[TIP] Cisco 9800: Baselining MAC filtering and PSK failures

TIP - Cisco 9800: Baselining MAC filtering and PSK failures

MAC Filtering Failure

Some times is good to leverage a quick call to solve an issue to baseline the behaviour of both correct authentication or failures. This time is an SSID with WPA2 Personal, with MAC filtering for Dynamic VLAN asignment via Cisco ISE. 

A field engineer called me because one RF Gun was not authenticating to the SSID. Knowing there is a MAC filtering on the SSID (for Dynamic Vlan Assignment) in addition to a PSK, I quickly checked the exclusion reason on the 9800:

And also on ISE it was clear that the MAC address was not added to the allowed list :

Although I didn´t used the Cisco Wireless Debug Analyzer until this was solved, this is the output for the current issue:


Solution: The solution was easy, just add the MAC address to the authorized list.


PSK Failure

While I was adding the MAC address, the field engineer informed me, he re-entered the PSK on the RF Gun thinking that maybe that was the error ¬¬. This time the message on the 9800 was the following:

Again, I didn´t used the Cisco Wireless Debug Analyzer until this was solved, but for this base-lining, here is documented the output:

Solution: Even more clear now, right? the PSK was not entered correctly, so it was double checked and re-entered correctly again.

Correct behavior

And to end this TIP/Baseline, let´s see the correct expected behavior

Run status on the 9800:
MAC address added to the authorization list which will assign the device to an specific VLAN:
The Cisco Wireless Debug Analyzer will provide the following output:
And although is not a very interesting capture, here we can see the capture performed on the 9800:




Comentarios

Entradas populares de este blog

Cisco 9800 Roam Type 802.11i Slow vs 802.11i Fast vs 802.11r

Captura de paquetes desde el móvil con ANALITI

Configurar Cisco WLC y Aruba Clearpass para Guest con Mac Caching