09-14-2021 04:28 AM
Hi,
we are testing the new WLAN environment of WLC 9800 and 3 APs 91xx, but two smartphones (One+ 8, Sony XZ2) cannot connect to the WiFi, while this works with 2700 APs
- there are no requests seen on the Radius (there is no request from phone coming on the Radius server)
- works well if tried with other devices - laptops and phones Samsung, Apple, Dell
- same scenario works well if client is connecting to open/free test WiFi
- tried to off/on 11ax - no go
Debug: Client is 4c4f.eedc.3d5a https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#anc12
2021/09/02 08:41:25.413827 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a Re-Association received. BSSID ccdb.93f0.e66e, old BSSID 64f6.9d10.d23e, WLAN wlan_eduroam, Slot 1 AP ccdb.93f0.e660, ap-hrz-f223
2021/09/02 08:41:25.413986 {wncd_x_R0-0}{1}: [sanet-shim-miscellaneous] [17738]: (ERR): MAC: 4c4f.eedc.3d5a get_fabric_sgt_tag_value: Fabric mode is not enabled
2021/09/02 08:41:25.414332 {wncd_x_R0-0}{1}: [dot11-validate] [17738]: (ERR): MAC: 4c4f.eedc.3d5a Failed to Dot11 validate dot11i pmkids. No matching pmkid for the pmk available in cache
2021/09/02 08:41:25.414575 {wncd_x_R0-0}{1}: [dot11] [17738]: (note): MAC: 4c4f.eedc.3d5a Association success. AID 2, Roaming = True, WGB = False, 11r = False, 11w = False
2021/09/02 08:41:25.415106 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a DELETE mobile sent to BSSID 64f6.9d10.d23e
2021/09/02 08:41:25.415180 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2021/09/02 08:41:25.415889 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: ccdb.93f0.e66e capwap IFID: 0x9000000a
2021/09/02 08:41:25.434716 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a L2 Authentication initiated. method DOT1X, Policy VLAN 0,AAA override = 1 , NAC = 0
2021/09/02 08:41:25.434729 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17738]: (ERR): 4c4f.eedc.3d5a wlan_profile Not Found : Device information attributes not populated
2021/09/02 08:41:25.538688 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a L2 Authentication Key Exchange Start. Resolved VLAN: 912, Audit Session id: 15AF16AC00000A4CA5701487
2021/09/02 08:41:25.548106 {wncd_x_R0-0}{1}: [client-keymgmt] [17738]: (note): MAC: 4c4f.eedc.3d5a EAP Key management successful. AKM:DOT1X Cipher:CCMP WPA Version: WPA2
2021/09/02 08:41:25.548317 {wncd_x_R0-0}{1}: [client-orch-sm] [17738]: (note): MAC: 4c4f.eedc.3d5a Mobility discovery triggered. Client mode: Local
2021/09/02 08:41:25.548321 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2021/09/02 08:41:25.548355 {wncd_x_R0-0}{1}: [mm-client] [17738]: (note): MAC: 4c4f.eedc.3d5a Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: 64f6.9d10.d23e Client IFID: 0xa000000a, Client Role: Local PoA: 0x9000000a PoP: 0x0
2021/09/02 08:41:25.548514 {wncd_x_R0-0}{1}: [client-auth] [17738]: (note): MAC: 4c4f.eedc.3d5a ADD MOBILE sent. Client state flags: 0x76 BSSID: MAC: ccdb.93f0.e66e capwap IFID: 0x9000000a
2021/09/02 08:41:25.548660 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS
2021/09/02 08:41:25.548824 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2021/09/02 08:41:25.549077 {wncd_x_R0-0}{1}: [sanet-shim-miscellaneous] [17738]: (ERR): MAC: 4c4f.eedc.3d5a get_fabric_sgt_tag_value: Fabric mode is not enabled
2021/09/02 08:41:25.549266 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN
2021/09/02 08:42:10.991198 {wstatsd_R0-0}{1}: [avc-stats] [17075]: (debug): Received stats record for app 'unknown'(app-id: 0xd000001), client MAC: 4c4f.eedc.3d5a , SSID 'eduroam', direction egress (1), WLAN ID <not provided>, #bytes 520, #packets 10
What could be the cause of this?
Regards
Boris
09-21-2021 03:16 PM
Just a quick update; please refer to the symptoms for this bug as well.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu24770/?rfs=iqvred
Another symptom: when you do an OTA pcap, you will see the probe request and response but no association request.
09-14-2021 04:53 AM
Hello Boris,
the debug you pasted shows a successful connection. Client ends in "RUN" state, which is good.
What version is running on your WLC? Are your 2700 APs connected to the same 9800 WLC, and do they use the same SSID and configuration as the 9100 APs?
Can you paste the log of a failed connection? What's the error message on the phones?
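Reading the pasted trace the way the reply above does, as an added example (not part of the original posts and not Cisco tooling): a small Python parser that splits a run-together 9800 debug trace into records and reports the client's state path, key-management result and ERR lines. The record layout is inferred from the lines in the first post, and the names `parse_trace` and `summarize` are hypothetical.

```python
import re

# One trace record: timestamp {process}{n}: [module] [pid]: (level): message
LINE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \{(?P<proc>[^}]+)\}\{\d+\}: "
    r"\[(?P<module>[^\]]+)\] \[\d+\]: \((?P<level>\w+)\): (?P<msg>.*)")
TRANSITION = re.compile(r"Client state transition: (\S+) -> (\S+)")
STAMP = re.compile(r"(?=\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+ \{)")

def parse_trace(text):
    """Split a trace (even one pasted as a single run-on line) into records."""
    chunks = STAMP.split(" ".join(text.split()))
    return [m.groupdict() for m in (LINE.match(c.strip()) for c in chunks) if m]

def summarize(records, mac):
    """Return the client's state path, final state, key-mgmt result and ERR lines."""
    mine = [r for r in records if mac in r["msg"]]
    path = []
    for r in mine:
        t = TRANSITION.search(r["msg"])
        if t:
            # The first transition also tells us the state the client started in.
            path += [t.group(2)] if path else [t.group(1), t.group(2)]
    return {
        "path": path,
        "final": path[-1] if path else None,
        "keys_ok": any("Key management successful" in r["msg"] for r in mine),
        "errors": [(r["module"], r["msg"]) for r in mine if r["level"] == "ERR"],
    }

# Excerpt of the trace from the first post, run together the way it was pasted.
SAMPLE = (
    "2021/09/02 08:41:25.414332 {wncd_x_R0-0}{1}: [dot11-validate] [17738]: (ERR): MAC: 4c4f.eedc.3d5a Failed to Dot11 validate dot11i pmkids. No matching pmkid for the pmk available in cache "
    "2021/09/02 08:41:25.415180 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS "
    "2021/09/02 08:41:25.548106 {wncd_x_R0-0}{1}: [client-keymgmt] [17738]: (note): MAC: 4c4f.eedc.3d5a EAP Key management successful. AKM:DOT1X Cipher:CCMP WPA Version: WPA2 "
    "2021/09/02 08:41:25.548321 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS "
    "2021/09/02 08:41:25.548660 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS "
    "2021/09/02 08:41:25.548824 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS "
    "2021/09/02 08:41:25.549266 {wncd_x_R0-0}{1}: [client-orch-state] [17738]: (note): MAC: 4c4f.eedc.3d5a Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_RUN "
)

if __name__ == "__main__":
    print(summarize(parse_trace(SAMPLE), "4c4f.eedc.3d5a"))
```

A path that ends before S_CO_RUN shows the stage at which the client stalled, which is what a trace of a failed attempt would need to show.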
09-14-2021 05:42 AM - edited 10-01-2021 04:36 AM
Hi Tony,
Version 17.03.04; WLAN SSID is visible
- WLAN forget.delete.reboot has been tried many times
- Authentication runs over RADIUS;
- config of 2700 and 9100 are identical
- on the client we see IP can not be found etc
log unsuccessful try:
Regards
Borislav
09-14-2021 07:39 AM
Try to disable 802.11r (Fast Transition) if enabled. In my testing, even on Adaptive, it seems to be broken with at least Android 10 devices (they can't connect). I tested this on WLC 8.10.158.90 though.
09-21-2021 04:19 AM - edited 09-21-2021 04:20 AM
it was already disabled;
will check Android ver and if other phones that can connect are on different ver.
thanks!
09-14-2021 08:39 AM
Also this client states that it is in RUN state so it successfully connected to the network. Next step would be DHCP. Does it get an IP address in VLAN903?
09-21-2021 04:18 AM
on the phone we have "IP request" so it does not get IP probably.
09-14-2021 08:52 AM
Are the tags the same across all the APs?
Also, are the devices running Android 11? If yes, Android 11 QPR1 clients (December 2020 security update) will not be able to connect to any 802.1x authenticated wireless network that uses a self-signed certificate, a private certificate authority (CA) or a public certificate authority (CA) that is not pre-loaded within the Android 11 OS certificate trust store. The "Do Not Validate" certificate option traditionally used to bypass full certificate validation has been removed.
Possible resolutions:
The RADIUS certificate used by the 802.1x wireless controller or access point must use either:
- A certificate signed by a trusted public root certificate authority and configured to supply clients with the full certificate chain (root -> intermediate(s) -> server), OR
- In the case of a self-signed or private CA, pre-load the root and any intermediate certificates on the device's trust store prior to connection.
09-22-2021 07:33 AM
update: "Fast Transition" was adaptive enable, when switched to disable or enable
- we got one of the two phones connected;
Android ver. 10
the issue does not persist on APs2700 connected to the same controller 9800 WLC and the same SSID but with the 91k APs the phones can not connect.
Regards
Boris