MAC address bypass not working on Catalyst 9800-CL Software version 17.3.3

permadi_paris
Level 1

Hello,

 

I have a Catalyst 9130AXI connected to a Catalyst 9800-CL (OS 16.12.5) installed on my virtual machine.

I configured MAC Address Bypass on this version and it works well, but there is a problem with the 5 GHz radio: it keeps restarting the 5 GHz radio on the Catalyst 9130AXI. The AP shows this error before restarting the radios:

[*03/25/2021 10:17:59.8668] DOT11_DRV[1]: Beacon Stuck - reset radio for recovery

[*03/25/2021 10:17:59.8669] DOT11_DRV[1]: *** Triggered FW assert for radio failure (Beacons stuck)

[*03/25/2021 10:17:59.8669] 

[*03/25/2021 10:17:59.8736] DOT11_DRV[1]: *** Resetting Radio 1

[*03/25/2021 10:17:59.8736] DOT11_DRV[1]: Stop Radio1 - Begin

[*03/25/2021 10:17:59.8898] DOT11_DRV[1]: Stop Radio1 - End

 

So I tried software version 17.3.3 for this implementation.

In this software version, the issue on the 5 GHz radio is solved, but there is another issue with MAC Address Bypass.

I've configured MAC Address Bypass on 1 SSID, but I am unable to connect my laptop (with a registered MAC address).

On the vWLC, there are some logs that show this error:

Apr 16 03:20:19.934: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001061D89DEDDE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:20.999: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_90000005 AuditSessionID 0000000000001062D89DF206. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:21.935: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001063D89DF5AE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

Please advise regarding this issue.

Thanks.

 

note:


marce1000
VIP

 

         - FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs86066

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi marce1000,

 

Thanks for the reply.

We've overcome the problem regarding "Beacon Stuck" on the 5 GHz radio by installing version 17.3.3.

But another problem occurs, as I mentioned above, regarding MAC Address Bypass.

Do you have any advice regarding the issue with MAC Address Bypass?

 

The error message TELLS you what the problem is: "AAA Server Down".

So check your config and work out why the WLC cannot connect to your RADIUS server! Config/routes/ACL/source interface, etc.

 

adventurer
Level 1

Did anyone manage to fix this MAC filter problem, or find a version in 17.x that works?

Failure reason: Authc fail. Authc failure reason: AAA Server Down.

 

I'm also following the steps in this article: https://0x2142.com/how-to-catalyst-9800-mac-filtering/

Same error.

I have done exactly the same, creating the MAC address list locally within the WLC, so the error message seems like a bug.

I just had a read of CSCvz30708 and rebooted the WLC as per the resolution.

Still no good.

 

For example, here's the whole chain of events when a device attempts to connect.

2021/09/27 21:47:30.477303 {wncd_x_R0-0}{1}: [client-orch-sm] [25006]: (note): MAC: xxxx.xxxx.xxxx Association received. BSSID b838.xxxx.xxxx, WLAN testssid, Slot 1 AP b838.xxxx.xxxx, AP72

2021/09/27 21:47:30.477394 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_INIT -> S_CO_ASSOCIATING

2021/09/27 21:47:30.477500 {wncd_x_R0-0}{1}: [dot11-validate] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Validating Samsung Device Info subtypes failed

2021/09/27 21:47:30.477663 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_ASSOCIATING -> S_CO_MACAUTH_IN_PROGRESS

2021/09/27 21:47:30.477673 {wncd_x_R0-0}{1}: [client-auth] [25006]: (note): MAC: xxxx.xxxx.xxxx MAB Authentication initiated. Policy VLAN 10, AAA override = 1, NAC = 0

2021/09/27 21:47:30.477685 {wncd_x_R0-0}{1}: [sanet-shim-translate] [25006]: (ERR): xxxx.xxxx.xxxx wlan_profile Not Found : Device information attributes not populated

2021/09/27 21:47:30.478165 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (note): Authentication Success. Resolved Policy bitmap:11 for client xxxx.xxxx.xxxx

2021/09/27 21:47:30.478440 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [25006]: (ERR): SANET_AUTHC_FAILURE - AAA Server Down username 8cb8xxxxxxxx, audit session id 5501010A000000162714D7B1,

2021/09/27 21:47:30.478620 {wncd_x_R0-0}{1}: [errmsg] [25006]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface capwap_90000004 AuditSessionID 5501010A000000162714D7B1. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

2021/09/27 21:47:30.478687 {wncd_x_R0-0}{1}: [client-orch-state] [25006]: (note): MAC: xxxx.xxxx.xxxx Client state transition: S_CO_MACAUTH_IN_PROGRESS -> S_CO_ASSOCIATING

2021/09/27 21:47:30.478692 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Failed to assoc failure tr state entry. Incorrect validation status value :1

2021/09/27 21:47:30.479444 {wncd_x_R0-0}{1}: [dot11] [25006]: (ERR): MAC: xxxx.xxxx.xxxx Dot11 update co assoc fail. Sent assoc failure to CO. delete reason: 9, CO_CLIENT_DELETE_REASON_MAB_FAILED

 

Strange error to have when the AAA is the local WLC itself.

Unfortunately I can't try upgrading to a higher version; with the old access point, this is the highest it can support.


Then I think you need to open a case with Cisco TAC and keep us updated on what they say.

permadi_paris
Level 1

Hi All,

I want to give my update regarding this issue.
It turns out that it was a bug in the 17.3 software (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870): the entry format for the MAC address must be without any separator.

Thanks all for all your suggestions and input.

Brilliant, this is exactly the solution.

Cisco should have coded the error log much better; it's no MAC match, not AAA server down.
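
An added example, not part of the original thread and not Cisco's code: a Python check that pulls the clients failing MAB with "AAA Server Down" out of the controller log lines quoted in the first post and flags local MAC entries that still contain separators, the format the accepted solution says 17.3 does not match. The function names and the entry list are assumptions made for illustration.

```python
import re

# The three controller log lines quoted in the original post.
SAMPLE_LOG = """\
Apr 16 03:20:19.934: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001061D89DEDDE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:20.999: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_90000005 AuditSessionID 0000000000001062D89DF206. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Apr 16 03:20:21.935: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (94db.c903.9372) on Interface capwap_9000000c AuditSessionID 0000000000001063D89DF5AE. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
"""

# Constructed list of entries as an admin might have typed them into the local MAC list.
SAMPLE_ENTRIES = ["94db.c903.9372", "aabbccddeeff", "printer-01"]

FAIL_RE = re.compile(
    r"%SESSION_MGR-5-FAIL:.*?client \((?P<mac>[0-9A-Fa-f.:\-]+)\).*?"
    r"Authc failure reason: (?P<reason>[^.]+)\."
)
SEPARATORS = re.compile(r"[.:\-]")

def bare_mac(value):
    """Return the 12-hex-digit, separator-free, lowercase form, or None if invalid."""
    digits = SEPARATORS.sub("", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def failed_clients(log_text, reason="AAA Server Down"):
    """Map bare client MAC -> number of SESSION_MGR failures with that reason."""
    counts = {}
    for m in FAIL_RE.finditer(log_text):
        mac = bare_mac(m.group("mac"))
        if mac and m.group("reason").strip() == reason:
            counts[mac] = counts.get(mac, 0) + 1
    return counts

def audit(log_text, entries):
    """Flag entries that are invalid, or that belong to a failing client and contain separators."""
    failing = failed_clients(log_text)
    findings = []
    for entry in entries:
        mac = bare_mac(entry)
        if mac is None:
            findings.append((entry, None, "not a MAC address"))
        elif mac in failing and SEPARATORS.search(entry):
            findings.append((entry, mac, f"{failing[mac]} failures; re-enter without separators"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_ENTRIES):
        print(finding)
```
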
