Frequent Contributor

WLC4402 and Symbol MC3090 Handhelds

Weird issue:

I have some handhelds using certificates to connect to the internet in my office.

The handhelds can connect in all the complex but inside a warehouse, all the config for the APs is the same, we use 1242s and 1131s (yes inside the warehouse we have both models) and the ports where we have the APs connected were configured as trunk, at the time we set them up as access for the wireless vlan (in this case vlan 7).....

A little detail, if I take a laptop and try to connect inside the warehouse, I can with no problem at all but the handhelds cannot connect.

On the WLC4400 I can see all the handhelds associated to the wireless network but under the Policy Manager State I get "8021X_REQD" for all those handhelds inside the warehouse.

Any clues?


Posted by WebUser Eridanny Aviña



What security are you using?

Are the APs at the warehouse and the office area all on the same WLC or different WLCs?

Both locations are controller based, correct?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Leo Laohoo
VIP Community Legend

In addition to George's post, try this little experiment:

1.  Create a generic SSID for the sake of testing if the Symbol/Motorola handsets can connect;

2.  OPEN authentication (or NO authentication);

3.  Simple SSID:  No funky characters.  Just alpha-numeric ones;

4.  Broadcast SSID.

Now roam.  If you can roam between two or more APs with this SSID, then start cranking up by enabling non-broadcasting or hidden SSID and so on, and so forth.

My guess is you'll start getting issues when you disable broadcast SSID or if you go beyond WPA/PSK. 


Have you examined any logs on the RADIUS server? How about a debug (client and dot1x aaa enable)? If there are separate controllers, are they in the same Mobility Group?

Sent from Cisco Technical Support iPad App

Frequent Contributor

I appreciate your comments.

More status:

Same WLC for all APs, we tried connecting the APs to an Xpress 500, 2960 and a 3560-8PC and none of them worked (inside the warehouse). Outside is different.

We can discard interference or low signal as we are able to connect a laptop with no issue and all the tests we tried using an AP on one hand and the handheld in the other.

We tried configuring the ports on the path to the WLC as trunk and as access to the wireless vlan and again it didn't work.

Nothing weird on the RADIUS logs and there are no access lists on the APs or the switches.

Any more thoughts?


Posted by WebUser Eridanny Aviña

Leo Laohoo
VIP Community Legend

Did you try my suggestion/recommendation?

What about a client debug?  Client detail on GUI?  My guess is you are seeing decrypt errors.  Try Leo's suggestion to start with an open SSID and re-apply encryption later.  How about after rebooting the APs?

Thanks for the doc!

Sent from Cisco Technical Support iPad App

Frequent Contributor

leolaohoo, I saw your comments and we tried that to no avail.

What we are getting on the WLC is "802.x required" while on the handheld it says “Authentication successful, but we received an invalid key”. This would be the certificate invalid or wrong but what we don't get is why the handheld is able to connect in the other part of the complex? Using same WLC (only one, no redundancy) with IOS

No more clues on the RADIUS logs or the WLC debugs


Posted by WebUser Eridanny Aviña

Leo Laohoo
VIP Community Legend

we tried that with no avail.  What we are getting on the WLC is "802.x required" while on the handheld it says “Authentication successful, but we received an invalid key”. 

That's not OPEN authentication.

The devil's in the details. How about giving us a clue and attaching the controller client debug output?

Another thing to try. Enable telnet on the AP where there are handhelds connecting, and after logging into the AP, issue the following commands:

sh controller d0 | beg ---Clients

sh controller d1 | beg ---Clients

Sent from Cisco Technical Support iPad App

Frequent Contributor

Leo we did try with open authentication and as I said, it didn't work.

What I posted afterwards is the log we are getting with the regular setup.

According to Symbol they release an upgrade for the application used to connect to wireless networks that might be related to our issues and our corporate agrees on that upgrade. I'll let you know if this solved the issue.

Thanks for the comments though.


Posted by WebUser Eridanny Aviña

Your fastest ticket to the solution is to first identify why the client is stuck in dot1x. If you are doing EAP PEAP or EAP TLS it is most likely a cert issue.

Please run the following debugs and post the output.

> config sessions timeout 30

> debug client <client MAC address>

followed by this command intermittently

> show client detail <client MAC address>

If you have a RADIUS, check the RADIUS logs after this.

Look out for Access-Reject or Access-Accept in the debugs.

Without these it's all guesswork and it will take a long time to get to a solution.
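
An added example, not part of the thread: one way to triage a saved capture of the debug output described in the post above, grouping lines by client MAC and checking for Access-Accept or Access-Reject against the 8021X_REQD state. The sample lines are constructed and simplified (real controller output is more verbose), and the function name and labels are hypothetical.

```python
import re
from collections import defaultdict

MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
# Tolerates "Access-Accept", "access accept", "access_reject", ...
VERDICT = re.compile(r"access[-_ ]?(accept|reject)", re.I)
STATE = re.compile(r"policy manager state\W+(\w+)", re.I)

# Constructed sample input (documentation MAC range), NOT real WLC output.
SAMPLE = """\
00:00:5e:00:53:01 RADIUS Access-Accept
00:00:5e:00:53:01 Policy Manager State: 8021X_REQD
00:00:5e:00:53:02 RADIUS access reject
00:00:5e:00:53:02 Policy Manager State: 8021X_REQD
00:00:5E:00:53:03 Policy Manager State....... 8021X_REQD
00:00:5e:00:53:04 RADIUS Access-Accept
00:00:5e:00:53:04 Policy Manager State: RUN
"""

def triage(text):
    """Return {mac: label} from the last verdict and state seen per client."""
    seen = defaultdict(lambda: {"verdict": None, "state": None})
    for line in text.splitlines():
        mac = MAC.search(line)
        if not mac:
            continue  # line not tied to a client
        rec = seen[mac.group(0).lower()]
        verdict = VERDICT.search(line)
        if verdict:
            rec["verdict"] = verdict.group(1).lower()
        state = STATE.search(line)
        if state:
            rec["state"] = state.group(1).upper()
    result = {}
    for mac, rec in seen.items():
        stuck = rec["state"] == "8021X_REQD"
        if rec["verdict"] == "reject":
            result[mac] = "radius-reject"        # check server logs, cert, credentials
        elif stuck and rec["verdict"] == "accept":
            result[mac] = "accepted-but-stuck"   # failure is after authentication (key exchange)
        elif stuck:
            result[mac] = "no-radius-verdict"    # EAP exchange never reached a decision
        else:
            result[mac] = "ok"
    return result

if __name__ == "__main__":
    for mac, label in sorted(triage(SAMPLE).items()):
        print(mac, label)
```
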


I would highly suggest the debugs that the other members have requested.  The proof will be in the pudding at that point and any "changes" are a shot in the dark without it.

Another thing to consider since you mention these devices work fine inside the office, but not in the warehouse is AP placement and antenna orientation.  It is fairly often that APs are deployed with poor RF consideration for large warehouses.  Can you describe the mounting location of these APs?  You mention you are using 1131 and 1242s so please describe each.

Are the APs mounted to a high ceiling?  Are there large racks or obstructions that can lead to attenuation or unwanted multipath, etc?  How high are the APs mounted?  For the 1242's, what type of antenna and what orientation are these antennas (i.e., for instance with a dipole; are the antennas pointed downwards/perpendicular to the ground, or are they horizontal/parallel to the ground?)

What power level do you see your APs in the warehouse transmitting at?  How does this compare to inside?

Also; you mention your APs are configured for a trunk?  Unless you are performing H-REAP local switching, which it doesn't sound like as the APs are local to the WLC at this campus, then you should keep your AP on an access port.  The AP will just need to be able to get back to the WLC on this single VLAN with its client CAPWAP data.  Clients will egress the WLC on their respective VLANs through your dynamic interfaces; they do not require a trunk port at the AP itself.  This should not have any effect on your problem; but I would suggest keeping the AP config clean and simple.
