
Cisco 9120 in EWC with WLAN MAC local filtering issue

Edgar078
Level 1

Good day,

I have an EWC Access Point 9120 which has an SSID with PSK and MAC filtering local, however it is not allowing me to connect the devices, it gives me a message:

 

 

Jan 26 17:11:30.353: %MAB-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (0c9a.3cd2.bab3) with reason (AAA Server Down) on Interface capwap_90000004 AuditSessionID 00000000000001ED3D5C65E8

Jan 26 17:11:30.494: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncd: Client MAC: 0c9a.3cd2.bab3 was added to exclusion list associated with AP Name:AP-SALA-JUNTAS, BSSID:MAC: 0000.0000.0000, reason:802.11 association failure

Jan 26 17:11:30.494: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (0c9a.3cd2.bab3) on Interface capwap_90000004 AuditSessionID 00000000000001F23D5C6675. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

 

1 Accepted Solution

Accepted Solutions

Rich R
VIP

Did you configure as per the guide?
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html#toc-hId-2036295870


15 Replies

marce1000
VIP

 

> ... with reason (AAA Server Down) on Interface ...

 - For some reason an AAA server is being contacted; review the running configuration with: show running-config | inc aaa

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R
VIP

Did you configure as per the guide?
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html#toc-hId-2036295870

Hello @Rich R 

Yes, I have it configured like the guide you shared with me.

What version of software are you using?

17.09.04

Haydn Andrews
VIP Alumni

It appears that you have AAA configured on the SSID, as it's trying to send the auth to an AAA server.

 


Hello @Haydn Andrews 

I have configured this part according to the guide.

Authentication is local, there is no external radius server or tacacs.

Edgar078_0-1706547997311.png

 

Can I see the WLAN L2 security page?

Thanks 

MHM

Hi @MHM Cisco World 

This is the WLAN configuration

Edgar078_0-1706558001523.png Edgar078_1-1706558016582.png

Regards!

 

Authorization list name is different between L2 security and what you previously shared?

Also, if you match the name, make sure that you select Local and do not click authc.

Do that and make sure the MAC is added to authz and check again.

Thanks 

MHM

ChaseFF
Level 1

I have the same issue on 17.9.4a. Without the Authorization List, my PSK Authentication works and I can join the SSID, but as soon as I add the Authorization List, the PSK stops working, and I get Authentication failures "Authentication failed for client (abcd.1234.5678) with reason (AAA Server Down)" even though I did not add AAA Server Authentication.

Rich R
VIP

I have just tested it on my EWC running 17.13.1 and it works fine.

Note that error message is misleading.  That actually just means it did not find a username (MAC) match in the local list.  I confirmed that in my testing.

If you followed the instructions precisely per the guide then your MAC address username is entered in lower case without any punctuation (no dots, no colons, no dashes).  If you put . : or - in your mac then it won't match.

Also make sure you have Allow AAA Override enabled on your Policy Profile.
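
An added example, not part of the original thread: a small Python check that takes the `%MAB-5-FAIL ... (AAA Server Down)` lines shown above, derives the username form described in the reply above (lowercase, no separators), and compares it with the usernames in the local list. The function names and the sample username list are assumptions made for illustration; the log line is the one posted in the thread.

```python
import re

# Matches the MAB failure line format shown in the original post.
MAB_FAIL = re.compile(
    r"%MAB-5-FAIL:.*?Authentication failed for client \(([0-9A-Fa-f.:\-]+)\) "
    r"with reason \(AAA Server Down\)"
)

def mac_username(mac):
    """Return the MAC as 12 lowercase hex digits with no separators."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def diagnose(log_lines, local_usernames):
    """Map each failed client's expected username to (verdict, matching entry)."""
    results = {}
    for line in log_lines:
        m = MAB_FAIL.search(line)
        if not m:
            continue
        want = mac_username(m.group(1))
        if want in local_usernames:
            results[want] = ("present", want)
            continue
        # Look for the same MAC entered with separators or upper case.
        near = None
        for entry in local_usernames:
            try:
                if mac_username(entry) == want:
                    near = entry
                    break
            except ValueError:
                pass  # entry is not a MAC-style username
        results[want] = ("wrong-format", near) if near else ("missing", None)
    return results

# Log line copied from the thread; the username list is constructed sample data.
SAMPLE_LOG = [
    "Jan 26 17:11:30.353: %MAB-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed "
    "for client (0c9a.3cd2.bab3) with reason (AAA Server Down) on Interface "
    "capwap_90000004 AuditSessionID 00000000000001ED3D5C65E8",
]
SAMPLE_USERS = ["0C:9A:3C:D2:BA:B3", "admin"]

if __name__ == "__main__":
    for mac, (verdict, entry) in diagnose(SAMPLE_LOG, SAMPLE_USERS).items():
        print(mac, verdict, entry)
```

A `wrong-format` verdict means the MAC is in the list but was entered with separators or upper case, which is the case that produced the failures discussed in this thread.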

ChaseFF
Level 1

There it was plain as day. 

"Write the mac address in all lowercase without a separator"!!!!

Thanks Rich for the smack in the back of the head
