WLAN troubleshooting is a critical skill for the CCNA 200-301 exam and for real-world network engineering. Wireless networks introduce unique challenges—RF interference, signal attenuation, client compatibility, and security misconfigurations—that can cause intermittent connectivity, poor performance, or complete outages. This chapter covers systematic troubleshooting methodology, common WLAN issues, and the IOS commands used to diagnose and resolve problems. Exam objective 2.9 specifically tests your ability to identify and fix WLAN issues using a structured approach.
Jump to a section
Imagine you're a sound engineer at a large concert venue. The band (access point, AP) plays music (Wi-Fi signal) that the audience (wireless clients) needs to hear clearly. The venue has multiple speakers (multiple APs) placed around the floor. Your job is to ensure every seat (client location) gets good sound (strong signal) without echoes (interference) or dead zones (coverage gaps). If a speaker is too close to another, the sound waves overlap and cause distortion (co-channel interference). If a speaker is too far, the audience hears static (low SNR). If a wall (obstacle) blocks the sound, some seats hear nothing (dead spot). When troubleshooting, you walk around with a sound meter (Wi-Fi analyzer) to measure volume (RSSI) and clarity (SNR). You check that all speakers are on the same channel (frequency) and not competing. You also ensure the mixing board (WLC) sends the right audio levels (transmit power) to each speaker. If a client reports crackling (packet loss), you check for other devices (microwaves, Bluetooth) that emit interfering frequencies. You might move a speaker (adjust AP placement) or reduce its volume (lower transmit power) to reduce overlap. The systematic approach—start at the client, check signal, check interference, check configuration—mirrors WLAN troubleshooting: verify client association, check signal strength, look for interference, and validate AP/WLC settings.
WLAN Troubleshooting Methodology
WLAN troubleshooting follows a structured approach similar to wired troubleshooting but with additional RF considerations. The OSI model is still relevant—most WLAN issues occur at Layer 1 (physical/RF) and Layer 2 (MAC/association). A common methodology is:
- Verify client association: Is the client connected to the correct SSID? Use show wireless client summary on the WLC or show wlan clients on an autonomous AP.
- Check signal strength and SNR: Weak signal (RSSI below -75 dBm) or low SNR (below 20 dB) causes poor performance. Use show wireless client mac-address <mac> detail to see RSSI and SNR.
- Check for interference: Use the WLC's CleanAir feature or a spectrum analyzer to detect non-Wi-Fi interference (microwaves, Bluetooth, cordless phones).
- Verify AP and WLC configuration: Ensure the AP is joined to the correct WLC, the WLAN is enabled, security settings match client capabilities, and VLAN assignment is correct.
- Check roaming and client mobility: If the client moves, verify it can roam between APs without losing connectivity.
- Examine logs: Use show logging on the WLC or debug client <mac> to see association and authentication failures.
Common WLAN Issues and Their Causes
1. Client cannot associate to the WLAN
- Causes: wrong SSID, disabled WLAN, mismatched security (e.g., WPA2 vs WPA3), MAC filter denying client, AP not broadcasting SSID (SSID hidden), client driver issues.
- Verification: Use show wlan summary to check WLAN status. Use show wireless client summary to see if client appears. Check security settings with show wlan <id> security.
2. Intermittent connectivity or slow performance
- Causes: co-channel interference (CCI) from overlapping APs on same channel, adjacent-channel interference (ACI) from overlapping channels, non-Wi-Fi interference, high client density, low signal strength, channel utilization > 80%, packet loss due to collisions in 2.4 GHz.
- Verification: Use show ap auto-rf 802.11b (or 11a) to see channel utilization and interference. Use show ap config general <ap-name> to see channel and power. Use a Wi-Fi analyzer on a laptop to see signal strength and noise floor.
3. Authentication or DHCP failures
- Causes: wrong pre-shared key (PSK), 802.1X authentication server unreachable, RADIUS timeout, DHCP server unreachable or exhausted IP pool, VLAN mismatch between AP and switch.
