Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3003
Views
3
Helpful
24
Replies

reason (Cred Fail) on Interface capwap

Leo TI
Level 1
Level 1

‎12-04-2023 10:01 AM

Hello friends, I have a virtual WLC 9800 running version 17.6.5. A client is unable to connect from a specific PC, but can connect successfully from other devices. I have verified the credentials, and they are correct. The specific PC can connect normally to a WLC 2504.

2023/12/04 13:29:00.654796 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Association received. BSSID 00d7.8f2f.6c2d, WLAN lab_doble_authe, Slot 1 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:00.655090 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:00.655422 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:00.655826 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 4, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:00.656069 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:00.656460 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c2d capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:00.662780 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:00.664541 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:07.229614 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8B35E04467 Username: rosario
2023/12/04 13:29:07.229914 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8B35E04467
2023/12/04 13:29:07.229939 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8B35E04467. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:07.230915 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:07.231175 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c2d WTP mac: 00d7.8f2f.6c20 slot id: 1
2023/12/04 13:29:07.231193 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:07.231321 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:07.231666 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0x23000a86
2023/12/04 13:29:07.233024 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:07.437295 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Re-Association received. BSSID 00d7.8f2f.6c22, WLAN lab_doble_authe, Slot 0 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:07.438081 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:07.438332 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:07.438379 {wncd_x_R0-0}{1}: [apmgr-db] [17015]: (ERR): Failed to get opt roam statusInvalid (null) rf common record
2023/12/04 13:29:07.438380 {wncd_x_R0-0}{1}: [dot11k] [17015]: (ERR): MAC: ec2e.9835.cc35 Rssi check failed, Unable to get the smart roam status for rf profile default_rf_5gh
2023/12/04 13:29:07.438642 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 6, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:07.438872 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:07.439180 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c22 capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:07.443490 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:07.445179 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:14.051602 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8C35E05EE4 Username: rosario
2023/12/04 13:29:14.051993 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8C35E05EE4
2023/12/04 13:29:14.052023 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8C35E05EE4. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:14.052691 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:14.053158 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c22 WTP mac: 00d7.8f2f.6c20 slot id: 0
2023/12/04 13:29:14.053183 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:14.053318 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:14.053781 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0xd9000a87
2023/12/04 13:29:14.055192 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:21.134272 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Association received. BSSID 00d7.8f2f.6c2d, WLAN lab_doble_authe, Slot 1 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:21.134588 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:21.134920 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:21.135369 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 5, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:21.135582 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:21.135969 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c2d capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:21.140043 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:21.142386 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:28.503154 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8D35E09465 Username: rosario
2023/12/04 13:29:28.503468 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8D35E09465
2023/12/04 13:29:28.503497 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8D35E09465. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:28.505974 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:28.506260 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c2d WTP mac: 00d7.8f2f.6c20 slot id: 1
2023/12/04 13:29:28.506292 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:28.506436 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:28.506809 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0x90000a88
2023/12/04 13:29:28.508729 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2023/12/04 13:29:28.627648 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Re-Association received. BSSID 00d7.8f2f.6c22, WLAN lab_doble_authe, Slot 0 AP 00d7.8f2f.6c20, AP_REUNIONES
2023/12/04 13:29:28.627947 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2023/12/04 13:29:28.628278 {wncd_x_R0-0}{1}: [dot11-validate] [17015]: (ERR): MAC: ec2e.9835.cc35 Failed to dot11 ie validate aironet ipaddr. Aironet ipaddr IE is not present in Assoc Request
2023/12/04 13:29:28.628338 {wncd_x_R0-0}{1}: [apmgr-db] [17015]: (ERR): Failed to get opt roam statusInvalid (null) rf common record
2023/12/04 13:29:28.628340 {wncd_x_R0-0}{1}: [dot11k] [17015]: (ERR): MAC: ec2e.9835.cc35 Rssi check failed, Unable to get the smart roam status for rf profile default_rf_5gh
2023/12/04 13:29:28.628656 {wncd_x_R0-0}{1}: [dot11] [17015]: (note): MAC: ec2e.9835.cc35 Association success. AID 8, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2023/12/04 13:29:28.628893 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2023/12/04 13:29:28.629273 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 ADD MOBILE sent. Client state flags: 0x71 BSSID: MAC: 00d7.8f2f.6c22 capwap IFID: 0x90000009, Add mobiles sent: 1
2023/12/04 13:29:28.653824 {wncd_x_R0-0}{1}: [client-auth] [17015]: (note): MAC: ec2e.9835.cc35 L2 Authentication initiated. method DOT1X, Policy VLAN 0, AAA override = 0 , NAC = 0
2023/12/04 13:29:28.655626 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (note): Authentication Success. Resolved Policy bitmap:11 for client ec2e.9835.cc35
2023/12/04 13:29:33.880699 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (ec2e.9835.cc35) with reason (Cred Fail) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8E35E0B1BE Username: rosario
2023/12/04 13:29:33.881008 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17015]: (ERR): SANET_AUTHC_FAILURE - Cred Fail, username rosario, audit session id 320A16AC00001A8E35E0B1BE
2023/12/04 13:29:33.881037 {wncd_x_R0-0}{1}: [errmsg] [17015]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (ec2e.9835.cc35) on Interface capwap_90000009 AuditSessionID 320A16AC00001A8E35E0B1BE. Failure reason: Authc fail. Authc failure reason: Cred Fail.
2023/12/04 13:29:33.881822 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_CREDENTIAL_FAILURE, details: , fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|
2023/12/04 13:29:33.882080 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (note): MAC: ec2e.9835.cc35 Delete mobile payload sent forbssid: 00d7.8f2f.6c22 WTP mac: 00d7.8f2f.6c20 slot id: 0
2023/12/04 13:29:33.882098 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2023/12/04 13:29:33.882269 {wncd_x_R0-0}{1}: [client-orch-sm] [17015]: (ERR): MAC: ec2e.9835.cc35 CLT populate Record: failed to populate anchor ip
2023/12/04 13:29:33.882802 {wncd_x_R0-0}{1}: [sanet-shim-translate] [17015]: (note): MAC: ec2e.9835.cc35 Session manager disconnect event called, session label: 0xa6000a89
2023/12/04 13:29:33.883957 {wncd_x_R0-0}{1}: [client-orch-state] [17015]: (note): MAC: ec2e.9835.cc35 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED

