
PSK WLAN showing 802.1x Auth Failure

IlijaZhikovski
Level 1

Greetings everyone,

I really need help with an issue that appeared randomly out of nowhere. All of a sudden, clients trying to connect to a PSK WLAN show 802.1x authentication failures when trying to connect to this PSK WLAN and these clients go to excluded clients for this reason.

The log which I keep seeing for example is:

Client Excluded: MAC Address:28:cd:c4:71:b0:31, Base Radio MAC:0c:d5:d3:cd:fb:00, Slot:1, Username:Unknown, IP Address:Unknown, Reason:802.1x Authentication failed 3 times., ReasonCode:4

Virtual WLC version: 8.10.190.0

AP model: C9105AXI-E

Configuration of the PSK WLAN:

[Screenshots: IlijaZhikovski_1-1730900417611.png, IlijaZhikovski_2-1730900439787.png, IlijaZhikovski_3-1730900461227.png, IlijaZhikovski_4-1730900493470.png]

I'm in desperate need of some help after days of troubleshooting. I'm here to offer any information regarding the issue I'm facing.

 

Regards
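When many clients are being excluded, tallying the exclusion messages by client, by AP radio/slot and by reason shows whether the failures follow particular clients, particular APs, or the whole WLAN. The parser below is an added example, not part of the original post and not Cisco code; the field layout is taken from the log line quoted above, and every sample line after the first is constructed.

```python
import re
from collections import Counter

# Field layout copied from the "Client Excluded" message quoted in the post.
EXCLUDED_RE = re.compile(
    r"Client Excluded: MAC Address:(?P<client>[0-9a-f:]{17}), "
    r"Base Radio MAC:(?P<radio>[0-9a-f:]{17}), Slot:(?P<slot>\d+), "
    r"Username:(?P<user>[^,]*), IP Address:(?P<ip>[^,]*), "
    r"Reason:(?P<reason>.*?)\.?, ReasonCode:(?P<code>\d+)",
    re.IGNORECASE,
)

def parse_exclusion(line):
    """Return the fields of one exclusion message, or None if it is not one."""
    m = EXCLUDED_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["client"], ev["radio"] = ev["client"].lower(), ev["radio"].lower()
    ev["slot"], ev["code"] = int(ev["slot"]), int(ev["code"])
    return ev

def summarize(lines):
    """Count exclusions per client, per AP radio/slot and per reason."""
    by_client, by_radio, by_reason = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_exclusion(line)
        if ev is None:
            continue  # not an exclusion message
        by_client[ev["client"]] += 1
        by_radio[(ev["radio"], ev["slot"])] += 1
        by_reason[(ev["reason"], ev["code"])] += 1
    return {"client": by_client, "radio": by_radio, "reason": by_reason}

# First line is the one from the post; the others are constructed samples.
SAMPLE = [
    "Client Excluded: MAC Address:28:cd:c4:71:b0:31, Base Radio MAC:0c:d5:d3:cd:fb:00, Slot:1, Username:Unknown, IP Address:Unknown, Reason:802.1x Authentication failed 3 times., ReasonCode:4",
    "Client Excluded: MAC Address:02:00:00:00:00:01, Base Radio MAC:0c:d5:d3:cd:fb:00, Slot:1, Username:Unknown, IP Address:Unknown, Reason:802.1x Authentication failed 3 times., ReasonCode:4",
    "Client Excluded: MAC Address:28:cd:c4:71:b0:31, Base Radio MAC:02:00:00:00:aa:00, Slot:0, Username:Unknown, IP Address:Unknown, Reason:802.1x Authentication failed 3 times., ReasonCode:4",
    "constructed unrelated line that is not an exclusion message",
]

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE).items():
        print(name, counts.most_common())
```
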


marce1000
Hall of Fame

 

 - I would start by upgrading to https://software.cisco.com/download/home/284464214/type/280926587/release/8.10.196.0
   and check if that can help; that is important these days because AireOS solutions are EOL and the platforms should use the last release per model.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Share the following output

  • show wlan <Wlan Number>
  • show radius summary

Jagan Chowdam

/**Pls rate useful responses**/

IlijaZhikovski
Level 1

@marce1000 I'll plan for the following days to make an upgrade from 8.10.190.0 to 8.10.196.0. Hopefully these issues can be sorted out. Also, what are your recommendations about replacing this WLC to plan in the near future? I have around 200 APs, around 1000 to 1500 clients.

@jagan.chowdam Greetings Jagan, here are the following outputs which you requested, attached.

As you can see in the show_wlan.txt file, 802.1x is completely disabled, only PSK is enabled. Like I mentioned, for some unknown reason, I get 802.1x Auth Failures and clients being excluded for this WLAN.

Please if you have any suggestions about resolving this issue, or need any additional information, let me know.

Regards

 

 - @IlijaZhikovski wrote: Also, what are your recommendations about replacing this WLC to plan in the near future? I have around 200 APs, around 1000 to 1500 clients.

   You should certainly migrate to the 9800 platform; about choosing a model, check out https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/nb-06-cat9800-ser-wirel-faq-ctp-en.html
   Look at Table 2

   To maintain compatibility for access points, use https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

  M.




Rich R
VIP

Have you tried rebooting the APs?
What is the affected client?
If Windows with Intel driver, make sure the driver is updated to the latest version:
https://www.intel.com/content/www/us/en/download/19351/intel-wireless-wi-fi-drivers-for-windows-10-and-windows-11.html

And updating to the last version of code is essential to get all available bug fixes, as Marce highlighted.

Is this issue solved??

MHM

@IlijaZhikovski 

When dealing with weird and unknown issues, start by removing things you don't know why they are there. For example, you have WPA2+WPA3 enabled on the Layer2 Security but in Policy you are using only WPA2. Keep the config consistent; this avoids triggering more bugs than this device already has.

Disable Fast Transition unless you tested it and this is required for your environment.

Lastly, this log "Reason:802.1x Authentication failed 3 times" is not related to your problem. No way the WLC sends you an 802.1x fail in a PSK transaction.

It would be great to see "debug client <mac address>" from one client that connects to the mentioned SSID.

 

IlijaZhikovski
Level 1

@Rich R Hello Rich, yes, we rebooted the APs multiple times. The affected clients are Dell Laptops and Android/Apple devices.

We will try the last version of code, which is 8.10.196.0, and see if the issues will be fixed.

@MHM Cisco World Greetings, the issues aren't fixed still.

@Flavio Miranda If I choose WPA+WPA2, it's the same situation, since I'm using only WPA2. These are the options available on the WLC, there's no solely "WPA2" option:

[Screenshot: IlijaZhikovski_0-1731333247571.png]

Fast Transition is on Adaptive, but that's by default. I'll try to disable it.

I'll also try to debug a client in the following day.

Regards!

You can use WPA+WPA2. At least we know very well that WPA and WPA2 have been there for a long time and cause no issue. Can't say the same for WPA3.

I had issues with FT in the past and I prefer to keep it off.

Send the client debug please while testing. Let's see what we can get.

You use simple WPA PSK, so why does the log show 802.1x??
Can you check Monitor > Client?

See which SSID the client joins.

MHM

Have you tried setting the SSID Authentication to "OPEN/None" to see if clients connect without issues? If it's a production SSID, you could create a new SSID with the same settings but set L2 security to "None" for testing. 

Jagan Chowdam

 

 

 

Scott Fella
Hall of Fame

Create a new SSID that you can test with and just setup the WLAN very basic using WPA + WPA2.

[Screenshot: test-ssid.gif]

-Scott
*** Please rate helpful posts ***

IlijaZhikovski
Level 1

@Flavio Miranda I haven't set WPA2+WPA3 manually on any of my SSIDs. This must've been done by the WLC itself automatically when I upgraded it from 8.7.106.0 to 8.10.190.0. There's also another bug I have on the 8.10.190.0 version: I tried setting WPA+WPA2 per your recommendation on a couple of SSIDs, but when I click Apply, the change is not saved, the SSID stays on WPA2+WPA3. At least when I disabled "Fast Transition", the change was saved. I guess I can try and create a test SSID with WPA+WPA2.

@MHM Cisco World That's the whole reason why I opened this discussion, the devices attempt to join a PSK WLAN and for some reason I keep seeing 802.1x failures.

@jagan.chowdam I'm gonna create a new SSID to test just in case, using WPA+WPA2 + no Security like you recommended.

@Scott Fella Greetings Scott, I'll try and create a new SSID with your recommendations, thank you!

 

Meanwhile, I can share with you all the following troubleshooting and "fix" I did for the SSIDs, if you could call it a "fix" even. Here are the steps I've done:

- Tried connecting to the SSID again, got 802.1x failures and client moved to excluded

- Noticed the "11ax Status" is enabled on the SSID, disabled it due to @Rich R recommendation about possible Wi-Fi 6 issues with drivers, got 802.1x failures and client moved to excluded again

- Enabled the "11ax Status" on the SSID, tried to connect again, got 802.1x failures and client moved to excluded again

- After these steps of disabling/enabling "11ax Status", I then decided to re-enter the same PSK as it was before. Then I tried to connect to the SSID, and the client connected without any issues. No 802.1x failures, no exclusion of the client, no issues at all. The client had successfully connected to the SSID.

A day has passed since I did these changes. I tried connecting again today to the same SSID, and the client again connected without any 802.1x failures or exclusions.

I don't know if you could call this a "fix", but at least this worked for me at the moment of this discussion. I'm not sure if it will stay like this in the near future while I'm planning to move to the Catalyst 9800 Wireless Controller for Cloud. Hopefully it will help others if they have a similar issue to mine.

I would like to thank everyone for their time and effort regarding these issues, even though we haven't found a permanent "fix".

@MHM Cisco World That's the whole reason why I opened this discussion, the devices attempt to join a PSK WLAN and for some reason I keep seeing 802.1x failures. <<- Did you check Monitoring > Client?

MHM