- Verification: Check client logs for authentication errors. Use debug client <mac> on WLC to see EAP or PSK handshake. Check DHCP with show ip dhcp binding on the DHCP server or switch.
4. Roaming issues
- Causes: sticky clients (client holds weak signal too long), fast roaming not enabled (802.11r), APs not on same subnet (L3 roaming requires mobility), neighbor AP list missing.
- Verification: Use show wireless client roaming history <mac> to see roam attempts. Check AP neighbor list with show ap config general <ap-name> | include Neighbor.
Key IOS Commands for WLAN Troubleshooting
On a Cisco WLC (or switch with wireless capabilities), the following commands are essential:
show wlan summary
show wlan <id> detail
show wireless client summary
show wireless client mac-address <mac> detail
show ap summary
show ap config general <ap-name>
show ap auto-rf 802.11b
show ap auto-rf 802.11a
show ap dot11 5ghz channel
show ap dot11 24ghz channel
show logging
show interface <interface> statusExample output for show wireless client mac-address aaaa.bbbb.cccc detail:
Client MAC Address : aaaa.bbbb.cccc
Client State : Associated
AP Name : AP01
WLAN Profile Name : Corporate
SSID : CorpNet
RSSI : -65 dBm
SNR : 25 dB
Channel : 36 (5 GHz)
Tx Rate : 866.7 Mbps
Rx Rate : 866.7 Mbps
Authentication : PSK
Roam Count : 3
Last Roam : 00:02:34For autonomous APs, use:
show dot11 associations
show dot11 statistics
show interface dot11radio0Interaction with Related Protocols
WLAN troubleshooting often involves understanding how wireless interacts with wired infrastructure:
- VLANs: The AP tags wireless traffic with a VLAN based on WLAN-to-VLAN mapping. Mismatched VLANs cause connectivity issues. Use show wlan <id> to see VLAN ID.
- DHCP: Clients get IP addresses from a DHCP server. If the AP is in a different subnet, ensure DHCP relay is configured on the switch or WLC.
- RADIUS/TACACS+: For enterprise authentication, the WLC acts as a RADIUS client. Check RADIUS server reachability and shared secret.
- PoE: APs require Power over Ethernet. Insufficient PoE budget can cause AP to reboot or not power on. Use show power inline on the switch.
Troubleshooting Flowchart
A systematic approach reduces guesswork. Start with the client, then move to the AP, then to the WLC, then to the wired network.
Verify Client Association and IP
Start by checking if the client is associated to the correct WLAN and has an IP address. On the WLC, use `show wireless client summary` to list all clients. If the client is not listed, check if the WLAN is enabled and the client is within range. If the client is listed but has no IP address, check DHCP. Use `show wireless client mac-address <mac> detail` to see the client's IP, RSSI, SNR, and association state. If the client shows 'Associated' but no IP, the DHCP server may be unreachable or the VLAN assignment is wrong. Verify the WLAN's VLAN ID with `show wlan <id>` and ensure the corresponding SVI or DHCP relay is configured on the wired network.
Check Signal Strength and SNR
Weak signal or low SNR causes poor performance and disconnections. From the client detail output, check RSSI (should be > -75 dBm for good connectivity) and SNR (should be > 20 dB). If RSSI is low, the client may be too far from the AP or there are obstacles. If SNR is low, there is high noise floor from interference. Use a Wi-Fi analyzer on a laptop to measure signal at the client's location. On the WLC, use `show ap auto-rf 802.11a` (or 11b) to see channel utilization and noise floor for each AP. High noise (above -80 dBm) indicates interference. You may need to adjust AP placement, increase transmit power (if allowed), or reduce co-channel interference.
Examine AP and WLC Configuration
Verify that the AP is operational and joined to the WLC. Use `show ap summary` to see AP status (Registered, Disabled, etc.). If an AP is 'Not Joined', check network connectivity (PoE, VLAN, routing). For a joined AP, use `show ap config general <ap-name>` to see its channel, power, and antenna settings. Ensure the WLAN profile is configured correctly: SSID, security mode (WPA2, WPA3, 802.1X), VLAN, and enabled status. Use `show wlan <id> security` to view security settings. Common mistakes: WLAN disabled, wrong PSK, or MAC filtering enabled without adding the client's MAC. Also check that the AP's radio is enabled: `show ap dot11 5ghz channel` should show a channel number, not 'Disabled'.
