Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1986
Views
20
Helpful
8
Replies

Mobile Devices not connecting on Mac Filtered SSID (Cisco WLC 2504

Go to solution
mbista
Level 1
Level 1

‎01-28-2021 06:50 PM - edited ‎07-05-2021 01:07 PM

Hi I am having a problem connecting my mobile devices (iPad, phone, and tablet) to macfiltered wireless networks. It keeps saying "unable to join" error on phone. However, it connects fine on laptops, after adding the mac address. 

The issue is only with the Macfiltered SSID's. 

Any help would be greatly appreciated. Thank You!!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP
In response to Scott Fella

‎02-01-2021 04:02 AM

Adding to what Scott said - the fact that you're only seeing this with Apple devices suggests you may have missed the news about Apple implementing Private MAC addresses.  There's a neat summary on the Meraki site but same applies to all wireless networks:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC_Address_Randomization

Key point: "This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID."

*BUT* warning which likely applies for next major iOS release in 2021: "Apple has, however, stated the possibility of implementing rotation of MAC addresses within a single SSID in the future."

So in future the device MAC address could change every day.  You must plan to use a different method of authentication like 802.1x (passpoint) - not MAC address (which was never secure anyway because it is very easy to spoof MAC addresses).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

8 Replies 8

Go to solution
MHM Cisco World
VIP
VIP

‎01-28-2021 07:25 PM

are you add Mac address manually in WLC ?

0 Helpful

Go to solution
mbista
Level 1
Level 1

‎01-28-2021 07:57 PM

Yes.

0 Helpful

Go to solution
TJ-20933766
Spotlight
Spotlight

‎01-28-2021 09:20 PM - edited ‎01-28-2021 09:21 PM

Use the command debug client <MACADDRESS> on the WLC's command line. This will enable 8 different debugs that show the most important details on client association and authentication but filter the output to only the specified MAC address of the phone. Can you please run this debug, attempt to connect with one of the trouble devices, and then post the output? There may be quite a lot so saving it to a text file and then uploading the file in your reply would likely be preferable.

0 Helpful

Go to solution
mbista
Level 1
Level 1
In response to TJ-20933766

‎01-28-2021 10:11 PM

Hi, Tyson Thanks for your reply.

Here is the output of the command:

(Cisco Controller) >debug client XX:xx:xx:xx:xx:xx

 

(Cisco Controller) >*Dot1x_NW_MsgTask_7: Jan 29 11:37:33.941: PemLocationConfigured [1]Adding VSA with NAS update and Role[1] with state[0]

*apfReceiveTask: Jan 29 11:49:07.685: Successful update of client idle timeout state. Payload size =8 clientIdleTimeout = 1

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to mbista

‎01-29-2021 12:34 PM

Are you use this MacFilter for Guest WLAN ?

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎01-29-2021 12:09 PM

Double check the mac address and see if randomized mac address is enabled on these devices.  You would have to add the private mac address to the filter along with the base radio mac address in case they disable that feature.

-Scott
*** Please rate helpful posts ***

Go to solution
Rich R
VIP
VIP
In response to Scott Fella

‎02-01-2021 04:02 AM

Adding to what Scott said - the fact that you're only seeing this with Apple devices suggests you may have missed the news about Apple implementing Private MAC addresses.  There's a neat summary on the Meraki site but same applies to all wireless networks:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC_Address_Randomization

Key point: "This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID."

*BUT* warning which likely applies for next major iOS release in 2021: "Apple has, however, stated the possibility of implementing rotation of MAC addresses within a single SSID in the future."

So in future the device MAC address could change every day.  You must plan to use a different method of authentication like 802.1x (passpoint) - not MAC address (which was never secure anyway because it is very easy to spoof MAC addresses).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Go to solution
MHM Cisco World
VIP
VIP

‎02-01-2021 06:36 AM

is your wlc code is 8.3 ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card