phones cannot connect to WLC 9800 and AP 9100

Hi,
We are testing the new WLAN environment of WLC 9800 and 3 APs 91xx, but
two smartphones (One+ 8, Sony XZ2) cannot connect to the WiFi, while this works with 2700s APs.
- there are no requests seen on the RADIUS server (no request from the phone arrives at the RADIUS server)
- works well if tried with other devices - laptops and phones from Samsung, Apple, Dell
- the same scenario works well if the client connects to the open/free test WiFi
- tried turning 11ax off/on - no go

Debug:
Client is 4c4f.eedc.3d5a
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#anc12

2021/09/02 08:41:25.413827 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a Re-Association received. BSSID ccdb.93f0.e66e, old BSSID 64f6.9d10.d23e, WLAN wlan_eduroam, Slot 1 AP ccdb.93f0.e660, ap-hrz-f223
2021/09/02 08:41:25.413986 {wncd_x_R0-0}{1}: [sanet-shim-miscellaneous] [17738]: (ERR): MAC: 4c4f.eedc.3d5a get_fabric_sgt_tag_value: Fabric mode is not enabled
2021/09/02 08:41:25.414332 {wncd_x_R0-0}{1}: [dot11-validate] [17738]: (ERR): MAC: 4c4f.eedc.3d5a Failed to Dot11 validate dot11i pmkids. No matching pmkid for the pmk available in cache
2021/09/02 08:41:25.414575 {wncd_x_R0-0}{1}: [dot11] [17738]: (note): MAC: 4c4f.eedc.3d5a Association success. AID 2, Roaming = True, WGB = False, 11r = False, 11w = False
2021/09/02 08:41:25.415106 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a DELETE mobile sent to BSSID 64f6.9d10.d23e
2021/09/02 08:41:25.415180 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2021/09/02 08:41:25.415889 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: ccdb.93f0.e66e capwap IFID: 0x9000000a
2021/09/02 08:41:25.434716 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a L2 Authentication initiated. method DOT1X, Policy VLAN 0,AAA override = 1 , NAC = 0
2021/09/02 08:41:25.434729 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17738]: (ERR): 4c4f.eedc.3d5a wlan_profile Not Found : Device information attributes not populated
2021/09/02 08:41:25.538688 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a L2 Authentication Key Exchange Start. Resolved VLAN: 912, Audit Session id: 15AF16AC00000A4CA5701487
2021/09/02 08:41:25.548106 {wncd_x_R0-0}{1}: [client-keymgmt] [17738]: (note): MAC: 4c4f.eedc.3d5a EAP Key management successful. AKM:DOT1X Cipher:CCMP WPA Version: WPA2
2021/09/02 08:41:25.548317 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a Mobility discovery triggered. Client mode: Local
2021/09/02 08:41:25.548321 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2021/09/02 08:41:25.548355 {wncd_x_R0-0}{1}: [mm-client] [17738]: (note): MAC: 4c4f.eedc.3d5a Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: 64f6.9d10.d23e Client IFID: 0xa000000a, Client Role: Local PoA: 0x9000000a PoP: 0x0
2021/09/02 08:41:25.548514 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a ADD MOBILE sent. Client state flags: 0x76 BSSID: MAC: ccdb.93f0.e66e capwap IFID: 0x9000000a
2021/09/02 08:41:25.548660 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS
2021/09/02 08:41:25.548824 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2021/09/02 08:41:25.549077 {wncd_x_R0-0}{1}: [sanet-shim-miscellaneous] [17738]: (ERR): MAC: 4c4f.eedc.3d5a get_fabric_sgt_tag_value: Fabric mode is not enabled
2021/09/02 08:41:25.549266 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN
2021/09/02 08:42:10.991198 {wstatsd_R0-0}{1}: [avc-stats] [17075]: (debug): Received stats record for app 'unknown'(app-id: 0xd000001), client MAC: 4c4f.eedc.3d5a , SSID 'eduroam', direction egress (1), WLAN ID <not provided>, #bytes 520, #packets 10

What could be the cause of this?

Regards

Boris

1 ACCEPTED SOLUTION

Arshadsaf
Collaborator

Just a quick update; please refer to the symptoms for this bug as well.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu24770/?rfs=iqvred

Another symptom: when you do an OTA pcap, you will see the probe request and response but no association request.

______________
Arshad Safrulla


9 REPLIES 9
Tony Rosolek
Beginner

Hello Boris,

the debug you pasted shows a successful connection. Client ends in "RUN" state, which is good.

What version is running on your WLC? Are your 2700 APs connected to the same 9800 WLC, and do they use the same SSID and configuration as the 9100 APs?

Can you paste the log of a failed connection? What's the error message on the phones?

||| Please rate helpful posts. Thanks! |||
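
As an added example (not part of the original posts and not Cisco tooling), the Python sketch below parses the trace format posted above and reports the client state path, whether key management succeeded, and any ERR lines, so a successful attempt like this one can be told apart from a failed one. The function name `summarize` and the returned field names are assumptions; the sample lines are copied from the trace in this thread.

```python
import re

# Subset of the trace lines posted in this thread (client 4c4f.eedc.3d5a).
TRACE = """\
2021/09/02 08:41:25.414332 {wncd_x_R0-0}{1}: [dot11-validate] [17738]: (ERR): MAC: 4c4f.eedc.3d5a Failed to Dot11 validate dot11i pmkids. No matching pmkid for the pmk available in cache
2021/09/02 08:41:25.415180 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2021/09/02 08:41:25.548106 {wncd_x_R0-0}{1}: [client-keymgmt] [17738]: (note): MAC: 4c4f.eedc.3d5a EAP Key management successful. AKM:DOT1X Cipher:CCMP WPA Version: WPA2
2021/09/02 08:41:25.548321 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2021/09/02 08:41:25.548660 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS
2021/09/02 08:41:25.548824 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2021/09/02 08:41:25.549266 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN
"""

# timestamp {process}{n}: [module] [pid]: (level): message
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \{(?P<proc>[^}]+)\}\{\d+\}: "
    r"\[(?P<module>[^\]]+)\] \[\d+\]: \((?P<level>\w+)\): (?P<msg>.*)$")
TRANSITION = re.compile(r"Client state transition: (\S+) -> (\S+)")

def summarize(trace, mac):
    """Return the state path, key-management result and ERR lines for one client."""
    path, errors, key_mgmt_ok = [], [], False
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m or mac not in m["msg"]:
            continue  # not a trace line, or a different client
        msg = m["msg"]
        t = TRANSITION.search(msg)
        if t:
            if not path:
                path.append(t[1])  # state the client started from
            path.append(t[2])
        elif m["level"] == "ERR":
            # Not every ERR line carries the "MAC:" prefix, so split on the MAC itself.
            errors.append((m["module"], msg.split(mac, 1)[1].strip()))
        elif "Key management successful" in msg:
            key_mgmt_ok = True
    return {"path": path, "final_state": path[-1] if path else None,
            "key_mgmt_ok": key_mgmt_ok, "errors": errors}

if __name__ == "__main__":
    result = summarize(TRACE, "4c4f.eedc.3d5a")
    print(" -> ".join(result["path"]))
    print("key management ok:", result["key_mgmt_ok"], "| errors:", result["errors"])
```
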

Hi Tony,

Version 17.03.04; WLAN SSID is visible
- WLAN forget.delete.reboot has been tried many times
- Authentication runs over RADIUS;

- config of 2700 and 9100 are identical

- on the client we see IP cannot be found etc.

log of unsuccessful try:

Regards

Borislav

Try to disable 802.11r (Fast Transition) if enabled. In my testing, even on Adaptive, it seems to be broken with at least Android 10 devices (they can't connect). I tested this on WLC 8.10.158.90 though. 

it was already disabled;

will check Android ver and if other phones that can connect are on different ver.

thanks!

 

Also this client states that it is in RUN state so it successfully connected to the network. Next step would be DHCP. Does it get an IP address in VLAN903?

||| Please rate helpful posts. Thanks! |||

on the phone we have "IP request" so it does not get IP probably.

Arshadsaf
Collaborator

Are the tags the same across all the APs?

Also, are the devices running Android 11? If yes, Android 11 QPR1 clients (December 2020 security update) will not be able to connect to any 802.1x authenticated wireless network that uses a self-signed certificate, a private certificate authority (CA) or a public certificate authority (CA) that is not pre-loaded within the Android 11 OS certificate trust store. The "Do Not Validate" certificate option traditionally used to bypass full certificate validation has been removed.

Possible resolutions:

The RADIUS certificate used by the 802.1x wireless controller or access point must either be a certificate signed by a trusted public root certificate authority and configured to supply clients with the full certificate chain (root -> intermediate(s) -> server), or, in the case of a self-signed certificate or private CA, the root and any intermediate certificates must be pre-loaded on the device's trust store prior to connection.

______________
Arshad Safrulla

Update: "Fast Transition" was adaptive enable; when switched to disable or enable

- we got one of the two phones connected;

Android ver. 10

The issue does not persist on 2700 APs connected to the same 9800 WLC controller and the same SSID, but with the 91k APs the phones cannot connect.

Regards

Boris

 

