Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
18491
Views
25
Helpful
65
Replies

Client devices reporting 'Incorrect Wi-Fi password' on PEAP network

t3rebello
Level 1
Level 1

‎11-01-2023 07:59 AM

Hi folks,

Running a Catalyst 9800-40 WLC. 1463 WAP's connected, predominantly C9136I WAP's. 8,817 active clients with 4,796 clients on our SSID using PEAP authentication via ISE on the back end.  

We are observing clients will frequently disconnect from the network despite having strong RSSI and SNR levels. The behavior manifests as 'Incorrect Wi-Fi Password', even though the user has been previously connected with no issues and their wireless profile is saved on their phone. I have seen this exclusively on iPhone devices at this time. The DNAC log timestamps seem to lineup with the log 'Client has requested it be deleted' 

To remediate, users can simply hit cancel and wait, and they will reconnect to the network. I am working a TAC case parallel to this community post. Just wanted to throw this out there in case other people were seeing this in their environment. 

2 people had this problem
Preview file
26 KB
Preview file
199 KB
0 Helpful
65 Replies 65

listcsbgnetsecurity
Level 1
Level 1
In response to Rich R

‎10-01-2024 08:29 AM

To be honest with you I have never updated an APSP into WLC. Every time I face any issue into wireless platform I search for a new version that correct bugs and issues. Is it common Cisco releasing APSP for all versions? Are you used to update them as soon as they are released?

Other thing is that this version and APSP2 doen't mention any fix on the original issue that we have initially discussed on this community topic that is regarding Apple devices being disconnected asking for password.

0 Helpful

Rich R
VIP
VIP
In response to listcsbgnetsecurity

‎10-01-2024 10:13 AM

@listcsbgnetsecurity  APSP come out in between major releases and sometimes back-port fixes from later releases to earlier releases too.
They should be assessed and tested just like any new software release.  The difference is they only change AP software not WLC software so you can concentrate the testing on the APs.

The APSP is supplemental to the base release it's applied to so you need to refer to the 17.12.4 release notes for fixes in 17.12.4 and then add the fixes that are in the APSP for the APs.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to t3rebello

‎09-04-2024 06:40 AM

It would never happen at home because they would not use PEAP as an example, so never compare that.  It's different if one has a lab at home and uses EAP-TLS, PEAP or even iPSK as an example.  I have seen 'Incorrect Wi-Fi password' when using ISE and iPSK only on iPhones, not other devices.  It also only happens if my device connects to a PSK SSID and then connects to a iPSK SSID.  The iPhone sends a different mac address and I was able to open up a TAC case because I had a test controller tied to a test ISE node and we were able to see the iPhone send two mac addresses.  One of course passed, the iPhones mac, but the other mac address showed up in ISE as a failure.  Again, this only happened with iPhones no matter if it was a 13, 14 or 15.  Androids, Linux, Windows and Mac's worked fine.  So you are heading the right direction. Also note, I don't see this with PEAP in our environment.

-Scott
*** Please rate helpful posts ***
0 Helpful

t3rebello
Level 1
Level 1
In response to Scott Fella

‎09-04-2024 06:42 AM

When I mentioned that they say that it doesn't happen at home, I know it's not an Apples to Apples (get it??? heh) comparison but I am just giving the perspective of the disgruntled user/customer. 


Scott Fella
Hall of Fame
Hall of Fame
In response to t3rebello

‎09-04-2024 07:26 AM

I understand that because too hear that every time a user has issues.  Not like us engineers say that also, especially when your home network works better than when you are at work. These statements from users just shows you how they feel about the network and I really don't blame them.  That is why we always try to ensure what we do doesn't affect the user experience. 

If you have a lab, you should try to replicate the issue so you have more data to provide TAC.  It would be interesting to see if the iPhone is sending another auth with a bogus mac address.  Like what Rich mentioned, maybe upgrade to a different code version in hopes that it would help.  

-Scott
*** Please rate helpful posts ***

abdulrauf01251
Level 1
Level 1

‎10-01-2024 10:19 AM

Thats Great, helpful post

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card