How to Fix: Cisco Mobility Express Controller (Access Point) keep disconnecting/excluding users/clients

Last Updated on

The issue

Cisco Mobility Express Access Point keep disconnecting/excluding clients/users from time to time, the configuration seems fine on the controller but somehow, it keeps excluding clients.

Sometime we can discover following errors

[Date] [Time] [AP IP address] [AP Name]: *Dot1x_NW_MsgTask_0: [Date] [Time]: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client [MAC Address]

The above error can be caused by many factors, some of them can be, low signal strength between AP and the client, RF interference etc. which cause the client to keep re-authenticating, eventually caused a behavior seemed with many tries of authentication, this triggers the protection from “Client Exclusion Policy” finally the client gets excluded for a period of time. The results will be the clients keeps getting disconnected. Local EAP parameters can be one of the reason as well.

The Fix

Distribute the access points correctly at right distance, adjust antenna power for access points correctly, configure the RF frequency correctly to minimize interference, eventually improve the RF signal quality, and strength reaching out at clients. That should reduce the error.


There are some workaround may or may not work

(Cisco Access Point disconnecting clients from time to time can be caused by signal issue plus following settings, we can use following workaround to get around with it but it’s not recommended to disable them completely for enterprise environment since those are security features.)

1 If you get a lot of excluded clients try to follow this “How to: Check/Enable/Disable Cisco Controller (Access Point) Client Exclusion Policy settings (Mobility Express) via Controller Console” to disable “Client Exclusion Policies”. So that they will not be excluded. (Note: This is a security feature, we really should fix the root cause rather than disabling Client Exclusion Policies, especially within enterprise environment)

2 If you are getting a lot of similar errors in red at the top of this page, try to follow this “How to Check/Change: Cisco Controller/Mobility Express (Access Point) Local EAP settings, commands” to increase value for “EAP-Identity-Request Max Retries” available value is 1 to 20, Recommendations for the Max Retries is 12.

More information about EAP-* parameters can be found in “How to Check/Change: Cisco Controller/Mobility Express (Access Point) Local EAP settings, commands

Leave a Reply

Your email address will not be published. Required fields are marked *