cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4072
Views
3
Helpful
21
Replies

9800-CL WLC Repeated Client Exclusion for Wrong PSK

CARL90
Level 1
Level 1

I've recently inherited a 9800-CL WLC with a somewhat questionable configuration.  It seems to be working as expected, however reviewing the Syslog shows regular repeated errors.  The error in question is:

%CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: dcb5.XX was added to exclusion list associated with AP Name:AP013, BSSID:MAC: 84f1.XX, reason:Wrong PSK

I'm seeing these appear about once per minute or more.  The error is thrown repeatedly for the same device every few minutes it appears with a decent number of devices causing the error while on-site.  Oddly enough there haven't been any reported issues with disconnects or failure to connect.  From what I've found, based on the MAC address every device being reported is an Apple device, almost certainly to be an iPhone that is issued to users.  Is there any specific configuration that may have been misconfigured that might cause this issue?  Any ideas would be greatly appreciated.

21 Replies 21

marce1000
VIP
VIP

 

                   >... with a somewhat questionable configuration.
 - In that context , review the 9800-CL WLC  configuration with the CLI command show  tech wireless and feed the output into 
                                                                                                                           Wireless Config Analyzer

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Currently reviewing that report now actually.  Nothing too major, and nothing that really explains the current log... might be an Apple specific config issue that's not reported as an error/warning.

 

 - Ok, I also noted : https://community.cisco.com/t5/wireless/c9800-exclusion-due-to-wrong-psk-macos-clients-only/m-p/4820972#M254968

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

I had saw this article, but it was specific to Mac OS not iOS like I'm experiencing so I had ruled it out.  Also after comparing RA Trace to his, his clients got past layer 2 authentication suggesting it's a different issue.  Although looking through the RA trace maybe I need to understand this more.  It appears this is the hangup point:

2024/02/05 15:42:05.864client-keymgmtSent M1 for EAPOL 4-Way Handshake
2024/02/05 15:42:05.869client-keymgmtCould not validate MIC received in M2 message
2024/02/05 15:42:05.869client-keymgmtFast roam key validation failure on M2
2024/02/05 15:42:06.865client-keymgmtController did not receive response for M1, sending retransmission

Can i see l2 secuirty of wlan

MHM

CARL90_0-1707750089913.png

 

Disbale adptive FT since you use PSK without FT.

MHM

Disabled.  Still seeing errors reported though...

Wait' until the wifi client re-asso or manually disconnected one wifi client  (you see it mac in log server) and reconnect again and check log server.

MHM

jagan.chowdam
Spotlight
Spotlight

Can you get Radioactive Trace for one of the clients and run it through Cisco Wireless Debug Analyzer and see if it points to any errors
https://cway.cisco.com/wireless-debug-analyzer/ 

Make sure to capture the radio active trace for complete session.

Jagan Chowdam

/**Please rate helpful responses**/

Parsed RA Trace for a single client provided repeating entries of the following:

Time Task Translated
2024/02/05 14:56:21.040 client-orch-sm Client made a new Association to an AP/BSSID: BSSID 84f1.XX, WLAN GUEST, Slot 1 AP 84f1.XX, AP012
2024/02/05 14:56:21.041 dot11 Association success for client, assigned AID is: 10. Client performed fast roam.
2024/02/05 14:56:21.055 client-keymgmt Could not validate MIC received in M2 message
2024/02/05 14:56:21.055 client-keymgmt Fast roam key validation failure on M2
2024/02/05 14:56:22.057 client-keymgmt Could not validate MIC received in M2 message
2024/02/05 14:56:22.057 client-keymgmt Fast roam key validation failure on M2
2024/02/05 14:56:23.055 client-keymgmt Could not validate MIC received in M2 message
2024/02/05 14:56:23.055 client-keymgmt Fast roam key validation failure on M2
2024/02/05 14:56:24.050 client-keymgmt Reached maximum retries for M1
2024/02/05 14:56:24.052 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_NOOP. Explanation: Default code when no other reason is known, it should have been replaced with corresponding delete trigger, internal error. Client will recover after a new session. Actions: Collect RA trace for the client

The advanced debug insights are suggesting that following the client "L2 Authentication Request" there's no logged interactions between the device and the AP/WLC.  No authentication failure response, nothing.  Which explains the disconnect reason being "NOOP" which apparently is the error for an unreported/unexplained error... Just repeated entries of this association attempt.

Is Cisco Centralized Key Management (CCKM) feature enabled on the SSID? If it is, can you disable it and check. 

I've seen connectivity issues with new WiFi 6E apple devices when CCKM enabled on SSID level.

Jagan Chowdam

 

Checked, but no dice.  CCKM isn't enabled on any of our SSIDs...

Rich R
VIP
VIP

What version of software are you using?

Review Cisco Networking for a $25 gift card