Check for Interference and Channel Utilization
Interference is a major cause of WLAN issues. Use `show ap auto-rf 802.11a` to see channel utilization and interference for 5 GHz APs. Look for channels with utilization > 80% or high interference. If an AP's channel shows high utilization, there may be co-channel interference from other APs on the same channel, or non-Wi-Fi interference. Use CleanAir (if available) to identify non-Wi-Fi sources: `show ap cleanair <ap-name>`. For autonomous APs, use `show interface dot11radio0` to see channel utilization. If interference is detected, change the AP's channel using `ap name <ap-name> channel <channel>` (on WLC) or manually assign a less congested channel. Also check for adjacent channel overlap (channels 1,6,11 for 2.4 GHz).
Verify Authentication and DHCP
If the client associates but cannot get an IP or fails authentication, check the authentication process. For PSK, ensure the passphrase matches exactly (case-sensitive). For 802.1X, verify RADIUS server reachability: `show radius server statistics` on WLC. Use `debug client <mac>` to see EAP messages. For DHCP issues, check the DHCP server logs and ensure the VLAN assigned to the WLAN has a DHCP server or relay. On the WLC, use `show interface <interface>` to see the management interface IP and VLAN. If the client gets an APIPA address (169.254.x.x), DHCP is failing. Check that the switchport connecting the AP is in the correct VLAN and that DHCP snooping is not blocking traffic.
Examine Roaming Behavior
If clients experience drops when moving, check roaming. Use `show wireless client roaming history <mac>` to see roam attempts and failures. If roam fails, ensure that APs are on the same subnet (L2 roaming) or that mobility is configured for L3 roaming. Check that 802.11r (Fast Roaming) is enabled on the WLAN if clients support it: `show wlan <id> security ft`. Also verify that APs are in the same RF group for seamless roaming. Use `show ap config general <ap-name> | include RF-Group` to see the group. If client sticks to a far AP, adjust minimum RSSI thresholds: `ap name <ap-name> dot11 5ghz min-rssi -80` to force disassociation when signal is weak.
In a typical enterprise deployment, you might have 50-200 APs managed by a WLC. One common scenario is a user in a conference room complaining of slow internet during a video call. You start by checking the client association on the WLC: the user is associated to AP-Conference with RSSI -72 dBm and SNR 18 dB. The SNR is borderline. Using show ap auto-rf 802.11a, you see that channel utilization on AP-Conference's channel (36) is 85% and noise floor is -82 dBm. There is heavy interference, likely from other APs in nearby offices on the same channel. You decide to change AP-Conference to channel 149, which has lower utilization. After the change, SNR improves to 25 dB and the user reports better performance.
Another scenario: A warehouse deployment where clients roam between APs mounted on the ceiling. Users report that their handheld scanners disconnect when moving from one aisle to another. You check roaming history and see frequent roam failures. The issue is that APs are on different VLANs (L3 roaming) and mobility is not configured. You configure a mobility group on the WLC and ensure all APs are in the same group. You also enable 802.11r for fast roaming. After changes, roams succeed and disconnections stop.
A third scenario: A guest network where clients can associate but cannot get an IP address. The WLAN is configured with VLAN 100, but the switchport connecting the AP is in VLAN 200 (native VLAN mismatch). You verify with show vlan on the switch and correct the trunk configuration. After fixing, clients receive IP addresses from the DHCP server in VLAN 100. These real-world cases highlight the importance of systematic troubleshooting using show commands and understanding RF fundamentals.
For CCNA 200-301 exam objective 2.9 (WLAN troubleshooting), expect scenario-based questions where you must identify the most likely cause of a wireless issue and the correct corrective action. The exam tests your ability to interpret show command output and apply a logical troubleshooting methodology.
