
04-18-2021 08:18 PM - edited 07-05-2021 01:10 PM
Hello,
I have a Catalyst 9130AXI connected to a Catalyst 9800-CL (OS 16.12.5) installed on my virtual machine.
I configured MAC Address Bypass on this version and it works well, but there is a problem with the 5 GHz radio: it keeps restarting the 5 GHz radio on the Catalyst 9130AXI. The AP shows this error before restarting the radios:
[*03/25/2021 10:17:59.8668] DOT11_DRV[1]: Beacon Stuck - reset radio for recovery
[*03/25/2021 10:17:59.8669] DOT11_DRV[1]: *** Triggered FW assert for radio failure (Beacons stuck)
[*03/25/2021 10:17:59.8669]
[*03/25/2021 10:17:59.8736] DOT11_DRV[1]: *** Resetting Radio 1
[*03/25/2021 10:17:59.8736] DOT11_DRV[1]: Stop Radio1 - Begin
[*03/25/2021 10:17:59.8898] DOT11_DRV[1]: Stop Radio1 - End
So I tried software version 17.3.3 for this implementation.
In this software version, the issue with the 5 GHz radio is solved, but there is another issue with MAC Address Bypass.
I've configured MAC Address Bypass on 1 SSID, but I am unable to connect my laptop (with a registered MAC address).
On the vWLC, there are some logs that show this error:
Apr 16 03:20:19.934: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001061D89DEDDE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:20.999: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_90000005 AuditSessionID 0000000000001062D89DF206. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:21.935: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001063D89DF5AE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Please advise regarding this issue.
Thanks.
Note:
- I've also tried vWLC software versions 17.4.1 and 17.5.1, but the issue with MAC Address Bypass is still there
- For the MAC Address Bypass configuration, I'm following this guide: https://0x2142.com/how-to-catalyst-9800-mac-filtering/
04-19-2021 12:10 AM
- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs86066
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
04-19-2021 12:30 AM
Hi marce1000,
Thanks for the reply.
We've overcome the "Beacon Stuck" problem on the 5 GHz radio by installing version 17.3.3.
But another problem has occurred, as I mentioned above, regarding MAC Address Bypass.
Do you have any advice regarding the issue with MAC Address Bypass?
04-27-2021 07:26 AM
The error message TELLS you what the problem is: "AAA Server Down".
So check your config and work out why the WLC cannot connect to your RADIUS server! Config/routes/ACL/source interface etc.
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
09-26-2021 09:14 AM
Did anyone manage to fix this MAC filter problem, or find a version in 17.x that works?
Failure reason: Authc fail. Authc failure reason: AAA Server Down.
I'm also following the steps in this article, https://0x2142.com/how-to-catalyst-9800-mac-filtering/
Same error.
I have done exactly the same, creating the MAC address list locally within the WLC, so the error message seems like a bug.
09-26-2021 02:51 PM
Have you checked https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz30708 ?
09-27-2021 05:14 AM - edited 09-27-2021 05:15 AM
I just had a read of CSCvz30708 and rebooted the WLC as per the resolution.
Still no good.
For example, here's the whole chain of events when a device attempts to connect.
2021/09/27 21:47:30.477303 {wncd_x_R0-0}{1}: [client-orch-sm] [25006]: (note): MAC: xxxx.xxxx.xxxx Association received. BSSID b838.xxxx.xxxx, WLAN testssid, Slot 1 AP b838.xxxx.xxxx, AP72
2021/09/27 21:47:30.477394 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2021/09/27 21:47:30.477500 {wncd_x_R0-0}{1}: [dot11-validate] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Validating Samsung Device Info subtypes failed
2021/09/27 21:47:30.477663 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_ASSOCIATING -> S_CO_MACAUTH_IN_PROGRESS
2021/09/27 21:47:30.477673 {wncd_x_R0-0}{1}: [client-auth] [25006]: (note): MAC: xxxx.xxxx.xxxx MAB Authentication initiated. Policy VLAN 10, AAA override = 1, NAC = 0
2021/09/27 21:47:30.477685 {wncd_x_R0-0}{1}: [sanet-shim-translate] [25006]: (ERR): xxxx.xxxx.xxxx wlan_profile Not Found : Device information attributes not populated
2021/09/27 21:47:30.478165 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (note): Authentication Success. Resolved Policy bitmap:11 for client xxxx.xxxx.xxxx
2021/09/27 21:47:30.478440 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (ERR): SANET_AUTHC_FAILURE - AAA Server Down username 8cb8xxxxxxxx, audit session id 5501010A000000162714D7B1,
2021/09/27 21:47:30.478620 {wncd_x_R0-0}{1}: [errmsg] [25006]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface capwap_90000004 AuditSessionID 5501010A000000162714D7B1. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
2021/09/27 21:47:30.478687 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_MACAUTH_IN_PROGRESS -> S_CO_ASSOCIATING
2021/09/27 21:47:30.478692 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Failed to assoc failure tr state entry. Incorrect validation status value :1
2021/09/27 21:47:30.479444 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Dot11 update co assoc fail. Sent assoc failure to CO. delete reason: 9, CO_CLIENT_DELETE_REASON_MAB_FAILED
Strange error to have when the AAA is the local WLC itself.
Unfortunately I can't try to upgrade to a higher version; for the old access point this is the highest it can support.
09-27-2021 06:44 AM
Then I think you need to open a case with Cisco TAC and keep us updated on what they say.

09-27-2021 08:23 PM
Hi All,
I want to give my update regarding this issue.
It turned out that it was a bug in the 17.3 software (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870) that the entry format for the MAC address must be without any separator.
Thanks all for all your suggestions and input.
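
A check for the situation described in the post above, as an added example that is not part of the original thread: it pulls the clients that failed MAB with "AAA Server Down" out of %SESSION_MGR-5-FAIL lines and reports whether the matching local MAC entry was stored with separators. The function names, the contents of LOCAL_LIST and the third log line are constructed for illustration.

```python
import re

# %SESSION_MGR-5-FAIL message format as quoted in this thread.
FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL:.*?client \((?P<mac>[0-9A-Fa-f.:-]+)\)"
    r".*?Authc failure reason: (?P<reason>[^.]+)\."
)

def normalize_mac(value):
    """Return 12 lowercase hex digits with no separators, or raise ValueError."""
    digits = re.sub(r"[.:\-\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def failed_mab_clients(log_text):
    """Count 'AAA Server Down' failures per client MAC (normalized)."""
    counts = {}
    for m in FAIL_RE.finditer(log_text):
        if m.group("reason").strip() == "AAA Server Down":
            mac = normalize_mac(m.group("mac"))
            counts[mac] = counts.get(mac, 0) + 1
    return counts

def audit(log_text, local_entries):
    """For each failing client, say how its MAC is stored in the local list."""
    stored = {}
    for entry in local_entries:
        stored.setdefault(normalize_mac(entry), []).append(entry)
    report = {}
    for mac, count in failed_mab_clients(log_text).items():
        entries = stored.get(mac, [])
        if not entries:
            status = "not in list"
        elif any(re.fullmatch(r"[0-9A-Fa-f]{12}", e) for e in entries):
            status = "stored without separator"
        else:
            status = "stored with separator, re-enter as " + mac
        report[mac] = (count, status)
    return report

# First two lines are from the thread; the third line and LOCAL_LIST are constructed.
SAMPLE_LOG = """\
Apr 16 03:20:19.934: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001061D89DEDDE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:20.999: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_90000005 AuditSessionID 0000000000001062D89DF206. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:22.101: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (0200.0000.0001) on Interface capwap_90000005 AuditSessionID CONSTRUCTED0000000000000001. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
"""
LOCAL_LIST = ["94:db:c9:03:93:72", "001122334455"]

if __name__ == "__main__":
    for mac, (count, status) in audit(SAMPLE_LOG, LOCAL_LIST).items():
        print(mac, count, status)
```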
09-28-2021 04:29 AM
Brilliant, this is exactly the solution.
Cisco should have coded the error log much better; it's no MAC matching, not AAA server down.
