Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
635
Views
0
Helpful
3
Replies

SSID or AP for failed client authentication

Spaniard141
Level 1
Level 1

‎07-07-2020 06:43 AM - edited ‎07-05-2021 12:15 PM

Is there a way to see what SSID or even better, what AP a client authentication is failing on? We use a 5508 WLC with an ACS 5.8 for radius authentication and ACS reports only show the mac address for which the failed authentication on a particular user is happening but I am interested to know where that device is.

A user's account keeps getting locked out and the mac address of the device (apple device) that shows in the ACS reports is not from any of her devices so we are trying to figure out what building or location the device is in but unless that device successfully connects I don't know how to tell what AP that is coming from... Any suggestions?

Labels:
0 Helpful
3 Replies 3

Scott Fella
Hall of Fame
Hall of Fame

‎07-07-2020 08:45 AM

Is there any information on the controller or ap Mac address that the ACS logs show? You are saying that a device is authenticating with credentials from a user and getting the account locked, but none of her devices are impacted? So you are thinking someone is using her credentials to try to access the network? If you have a Mac address, you can run a debug on the controller and output that to a file. If you have Prime, maybe lookup that username and see if you see the Mac address and last ap.
-Scott
*** Please rate helpful posts ***
0 Helpful

Rich R
VIP
VIP
In response to Scott Fella

‎07-08-2020 09:47 AM

If you have Prime you can actually just search by the MAC address and you should see the history of where that MAC has been connected.
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

patoberli
VIP Alumni
VIP Alumni

‎07-08-2020 07:14 AM

Apple devices tend to use random mac addresses for certain functions. Here you find some more information: https://www.turais.de/mac-address-randomization-on-ios-12/
Typically it's not anymore used once the device has successfully connected (although I think you can still enable it in the wireless profile options of the device).
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card