Labels:
0 Helpful
24 Replies 24

Leo TI
Level 1
Level 1
In response to MHM Cisco World

‎12-05-2023 08:48 AM

Hello, can you explain to me where I make that configuration, please?

0 Helpful

Rich R
VIP
VIP
In response to Leo TI

‎12-06-2023 01:20 AM

If it's central authentications and working on an identically configured AP then not likely to be a problem with the radius config.

Did you read my earlier reply below?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

MHM Cisco World
VIP
VIP
In response to Leo TI

‎12-05-2023 09:28 AM

Friend here can config the vlan use as source to connect to radius server.

Check above photo you share

MHM

0 Helpful

Rich R
VIP
VIP

‎12-04-2023 04:16 PM - edited ‎03-05-2024 03:20 PM

Are the 2 APs both the same model?
Do both APs have the same tags configured? (sh ap tag summ)
Have you tried a CAPWAP restart on the one giving you trouble - ap name <AP-name> reset capwap (try this before reload)?
Have you tried a reload on the one giving you trouble - ap name <AP-name> reset? (most of these problems are resolved by capwap restart or reload)
Does an open SSID work on that AP?
Upgrade to 17.9.4a + APSP8 and if it happens again after that then open a TAC case so TAC can capture all debugs, packet captures, radioactive traces etc for dev team to look at.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

CiscoU9834
Level 1
Level 1

‎03-05-2024 01:00 PM

I'm having the same issue with 17.9.4a.
From WLC debug I see 4 login attempts (before setting clients as excluded) but from ISE Live Logs I'm seeing only one request and not the others. It seems that WLC is "caching" authentication.
Have you solved?

0 Helpful

Rich R
VIP
VIP
In response to CiscoU9834

‎03-05-2024 03:26 PM

Make sure you have APSP8 installed?
If you still see the problem open a TAC case and provide radioactive traces of failed client and AP with packet captures from AP port and WLC and OTA capture of the client.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

nemrinoureddine
Level 1
Level 1

‎03-07-2024 06:56 AM

Solved: 

Hello,

In the Windows update of November 10th, EAP was updated to support TLS 1.2. This means that during the TLS handshake, the server announces support for TLS 1.2, enabling the use of TLS 1.2.

> Here is the solution to the problem of configuring TLS version. By default, EAP must add a DWORD value to the TlsVersion registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 The value of this registry key can be 0xC0, 0x300, or 0xC00

Rich R
VIP
VIP
In response to nemrinoureddine

‎03-07-2024 07:27 AM

Thanks for the update @nemrinoureddine but you don't say what value you set the key to?

I presume you're referring to this Microsoft article? https://support.microsoft.com/en-gb/topic/windows-10-devices-can-t-connect-to-an-802-1x-environment-179ef277-e6ef-8ea3-cb0e-11a6b80fa955
Setting that value to downgrade your TLS version is a workaround not a solution.  Ultimately your server should be patched to resolve the issue and allow the use of TLS 1.2.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

nemrinoureddine
Level 1
Level 1

‎03-15-2024 03:36 AM

Hello,

Yes, the problem has been solved for me. The problem was definitely in Windows 11, possibly in some people with Windows 10 too. To solve this problem, please follow these steps:

To add EAP-TTLS 1.3 to the Windows registry, you typically need to modify registry entries related to network authentication protocols. However, please be cautious when making changes to the registry, as incorrect modifications can cause system instability or other issues. Here's a general guide on how you might proceed:

  1. Open Registry Editor: Press Windows Key + R, type regedit, and press Enter to open the Registry Editor.

  2. Navigate to the Correct Key: Navigate to the appropriate key for your network authentication settings. Typically, this is located at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

    1. Add a New Subkey: Right-click key, then select New > Key. Name this new key TTLS.

    2. Add Protocol Version: Within the TTLS key, create a new DWORD (32-bit) value. Name it Tlsversion.

    3. Set Protocol Version: Double-click on the Tlsversion value you just created and set its value data to "ofc0

      nemrinoureddine_0-1710499004114.png

       

      ". This value represents EAP-TTLS version 1.3.

    4. Save Changes: Close the Registry Editor and restart your computer for the changes to take effect.

jcpatinov
Level 1
Level 1
In response to nemrinoureddine

‎04-24-2024 09:09 AM

Hello, i add this registry and it´s PC connected only once, We have around 100 PC with the same problem, anyone solve this issue? please Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card