WirelessCCNA 200-301

Hidden SSID Client Cannot Connect Without Manual Profile

Presenting Symptom

A wireless client cannot connect to a hidden SSID unless a manual profile is created on the client device.

Network Context

A small branch office with a Cisco 9130AXI access point running IOS XE 17.3, connected to a Cisco 9300 switch. The WLAN is configured with SSID 'CorpNet' set to broadcast disabled (hidden). Clients are Windows 10 laptops with Intel wireless adapters. The issue occurs when users try to connect by selecting 'Connect to a hidden network' without manually entering the SSID.

Diagnostic Steps

Check WLAN configuration on the access point

show wlan summary

WLAN Profile Name : CorpNet
SSID : CorpNet
Status : Enabled
Broadcast SSID : Disabled

Verify that the WLAN is enabled and broadcast SSID is disabled. If broadcast SSID is enabled, the issue is not about hidden SSID.

Check client association attempts

show dot11 associations client <client-mac>

Client MAC : xxxx.xxxx.xxxx
State : Associated
SSID : CorpNet
VLAN : 10
IP Address : 192.168.10.100

If the client is associated, the problem is likely client-side. If not associated, check for authentication or probe response issues.

Verify probe response behavior

debug dot11 events

dot11d: Received probe request from xxxx.xxxx.xxxx
SSID: CorpNet
Sending probe response to xxxx.xxxx.xxxx
SSID: CorpNet

If the AP sends a probe response only when the probe request includes the exact SSID, it is normal for hidden SSID. If the AP does not respond at all, check the WLAN configuration or radio settings.

Check client-side wireless profile

netsh wlan show profiles

Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CorpNet
        SSID name        : CorpNet
        Connection mode  : Manual
        Network type     : Infrastructure
        Radio type       : 802.11ax
        Security         : WPA2-Personal

If the profile is set to 'Manual', the client will only connect when the user manually selects the network. If set to 'Automatic', the client will attempt to connect automatically when the SSID is broadcast.

Root Cause

The client's wireless profile for the hidden SSID is configured with 'Connection mode: Manual', which requires the user to manually initiate the connection. When the SSID is hidden, the client does not automatically attempt to connect unless the profile is set to 'Automatic' and the SSID is manually entered once.

Resolution

On the Windows client, modify the wireless profile to set connection mode to automatic: 1. Open Command Prompt as Administrator. 2. Run: netsh wlan set profileparameter name="CorpNet" connectionmode=auto 3. Alternatively, delete the existing profile and reconnect manually: netsh wlan delete profile name="CorpNet" Then connect by selecting 'Connect to a hidden network' and entering the SSID and credentials. The client will save the profile with automatic connection.

Verification

After applying the fix, verify that the client connects automatically: 1. Run: netsh wlan show profiles name="CorpNet" Expected output: Connection mode : Automatic 2. Disconnect and wait for the client to reconnect automatically: netsh wlan disconnect Then check association: netsh wlan show interfaces Expected: State : connected SSID : CorpNet

Prevention

1. Avoid using hidden SSIDs as they provide no real security and cause client connectivity issues. Instead, use strong encryption (WPA2/3) and disable SSID broadcast only if absolutely necessary. 2. Educate users to manually create a profile with the correct SSID and security settings when connecting to a hidden network for the first time. 3. Use enterprise authentication (802.1X) with dynamic VLAN assignment to simplify client configuration.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of wireless client connectivity and the behavior of hidden SSIDs. Questions may appear as multiple-choice or troubleshooting drag-and-drop, asking why a client cannot connect to a hidden SSID. Key fact: A hidden SSID does not appear in client scan results, so the client must have a pre-configured profile with the exact SSID to initiate a connection.

Exam Tips

Remember that hidden SSIDs are not truly hidden; they can be discovered by passive monitoring. The exam emphasizes that hiding the SSID is not a security feature.

Know that clients send probe requests with either a broadcast SSID (null) or a specific SSID. For hidden SSIDs, the AP only responds to probe requests that include the exact SSID.

Be familiar with the Windows netsh commands for troubleshooting wireless profiles, as they are commonly used in exam scenarios.

Commands Used in This Scenario

show dot11 associations

Displays the list of wireless clients currently associated with a Cisco access point, including their MAC addresses, IP addresses, signal strength, and connection state, used for troubleshooting client connectivity and performance issues.

show wlan summary

Displays a summary of all WLANs configured on a Cisco wireless controller, used to quickly verify WLAN IDs, names, SSIDs, status, security settings, and interface bindings.

Test Your CCNA Knowledge

Practice with scenario-based questions to prepare for the CCNA 200-301 exam.

Practice CCNA Questions