Issues connecting Android 10 to Cisco ME

dovla091
Level 1

Hi, I had a problem for which I found a bypass solution, and I would like to share it, as I don't want anyone else to waste time troubleshooting the issue as I did.

In my case I have 15 AP1832i APs set up with Cisco ME, so one acts as, call it, a "controller", while the others get instructions from it. I have installed the latest firmware version on the APs: 8.10.105.0.

Now I have a Nokia 7.1 running Android 10 with the December 2019 patch, and what I found out is that after upgrading Android to version 10 and patching the Cisco AP1832i from 8.5 to 8.10, the Android phone cannot connect anymore.

After 1 hour of troubleshooting I found a bypass. By enabling WPA3 (along with WPA2), Android 10 started to connect again.

My guess is that either Google completely ditched support for WPA2 (for some reason) in favor of WPA3, or there is some mismatch between Cisco 8.10.105.0 for ME and Google Android 10. By enabling WPA3, the phone can successfully connect to our network.

 

I hope I helped someone and saved him/her some time in dealing with tedious troubleshooting.

 

Best regards

64 Replies

Enabling FT should work, at least it works for us.

Regards

There is a new beta of 8.10.x out which fixes the Android 10 compatibility issues. It should soon be released. Until then I suggest staying on 8.5 or 8.8 if possible.


Tested AireOS 8.10 with WPA2-Personal/Enterprise only (no-WPA3 config) and tested with PMF in disabled/optional/required state but no luck.

 

Now after testing a WPA3-Enterprise SSID on CLI (IMPORTANT: as there is no way of doing it through the GUI) (IMPORTANT: after configuring it, the WLAN profile appears as "Open" in the GUI), my Xiaomi Mi8 is connecting and authenticating, BUT entering an endless loop of DHCP discovery. Important to note that the controller says it is in RUN state before being assigned an IP address. This is the config for the existing WLAN:

(WLCTEST) >config wlan disable 1
(WLCTEST) >config wlan security wpa akm 802.1x disable 1
(WLCTEST) >config wlan security wpa akm pmf 802.1x enable 1
(WLCTEST) >config wlan security wpa wpa2 disable 1
(WLCTEST) >config wlan security pmf required 1
(WLCTEST) >config wlan enable 1

This is the WLAN summary now:

(WLCTEST) >show wlan 1

WLAN Identifier.................................. 1
Profile Name..................................... _Test810
Network Name (SSID).............................. _Test810
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... Enabled
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Scope Name.................................. none
Central NAT...................................... Disabled
Central NAT Peer-Peer Blocking................... Disabled
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
Quality of Service............................... Silver
Per-BSSID Rate Limits............................ Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-WLAN Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Authorization ACA............................. Disabled
Accounting ACA................................ Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Enabled (Profile 'gbl_eap_profile')
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Disabled
WPA3 (RSN IE).............................. Enabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
802.1x-SHA2............................. Enabled
PSK..................................... Disabled
PSK-SHA2................................ Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
OWE..................................... Disabled
SAE..................................... Disabled
OWE Transition Mode........................ Disabled
OWE Transition Mode WLAN id................ 0
Auto Key PSK .............................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Flexconnect Post-Auth IPv4 ACL................ Unconfigured
Flexconnect Post-Auth IPv6 ACL................ Unconfigured
Client MFP.................................... Optional
PMF........................................... Required
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
Flex Avc Profile Name............................ _Test810
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... enable
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
802.11v BSS Transition Neigh List Dual Band...... Disabled
DMS DB is empty
Band Select...................................... Enabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled
11ax Downlink MU-MIMO............................ Enabled
11ax Uplink MU-MIMO.............................. Enabled
11ax Downlink OFDMA.............................. Enabled
11ax Uplink OFDMA................................ Enabled
Wifi Alliance Multiband Operation................ Disabled
11ax Target Wake Time............................ Enabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

(WLCTEST) >

Client output:

(WLCTEST) >show client detail aa:bb:cc:dd:ee:ff
Client MAC Address............................... aa:bb:cc:dd:ee:ff
Client Username ................................. user@domain.com
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Unclassified
AP MAC Address................................... aa:11:22:33:44:55
AP Name.......................................... AP38-TEST
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... Local Database
Client User Group................................ user@domain.com
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1
Wireless LAN Network Name (SSID)................. _Test810
Wireless LAN Profile Name........................ _Test810
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 12 secs
BSSID............................................ aa:11:22:33:44:5f
Channel.......................................... 64
IP Address....................................... Unknown
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Client IPSK-TAG.................................. N/A
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 1768
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
Avg Uplink data Rate............................. 0
Burst Uplink data Rate........................... 0
Avg Uplink Real time data Rate................... 0
Burst Uplink Real Time data Rate................. 0
802.1P Priority Tag.............................. disabled
Security Group Tag............................... Unknown(0)
KTS CAC Capability............................... No
Qos Map Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. DHCP_REQD
Pre-auth IPv4 ACL Name........................... none
Pre-auth IPv4 ACL Applied Status................. Unavailable
Pre-auth IPv6 ACL Name........................... none
Pre-auth IPv6 ACL Applied Status................. Unavailable
Pre-auth Flex IPv4 ACL Name...................... none
Pre-auth Flex IPv4 ACL Applied Status............ Unavailable
Pre-auth Flex IPv6 ACL Name...................... none
Pre-auth Flex IPv6 ACL Applied Status............ Unavailable
Pre-auth redirect URL............................ none
Audit Session ID................................. 0d14a8c0000000042ab1a25e
AAA Role Type.................................... none
Acct Interim Interval............................ 0
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
AAA FlexConnect ACL Applied Status............... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Post-auth Flex IPv6 ACL Name..................... none
Post-auth Flex IPv6 ACL Applied Status........... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA3
Authentication Key Management.................... 802.1x-SHA2
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... Yes
Management Frame Protection...................... No
EAP Type......................................... PEAP
FlexConnect Data Switching....................... Local
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
FlexConnect Central Association.................. No
FlexConnect VLAN NAME............................ Unavailable
Quarantine VLAN.................................. 0
Access VLAN...................................... 20
Local Bridging VLAN.............................. 0
Client Capabilities:
Radio Capability........................... 802.11ac-w2
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 1
Fast BSS Transition........................ Not implemented
11v BSS Transition......................... Implemented
Non-Operable Channels............................ None
Non-Prefer Channels.............................. None
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
DNS Server details:
DNS server IP ............................. 0.0.0.0
DNS server IP ............................. 0.0.0.0
Assisted Roaming Prediction List details:


Client Dhcp Required: False
Allowed (URL)IP Addresses
-------------------------

AVC Profile Name: ............................... none
OpenDns Profile Name: ........................... none
Fastlane Client: ................................ No
Max DSCP: ....................................... 0
Nas Identifier: ................................. WLCTEST
Client Statistics:
Number of Bytes Received................... 0
Number of Bytes Sent....................... 0
Total Number of Bytes Sent................. 0
Total Number of Bytes Recv................. 0
Number of Bytes Sent (last 90s)............ 0
Number of Bytes Recv (last 90s)............ 0
Number of Packets Received................. 0
Number of Packets Sent..................... 0
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 0
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -54 dBm
Signal to Noise Ratio...................... 41 dB
Client Detected as Inactive................ Yes
Client RBACL Statistics:
Number of RBACL Allowed Packets............ 0
Number of RBACL Denied Packets............. 0
Client Rate Limiting Statistics:
Number of Data Packets Received............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Received.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Received........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Received.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
AP38-TEST(slot 0)
antenna0: 6 secs ago..................... -41 dBm
antenna1: 6 secs ago..................... -41 dBm
AP38-TEST(slot 1)
antenna0: 11 secs ago.................... -53 dBm
antenna1: 11 secs ago.................... -53 dBm

 

 

The DHCP server is the same as in the other WLAN networks that are working properly. Doing a packet capture on the Meraki MX appliance, I see DHCP packets for Discovery and Offer, but none of the Request or ACK packets. In the WLC debug I only see DHCP packets for Request, so the controller is missing the ones for the Offer before deauthenticating the client.

 

Is WPA3-Ent supported on AireOS 8.10? And on ME?

HTH
-Jesus

*** Always Rate Helpful Responses ***
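An added example, not part of the original post and not Cisco tooling: since the post reports that the GUI shows this WLAN as "Open", this Python parser reads `show wlan` text and reports which WPA generation, AKMs and PMF state the WLAN actually has. The first sample is abridged from the output above; the other two are constructed, and the checks (PMF Required and no `802.1x`/`PSK` AKM on a WPA3-only WLAN) are assumptions of this example that mirror the commands in the post.

```python
"""Audit the Security rows of AireOS `show wlan <id>` output (added example)."""
import re

# Rows look like "Name........ Value"; header lines carry no dotted leader.
ROW = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")

# AKM row names exactly as printed under "Auth Key Management" on this page.
ENTERPRISE_AKMS = {"802.1x", "802.1x-SHA2", "FT-1X(802.11r)", "SUITEB-1X", "SUITEB192-1X"}
PERSONAL_AKMS = {"PSK", "PSK-SHA2", "FT-PSK(802.11r)", "SAE"}
AKM_NAMES = ENTERPRISE_AKMS | PERSONAL_AKMS | {"CCKM", "OSEN-1X", "OWE"}
# Assumption of this example: AKMs the post turns off for a WPA3-only WLAN.
LEGACY_AKMS = {"802.1x", "PSK"}


def parse_security(text):
    """Return (settings dict, list of enabled AKM names)."""
    settings, akms, in_akm = {}, [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m is None:  # header line, e.g. "Auth Key Management"
            in_akm = line.strip() == "Auth Key Management"
            continue
        key, value = m["key"], m["value"]
        if in_akm and key in AKM_NAMES:
            if value == "Enabled":
                akms.append(key)
        else:
            # The flattened output repeats some keys (DHCP, HTTP); keep the first.
            settings.setdefault(key, value)
    return settings, akms


def classify(settings, akms):
    """Return (mode string, list of findings) for one WLAN."""
    def on(key):
        return settings.get(key) == "Enabled"

    findings = []
    wpa2, wpa3 = on("WPA2 (RSN IE)"), on("WPA3 (RSN IE)")
    if not on("Wi-Fi Protected Access (WPA/WPA2/WPA3)") or not (
        wpa2 or wpa3 or on("WPA (SSN IE)")
    ):
        return "No WPA/WPA2/WPA3", findings
    family = "WPA2/WPA3" if wpa2 and wpa3 else "WPA3" if wpa3 else "WPA2" if wpa2 else "WPA"
    ent = any(a in ENTERPRISE_AKMS for a in akms)
    per = any(a in PERSONAL_AKMS for a in akms)
    flavor = "Enterprise" if ent and not per else "Personal" if per and not ent else "mixed/other AKM"
    if not akms:
        findings.append("WPA enabled but no AKM enabled")
    if wpa3 and not wpa2:
        pmf = settings.get("PMF", "missing")
        if pmf != "Required":
            findings.append(f"PMF is {pmf}, not Required, on a WPA3-only WLAN")
        for akm in akms:
            if akm in LEGACY_AKMS:
                findings.append(f"legacy AKM {akm} enabled on a WPA3-only WLAN")
    if on("TKIP Cipher"):
        findings.append("TKIP cipher enabled")
    return f"{family}-{flavor}", findings


def audit(text):
    return classify(*parse_security(text))


# Abridged from the `show wlan 1` output in the post above.
PAGE_EXCERPT = """\
Security

802.11 Authentication:........................ Open System
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Disabled
WPA3 (RSN IE).............................. Enabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
Auth Key Management
802.1x.................................. Disabled
802.1x-SHA2............................. Enabled
PSK..................................... Disabled
SAE..................................... Disabled
OWE Transition Mode........................ Disabled
FT Over-The-DS mode........................ Enabled
PMF........................................... Required
"""

# Constructed: WPA3 enabled along with WPA2, as in the thread's first workaround.
TRANSITION = """\
Wi-Fi Protected Access (WPA/WPA2/WPA3).. Enabled
WPA2 (RSN IE).. Enabled
WPA3 (RSN IE).. Enabled
Auth Key Management
PSK.. Enabled
SAE.. Enabled
PMF.. Optional
"""

# Constructed: WPA3-only WLAN where the defaults were not switched off.
WEAK = TRANSITION.replace("WPA2 (RSN IE).. Enabled", "WPA2 (RSN IE).. Disabled") \
    .replace("PSK.. Enabled", "802.1x.. Enabled").replace("SAE.. Enabled", "802.1x-SHA2.. Enabled")

if __name__ == "__main__":
    for name, sample in (("page", PAGE_EXCERPT), ("transition", TRANSITION), ("weak", WEAK)):
        print(name, audit(sample))
```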

If you need additional debugs or outputs, I have an OTA packet capture of the process, MX debug, Android debug, ...

Based on the release notes it should be supported:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn810.html#wpa3
But I wouldn't be too surprised if there are still some bugs.

Hi community,

I was making a mistake when configuring the AP for the testing: AP Native VLAN was incorrectly configured in ME.

I have great news for those using Android 10 devices and not able to associate to a Cisco AireOS ME controller release 8.10.x.

You can configure a WPA3-Enterprise SSID for them to work or, on the other hand, as previously remarked, a WPA-WPA3-Personal hybrid SSID. Mine is a Xiaomi Mi8 running Android 10 security patch Apr-2020. It is working on an AireOS 8.8 WPA2-Ent ready SSID, but it's unable to send an association request when upgrading to AireOS 8.8. This is due to the smartphone vendor's implementation of Android 10 WPA3 support and I think they are not going back.

The problem is that Cisco is missing the configuration of WPA3-Enterprise in the GUI, so these are the commands to create one from scratch, based on the use of the internal AAA server in the WLC.

 

!
config local-auth eap-profile del gbl_eap_profile
config local-auth eap-profile add gbl_eap_profile
## I usually remove the less commonly used suites from the default authentication policy "local-auth eap-profile method add leap fast peap gbl_eap_profile"
config local-auth eap-profile cert-issuer cisco gbl_eap_profile
config local-auth eap-profile method add peap gbl_eap_profile
!
config wlan create 1 _WPA3-SSID _WPA3-SSID
config wlan band-select allow disable 1
config wlan local-auth enable gbl_eap_profile 1
config wlan bss-transition enable 1
config wlan radio 1 802.11a-only
config wlan session-timeout 1 86400
config wlan security wpa akm pmf 802.1x enable 1
config wlan security wpa wpa3 enable 1
config wlan security pmf required 1
!
## now disable those security features enabled by default when creating a new SSID supporting WPA3-Ent
config wlan security wpa akm 802.1x disable 1
config wlan security wpa akm cckm disable 1
config wlan security wpa wpa2 disable 1
config wlan security ft disable 1
!
## some good features to enable or tune in your config before enabling the WLAN
config wlan wifidirect allow 1
config wlan qos 1 platinum
config wlan enable 1

 

The rest of the RF tuning is up to every engineer.

 

And this is the verification of the config and the client connection:

 

(WLCTEST) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... _WPA3-SSID
Network Name (SSID).............................. _WPA3-SSID
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Scope Name.................................. none
Central NAT...................................... Disabled
Central NAT Peer-Peer Blocking................... Disabled
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
Quality of Service............................... Platinum
Per-BSSID Rate Limits............................ Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-WLAN Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11a only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Authorization ACA............................. Disabled
Accounting ACA................................ Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Enabled (Profile 'gbl_eap_profile')
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Disabled
WPA3 (RSN IE).............................. Enabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
802.1x-SHA2............................. Enabled
PSK..................................... Disabled
PSK-SHA2................................ Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
OWE..................................... Disabled
SAE..................................... Disabled
OWE Transition Mode........................ Disabled
OWE Transition Mode WLAN id................ 0
Auto Key PSK .............................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ allowed
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Flexconnect Post-Auth IPv4 ACL................ Unconfigured
Flexconnect Post-Auth IPv6 ACL................ Unconfigured
Client MFP.................................... Optional
PMF........................................... Required
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
Flex Avc Profile Name............................ _WPA3-SSID
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... enable
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
802.11v BSS Transition Neigh List Dual Band...... Disabled
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled
11ax Downlink MU-MIMO............................ Enabled
11ax Uplink MU-MIMO.............................. Enabled
11ax Downlink OFDMA.............................. Enabled
11ax Uplink OFDMA................................ Enabled
Wifi Alliance Multiband Operation................ Disabled
11ax Target Wake Time............................ Enabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled

Fabric Status
--------------

Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................

U3-Interface................................... Disable

U3-Reporting Interval.......................... 30

(WLCTEST) >show client detail aa:bb:cc:dd:ee:ff
Client MAC Address............................... aa:bb:cc:dd:ee:ff
Client Username ................................. user@domain.com
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Unclassified
AP MAC Address................................... 50:0f:80:aa:46:c0
AP Name.......................................... AP38-TEST
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... Local Database
Client User Group................................ user@domain.com
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 1
Wireless LAN Network Name (SSID)................. _WPA3-SSID
Wireless LAN Profile Name........................ _WPA3-SSID
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 28 secs
BSSID............................................ aa:11:22:33:44:5c
Channel.......................................... 64
IP Address....................................... 192.168.20.19
Gateway Address.................................. 192.168.20.1
Netmask.......................................... 255.255.255.0
IPv6 Address..................................... fe80::a650:0000:abcd:1234
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Client IPSK-TAG.................................. N/A
Status Code...................................... 0
Client CCX version............................... No CCX support
Re-Authentication Timeout........................ 86390
QoS Level........................................ Platinum
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
Avg Uplink data Rate............................. 0
Burst Uplink data Rate........................... 0
Avg Uplink Real time data Rate................... 0
Burst Uplink Real Time data Rate................. 0
802.1P Priority Tag.............................. disabled
Security Group Tag............................... Unknown(0)
KTS CAC Capability............................... No
Qos Map Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Pre-auth IPv4 ACL Name........................... none
Pre-auth IPv4 ACL Applied Status................. Unavailable
Pre-auth IPv6 ACL Name........................... none
Pre-auth IPv6 ACL Applied Status................. Unavailable
Pre-auth Flex IPv4 ACL Name...................... none
Pre-auth Flex IPv4 ACL Applied Status............ Unavailable
Pre-auth Flex IPv6 ACL Name...................... none
Pre-auth Flex IPv6 ACL Applied Status............ Unavailable
Pre-auth redirect URL............................ none
Audit Session ID................................. 0d14a8c000000002096da85e
AAA Role Type.................................... none
Acct Interim Interval............................ 0
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
AAA FlexConnect ACL Applied Status............... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Post-auth Flex IPv6 ACL Name..................... none
Post-auth Flex IPv6 ACL Applied Status........... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA3
Authentication Key Management.................... 802.1x-SHA2
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... Yes
Management Frame Protection...................... No
EAP Type......................................... PEAP
FlexConnect Data Switching....................... Local
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
FlexConnect Central Association.................. No
FlexConnect VLAN NAME............................ Unavailable
Quarantine VLAN.................................. 0
Access VLAN...................................... 20
Local Bridging VLAN.............................. 0
Client Capabilities:
Radio Capability........................... 802.11ac-w2
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 1
Fast BSS Transition........................ Not implemented
11v BSS Transition......................... Implemented
Non-Operable Channels............................ None
Non-Prefer Channels.............................. None
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
DNS Server details:
DNS server IP ............................. 8.8.8.8
DNS server IP ............................. 4.2.2.2
Assisted Roaming Prediction List details:


Client Dhcp Required: False
Allowed (URL)IP Addresses
-------------------------

AVC Profile Name: ............................... none
OpenDns Profile Name: ........................... none
Fastlane Client: ................................ No
Max DSCP: ....................................... 46
Nas Identifier: ................................. WLCTEST
Client Statistics:
Number of Bytes Received................... 0
Number of Bytes Sent....................... 0
Total Number of Bytes Sent................. 0
Total Number of Bytes Recv................. 0
Number of Bytes Sent (last 90s)............ 0
Number of Bytes Recv (last 90s)............ 0
Number of Packets Received................. 0
Number of Packets Sent..................... 0
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 0
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -48 dBm
Signal to Noise Ratio...................... 47 dB
Client Detected as Inactive................ Yes
Client RBACL Statistics:
Number of RBACL Allowed Packets............ 0
Number of RBACL Denied Packets............. 0
Client Rate Limiting Statistics:
Number of Data Packets Received............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Received.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Received........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Received.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
AP38-TEST(slot 0)
antenna0: 3 secs ago..................... -52 dBm
antenna1: 3 secs ago..................... -52 dBm
AP38-TEST(slot 1)
antenna0: 1 secs ago..................... -53 dBm
antenna1: 1 secs ago..................... -53 dBm

(WLCTEST) >

-HTH-

Jesus

-- Please rate helpful answers --
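
Added example (not part of the original post, and not Cisco tooling): a small Python parser that reduces the `show wlan` security section above to its enabled WPA versions, ciphers, AKMs, PMF mode and Aironet IE state, so the configuration of each test can be compared at a glance. The sample text is a constructed excerpt in the same layout, the function names are hypothetical, and the checks assume only that WPA3 makes PMF mandatory and that WPA (SSN IE) and TKIP are legacy.

```python
import re

# Constructed excerpt in the dotted "key....value" layout of `show wlan` output.
SAMPLE = """\
CCX - AironetIe Support.......................... Enabled
Security
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Disabled
WPA3 (RSN IE).............................. Enabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
Auth Key Management
802.1x.................................. Disabled
802.1x-SHA2............................. Enabled
PMF........................................... Required
"""

LINE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<val>.*)$")
WPA_IE = re.compile(r"^(WPA\d?) \((?:SSN|RSN) IE\)$")
# AKM names as listed under "Auth Key Management" on this page.
AKMS = {"802.1x", "802.1x-SHA2", "PSK", "PSK-SHA2", "CCKM", "FT-1X(802.11r)",
        "FT-PSK(802.11r)", "OSEN-1X", "SUITEB-1X", "SUITEB192-1X", "OWE", "SAE"}

def parse_security(text):
    """Extract enabled WPA versions, ciphers, AKMs, PMF and Aironet IE state."""
    cfg = {"wpa": [], "ciphers": [], "akm": [], "pmf": None, "aironet_ie": None}
    section = ""
    for line in map(str.strip, text.splitlines()):
        m = LINE.match(line)
        if not m:  # no dot leaders: treat the line as a section header
            section = line or section
            continue
        key, val = m["key"].strip(), m["val"].strip()
        on, wpa = val == "Enabled", WPA_IE.match(key)
        if wpa and on:
            cfg["wpa"].append(wpa.group(1))
        elif on and section == "WPA2/WPA3 Encryption Ciphers" and key.endswith(" Cipher"):
            cfg["ciphers"].append(key[:-len(" Cipher")])
        elif on and section == "Auth Key Management" and key in AKMS:
            cfg["akm"].append(key)
        elif key == "PMF":
            cfg["pmf"] = val
        elif key == "CCX - AironetIe Support":
            cfg["aironet_ie"] = val
    return cfg

def audit(cfg):
    """Flag settings that conflict with WPA3's mandatory PMF or use legacy crypto."""
    wpa, pmf = cfg["wpa"], cfg["pmf"]
    checks = [
        ("WPA3" in wpa and "WPA2" not in wpa and pmf != "Required",
         "WPA3-only WLAN without PMF Required"),
        ("WPA3" in wpa and "WPA2" in wpa and pmf == "Disabled",
         "WPA2+WPA3 WLAN with PMF Disabled"),
        ("WPA" in wpa, "legacy WPA (SSN IE) enabled"),
        ("TKIP" in cfg["ciphers"], "TKIP cipher enabled"),
    ]
    return [msg for bad, msg in checks if bad]
```

Calling `audit(parse_security(text))` on saved `show wlan` output returns an empty list for the WPA3-Enterprise profile shown above (WPA3, CCMP128/AES, 802.1x-SHA2, PMF Required).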

Thanks for this post.
Quick question, should this not read 8.10 instead of 8.8? "association request when upgrading to AireOS 8.8"

Yes you are right, it should read "the device doesn't send any association request after upgrading to AireOS 8.10"

Cheng
Cisco Employee

Hi, would you mind sharing your TAC Case ID?

Not the previous poster, but we have SR#688982827 open for the same issue.

Can you share the SR with TAC?

Saludos,
Rafael - TAC

WHindriks
Level 1

Thanks! I ran into the same issue with a Nokia 8.1 and the March 2020 update.
Enabling WPA3 resolved the issue.

Hi,

Did you enable an additional "WPA3-only" SSID, or did it work when WPA2+WPA3 (both enterprise) were enabled on the same SSID? We have not yet had success enabling both, only with an additional SSID (Cat9k8, 16.12.2s).

best regards

Philipp

I ran into the same issue using the following security features:

- WPA2-PSK-SHA1
- WPA2-PSK-SHA256
- WPA2-PSK-SHA1-SHA256
- WPA2-8021X-SHA1
- WPA2-8021X-SHA256
- WPA2-8021X-SHA1-SHA256
- WPA2-WPA3-SAE

It worked once the first time, when configuring WPA2-WPA3-SAE, but I've never managed to repeat that success after many retries and many factory resets.

I've managed to reproduce this failure in AireOS 8.10 both ME and vWLC, and also running IOS-XE 16.12.2s and 17.1/17.2 in Catalyst 9800, as the AP codes are the same.

I'm working with some Cisco engineers on this, so I will post any updates.

HTH
-Jesus
*** Please Rate Helpful Responses ***

Cheng
Cisco Employee

Hi Jesus,

Did you try to disable Aironet IE?

Aironet IE is a Cisco proprietary attribute used by Cisco devices for better connectivity. It contains information, such as the access point name, load, number of associated clients, and so on sent out by the access point (AP) in the beacon and probe responses of the WLAN.
