Solved: Disabled clients on the wlc keep getting disabled after removing them

adedipeopeoluwa · ‎06-10-2021

Hello,

please I am experiencing the following challenge and I need urgent assistance on this.

we recently integrated our wlc to a NAC appliance and enforced some policies. Some clients get blocked on the NAC which is also visible on the wlc under disabled clients. Once the wireless clients are remediate and enabled back on the NAC, same reflects on the wlc and they no longer appear on the wlc. This is the normal behavior.

however, we noticed that some other clients that appear as disabled on the wlc do not show as blocked on NAC. The NAC policy was also disabled in order to drill down. When the disabled client is removed manually from the wlc and the client connects successfully on wireless, it gets disabled again as a result of it being added on the exclusion list.

I followed some steps I saw online by disabling the authentication retries under security but situation still persist.

can anyone help out pls

patoberli · ‎06-11-2021

This is an extremely old 8.5. release. I suggest first upgrading to the latest 8.5.x build, there were a lot of bugs fixed.

View solution in original post

Grendizer · ‎06-10-2021

What’s the WLC type and code? and if you’re using AnyConnect, what version?

adedipeopeoluwa · ‎06-11-2021

WLC is 3504, 8.5.105.0

NAC tool we use is forescout not anyconnect.

patoberli · ‎06-11-2021

This is an extremely old 8.5. release. I suggest first upgrading to the latest 8.5.x build, there were a lot of bugs fixed.

Grendizer · ‎06-11-2021

upgrade to 8.10.151.0 after checking the compatibility matrix https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

meaning, if you don't have one of those AP models (3500, 1600, 2600, 3600, 1550) you can upgrade to 8.10

if you have one of these AP models in your network then upgrade to 8.5.171.0

adedipeopeoluwa · ‎06-11-2021

Please see attached log

Rich R · ‎06-11-2021

Like Pat said you're wasting your time trying to troubleshoot such an old release. Bring the software up to date and if you still have problems then it's worth troubleshooting further.

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc3

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

adedipeopeoluwa · ‎06-16-2021

Thank you all.

I upgraded the WLC to a higher version and I am okay now.