12-04-2023 10:01 AM
Hello friends, I have a virtual WLC 9800 running version 17.6.5. A client is unable to connect from a specific PC, but can connect successfully from other devices. I have verified the credentials, and they are correct. The specific PC can connect normally to a WLC 2504.
2023/12/04 13:29:00.654796 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Association received. BSSID 00d7.8f2f.6c2d, WLAN lab_doble_authe, Slot 1 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:00.655090 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:00.655422 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:00.655826 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 4, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:00.656069 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:00.656460 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c2d capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:00.662780 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:00.664541 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:07.229614 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8B35E04467 Username: rosario
2023/12/04 13:29:07.229914 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8B35E04467
2023/12/04 13:29:07.229939 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8B35E04467. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:07.230915 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:07.231175 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c2d WTP mac: 00d7.8f2f.6c20 slot id: 1
2023/12/04 13:29:07.231193 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:07.231321 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:07.231666 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0x23000a86
2023/12/04 13:29:07.233024 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:07.437295 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Re-Association received. BSSID 00d7.8f2f.6c22, WLAN lab_doble_authe, Slot 0 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:07.438081 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:07.438332 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:07.438379 {wncd_x_R0-0}{1}: [apmgr-db] [17015]: (ERR): Failed to get opt roam statusInvalid (null) rf common record
2023/12/04 13:29:07.438380 {wncd_x_R0-0}{1}: [dot11k] [17015]: (ERR): MAC: ec2e.9835.cc35 Rssi check failed, Unable to get the smart roam status for rf profile default_rf_5gh
2023/12/04 13:29:07.438642 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 6, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:07.438872 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:07.439180 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c22 capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:07.443490 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:07.445179 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:14.051602 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8C35E05EE4 Username: rosario
2023/12/04 13:29:14.051993 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8C35E05EE4
2023/12/04 13:29:14.052023 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8C35E05EE4. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:14.052691 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:14.053158 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c22 WTP mac: 00d7.8f2f.6c20 slot id: 0
2023/12/04 13:29:14.053183 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:14.053318 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:14.053781 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0xd9000a87
2023/12/04 13:29:14.055192 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:21.134272 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Association received. BSSID 00d7.8f2f.6c2d, WLAN lab_doble_authe, Slot 1 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:21.134588 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:21.134920 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:21.135369 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 5, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:21.135582 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:21.135969 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c2d capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:21.140043 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:21.142386 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:28.503154 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8D35E09465 Username: rosario
2023/12/04 13:29:28.503468 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8D35E09465
2023/12/04 13:29:28.503497 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8D35E09465. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:28.505974 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:28.506260 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c2d WTP mac: 00d7.8f2f.6c20 slot id: 1
2023/12/04 13:29:28.506292 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:28.506436 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:28.506809 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0x90000a88
2023/12/04 13:29:28.508729 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:28.627648 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Re-Association received. BSSID 00d7.8f2f.6c22, WLAN lab_doble_authe, Slot 0 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:28.627947 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:28.628278 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:28.628338 {wncd_x_R0-0}{1}: [apmgr-db] [17015]: (ERR): Failed to get opt roam statusInvalid (null) rf common record
2023/12/04 13:29:28.628340 {wncd_x_R0-0}{1}: [dot11k] [17015]: (ERR): MAC: ec2e.9835.cc35 Rssi check failed, Unable to get the smart roam status for rf profile default_rf_5gh
2023/12/04 13:29:28.628656 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 8, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:28.628893 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:28.629273 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c22 capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:28.653824 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:28.655626 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:33.880699 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8E35E0B1BE Username: rosario
2023/12/04 13:29:33.881008 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8E35E0B1BE
2023/12/04 13:29:33.881037 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8E35E0B1BE. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:33.881822 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:33.882080 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c22 WTP mac: 00d7.8f2f.6c20 slot id: 0
2023/12/04 13:29:33.882098 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:33.882269 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:33.882802 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0xa6000a89
2023/12/04 13:29:33.883957 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
12-05-2023 08:48 AM
Hello, can you explain to me where I make that configuration, please?
12-06-2023 01:20 AM
If it's central authentications and working on an identically configured AP then not likely to be a problem with the radius config.
Did you read my earlier reply below?
12-05-2023 09:28 AM
Friend here can config the vlan use as source to connect to radius server.
Check above photo you share
MHM
12-04-2023 04:16 PM - edited 03-05-2024 03:20 PM
Are the 2 APs both the same model?
Do both APs have the same tags configured? (sh ap tag summ)
Have you tried a CAPWAP restart on the one giving you trouble - ap name <AP-name> reset capwap (try this before reload)?
Have you tried a reload on the one giving you trouble - ap name <AP-name> reset? (most of these problems are resolved by capwap restart or reload)
Does an open SSID work on that AP?
Upgrade to 17.9.4a + APSP8 and if it happens again after that then open a TAC case so TAC can capture all debugs, packet captures, radioactive traces etc for dev team to look at.
03-05-2024 01:00 PM
I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Have you solved?
03-05-2024 03:26 PM
Make sure you have APSP8 installed?
If you still see the problem open a TAC case and provide radioactive traces of failed client and AP with packet captures from AP port and WLC and OTA capture of the client.
03-07-2024 06:56 AM
Solved:
Hello,
In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.
> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 The value of this registry key can be 0xC0, 0x300, or 0xC00
03-07-2024 07:27 AM
Thanks for the update @nemrinoureddine but you don't say what value you set the key to?
I presume you're referring to this Microsoft article? https://support.microsoft.com/en-gb/topic/windows-10-devices-can-t-connect-to-an-802-1x-environment-179ef277-e6ef-8ea3-cb0e-11a6b80fa955
Setting that value to downgrade your TLS version is a workaround not a solution. Ultimately your server should be patched to resolve the issue and allow the use of TLS 1.2.
03-15-2024 03:36 AM
Hello,
Yes, the problem has been solved for me. The problem was definitely in Windows 11, possibly in some people with Windows 10 too. To solve this problem, please follow these steps:
To add EAP-TTLS 1.3 to the Windows registry, you typically need to modify registry entries related to network authentication protocols. However, please be cautious when making changes to the registry, as incorrect modifications can cause system instability or other issues. Here's a general guide on how you might proceed:
Open Registry Editor: Press Windows Key + R, type regedit, and press Enter to open the Registry Editor.
Navigate to the Correct Key: Navigate to the appropriate key for your network authentication settings. Typically, this is located at:
Add a New Subkey: Right-click key, then select New > Key. Name this new key TTLS.
Add Protocol Version: Within the TTLS key, create a new DWORD (32-bit) value. Name it Tlsversion.
Set Protocol Version: Double-click on the Tlsversion value you just created and set its value data to "ofc0
". This value represents EAP-TTLS version 1.3.
Save Changes: Close the Registry Editor and restart your computer for the changes to take effect.
04-24-2024 09:09 AM
Hello, i add this registry and it´s PC connected only once, We have around 100 PC with the same problem, anyone solve this issue? please Help
05-22-2024 07:18 AM
@jcpatinov I have implemented the configuration change for the TLS version on the Radius NPS server. In our company, we have almost 900 PCs, and it is impossible that I made this change on all of them! it has worked well
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide