06-13-2023 11:21 AM
Dear Cisco Community
I am having trouble joining a Cisco MAP (9124AXI) to a Cisco 9800-L WLC through a Cisco RAP (also 9124AXI). In the web interface of the WLC (Monitoring -> AP Statistics -> myRAP -> Mesh -> Neighbor) I can see the RAP recognizes the MAP as a neighbor AP:
But the MAP never actually joins the WLC. It never shows a message about a successful join.
Under radioactive trace I collected some logs on the WLC of the MAP. These logs show "authz_list: Not present under wlan configuration". But the MAC address of the MAP is stored in the AAA list "Device Authentication" on the WLC under "AAA Advanced". An AAA method list for authentication as well as an AAA list for authorization are configured.
I expect the MAP to show up on the WLC under Configuration -> Access Points -> All Access Points after a successful join. Is that assumption wrong? Will the MAP, even after a successful join, not show up there?
Do you have any suggestions for troubleshooting?
Thanks for any answers in advance.
06-16-2023 03:48 AM
And what version of software are you using?
Make sure you're using latest TAC recommended version as per link below to ensure you have known bugfixes.
If you're sure the config is correct and you've checked the names match exactly, and software is up to date - then time for a TAC case.
09-11-2023 02:29 AM
Sorry for posting the actual solution so late.
The MAP was not able to join the WLC because of a misconfiguration of the switchport to which the RAP was connected. In our environment we use dot1x or MAB to authenticate devices with Cisco ISE.
We allowed the Ethernet and radio MACs of the MAP and RAP to join via MAB. In the ISE log we were able to see that Cisco ISE successfully authenticated the RAP using MAB and never saw an authentication error regarding the MAP.
But the MAP was not able to get authenticated because of the following configuration on the switchport through which the RAP, and therefore also the MAP, were connected to our LAN: "access-session host-mode multi-domain". This setting only allows for one data and one voice VLAN device to be authenticated on that specific switchport.
Changing this setting to "access-session host-mode multi-host" or "access-session host-mode multi-auth" solved the problem since it allows for more than one data-VLAN device to be authenticated. You can read more here: https://community.cisco.com/t5/network-access-control/access-session-host-mode-option-for-an-ap-port/td-p/3810472
Another possibility would be to remove the dot1x and MAB configurations from the port entirely, but this would not be that secure.
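The host-mode problem described in the solution above is easy to miss in a large running-config, because ISE shows the RAP authenticating normally and the MAP simply never appears. The following script is an added example, not part of the thread or any Cisco tool: it parses an IOS-style running-config excerpt (constructed here, with one interface in the broken multi-domain form and one in the corrected multi-auth form), finds every port that runs MAB or acts as a dot1x authenticator, and reports which of those ports can only admit a single data-domain MAC and would therefore block the MAPs behind a RAP. The interface names, descriptions and VLAN numbers are made up for the example; the host-mode semantics (single-host and multi-domain admit one data-domain endpoint, multi-host and multi-auth admit several, single-host being the default when no host-mode is configured) are the standard IOS-XE access-session behaviour.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (not from the thread): the first interface
# carries the misconfiguration described in the solution, the second the fix,
# the third is a trunk without NAC and should be ignored by the audit.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/10
 description Mesh RAP uplink (broken: multi-domain)
 switchport mode access
 switchport access vlan 100
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/11
 description Mesh RAP uplink (fixed: multi-auth)
 switchport mode access
 switchport access vlan 100
 access-session host-mode multi-auth
 access-session port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/12
 description Uplink to core, no NAC
 switchport mode trunk
!
"""

# How many authenticated data-domain endpoints each access-session host mode admits.
# A RAP plus the MAPs behind it all authenticate (via MAB) through the RAP's port,
# so that port needs a mode that admits more than one data-domain MAC.
DATA_HOSTS_ALLOWED = {
    "single-host": 1,
    "multi-domain": 1,      # exactly one data device plus one voice device
    "multi-host": "many",   # first host authenticates, the others ride along
    "multi-auth": "many",   # every host is authenticated individually
}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style running-config into {interface name: [stripped config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the interface block
    return interfaces


def host_mode(lines: List[str]) -> str:
    """Return the configured access-session host-mode, or the IOS-XE default (single-host)."""
    for line in lines:
        m = re.match(r"access-session host-mode (\S+)", line)
        if m:
            return m.group(1)
    return "single-host"


def uses_nac(lines: List[str]) -> bool:
    """True if the port runs MAB or is a dot1x authenticator."""
    return any(l == "mab" or l.startswith("dot1x pae authenticator") for l in lines)


def audit_mesh_uplink_ports(config: str) -> Dict[str, str]:
    """
    Return {interface: verdict} for every NAC-enabled port.
    'ok' means the host mode admits several data-domain MACs (RAP plus MAPs);
    otherwise the verdict names the limiting host mode.
    """
    verdicts: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if not uses_nac(lines):
            continue
        mode = host_mode(lines)
        if DATA_HOSTS_ALLOWED.get(mode) == "many":
            verdicts[name] = "ok"
        else:
            verdicts[name] = f"limited: host-mode {mode} admits only one data-domain MAC"
    return verdicts


if __name__ == "__main__":
    for intf, verdict in audit_mesh_uplink_ports(SAMPLE_RUNNING_CONFIG).items():
        print(f"{intf}: {verdict}")
```

Feed it the output of `show running-config` from the access switch to get a list of NAC-enabled ports; any port with a RAP behind it that is reported as "limited" is a candidate for the fix described above, and the trade-off between multi-host (only the first MAC is authenticated) and multi-auth (each MAC, RAP and MAP alike, is authenticated via MAB) is the usual one between convenience and per-device enforcement.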
06-14-2023 06:52 AM
Have you configured it as per the example at the end of https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215100-join-mesh-aps-to-catalyst-9800-wireless.html
The Authentication and Authorization methods are configured under the mesh profile and then the mesh profile is configured in the AP join profile.
That error though suggests you might be referencing authz_list that doesn't exist - check your config carefully and using https://cway.cisco.com/wireless-config-analyzer/ with the output of "show tech wireless"
06-16-2023 02:36 AM
Thanks for the response.
I have the APs configured like in the example. An authorization method under "AAA method list" is configured as well. The selected authorization profile exists and is configured as in the example. It is also selected in the mesh profile.
The config analyzer has not found a mesh config error.
I find it confusing that the AP is able to find the configured authentication profile but fails to find the selected authorization profile, because both are selected in the mesh profile:
The Mesh Profile is applied to the AP by a site-tag.
06-16-2023 07:29 AM
I checked the configuration multiple times against the tutorial you sent me in your first post. It seems correctly configured to me. So I will try upgrading the WLC to a newer version.
06-19-2023 02:19 PM
Did you fix the problem?
06-19-2023 10:41 PM
Not yet. But I will upgrade the WLC. Possibly that will solve the issue. I will post my solution here once I have found it. Do you have the same weird behavior?
06-20-2023 03:53 AM
Yes, same problem and same AP model but I have EWC here running version 17.9.3
Today I will try version 17.6.4
06-20-2023 04:33 AM - edited 06-20-2023 04:33 AM
@LC.IT If you intend to downgrade to 17.6 then use 17.6.5 - not 17.6.4!
Always refer to current TAC recommended list (below). Note that TAC are currently saying:
Cisco recommends 17.9.3 CCO image for all deployments.
06-21-2023 07:20 PM
Here it just works running 17.9.3 with PSK authentication. EAP is failing on 17.6.4 and 17.9.3.
06-30-2023 02:21 AM
I came here from a link on Reddit. We had a similar issue on 17.6.X. TAC found the issue, which was that we had the Mesh Bridge Group Name set, which was causing the MAP to not auth using EAP. We removed the Bridge Group Name and rebooted the MAP and it connected.