Solved: Only MacBooks got disassociated from the Wi-Fi

UnderSeige43 · ‎02-03-2023

Hi,

I have a strange behaviour after merging AIR-AP2802I-E-K9 access points from physical 2500 WLC to Cisco vWLC v8.10.171.0.

Immediately after the merging, only Windows operated laptops could join the network by using their enterprise WPA2 credentials. MacBook users connect well at the start, but after entering their credentials and trusting the certificate, they disconnect from the Wi-Fi and the status shows "Authorizing". We still have access points associated with the physical 2500 WLC at other buildings but the Mac users didn't report any problems with this. Also, some Mac users reported that the certification got accepted in the first connection try, but, after a while, both the credentials and certification trust pop up every 1 minute when they try to join the network. Another strange behaviour this time on the vWLC: users are assigned with IPv6 randomly for both Windows and Mac users and even for their mobile devices. And I made sure that no IPv6 settings were enabled on the WLAN or the Global Settings.

iPhones and iPads are associated normally and remain associated without any problems.

Is there are any sittings, I need to check or change in the vWLC beyond the encryption or the 802.1x regarding authorization for MacBook or Apple devices.

I tried all the traditional workarounds to solve this problem. After searching all around, I found that this might be a bug in this vWLC version and the only 2 suggestions are to either using MDM to manage the iOS devices and push the certificates or using Wildcard Certificates. But I am hoping that someone had this issue before and found its cause without using these suggestions.

The following errors were found in the syslog server while this was happening:

*apfReceiveTask: %LOG-4-Q_IND: apf_80211k.c:825 Could not process 802.11 Action. Received RM 11K Action frame through incorrect AP from mobile station. Mobile:AE:66:7E:E5:9A:81.

*aaaQueueReader: %AAA-4-RADSERVER_NOT_FOUND: radius_db.c:3783 Could not find appropriate RADIUS server for WLAN 0 - no mgmt servers configured

vWLC WLAN SSID settings:

Layer 2 Security WPA2+WPA3
Layer 3 Security None
Authentication Servers use Port 1812
Encryption is CCMP128(AES)
Authentication Key Management 802.1X-SHA1

Thank you in advanced.

marce1000 · ‎02-03-2023

- Have a go with https://software.cisco.com/download/home/284464214/type/280926587/release/8.10.183.0 , also check the controller configuration with show run-config commands, and have the output analyzed with https://cway.cisco.com/wireless-config-analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

marce1000 · ‎02-03-2023

- Have a go with https://software.cisco.com/download/home/284464214/type/280926587/release/8.10.183.0 , also check the controller configuration with show run-config commands, and have the output analyzed with https://cway.cisco.com/wireless-config-analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

UnderSeige43 · ‎02-05-2023

Thank you @marce1000 ill upgrade and hopefully it will got solved.

marce1000 · ‎02-05-2023

>.... ill upgrade and hopefully it will got solved.
Good plan, as the 9800 platform becomes more common the older aireos releases are getting depreciated ,

M..

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎02-04-2023

Like @marce1000 says make sure your software is up to date to eliminate known bugs which have been fixed already!

Compare the config on your old WLC to the new one. There will be some expected differences for the different versions but there might be something specific you tuned on the old one that you've missed on the new one.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

UnderSeige43 · ‎02-05-2023

Thank you @Rich R , its definitely a certificate bug that could be solved in the new version. Ill upgrade and let you know if this solve the problem.

Rich R · ‎02-05-2023

And if you still have problems then start changing or disabling newer features that are only there in 8.10 which can sometimes cause problems for buggy clients. See also:
https://bst.cisco.com/bugsearch/bug/CSCwb04138
https://bst.cisco.com/bugsearch/bug/CSCvu24770

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

UnderSeige43 · ‎02-23-2023

Thank you very much for your suggestions, ive managed to solve the problem by upgrading to 18.10.183 version, plus enabling some setting found in the iOS best practices.

Best regards,

Thank you again.

Rich R · ‎02-23-2023

It would be useful for others to know which settings you found were causing problems - what they were set to and what you changed them to.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390