Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3037
Views
16
Helpful
40
Replies

Client devices reporting 'Incorrect Wi-Fi password' on PEAP network

t3rebello
Level 1
Level 1

‎11-01-2023 07:59 AM

Hi folks,

Running a Catalyst 9800-40 WLC. 1463 WAP's connected, predominantly C9136I WAP's. 8,817 active clients with 4,796 clients on our SSID using PEAP authentication via ISE on the back end.  

We are observing clients will frequently disconnect from the network despite having strong RSSI and SNR levels. The behavior manifests as 'Incorrect Wi-Fi Password', even though the user has been previously connected with no issues and their wireless profile is saved on their phone. I have seen this exclusively on iPhone devices at this time. The DNAC log timestamps seem to lineup with the log 'Client has requested it be deleted' 

To remediate, users can simply hit cancel and wait, and they will reconnect to the network. I am working a TAC case parallel to this community post. Just wanted to throw this out there in case other people were seeing this in their environment. 

1 person had this problem
Preview file
26 KB
Preview file
199 KB
0 Helpful
40 Replies 40

t3rebello
Level 1
Level 1
In response to listcsbgnetsecurity

‎05-07-2024 08:16 AM

Thank you for the update List, that is very helpful to know. 

Turning off the 2.4 GHz on our production SSID was coincidentally a topic of discussion for other purposes. I think it's high time we start splitting off our dual band SSID's and move towards 5 GHz only, and this is another reason to do so. 

I appreciate you taking the time to come back here and post this, as I never got any traction anywhere else. 

Rich R
VIP
VIP
In response to t3rebello

‎05-10-2024 10:03 AM

What WLC version and APSP are you seeing that on?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

listcsbgnetsecurity
Level 1
Level 1
In response to Rich R

‎05-10-2024 12:18 PM

WLC: C9800-CL - 17.12.1 / APs: C9136I-ROW

0 Helpful

Rich R
VIP
VIP
In response to listcsbgnetsecurity

‎05-10-2024 12:56 PM

Maybe think about upgrading to 17.12.3 - there are quite a lot of bug fixes in 17.12.2 and 17.12.3:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#resolved-caveats-for-cisco-ios-xe-dublin-17.12.3
And that's only the more serious bugs which Cisco decided to list in the release notes.  In fact there are a whole lot more which are not listed there.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

listcsbgnetsecurity
Level 1
Level 1
In response to Rich R

‎05-10-2024 01:03 PM

We are considering upgrading to 17.12.3. We are just waiting Cisco become it recommended version that I think it will be soon.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to listcsbgnetsecurity

‎05-10-2024 08:33 PM

@listcsbgnetsecurity wrote:
We are just waiting Cisco become it recommended version that I think it will be soon.

Don't wait for Cisco.  We are dumping 17.9.X and are about to start going to 17.12.3 -- And I am talking about routers, switches and WLC.  17.9.X is a flaming train wreck.  We've got so many TAC cases around this train and a lot of the workarounds have been "reboot AP, switches, routers" that it is no longer funny.

t3rebello
Level 1
Level 1
In response to Rich R

‎05-10-2024 08:36 PM

17.12.1 for the controller version. Unfamiliar with the APSP terminology. Is that a separate number than the WLC code train? 

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to t3rebello

‎05-10-2024 08:39 PM

APSP means AP Service Pack.  This is a patch for the AP. 

SMU means Software Maintenance Update and this is a patch for the WLC.

t3rebello
Level 1
Level 1
In response to Leo Laohoo

‎05-17-2024 07:20 AM

We haven't applied any service packs or anything other than just upgrading the controller (then subsequently the AP's) to whatever the default service pack would be for controller code 17.12.1.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to t3rebello

‎05-17-2024 02:46 PM

Not all SMU/APSP is good. 

Take, for example, 17.9.4a APSP8.  Installing APSP8 will cause more damage because it was not tested at all.  Instead of fixing, the APSP8 introduced more catastrophic bug like CSCwj45141 & CSCwi96176 (and a lot more).

It is a balancing act to follow recommendations from TAC blindly or to think smart.  

0 Helpful

listcsbgnetsecurity
Level 1
Level 1
In response to t3rebello

‎05-21-2024 08:30 AM

Justo to inform and keep you apprised, we started facing the issue again last week and we decided to upgrade our WLC / APs to 17.12.3 IOS-XE version. I will let you know about results. 

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card