DOT11_RADIO_TXRX_CAPABILITY slotid 2 radioFraEnabled 0, radioSubType 5, serviceType 0, radioType 2, bandId 1, bssidScheme 3
[*09/30/2025 13:46:00.0396] OOBImageDnld: OOBImageDownloadTimer expired for image download..
[*09/30/2025 13:46:00.0396] OOBImageDnld: Do common error handler for OOB image download..
[*09/30/2025 13:46:00.0759] 
[*09/30/2025 13:46:00.0759] CAPWAP State: DTLS Teardown
[*09/30/2025 13:46:00.1226] OOBImageDnld: Do common error handler for OOB image download..
[*09/30/2025 13:46:00.2155] status 'upgrade.sh: Script called with args:[CANCEL]'
[*09/30/2025 13:46:00.2553] do CANCEL, part2 is active part
[*09/30/2025 13:46:00.2816] status 'upgrade.sh: Cleanup tmp files ...'
[*09/30/2025 13:46:00.3178] Directory /tmp/ntevents not found.
[*09/30/2025 13:46:00.3185] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
[*09/30/2025 13:46:00.3185] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
[*09/30/2025 13:46:05.0415] OOBImageDnld: OOBImageDownloadTimer expired for image download..
[*09/30/2025 13:46:05.0415] OOBImageDnld: Do common error handler for OOB image download..
[*09/30/2025 13:46:05.0648] dtls_queue_first: Nothing to extract!
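A small analyser for the kind of AP console log posted above, added here as an example and not part of the thread or any Cisco tool. It walks the CAPWAP state lines, counts the Join requests sent while in the Join state, and reports how long the AP waited before tearing the DTLS session down. The sample log is an abridged copy of the lines in the post (DOT11_CFG and OOB image lines dropped); the outcome labels are this example's own naming.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# AP console prefix: "[*MM/DD/YYYY HH:MM:SS.ffff] message"
LINE_RE = re.compile(r"^\[\*(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)\]\s*(.*)$")
JOIN_RE = re.compile(r"Sending Join request to (\S+) through port (\d+)")

# Abridged from the log in the post above (constructed sample for this example).
SAMPLE_LOG = """\
[*09/30/2025 13:45:00.0321] dtls_verify_server_cert: Controller certificate verification successful
[*09/30/2025 13:45:00.7876] CAPWAP State: Join
[*09/30/2025 13:45:00.8182] Sending Join request to 10.1.1.92 through port 5256, packet size 1376
[*09/30/2025 13:45:05.8053] Sending Join request to 10.1.1.92 through port 5256, packet size 1376
[*09/30/2025 13:45:10.8128] Sending Join request to 10.1.1.92 through port 5256, packet size 896
[*09/30/2025 13:46:00.0759] CAPWAP State: DTLS Teardown
[*09/30/2025 13:46:00.3185] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state: DTLS Teardown(4).
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Split one AP log line into (timestamp, message); None for lines without the prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f"), m.group(2)


def analyze_join(lines: List[str]) -> Dict[str, object]:
    """Summarise one CAPWAP join attempt from an AP console log.

    Outcomes (names chosen for this example):
      joined               reached 'CAPWAP State: Run'
      join-unanswered      DTLS came up and Join requests were sent, but the AP
                           reached DTLS Teardown without ever leaving Join; in the
                           thread this pattern traced back to AP authorization
      teardown-before-join DTLS Teardown with no Join request sent
      incomplete           log ends without a decisive event
    """
    result: Dict[str, object] = {
        "states": [], "controller": None, "join_requests": 0,
        "first_request": None, "teardown": None,
        "seconds_waiting": None, "outcome": "incomplete",
    }
    state = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith("CAPWAP State:"):
            state = msg.split(":", 1)[1].strip()
            result["states"].append(state)
            if state == "Run":
                result["outcome"] = "joined"
            elif state == "DTLS Teardown":
                result["teardown"] = ts
        elif state == "Join":
            m = JOIN_RE.search(msg)
            if m:
                result["join_requests"] += 1
                result["controller"] = m.group(1)
                if result["first_request"] is None:
                    result["first_request"] = ts
    if result["outcome"] != "joined" and result["teardown"] is not None:
        if result["join_requests"] > 0:
            result["outcome"] = "join-unanswered"
            result["seconds_waiting"] = (
                result["teardown"] - result["first_request"]).total_seconds()
        else:
            result["outcome"] = "teardown-before-join"
    return result


if __name__ == "__main__":
    summary = analyze_join(SAMPLE_LOG.splitlines())
    print(f"outcome={summary['outcome']} controller={summary['controller']} "
          f"join_requests={summary['join_requests']} "
          f"waited={summary['seconds_waiting']}s states={summary['states']}")
```

On the posted log this reports three unanswered Join requests to 10.1.1.92 over roughly 59 seconds before the teardown. The useful signal is the combination: certificate verification succeeded and DTLS was established, so the transport path is fine and the controller is choosing not to answer, which points at the controller-side authorization decision rather than at firewalls or certificates.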

 

@Mark Elsen I think it's more on the AAA side because no AP will rejoin when reset, even if its MAC is in the device auth.

 

- @mowright Then you need to inspect the logs on the AAA server and check if the APs are getting authorized. If so, further troubleshoot with instructions from:
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin

M.


@Mark Elsen How would I check the logs for the local AAA for that Device Auth? Also does any of this need to be enabled? 

 

 

- @mowright AP authorization is mandatory for bridge APs. Checking the logs on the AAA server must be done on that platform, not the controller, and how that is done depends on the type of AAA/RADIUS server that is being used.

M.


@Mark Elsen I have the ISE servers in here for RADIUS but have not done anything with them for AP MACs; as far as I knew, I thought the device auth for all of that was done on the WLC itself. Is there a different way I should be setting this up then?

 

- @mowright Following this document: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html
You can see that you can authorize the AP MAC addresses locally on the controller or through an external RADIUS server. Check the document and verify your own setup.

M.


@Mark Elsen I am seeing this, AGE-5-AP_JOIN_DISJOIN: Chassis 1 R0/3: wncd: AP Event: AP Name: APC828.E53A.E6CC Mac: 18f9.3519.2be0

Am I supposed to be putting in the base radio MAC instead of the Ethernet MAC?

 

- @mowright Normally I would think: APC828.E53A.E6CC

M.