Common wrong answers and why candidates choose them: 1. 'The AP is not powered on' when the client cannot associate. But the client sees the SSID (so AP is on) but authentication fails. Candidates often jump to power issues without checking logs. 2. 'Increase transmit power' for a client with low RSSI but high interference. Increasing power can increase co-channel interference and make things worse. The correct answer may be to move the AP or change channels. 3. 'Disable SSID broadcast' for a client that cannot find the SSID. If the client is configured with the correct SSID, hiding the SSID doesn't help; the client must have the exact SSID. The issue is likely a mismatch. 4. 'The WLAN is disabled' when the client can associate but cannot get an IP. Association works even if DHCP fails. Candidates confuse association with DHCP success.
Specific values to know:
RSSI: -75 dBm or higher (closer to 0) is good; below -80 dBm is poor.
SNR: > 20 dB is good; < 15 dB is poor.
Channel utilization: > 80% indicates congestion.
Noise floor: -80 dBm or higher (less negative) indicates high noise.
Default 2.4 GHz channels: 1, 6, 11 (non-overlapping).
Default 5 GHz channels: 36, 40, 44, 48, etc.
For scenario questions, use elimination: if the client is associated, the issue is not association-related (e.g., wrong SSID). If the client has an IP, DHCP is not the issue. If the client can ping the gateway, routing is fine. Focus on the layer where symptoms appear.
Use a systematic approach: verify association, signal, interference, configuration, and roaming.
RSSI below -75 dBm or SNR below 20 dB indicates poor signal quality.
Channel utilization above 80% suggests congestion from co-channel interference or non-Wi-Fi sources.
Key WLC show commands: show wireless client summary, show ap auto-rf, show wlan detail.
Authentication failures are often due to mismatched PSK or RADIUS issues; use debug client on WLC.
Roaming issues can be resolved by enabling 802.11r or configuring mobility groups for L3 roaming.
Always check the wired infrastructure: VLAN mismatch, PoE, DHCP relay, and trunk configuration.
These come up on the exam all the time. Here's how to tell them apart.
Co-Channel Interference (CCI)
Occurs when multiple APs use the same channel and overlap in coverage.
Causes collisions and reduced throughput due to CSMA/CA waiting.
Mitigated by proper channel planning and lowering transmit power.
Common in dense deployments with limited channels (e.g., 2.4 GHz).
Shows high channel utilization on the same channel.
Adjacent-Channel Interference (ACI)
Occurs when APs use overlapping channels (e.g., channels 1 and 2 in 2.4 GHz).
Causes signal leakage into adjacent channels, increasing noise floor.
Mitigated by using non-overlapping channels (1,6,11 in 2.4 GHz; all 5 GHz channels).
More common in 2.4 GHz due to limited non-overlapping channels.
Shows increased noise floor on adjacent channels.
Mistake
If a client can see the SSID, the AP must be configured correctly.
Correct
The AP may broadcast the SSID but have other misconfigurations like disabled WLAN, wrong security, or MAC filtering that prevent association. Seeing the SSID only means the beacon is being sent.
Candidates confuse beacon transmission with full functionality.
Mistake
Increasing AP transmit power always improves client connectivity.
Correct
Higher power can increase co-channel interference and cause clients to stick to a far AP instead of roaming to a closer one. It may also violate regulatory limits. The correct approach is to adjust power based on coverage needs and minimize overlap.
Intuitive thinking that more power is always better, ignoring RF coexistence.
Mistake
If a client has an IP address, DHCP is working and the issue is elsewhere.
Correct
Having an IP does not guarantee DHCP is working correctly; the client may have a stale lease or APIPA address. Always verify the IP address is from the correct subnet and that the DHCP server is reachable.
Candidates assume DHCP success from IP presence without checking the actual address.
Mistake
All wireless issues are due to RF interference.
Correct
Many issues are due to configuration errors (wrong VLAN, security mismatch, disabled WLAN) or wired infrastructure problems (PoE, trunk misconfiguration). RF is one piece of the puzzle.
