Windows laptop not able to join 802.1x SSID on C9800-CL

Simon Z
Level 1

I am in the middle of migrating WLC 5520 (8.10.190.0) to C9800-CL (17.12.05) while APs remain the same (3802i). AAA servers are ISE 3.4 patch 2. We use centralized switching (no Flex mode). I have an 802.1X SSID allowing both EAP-TLS and PEAP+MSCHAPv2. The SSID on WLC 5520 works for pretty much all devices we have. The same SSID on C9800-CL works for most devices I tested so far but one particular Windows laptop.

  1. The same laptop connects to the SSID on 5520 without any issues using EAP-TLS. Tried different Windows builds (10 and 11) and updated Wi-Fi NIC driver to the latest. Machine certificate is fine. Tried manually adding network with EAP-TLS, and PEAP + MSCHAPv2. None worked with the new C9800-CL.
  2. There are no logs for this particular laptop/MAC on ISE, meaning the Authenticator (C9800-CL) is not sending a RADIUS request to the Authentication Server (ISE) when the Supplicant client tries to join the SSID.
  3. I did some packet captures on the C9800-CL by providing “Inner Filter MAC” and did a comparison between a successful connection and a failed one.

It’s interesting to notice that the captured packets are between the C9800-CL and the AP, but 802.1X authentication is between the supplicant (laptop) and the AP (BSSID MAC). On a successful connection, after the supplicant sends a Response with Identity (host/xxxxxx), the AP sends an EAP-TLS Request, and after quite a few EAP packet exchanges authentication succeeds.

(attachment: SimonZ_0-1756240489592.png, capture of the successful connection)

On a failed connection, after the supplicant sends a Response with Identity (host/xxxxxx), the AP just sends a Failure EAP packet and never sends an 802.1X proposal:

(attachment: SimonZ_1-1756240489596.png, capture of the failed connection)

This explains why ISE never sees a Radius request for this particular laptop. I’ve tested 5 Windows laptops and a few iOS/Android devices so far, and found only one problematic laptop, but I don’t know how many more out of about 1000 laptops may experience the same issue.

A TAC ticket is going nowhere, and the engineer insists something is wrong with the laptop but doesn’t know what exactly is wrong. I’ve seen some similar issues online and it seems nobody was able to explain why there are no logs on the RADIUS servers. Has anyone seen this?
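As an added example (not from the original post, and not taken from the captures attached above), a small Python parser for the EAP header the captures show, which flags the pattern of the failed connection: an EAP-Failure sent straight after the Response/Identity instead of a method Request. It assumes the EAPOL header has already been stripped and uses constructed sample frames, not the poster's data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 3748 EAP codes and the method types mentioned in the post
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}


@dataclass
class EapPacket:
    code: str
    ident: int
    eap_type: Optional[str]  # only Request/Response carry a type
    data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: code(1) id(1) length(2) [type(1)] data."""
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field inconsistent with frame")
    body = raw[4:length]
    eap_type = None
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response without a type byte")
        eap_type = EAP_TYPES.get(body[0], f"type-{body[0]}")
        body = body[1:]
    return EapPacket(EAP_CODES.get(code, f"code-{code}"), ident, eap_type, body)


def classify_exchange(frames: List[bytes]) -> str:
    """Report what the authenticator did right after the Response/Identity."""
    pkts = [parse_eap(f) for f in frames]
    for i, pkt in enumerate(pkts):
        if pkt.code == "Response" and pkt.eap_type == "Identity":
            if i + 1 >= len(pkts):
                return "no reply after identity"
            nxt = pkts[i + 1]
            if nxt.code == "Failure":
                return "failure-before-radius"  # the failed-laptop pattern
            if nxt.code == "Request" and nxt.eap_type in ("EAP-TLS", "PEAP"):
                return f"method-proposed:{nxt.eap_type}"
            return f"unexpected:{nxt.code}/{nxt.eap_type}"
    return "no identity response seen"


def eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build a constructed EAP packet for the sample exchanges below."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed samples: Identity exchange, then EAP-TLS Start (flags 0x20) or Failure
GOOD = [eap(1, 1, 1), eap(2, 1, 1, b"host/laptop-ok"), eap(1, 2, 13, b"\x20")]
BAD = [eap(1, 1, 1), eap(2, 1, 1, b"host/laptop-bad"), eap(4, 1)]
```

Run over the EAP payloads of a real capture in order, the classifier separates a normal method proposal from the early Failure that explains the missing RADIUS requests.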

48 Replies

Yeah I don't buy that - it's a bug in the Cisco code or the Windows/NIC driver code.

Actually there are dozens of bugs which say the 9800 based wireless infrastructure does not always work perfectly....

Exactly - the wireless infrastructure simply provides the transport (over radius) - the EAP is end to end between client supplicant and AAA server.  That doesn't mean the wireless infrastructure can't break it (and often does) but isn't involved in what method is used.

Totally correct.
Can you send me the captures as PM?
Both captures, bad and good, from the WLC 9800.

MHM
