
Wireless WPA2 Authentication Failing for Client

Presenting Symptom

A wireless client fails to authenticate to the corporate WLAN using WPA2-PSK, repeatedly seeing an 'Authentication failed' or 'Wrong password' message.

Network Context

The network is a small branch office with a Cisco 9130AXI access point (AP) running IOS XE 17.3, connected to a Cisco Catalyst 9300 switch. The WLAN is configured with WPA2-PSK and AES encryption. The client is a Windows 10 laptop with an Intel Wireless-AC 9560 adapter. The SSID is visible, but authentication fails consistently.

Diagnostic Steps

1. Check WLAN configuration on the WLC or AP

show wlan summary
WLAN ID 1: SSID 'Corp-WLAN' (enabled)
Security: WPA2-PSK (AES)

Verify that the WLAN is enabled and using WPA2-PSK. If the security type is different (e.g., WPA2-Enterprise) or the WLAN is disabled, that could be the issue.

2. Verify the PSK configured on the WLAN

show wlan id 1 security
WPA2 PSK Key: ********
Key Management: PSK

Ensure a PSK is configured. If the key is missing or set to a default, authentication will fail. The actual key is hidden, but you can check if it's present.

3. Check client association and authentication logs

show client detail <client-mac>
MAC: aaaa.bbbb.cccc
State: Authentication failed
Last Auth Failure Reason: Wrong PSK

The client state shows 'Authentication failed' with reason 'Wrong PSK'. This indicates the PSK entered on the client does not match the one configured on the AP.

4. Verify the PSK on the client side

On Windows: netsh wlan show profile name="Corp-WLAN" key=clear
Key Content: MySecretKey

Compare the PSK shown on the client with the one configured on the AP. A mismatch confirms the root cause.

Root Cause

The WPA2-PSK configured on the client does not match the PSK configured on the wireless LAN. This is typically due to a typo or incorrect key entry on the client device.

Resolution

1. On the client, forget the wireless network and reconnect with the correct PSK.
2. Alternatively, update the PSK on the client via the wireless profile settings.
3. If the PSK on the AP needs to be changed, use the WLC GUI or CLI: `config wlan security wpa akm psk set-key ascii <new-key> <wlan-id>`.

Verification

After re-entering the correct PSK, the client should associate and authenticate successfully. Use `show client detail <client-mac>` and verify the state is 'Associated' and 'Authenticated'. Also check `show wlan id 1 client count` to see the client count increment.

Prevention

1. Use a passphrase that is easy to communicate accurately (e.g., avoid ambiguous characters).
2. Implement a secure method to distribute the PSK, such as using a QR code or a secure portal.
3. Regularly audit WLAN security settings to ensure consistency across all devices.
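
The check below is an added example, not part of the original scenario or any Cisco tooling. It derives the WPA2-Personal pairwise master key (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID) to show why the one-character mismatch described under Root Cause fails authentication, and it flags the easily misread characters that the first prevention item warns about. The AP-side passphrase and the ambiguous-character set are constructed for illustration.

```python
import hashlib
import hmac

# Characters that are easily confused when a key is read aloud or retyped
# (constructed set for this example; extend to suit your fonts and keyboards).
AMBIGUOUS = set("0O1lI|")

def derive_pmk(passphrase, ssid):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def same_key(client_passphrase, ap_passphrase, ssid):
    """True only if both sides would derive the same PMK for this SSID."""
    return hmac.compare_digest(derive_pmk(client_passphrase, ssid),
                               derive_pmk(ap_passphrase, ssid))

def passphrase_issues(passphrase):
    """Return reasons a passphrase is invalid or likely to be mistyped."""
    issues = []
    if not 8 <= len(passphrase) <= 63:
        issues.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        issues.append("contains characters outside printable ASCII")
    if passphrase != passphrase.strip():
        issues.append("leading or trailing whitespace")
    confusing = sorted(set(passphrase) & AMBIGUOUS)
    if confusing:
        issues.append("easily misread characters: " + " ".join(confusing))
    return issues

if __name__ == "__main__":
    ssid = "Corp-WLAN"               # SSID from the scenario
    client_key = "MySecretKey"       # value shown by netsh in step 4
    ap_key = "MySecr3tKey"           # constructed AP-side value, one character off
    for label, key in (("client", client_key), ("AP", ap_key)):
        print(f"{label:6} PMK {derive_pmk(key, ssid).hex()}  issues: {passphrase_issues(key)}")
    print("keys match:", same_key(client_key, ap_key, ssid))
```

Because the two PMKs share nothing, the AP cannot tell a near-miss from a completely wrong key; it can only report the failure, which is why the comparison in step 4 has to be done by a person or a script.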

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why a client cannot connect to a WPA2-PSK network. The exam tests your ability to interpret show commands and understand the authentication process. Key fact: WPA2-PSK authentication failure is most commonly due to a PSK mismatch.

Exam Tips

1. Remember that 'show client detail' reveals the authentication failure reason, such as 'Wrong PSK'.

2. The exam may present a scenario where the PSK is correct but the client still fails; check for other issues like SSID mismatch or disabled WLAN.

3. Know the difference between WPA2-PSK and WPA2-Enterprise; the troubleshooting steps differ significantly.