Overemphasis on RF because it's unique to wireless, but configuration errors are equally common.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Co-channel interference (CCI) occurs when multiple APs use the same channel and their coverage overlaps. Since Wi-Fi uses CSMA/CA, only one device can transmit at a time on a given channel, so overlapping APs must wait for each other, reducing throughput. Adjacent-channel interference (ACI) occurs when APs use overlapping channels (e.g., channels 1 and 2 in 2.4 GHz). The signal from one channel leaks into the other, raising the noise floor and reducing SNR. ACI is more severe in 2.4 GHz due to limited non-overlapping channels (1, 6, 11). In 5 GHz, all channels are non-overlapping, so ACI is rare. On the exam, remember that CCI is about same-channel competition, while ACI is about overlapping frequency bands.
To debug a specific client on a Cisco WLC, use the command `debug client <mac-address>`. Replace <mac-address> with the client's MAC address in xxxx.xxxx.xxxx format. This command enables detailed logging for that client, including association, authentication (EAP/PSK), DHCP, and roaming events. To view the debug output, use `show logging` or `monitor log`. Be cautious: debug commands are CPU-intensive and should be used only for specific clients during troubleshooting. To disable, use `no debug client <mac>`. On the exam, you may be asked to interpret debug output to identify the failure point, such as a PSK mismatch or RADIUS timeout.
RSSI (Received Signal Strength Indicator) is measured in dBm and ranges from 0 (best) to -100 (worst). For good connectivity, RSSI should be -75 dBm or higher (closer to 0). At -75 dBm, you can expect reliable data rates. At -80 dBm, performance degrades, and below -85 dBm, connections become unstable. On the exam, remember that -75 dBm is the typical threshold for acceptable signal. SNR (Signal-to-Noise Ratio) should be above 20 dB for good performance. These values are commonly tested in scenario questions.
This indicates that the client has successfully completed Layer 2 association but has not obtained a valid IP address or the gateway is unreachable. First, check if the client has an IP address (use `ipconfig` on Windows). If it has an APIPA address (169.254.x.x), DHCP is failing. Check the DHCP server and relay. If it has a valid IP, check the VLAN assignment: the WLAN might be mapped to a VLAN that does not have a gateway SVI or the switchport connecting the AP is in the wrong VLAN. Also verify that the client's default gateway is correct and that routing is working. Use `show ip route` on the switch or router to ensure the gateway is reachable.
Cisco CleanAir is a feature on certain APs that detects non-Wi-Fi interference sources (e.g., microwaves, Bluetooth, cordless phones). To view interference, use `show ap cleanair <ap-name>` on the WLC. This command displays the type, severity, and channel of the interferer. If CleanAir is not available, you can use a spectrum analyzer (external tool) to identify interference. On the exam, you may be asked to interpret CleanAir output to identify the source of intermittent connectivity. High noise floor on a specific channel without high utilization is a sign of non-Wi-Fi interference.
By default, 802.11r (Fast Roaming) is disabled on Cisco WLCs. It must be explicitly enabled on the WLAN using the command `config wlan security ft enable <wlan-id>` or via the GUI under Security > Fast Roaming. When enabled, it uses PMK caching to reduce roam time to under 50 ms. On the exam, remember that 802.11r is an optional feature and that clients must support it. If a client does not support 802.11r, it will still associate but without fast roaming benefits. A common trap is assuming 802.11r is enabled by default.
Use the command `show wlan <id>` (e.g., `show wlan 1`) to display the WLAN configuration. Look for the 'Interface/Interface Group' field, which shows the VLAN or interface name. For example, 'Guest' or 'VLAN100'. The actual VLAN ID is configured on the interface under the WLC's Interface configuration. To see the VLAN ID for an interface, use `show interface <interface-name>`. For example, `show interface guest` might show 'VLAN ID: 100'. On the exam, you may be given output from `show wlan` and asked to verify that the VLAN matches the expected subnet.
You've just covered WLAN Troubleshooting — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?