
Failed to dot11 ie validate aironet ipaddr.

jsjsj
Level 1

I have Cisco Catalyst 9800-CL Wireless Controller and Five 1702I APs that are connected and have DNA Essentials licenses.

Clients have been unable to authenticate. Have DHCP set up and have confirmed that clients are getting IP addresses on the network. Suggestions would be greatly appreciated.

Radioactive Trace indicates the following: 

2023/10/06 08:11:39.649300 {wncd_x_R0-0}{1}: [client-orch-sm] [19103]: (note): MAC: 9cfc.e893.9d79 Association received. BSSID a023.9f19.3c3e, WLAN SCX-COLA-WLC-02, Slot 1 AP a023.9f19.3c30, AP_Name

2023/10/06 08:11:39.649412 {wncd_x_R0-0}{1}: [client-orch-state] [19103]: (note): MAC: 9cfc.e893.9d79 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING

2023/10/06 08:11:39.649552 {wncd_x_R0-0}{1}: [dot11-validate] [19103]: (ERR): MAC: 9cfc.e893.9d79 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request

2023/10/06 08:11:39.649771 {wncd_x_R0-0}{1}: [dot11] [19103]: (note): MAC: 9cfc.e893.9d79 Association success. AID 16, Roaming = False, WGB = False, 11r = False, 11w = False

2023/10/06 08:11:39.649865 {wncd_x_R0-0}{1}: [client-orch-state] [19103]: (note): MAC: 9cfc.e893.9d79 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS

2023/10/06 08:11:39.650306 {wncd_x_R0-0}{1}: [client-auth] [19103]: (note): MAC: 9cfc.e893.9d79 ADD MOBILE sent. Client state flags: 0x31 BSSID: MAC: a023.9f19.3c3e capwap IFID: 0x9000000a, Add mobiles sent: 1

2023/10/06 08:11:39.653190 {wncd_x_R0-0}{1}: [sanet-shim-translate] [19103]: (ERR): 9cfc.e893.9d79 wlan_profile Not Found : Device information attributes not populated

2023/10/06 08:11:39.653249 {wncd_x_R0-0}{1}: [client-auth] [19103]: (note): MAC: 9cfc.e893.9d79 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 1 , NAC = 0

2023/10/06 08:11:39.653879 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [19103]: (note): Authentication Success. Resolved Policy bitmap:11 for client 9cfc.e893.9d79

 


DanielP211
VIP Alumni

Hello,

Could you share the aaa configuration (WLC and ISE)?

BR

****Kindly rate all useful posts*****

jsjsj
Level 1

Hope this is what you want to see.

WLC

Authentication List = Authetication_dot1x = Type dot1x Group Type = Group Assigned Server Group = Radius Server Group

ISE

Name = Profile Name

Server Address = "Assigned Radius Server IP Address."

PAC Key = unchecked

Key Type = Clear Text

Key = "Same Key for Radius Server"

Confirm Key = Same as above

Auth Port = 1812

Acct Port = 1813

Server Time Out: 1000

Retry Count : 3

Support for CoA = Enabled

 

ammahend
VIP Alumni

The problem description is incorrect: "Clients have been unable to authenticate. Have DHCP set up and have confirmed that clients are getting IP addresses on the network." If you have authentication set up, then clients won't get an IP unless authenticated; L3 can't work without L2 working properly. Anyway, I see a successful L2 authentication for client 9cfc.e893.9d79 in the trace, but it seems like your policy or authorization on RADIUS is not set up correctly.

To start with, share the output for

show wlan name <wlan name>

show wireless profile policy detailed <policy name attached to WLAN>

-hope this helps-

Okay, I will get the information you requested. And you see no issue with it indicating: (ERR): MAC: 9cfc.e893.9d79 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request?

WLAN Name: SCX-COLA-WLC-02

General

Profile Name: S11-GRNV-WLC-02

SSID: S11-GRNV-WLC-02

WLAN ID: 1

Status: Enable

Radio Policy: All

Broadcast SSID: Enable

See requested information attached.

Any thoughts on a solution to this?

You did not provide "show wireless client mac-address <client-mac> detail" for one of the clients when connected.

Rich R
VIP

Agreed with @ammahend to provide the output of the suggested commands - not a word doc with your summary of GUI checkboxes etc!

No, not worried about Aironet IE log - there are lots of things in debugs that don't matter as client and AP negotiate options and settings.

You stated "Clients have been unable to authenticate. Have DHCP set up and have confirmed that clients are getting IP addresses on the network"
But as @ammahend pointed out - the logs show that authentication DID succeed and DHCP is the next step after authentication so the fact that the client gets an IP address means that the authentication must have succeeded.  So your problem comes after that and is more likely a routing or bridging issue or maybe even an ACL somewhere.

Also provide "show wireless client mac-address <client-mac> detail" for one of the clients when connected.
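Added example, not part of the original thread and not Cisco tooling: a small Python summary of the Radioactive Trace lines posted above, showing per client the state transitions, which components logged ERR, and whether the association and authentication success messages appear, which is the reading the replies give. The line layout and the rule that the first MAC in a message is the client's are assumptions inferred from the lines in this thread.

```python
import re
from collections import defaultdict

# Six lines copied from the Radioactive Trace in the original post.
SAMPLE_TRACE = """\
2023/10/06 08:11:39.649412 {wncd_x_R0-0}{1}: [client-orch-state] [19103]: (note): MAC: 9cfc.e893.9d79 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/10/06 08:11:39.649552 {wncd_x_R0-0}{1}: [dot11-validate] [19103]: (ERR): MAC: 9cfc.e893.9d79 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/10/06 08:11:39.649771 {wncd_x_R0-0}{1}: [dot11] [19103]: (note): MAC: 9cfc.e893.9d79 Association success. AID 16, Roaming = False, WGB = False, 11r = False, 11w = False
2023/10/06 08:11:39.649865 {wncd_x_R0-0}{1}: [client-orch-state] [19103]: (note): MAC: 9cfc.e893.9d79 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/10/06 08:11:39.653190 {wncd_x_R0-0}{1}: [sanet-shim-translate] [19103]: (ERR): 9cfc.e893.9d79 wlan_profile Not Found : Device information attributes not populated
2023/10/06 08:11:39.653879 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [19103]: (note): Authentication Success. Resolved Policy bitmap:11 for client 9cfc.e893.9d79
"""

# Assumed layout: timestamp {process}{n}: [component] [pid]: (severity): message
LINE_RE = re.compile(
    r"^\S+ \S+ \{[^}]+\}\{\d+\}: \[(?P<comp>[^\]]+)\] \[\d+\]: "
    r"\((?P<sev>\w+)\): (?P<msg>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")
STATE_RE = re.compile(r"Client state transition: (\S+) -> (\S+)")

def summarize(trace):
    """Group trace lines per client MAC and separate ERR lines from outcome."""
    clients = defaultdict(lambda: {"states": [], "errors": [],
                                   "assoc_ok": False, "auth_ok": False})
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        mac = MAC_RE.search(m["msg"]) if m else None
        if not mac:
            continue  # not a trace line, or no client MAC to attribute it to
        c = clients[mac.group()]  # assumption: first MAC in message is the client
        step = STATE_RE.search(m["msg"])
        if step:
            c["states"] = c["states"] or [step.group(1)]
            c["states"].append(step.group(2))
        if m["sev"] == "ERR":
            c["errors"].append(m["comp"])  # record which component complained
        c["assoc_ok"] |= "Association success" in m["msg"]
        c["auth_ok"] |= "Authentication Success" in m["msg"]
    return dict(clients)

if __name__ == "__main__":
    for mac, c in summarize(SAMPLE_TRACE).items():
        print(mac, " -> ".join(c["states"]), "| ERR from:", c["errors"],
              "| assoc_ok:", c["assoc_ok"], "| auth_ok:", c["auth_ok"])
```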

Client Mac Address: 9cfc.e893.9d79

Client Mac Type: Universally Administered Address

Client Ipv4 Address:

Client Username: N/A

AP Name: Columbia_AP

AP Slot: 1

Client State: Associated

Policy Profile: default-policy-profile

Flex Profile: N/A

Wireless LAN Id: 1

WLAN Profile Name: SCX-COLA-WLC-02

BSSID: a023.9f19.3c3f

Connected For: 4 seconds

Protocol: 802.11ac

Channel: 60

Client IIF Id: Unknown

Association Id: 1

Authentication Algorithm: Open System

Idle State timeout: N/A

Re-Authentication Timeout: 1800 sec (Timer not running)

 

Rich, any thoughts on the additional information provided?
