Windows PSK issue with AIR-AP2802I-E-K9 (managed by AIR-CT3504-K9)

bmartins-EMCDDA
Level 1

Dear community,

I am posting here since I have already opened two TAC cases with no solution.

I have 20 APs and only one SSID (WPA2-PSK) in which we change the password every month.

Multiple Windows client versions (10 and 11) from different laptop brands (most of them using Intel Wi-Fi 6 AX201) are not able to connect to the network once the password changes because they are not warned that it changed and the new one is needed.

This results in the clients getting into the AP exclusion list:

*apfMsConnTask_1: May 25 13:58:16.665: d4:6a:6a:df:03:b3 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_1: May 25 13:58:16.665: d4:6a:6a:df:03:b3 Sending client blacklist entry to roamed AP 00:fc:ba:03:f4:40 with remaining time to be excluded 11sec
*apfOpenDtlSocket: May 25 13:58:17.749: d4:6a:6a:df:03:b3 Received management frame ASSOCIATION REQUEST  on BSSID 00:fc:ba:03:ee:a0 destination addr 00:fc:ba:03:ee:a0 slotid 0

The problem doesn't seem to affect mobile devices and only occurs when passwords change. The first-time connection works perfectly.

The wireless controller and APs are running version 8.10.171.0.

So far, the workaround has been to insist on trying to connect and reboot the client, and after that, we get prompted to enter the new password, but this is very frustrating for the users.

Do you have any advice that I should try?

Thank you!
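
To see which clients a PSK rotation has pushed into the exclusion list, debug output in the format quoted above can be summarized per client MAC. The following is an added example, not part of the original post and not Cisco tooling; the second client MAC and the non-matching line in the sample are constructed, and the field names are assumptions.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Line shape taken from the post: "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>"
LINE = re.compile(rf"^\*(?P<task>\S+): (?P<ts>\w{{3}} +\d+ [\d:.]+): (?P<mac>{MAC}) (?P<msg>.*)$", re.I)
EXCLUDED = re.compile(r"Ignoring assoc request due to mobile in exclusion list")
REMAINING = re.compile(rf"blacklist entry to roamed AP (?P<ap>{MAC}) with remaining time to be excluded (?P<sec>\d+)sec", re.I)
ASSOC = re.compile(rf"ASSOCIATION REQUEST\s+on BSSID (?P<bssid>{MAC})", re.I)

# First three lines are the ones quoted in the post; the last two are constructed.
SAMPLE = """\
*apfMsConnTask_1: May 25 13:58:16.665: d4:6a:6a:df:03:b3 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_1: May 25 13:58:16.665: d4:6a:6a:df:03:b3 Sending client blacklist entry to roamed AP 00:fc:ba:03:f4:40 with remaining time to be excluded 11sec
*apfOpenDtlSocket: May 25 13:58:17.749: d4:6a:6a:df:03:b3 Received management frame ASSOCIATION REQUEST  on BSSID 00:fc:ba:03:ee:a0 destination addr 00:fc:ba:03:ee:a0 slotid 0
*apfOpenDtlSocket: May 25 13:58:20.101: 02:00:00:00:00:01 Received management frame ASSOCIATION REQUEST  on BSSID 00:fc:ba:03:ee:a0 destination addr 00:fc:ba:03:ee:a0 slotid 0
unrelated line that does not match the client debug format
"""

def summarize(text):
    """Return {client_mac: counters} built from WLC client debug lines."""
    clients = defaultdict(lambda: {"ignored": 0, "assoc_requests": 0,
                                   "max_remaining_s": 0, "aps_seen": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("•\t "))   # tolerate pasted bullet markers
        if not m:
            continue                          # skip lines in any other format
        c, msg = clients[m["mac"].lower()], m["msg"]
        if EXCLUDED.search(msg):
            c["ignored"] += 1                 # association refused: client is excluded
        elif (r := REMAINING.search(msg)):
            c["max_remaining_s"] = max(c["max_remaining_s"], int(r["sec"]))
            c["aps_seen"].add(r["ap"].lower())
        elif (a := ASSOC.search(msg)):
            c["assoc_requests"] += 1
            c["aps_seen"].add(a["bssid"].lower())
    return dict(clients)

def excluded_clients(summary):
    """Client MACs that had at least one association refused due to exclusion."""
    return sorted(mac for mac, c in summary.items() if c["ignored"] > 0)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for mac in excluded_clients(result):
        print(mac, result[mac])
```

Run over a capture taken right after a monthly password change, the list of excluded MACs shows which laptops still hold the old key.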

11 Replies

marce1000
VIP

 

- Perform full client debugging (the one you listed is only partial); you can have client debugs analyzed with: https://cway.cisco.com/wireless-debug-analyzer (look for problem patterns when analyzing different clients)
As per https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html, use https://software.cisco.com/download/home/286312601/type/280926587/release/8.10.185.0; note that AireOS and AireOS-based controllers are getting older, it is therefore becoming more and more advised to run the last (or latest) release available for the 3504 model (in your case).

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks for the tip!

This is the most interesting message I get after analysing the full client logs with that tool:

[Image attachment: bmartinsEMCDDA_0-1685526014641.png]

I have updated the infrastructure recently, but I'll also try the latest version you've mentioned.

 

Hi

 

I don't believe the Access Point will ever warn the client about the password change. What you can do, if those machines are managed from AD, is run a GPO forcing the clients to forget the network before you change the password. It is the only way I believe they will ask to enter the password again. If they are not managed from AD, ask the user to do it manually.

What I would expect is that, after the first connection attempt with the wrong password, Windows would immediately ask me for the new wireless password and not get marked as excluded because of multiple authentication failures.

Leo Laohoo
Hall of Fame

@bmartins-EMCDDA wrote:

I have 20 APs and only one SSID (WPA2-PSK) in which we change the password every month.

Multiple Windows client versions (10 and 11) from different laptop brands (most of them using Intel Wi-Fi 6 AX201) are not able to connect to the network once the password changes because they are not warned that it changed and the new one is needed.

That's not a bug. It is working as intended.

Regularly changing PSK is very management intensive. If someone wants to rotate the keys then use RADIUS.

Since we use an MDM, I will also try to deploy the new password through a policy. The issue would then be only with unmanaged devices.

Rich R
VIP

Agreed with what @Flavio Miranda and @Leo Laohoo have already said.

All I can add is that there were MAJOR bugs in the early Intel drivers for those AX201 so make sure the drivers are fully up to date:
https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html
And refer to TAC recommended code versions for WLC (below) - currently 8.10.185.0 which also has numerous bug fixes since 8.10.171.0 including some specific to your APs (Wave 2) - see also link to Leo's list below.

Thank you!

I noticed that some laptops with AX201 have older drivers and will be deploying the latest one you mentioned.

Hopefully, it improves something.

It looks like updating the driver to the latest release does not fix the problem.

The behavior you see would not be caused by the driver. This is operating system behavior. The solution would be to forget the network and reconnect. If you have this job to change the password once a month, it would not be difficult to forget the password and reconnect.

You need one command line:

netsh wlan delete profile name="WiFi network name"

If you have a Windows server, you can do this in a minute.
