WLAN 8021X_REQD Problem

florian666
Visitor

Hello community

I have a lot of log entries because of 802.1x problems.

003204: Jan 16 11:13:13.293 MET: *%APF-4-MSCB_DEL_FAILED:Switch 1 R0/0: wcm: Unable to delete the client entry ( f86f.c108.c481 ) from client exclusion list: client not found.
003205: Jan 16 11:22:10.634 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP 70db.9876.e570
003206: Jan 16 11:25:47.759 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP 00a3.8e18.1670
003207: Jan 16 11:42:14.731 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 2, count 41 from AP 70db.98ed.e620
003208: Jan 16 11:53:17.617 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003209: Jan 16 12:02:09.458 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 1, count 1 from AP 00a3.8e18.6320
003210: Jan 16 12:03:57.379 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f8e9.4e1e.441a () was added to exclusion list. Reason: 802.1X authentication failure
003211: Jan 16 12:24:09.422 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 1, count 2 from AP 00a3.8e18.6320
003212: Jan 16 12:45:24.606 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003213: Jan 16 13:00:07.972 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 2, count 1 from AP 70db.984c.d2e0
003214: Jan 16 13:00:30.182 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003215: Jan 16 13:30:07.664 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 0, count 1 from AP 00a3.8e28.9720
003216: Jan 16 13:31:46.427 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client 74b5.879d.cdac () was added to exclusion list. Reason: 802.1X authentication failure
003217: Jan 16 13:32:07.662 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 2, count 6 from AP 00a3.8e28.9720
003218: Jan 16 13:39:08.213 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003219: Jan 16 13:44:07.645 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 2, count 1 from AP 00a3.8e28.9720
003220: Jan 16 13:46:09.323 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP 00a3.8e18.6320
003221: Jan 16 13:49:56.303 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c1a5.05c2 () was added to exclusion list. Reason: 802.1X authentication failure
003222: Jan 16 13:56:01.910 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c1a5.05c2 () was added to exclusion list. Reason: 802.1X authentication failure

 

There are only a few clients with this problem. The strange thing is that we do not have 802.1x enabled.

 

What can I do? Can someone help me?

 

Greets

Flo

 

 


Scott Fella
Hall of Fame
Have you looked to see if those devices are yours? Might be a device that is trying to connect using 802.1x and might be driver related to the device.
-Scott
*** Please rate helpful posts ***
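
An added example, not part of any post in this thread: a short Python summary of the log excerpt from the question. It counts exclusions per client, totals replay errors per AP and WLAN ID, and groups excluded clients by the first three octets of their MAC address (the OUI) as a starting point for checking whether the devices are yours. The sample lines are copied from the post above; the function and variable names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines from the original post.
SAMPLE_LOG = """\
003205: Jan 16 11:22:10.634 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 1, WLAN ID 1, count 1 from AP 70db.9876.e570
003207: Jan 16 11:42:14.731 MET: *%LWAPP-3-REPLAY_ERR:Switch 1 R0/0: wcm: Received replay error on slot 0, WLAN ID 2, count 41 from AP 70db.98ed.e620
003208: Jan 16 11:53:17.617 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003210: Jan 16 12:03:57.379 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f8e9.4e1e.441a () was added to exclusion list. Reason: 802.1X authentication failure
003212: Jan 16 12:45:24.606 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c108.c481 () was added to exclusion list. Reason: 802.1X authentication failure
003221: Jan 16 13:49:56.303 MET: *%APF-4-ADD_TO_BLACKLIST_REASON:Switch 1 R0/0: wcm: Client f86f.c1a5.05c2 () was added to exclusion list. Reason: 802.1X authentication failure
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
EXCLUDED = re.compile(
    rf"%APF-4-ADD_TO_BLACKLIST_REASON:.*?Client ({MAC}) .*?Reason: (.+)$")
REPLAY = re.compile(
    rf"%LWAPP-3-REPLAY_ERR:.*?WLAN ID (\d+), count (\d+) from AP ({MAC})")


def summarize(log_text):
    """Return (exclusions per (client, reason),
               replay-error totals per (AP, WLAN ID),
               excluded clients grouped by OUI)."""
    exclusions, replays, by_oui = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = EXCLUDED.search(line)
        if m:
            mac, reason = m.group(1), m.group(2).strip()
            exclusions[(mac, reason)] += 1
            # OUI = first three octets of the MAC, dots removed.
            by_oui.setdefault(mac.replace(".", "")[:6], set()).add(mac)
            continue
        m = REPLAY.search(line)
        if m:
            wlan_id, count, ap = int(m.group(1)), int(m.group(2)), m.group(3)
            replays[(ap, wlan_id)] += count
    return exclusions, replays, by_oui


if __name__ == "__main__":
    exclusions, replays, by_oui = summarize(SAMPLE_LOG)
    for (mac, reason), n in exclusions.most_common():
        print(f"{mac}  excluded {n}x  ({reason})")
    for (ap, wlan_id), total in replays.most_common():
        print(f"AP {ap}  WLAN ID {wlan_id}  replay errors: {total}")
    for oui, macs in sorted(by_oui.items()):
        print(f"OUI {oui}: {', '.join(sorted(macs))}")
```
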

Hello Scott

Thanks for your reply! 

No, not yet, because it's a customer and it's difficult to check. But how can I blacklist these devices for a longer period?

How can I edit the exclusion list?

 

Greets

Florian

In the GUI or CLI you can add the MAC address to an exclusion list that is permanent.
-Scott

The problem is, I cannot find any exclusion list. I see only the exclusion policies under Wireless Protection Policies.

Also the command show exclusionlist is not working! 

 

The WLC 3850 is running on 16.3.9

Hi Florian,

 

Check the picture below; the path is "Security" -> "Disabled Clients" -> "Manual Disable".

There you can click "New" on the top right corner and add the MAC address of those clients.

 

BR,

Marco

 

Clipboard01.jpg

Ah... you are running converged access. You should open a TAC case for that issue you are seeing.
-Scott

And be warned that Cisco abandoned converged access after that release so unless TAC already have a fix for that they're going to tell you that it will not be fixed because the feature is not supported in future releases:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-5/release_notes/ol-16-5-3850.html
Important Notes
Converged Access (CA) is not supported beyond Cisco IOS XE Denali 16.3.x.
On the Cisco Catalyst 3850 Series Switches, CA is supported in the Cisco IOS XE Denali 16.3.x software release, which has extended support for 40 months.