2439 Views | 11 Helpful | 48 Replies

Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z
Level 1

I am in the middle of migrating WLC 5520 (8.10.190.0) to C9800-CL (17.12.05) while APs remain the same (3802i). AAA servers are ISE 3.4 patch 2. We use centralized switching (no Flex mode). I have an 802.1X SSID allowing both EAP-TLS and PEAP+MSCHAPv2. The SSID on WLC 5520 works for pretty much all devices we have. The same SSID on C9800-CL works for most devices I tested so far but one particular Windows laptop.

  1. The same laptop connects to the SSID on 5520 without any issues using EAP-TLS. Tried different Windows builds (10 and 11) and updated Wi-Fi NIC driver to the latest. Machine certificate is fine. Tried manually adding network with EAP-TLS, and PEAP + MSCHAPv2. None worked with the new C9800-CL.
  2. There are no logs for this particular laptop/MAC on ISE, meaning the Authenticator (C9800-CL) is not sending a RADIUS request to the Authentication Server (ISE) when the Supplicant client tries to join the SSID.
  3. I did some packet captures on the C9800-CL by providing an “Inner Filter MAC” and did a comparison between a successful connection and a failed one.

It’s interesting to notice the captured packets are between the C9800-CL and the AP, but 802.1X authentication is between the supplicant (laptop) and the AP (BSSID MAC). On a successful connection, after the supplicant sends a Response with Identity (host/xxxxxx), the AP sends an EAP-TLS Request, and after quite a few EAP packet exchanges authentication succeeds.

[attached image: SimonZ_0-1756240489592.png]

On a failed connection, after the supplicant sends a Response with Identity (host/xxxxxx), the AP just sends an EAP Failure packet and never sends an 802.1X proposal:

[attached image: SimonZ_1-1756240489596.png]

This explains why ISE never sees a RADIUS request for this particular laptop. I’ve tested 5 Windows laptops and a few iOS/Android devices so far, and found only one problematic laptop, but I don’t know how many more out of about 1000 laptops may experience the same issue.

A TAC ticket is going nowhere, and the engineer insists something is wrong with the laptop but doesn’t know what exactly is wrong. I’ve seen some similar issues online and it seems nobody was able to explain why there are no logs on the RADIUS servers. Has anyone seen this?
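The comparison described in the post (a successful exchange proposes EAP-TLS right after the Identity Response, the failing one answers it with an EAP-Failure and nothing ever reaches ISE) can be checked mechanically once the EAPOL frames are extracted from the capture. The script below is an added example, not code from the thread or from Cisco: it decodes the 802.1X EAPOL header and the EAP packet inside it (RFC 3748 layout), prints the exchange as a readable sequence, and classifies what happened immediately after the supplicant's Identity Response. The sample frames are constructed inline (the identity host/LAPTOP-EXAMPLE.example.test and the EAP-TLS payload bytes are placeholders); on a real 9800 capture the EAPOL payloads would first be pulled out of the CAPWAP frames with Wireshark or tshark and fed in as raw bytes.

```python
"""Decode EAPOL/EAP frames and flag an 802.1X exchange that fails right after
the Identity Response, i.e. before any EAP method is proposed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP codes (RFC 3748) and the EAP method types relevant to this thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAPOL_EAP_PACKET = 0  # EAPOL packet type that carries an EAP packet


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # only present in Request/Response packets
    data: bytes

    def describe(self) -> str:
        name = EAP_CODES.get(self.code, f"Code{self.code}")
        if self.eap_type is None:
            return name
        tname = EAP_TYPES.get(self.eap_type, f"Type{self.eap_type}")
        if self.code == 2 and self.eap_type == 1:   # show the identity string
            return f"{name}/{tname} ({self.data.decode('utf-8', 'replace')})"
        return f"{name}/{tname}"


def parse_eapol_eap(frame: bytes) -> EapPacket:
    """Parse one EAPOL frame (802.1X header followed by an EAP packet)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL packet type {ptype} does not carry EAP")
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with frame")
    if code in (1, 2):                      # Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        return EapPacket(code, ident, body[4], body[5:length])
    return EapPacket(code, ident, None, b"")  # Success/Failure have no Type


def build_eapol_eap(code: int, ident: int, eap_type: Optional[int] = None,
                    data: bytes = b"") -> bytes:
    """Build an EAPOL frame carrying one EAP packet (used to construct samples)."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    body = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(body)) + body


def summarize(frames: List[bytes]) -> List[str]:
    """Readable one-line-per-packet view of the exchange."""
    return [parse_eapol_eap(f).describe() for f in frames]


def diagnose(frames: List[bytes]) -> str:
    """Classify what the authenticator did right after the Identity Response."""
    packets = [parse_eapol_eap(f) for f in frames]
    for i, p in enumerate(packets):
        if p.code == 2 and p.eap_type == 1:        # Response/Identity
            if i + 1 >= len(packets):
                return "incomplete: nothing captured after Identity Response"
            nxt = packets[i + 1]
            if nxt.code == 4:
                return ("failed before method negotiation: "
                        "EAP-Failure directly after Identity Response")
            if nxt.code == 1:
                return f"method proposed: {EAP_TYPES.get(nxt.eap_type, nxt.eap_type)}"
            return f"unexpected packet after Identity Response: {nxt.describe()}"
    return "no Identity Response in capture"


# Constructed sample exchanges (not real captures). Request = authenticator to
# supplicant, Response = supplicant to authenticator. Identity is a placeholder.
IDENTITY = b"host/LAPTOP-EXAMPLE.example.test"
GOOD_EXCHANGE = [
    build_eapol_eap(1, 1, 1),                          # Request/Identity
    build_eapol_eap(2, 1, 1, IDENTITY),                # Response/Identity
    build_eapol_eap(1, 2, 13, b"\x20"),                # Request/EAP-TLS, Start flag
    build_eapol_eap(2, 2, 13, b"\x80" + b"\x00" * 8),  # Response/EAP-TLS (placeholder)
    build_eapol_eap(3, 3),                             # Success
]
BAD_EXCHANGE = [
    build_eapol_eap(1, 1, 1),                          # Request/Identity
    build_eapol_eap(2, 1, 1, IDENTITY),                # Response/Identity
    build_eapol_eap(4, 1),                             # Failure, no method proposed
]

if __name__ == "__main__":
    for name, exchange in (("good", GOOD_EXCHANGE), ("bad", BAD_EXCHANGE)):
        print(f"{name}: {summarize(exchange)} -> {diagnose(exchange)}")
```

Running it on the constructed data prints the failing exchange as Request/Identity, Response/Identity, Failure and classifies it as "failed before method negotiation", which is exactly the shape that cannot produce an ISE log: the authenticator gave up before it had anything to forward in an Access-Request.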

48 Replies

I saw the same issue a month ago, but what can I say, the engineer left us with many questions and didn't reply to our comments.

Anyway, what I understand:

There are two authentications, inner and outer.

The identity the WLC receives for the outer authentication is wrong and this makes the authentication fail.

MHM

My understanding is PEAP + MSCHAPv2, PEAP + EAP-TLS etc. use outer and inner authc, but EAP-TLS alone uses only one layer. I am thinking it is a compatibility issue between the 3802 AP and C9800-CL, but according to this matrix they are supported.

Yes, correct, EAP-TLS uses only one authc.

Let's take it as reference.

Connect the laptop to the WLC 5500 and capture traffic, then connect it to the WLC 9800 and capture traffic.

Then open the Identity Response in both packet captures and share it here; let me check the difference.

MHM

Unfortunately the only way to do a packet capture on the 5520 is to use an AP as a monitor AP, which I don't have handy now. When I try "config ap packet-dump" it says my AP doesn't support it.

Hey @Simon Z, although the 5520 doesn't support packet capture natively, you can still achieve it via this flow: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211342-packet-captures-on-aireos-wlc.html

Since it's the Identity Response you are after, give this a shot and compare against the 9800; for AP-side packet capture I would suggest doing an EPC on the switch where the AP is connected, and do the same for 5520 vs 9800.

Simon Z
Level 1

It may not be easy to do a packet capture on the 5520. Wireshark on the laptop does not seem to be able to capture all 802.11 traffic as the Wi-Fi card doesn't support "Monitor mode". I am going to try if I can do it on the AP.

Mark Elsen
Hall of Fame

  - @Simon Z Use client debugging for this Windows laptop using instructions from https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
    These so-called RadioActive Traces can be analyzed with Wireless Debug Analyzer.
  - Outputs from commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845 can also be useful.
  - Validate the configuration of your new C9800-CL controller using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Wireless Debug Analyzer shows a simple reason: Cred Fail. For whatever reason, the WLC/AP and the client don't try any of the 802.1X protocols. As soon as the client provides Identity as host/<FQDN>, the WLC/AP says Failure.

[attached image: Screenshot 2025-08-27 101247.jpg]

Wireless Config Analyzer shows 1 error and 16 warnings; none seems related to the issue.

In WLC 9800 there is EPC; use it to capture traffic between the WLC and ISE. Let's see if the WLC ends the authc or ISE does.

Share the ISE version and WLC version.

Thanks

MHM

  - @Simon Z If the issue is experienced on one laptop only and not the rest of them, then the issue is not related to the wireless infrastructure: my advice is to save the user data and re-install the laptop from scratch.

  M.


Well, the current Windows 11 was a fresh install. Prior to that I installed Win 10 on it. The reason why I keep digging is this particular laptop has no issue joining the same SSID on the 5520. Even though I am not able to capture any EAP packets on the 5520, I have logs on ISE showing it hit the right authC and authZ policies using EAP-TLS.


Simon Z
Level 1

I specify the 9800 as source and ISE as destination in EPC, then try to join the SSID on the problematic laptop. Nothing is captured. When I try on a good laptop, I see lots of RADIUS traffic.

The 9800 is v17.12.05. ISE is v3.4 patch 2.

Good, now what is the good laptop and what is the bad laptop?

What is the OS for both laptops?

Simon Z
Level 1

The bad one is now Win11 version 24H2 (a fresh install). Tried Win10 on it earlier. Same issue.

The good ones include Win10 (22H2), Win 11 (22H2 and 24H2).

They all have the latest Windows updates.
