01-06-2020 01:23 PM - edited 07-05-2021 11:30 AM
I have an issue with Mobility Express and Apple iPhones and iPads not staying connected. The older iPad will disconnect as soon as you hit the on/off button; the new iPad Pro would only connect once and will not connect again. I had to put up a 1242 in autonomous mode to handle the iPads for now and they have no issues on it. The two iPhones will just randomly disconnect and not reconnect until used. None of the 5 Android devices, four laptops, and one desktop have this issue at all. I have two APs: one is a 1815i (the controller for now) and the other is a 1832i. I started with version 8.5.x and upgraded to 8.10.x and the issue is still there. When I check the Best Practices, it shows that for my Apple WLAN the following items have a red x:
‘Over the DS has to be disabled’
‘WMM Policy should to be required’ (yes, that’s exactly what it says; someone needs to grammar check this stuff!).
All the other items have a green check. The problem is I cannot find any setting in the GUI, or docs that point to the GUI or CLI ways of configuring these settings. The Cisco Mobility Express Best Practices Guide is proving to be useless. I am at a loss since I am a UC guy and have not worked on wireless in years. Almost ready to move back to all autonomous APs, buy a 2504, or put up a Google mesh for the Apple devices. Any ideas or pointers to documents that show how to set DS and WMM settings?
01-06-2020 01:59 PM
01-06-2020 02:17 PM
It's running 8.10.105.0, was on 8.5 to start with.
I have no idea where to disable Fast Transition.
802.11k, v, and r were not disabled. I changed that now and users are already reporting that their iPhones connected and then 5 minutes later disconnected and will not reconnect.
01-06-2020 02:20 PM
Also the best practices has a lot more red x's for that WLAN.
01-06-2020 03:57 PM
I will take the "Best Practice" dashboard with a hint of salt, in the wireless world we like to start the sentence "It depends".
Leo's question is directed at possible issues your iOS devices may have with Fast Transitioning (FT or 802.11r), BSS Transition (802.11v) and Assisted Roaming (802.11k).
If you want to understand these features in greater detail, Cisco explains them in the Enterprise Mobility 8.5 Design Guide.
To check if the features are enabled or disabled, you can go via the CLI and run the following commands:
show wlan summary <== This will confirm the WLAN ID of the SSID in question
show wlan <WLAN ID> <== This will give you a detailed view of all the features enabled and disabled on your SSID.
The 802.11k,v,r will normally be near the bottom of the output. The general rule is to disable 802.11v, as for 802.11k,r you may want to disable or enable depending on your current situation. If you only have one AP, well then you might as well just disable all roaming features. It all depends...
01-07-2020 08:32 AM
First, thank you to everyone for the help.
Things look a little better today. With 802.11r/v/k off, the iPhone users connected this morning and are staying connected and able to move from the 1st floor to the 2nd without issue. Seems the older iPad 4 is working well too. The iPad Pro, however, will not even connect at all.
I have tried an open SSID when I set the system up and the iPhones and older iPad had the same issues; we did not have the iPad Pro at the time. However, I cannot even think about doing that again since the people next door jumped right on it. Maybe I can try the open SSID with MAC filtering for the iPad Pro. Like I said, I am a Unified Communications guy who has not touched wireless in 15 years and never needed more than one AP in the house, so I will have to read the docs and do a lot of learning to get up to speed on this stuff. Maybe even have to add wireless to my lab setup.
Would a 2504 be a better idea than using Mobility Express, since for this new house I will need to add at least two more APs?
The system was set up with 8.5.151 two months ago, which had all the same issues, and only upgraded to 8.10.105 a few days ago.
Here is the output of the show WLAN command (no, I did not pick the SSID, my wife did):
WLAN Identifier.................................. 5
Profile Name..................................... AppleSucks
Network Name (SSID).............................. AppleSucks
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 180 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Sleep Client Auto Auth Feature................... Enabled
Web Auth Captive Bypass Mode..................... Disabled
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Scope Name.................................. none
Central NAT...................................... Disabled
Central NAT Peer-Peer Blocking................... Disabled
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
EoGRE Override VLAN state........................ disable
EoGRE Override VLAN ID........................... 0
Quality of Service............................... Platinum
Per-BSSID Rate Limits............................ Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-WLAN Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Global Servers
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Authorization ACA............................. Disabled
Accounting ACA................................ Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Enabled (Profile 'gbl_eap_profile')
Radius NAI-Realm................................. Disabled
Radius Authentication caching.................... Disabled
Mu-Mimo.......................................... Enabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Enabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2/WPA3)........ Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
WPA3 (RSN IE).............................. Disabled
WPA2/WPA3 Encryption Ciphers
TKIP Cipher............................. Disabled
CCMP128/AES Cipher...................... Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
802.1x-SHA2............................. Disabled
PSK..................................... Disabled
PSK-SHA2................................ Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Enabled
FT-PSK(802.11r)......................... Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
OWE..................................... Disabled
SAE..................................... Disabled
OWE Transition Mode........................ Disabled
OWE Transition Mode WLAN id................ 0
Auto Key PSK .............................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Flexconnect Post-Auth IPv4 ACL................ Unconfigured
Flexconnect Post-Auth IPv6 ACL................ Unconfigured
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
Flex Avc Profile Name............................ AppleSucks
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
OpenDns Wlan Dhcp Option 6....................... enable
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Disabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
802.11v BSS Transition Neigh List Dual Band...... Disabled
DMS DB is empty
Band Select...................................... Enabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled
Fast Receive..................................... Disabled
11ax Downlink MU-MIMO............................ Enabled
11ax Uplink MU-MIMO.............................. Enabled
11ax Downlink OFDMA.............................. Enabled
11ax Uplink OFDMA................................ Enabled
Wifi Alliance Multiband Operation................ Disabled
11ax Target Wake Time............................ Enabled
Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
QoS Fastlane Status.............................. Enabled
Selective Reanchoring Status..................... Disable
Lobby Admin Access............................... Disabled
Fabric Status
--------------
Fabric status.................................... Disable
Vnid Name........................................
Vnid............................................. 0
Applied SGT Tag.................................. 0
Peer Ip Address.................................. 0.0.0.0
Flex Acl Name....................................
Flex IPv6 Acl Name...............................
Flex Avc Policy Name.............................
U3-Interface................................... Disable
U3-Reporting Interval.......................... 30
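An added example, not part of the original posts and not Cisco code: a small Python check that parses `show wlan <WLAN ID>` output and lists the roaming and security settings this thread discusses. The expected values are assumptions taken from the Best Practices items and replies quoted in this thread, not a vendor baseline, and the names `parse_show_wlan` and `audit` are hypothetical.

```python
import re

# Constructed sample: an excerpt of the `show wlan 5` output posted above.
SAMPLE = """\
WMM.............................................. Allowed
   FT Support.................................... Enabled
      WPA2 (RSN IE).............................. Enabled
      WPA3 (RSN IE).............................. Disabled
         FT-1X(802.11r).......................... Enabled
      FT Over-The-DS mode........................ Enabled
802.11k Neighbor List............................ Disabled
802.11v BSS Transition Service................... Enabled
"""

# "Key....... Value": a key, a run of two or more leader dots, then the value.
LINE = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")

# (setting, value asked for in this thread, where the thread says so)
EXPECTED = [
    ("FT Over-The-DS mode", "Disabled", "Best Practices: Over the DS disabled"),
    ("WMM", "Required", "Best Practices: WMM policy required"),
    ("802.11v BSS Transition Service", "Disabled", "reply: disable 802.11v"),
    ("WPA3 (RSN IE)", "Disabled", "reply: WPA2 only as bug workaround"),
]
# Settings the replies call situational: reported, never flagged.
SITUATIONAL = ["FT Support", "FT-1X(802.11r)", "802.11k Neighbor List"]

def parse_show_wlan(text):
    """Return {setting: value}; repeated keys (e.g. DHCP) keep the last value."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group("key")] = m.group("value")
    return settings

def audit(settings):
    """Return (findings, info): deviations from EXPECTED, and situational values."""
    findings = []
    for key, want, why in EXPECTED:
        got = settings.get(key)
        if got is None:
            findings.append((key, "missing from output", why))
        elif got.lower() != want.lower():
            findings.append((key, got, why))
    info = {k: settings.get(k, "missing from output") for k in SITUATIONAL}
    return findings, info

if __name__ == "__main__":
    findings, info = audit(parse_show_wlan(SAMPLE))
    for key, got, why in findings:
        print(f"REVIEW {key}: {got} ({why})")
    for key, value in info.items():
        print(f"INFO   {key}: {value}")
```

Run against a full capture, it makes it easy to confirm whether a change made in the GUI actually shows up in the controller's running WLAN configuration.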
01-07-2020 01:38 PM
@99daviss-Pella wrote:
Would a 2504 be a better idea than using Mobility Express
WLC 2504 is a bad idea because this model is already end-of-sale and will be end-of-support. The last firmware to support WLC 2504 is 8.5.160.0 and there will be no more firmware releases after 8.5.160.0.
With ME, there is still a chance to upgrade to 8.10.X.X (multiple firmware releases).
If you are looking for a controller, don't look at the 3504 either because the last firmware release is 8.10.X.X and will not be supported with 16.X.X or 17.X.X firmware. Look for a controller that will support 16.X.X or 17.X.X.
01-09-2020 07:56 AM
01-06-2020 03:06 PM - edited 01-06-2020 03:06 PM
@99daviss-Pella wrote:
I changed that now and users are already reporting that their iPhones connected and then 5 minutes later disconnect and will not reconnect
Create an OPEN SSID and see if this makes any difference.
I would recommend downgrading and using the latest 8.5.X.X.
09-12-2021 01:55 AM
Hello
I think disabling 802.11k, v & r is not recommended.
I found another solution.
On iPhones, you need to do a network reset and watch what happens.
You will find your phone will stay connected without reconnecting after minutes.
Thank you
04-01-2022 03:07 AM
It is a bug; I had the same problem. Switch off the WPA3 option in WLAN security in ME and use WPA2 only.
Symptom: An Apple client (iPhone, Mac) cannot associate to a WPA3-enabled (WPA3 or WPA2+WPA3) PSK SSID after an upgrade to 8.10.151.0.
Conditions: Seen with FlexConnect or Mobility Express APs (any model), with WPA3 or WPA2+WPA3 PSK WLAN configured for central auth. Clients are iPhones running 14.4.2 or macOS 11.2.3. Other WPA3 clients are able to connect.
Workaround: Use only WPA2, not WPA3 on the WLAN. Or configure FlexConnect local auth rather than central auth on the WLAN (config wlan flexconnect ap-auth /n/ enable)
Further Problem Description: Although this bug was fixed in 8.10.142.0 and 17.3.2, the fix went missing in 8.10.151.0 and 17.3.3. The fix will reappear in 8.10MR6 and 17.3.4.