
Disable Client Exclusion on EWC

brentpavlovich
Level 1

Ran into a weird problem that all started when I changed the PSK a WLAN uses. The SSID of the WLAN stayed the same, only the PSK changed. Since changing the PSK, even though we went through and updated the password on the wireless devices connecting to the WLAN that changed, they all initially connected fine. But soon we noticed randomly, devices were disconnecting from the network. Watching logs on the controller, it shows the clients are getting added to the exclusion list due to the wrong PSK. Eventually all those same devices time out of the exclusion list, then connect fine without issue. Some time passes and they get added to the exclusion list again. I can't figure out if the problem is due to an issue with the wireless APs/controller or the clients themselves. All I can say though is this is happening to multiple types of clients (computers, phones, smart devices (plugs, Alexa, etc.)) so there isn't any commonality there. Thinking it was a bug with the IOS, I upgraded the firmware but the problem persisted. Tried wiping the entire config of the APs/controller and added back the PSK with the new config but the problem remained. So now I'm out of ideas and want to instead figure out how to just disable the client exclusion feature, hoping that keeps devices connected. I understand the security ramifications of this, but for now am running out of options. Any and all responses on either what might be causing clients to get added to the exclusion list or how to disable it altogether are much appreciated!

 

I am running two C9130AXI-B access points which are configured as an embedded wireless controller. Firmware version Cisco IOS XE Software, Version 17.09.02. 

Accepted Solutions

Scott Fella
Hall of Fame

I don't have an EWC but from a 9800 controller, you define this on the Policy Profile:

wireless profile policy <your policy profile>
no exclusionlist
exclusionlist timeout 0

-Scott
*** Please rate helpful posts ***

6 Replies

marce1000
VIP

 

 - You may try : (Cisco EWC Controller) >config wps client-exclusion all disable 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Unfortunately I believe that command only works in AireOS. It doesn't accept the command on the EWC.

 

    >...Unfortunately I believe that command only works in AireOS. It doesn't accept the command on the EWC.

 - Check if these commands can provide more insights:
       show wireless stats client detail
       show wireless stats client delete reasons
       show wireless client history disconnected summary
       show logging profile wireless filter <CLIENTMAC>

 - Also have a checkup of the EWC controller configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ . Please note: do not use classical show tech-support (short version), use the command denoted in green for Wireless Analyzer. Check out all advisories!

 - Look into client debugging: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , you can have client debugs analyzed with: https://cway.cisco.com/wireless-debug-analyzer

 M.


  




Rich R
VIP

Haven't tried it myself but I see these in "show run all" (handy for looking for default config):
wireless wps client-exclusion all
wireless wps client-exclusion dot11-assoc
wireless wps client-exclusion dot1x-auth
wireless wps client-exclusion dot1x-timeout
wireless wps client-exclusion ip-theft
wireless wps client-exclusion web-auth

So try no xxxx on those?


I tried "no wireless wps client-exclusion all" in global config and that didn't have any effect. On the actual wireless profile policy though, "no exclusionlist" has seemed to work. I'll give it a day or so before calling it completely resolved, but so far watching the logs no clients have been added. Thank you all for the suggestions!
