Cisco Mobility Express access points keep disconnecting or excluding clients/users from time to time. The configuration looks fine on the controller, but somehow it keeps excluding clients.
Sometimes we can find the following error in the logs:
[Date] [Time] [AP IP address] [AP Name]: *Dot1x_NW_MsgTask_0: [Date] [Time]: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client [MAC Address]
The above error can be caused by many factors; some of them are low signal strength between the AP and the client, RF interference, etc. These cause the client to keep re-authenticating, which eventually looks like many repeated authentication attempts. This triggers the protection of the “Client Exclusion Policy”, and the client is finally excluded for a period of time. The result is that clients keep getting disconnected. Local EAP parameters can be one of the reasons as well.
Distribute the access points correctly at the right distance, adjust the antenna power of the access points correctly, and configure the RF channels correctly to minimize interference, so that the RF signal quality and strength reaching the clients improves. That should reduce the error.
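Before touching timers, it helps to know which clients and which access points are actually producing the %DOT1X-4-MAX_EAP_RETRIES message, because a single client hitting it repeatedly points at that client's location or supplicant, while many clients on one AP point at RF or AP problems. The following script is an added example, not part of the original post or of any Cisco tool: it parses lines in the shape quoted above, counts the message per client MAC and per AP, and lists clients that have hit it at least as many times as the exclusion policy tolerates. The log lines, MAC addresses, AP names and IP addresses are constructed for the example; the column layout in front of the message is assumed to match the quoted line.

```python
import re
from collections import Counter

# Regex over the message shape quoted on this page. The AP IP, AP name, retry
# limit and client MAC are captured; the leading date/time columns are skipped.
LINE_RE = re.compile(
    r"(?P<ap_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ap_name>[^:\s]+): \*Dot1x_NW_MsgTask_\d+: "
    r".*?%DOT1X-4-MAX_EAP_RETRIES: \S+ Max EAP identity request retries "
    r"\((?P<retries>\d+)\) exceeded for client (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample log (not captured from a real controller): MACs, AP names
# and addresses are made up. The last line is an unrelated constructed message.
SAMPLE_LOG = """\
Jan 10 10:01:02 10.0.0.5 AP-Lobby-1: *Dot1x_NW_MsgTask_0: Jan 10 10:01:02.101: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:33:44:55
Jan 10 10:01:40 10.0.0.5 AP-Lobby-1: *Dot1x_NW_MsgTask_0: Jan 10 10:01:40.220: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:33:44:55
Jan 10 10:02:15 10.0.0.6 AP-Warehouse-2: *Dot1x_NW_MsgTask_0: Jan 10 10:02:15.004: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client AA:BB:CC:DD:EE:FF
Jan 10 10:02:50 10.0.0.5 AP-Lobby-1: *Dot1x_NW_MsgTask_0: Jan 10 10:02:50.777: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client 00:11:22:33:44:55
Jan 10 10:03:01 10.0.0.5 AP-Lobby-1: *spamApTask0: Jan 10 10:03:01.000: %EXAMPLE-6-OTHER: unrelated constructed message
"""


def parse_max_eap_retries(log_text):
    """Return one record per MAX_EAP_RETRIES line; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "ap_ip": m["ap_ip"],
                "ap_name": m["ap_name"],
                "retries": int(m["retries"]),
                "mac": m["mac"].lower(),   # normalise so upper/lower case MACs count together
            })
    return records


def count_by_client(records):
    """How often each client MAC exhausted its identity-request retries."""
    return Counter(r["mac"] for r in records)


def count_by_ap(records):
    """How often the message fired per AP; a hot AP suggests RF or AP trouble."""
    return Counter(r["ap_name"] for r in records)


def clients_at_exclusion_risk(records, threshold=3):
    """Clients that hit the message at least `threshold` times. Three consecutive
    802.1X failures is the exclusion trigger quoted on this page, so these are the
    clients most likely to end up on the exclusion list."""
    return sorted(mac for mac, n in count_by_client(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_max_eap_retries(SAMPLE_LOG)
    print("per client:", dict(count_by_client(recs)))
    print("per AP:    ", dict(count_by_ap(recs)))
    print("at risk:   ", clients_at_exclusion_risk(recs))
```

Feed it the output of the controller's message log (or a syslog export) instead of SAMPLE_LOG; if the per-AP counter is dominated by one AP, start with placement, power and channel for that AP rather than with the EAP timers.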
There are some workarounds that may or may not work.
(Cisco access points disconnecting clients from time to time can be caused by signal issues plus the following settings. We can use the following workarounds to get around it, but it is not recommended to disable them completely in an enterprise environment, since they are security features.)
EAP-Identity-Request Timeout (seconds)
EAP-Identity-Request Max Retries
EAP Key-Index for Dynamic WEP
EAP Max-Login Ignore Identity Response
EAP-Request Timeout (seconds)
EAP-Request Max Retries
EAPOL-Key Timeout (milliseconds)
EAPOL-Key Max Retries
EAP-Broadcast Key Interval
RSN Capability Validation
Show current Local EAP settings
1 Log in to the Cisco controller (Mobility Express) via console or SSH
2 Type the following command
show advanced eap
Change Local EAP settings
config advanced eap [name] [value]
Increasing the value of “EAP-Identity-Request Max Retries” may fix or reduce the following error
[Date] [Time] [AP IP address] [AP Name]: *Dot1x_NW_MsgTask_0: [Date] [Time]: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6710 Max EAP identity request retries (3) exceeded for client [Client MAC Address]
More information about the EAP-* settings (not official Cisco documentation)
EAP-Identity-Request Timeout (seconds)
This timer affects how long we wait between EAP Identity Requests. By default this is one second (4.1 and lower) and 30 seconds (4.2 and greater). The reason for this change was that we found some clients (handhelds, phones, scanners, etc.) had a hard time responding fast enough. Devices like laptops usually do not require manipulation of these values. Available values are from 1 to 120.
So, what happens with this attribute set to a value of 30? When the client first connects, it sends an EAPOL Start to the network, and the WLC sends down an EAP packet requesting the user's or machine's Identity. If the WLC does not receive the Identity Response, it sends another Identity Request 30 seconds after the first. This happens on initial connection, and when the client roams.
What happens when we increase this timer? If everything is good, there is no impact. However, if there is an issue in the network (including client issues, AP issues, RF issues), this can cause delays in network connectivity. For example, if you set the timer to the maximum value of 120 seconds, the WLC waits 2 minutes between Identity Requests. If the client is roaming, and the Response is not received by the WLC, we have created, at minimum, a two-minute outage for this client.
The recommendation for this timer is to set it to 5. There is no current reason to place this timer at its maximum value.
EAP-Identity-Request Max Retries
So, for max retries, what does this value do? In short, this is the number of times the WLC will send the Identity Request to the client before removing its entry from the MSCB. Once the Max Retries is reached, the WLC sends a de-authentication frame to the client, forcing it to restart the EAP process. Available values are 1 to 20. So let’s look at this for a moment.
The Max Retries works together with the Identity Timeout. If you have your Identity Timeout set to 120 and your Max Retries to 20, how long does it take for the client to be removed? 120 * 20 = 2400 seconds. So it would take 40 minutes for the client to be removed and to start the EAP process over again. If instead you set the Identity Timeout to 5, with Max Retries of 12, 5 * 12 = 60. So there is one minute until the client is removed and has to start EAP over.
The recommendation for Max Retries is 12.
EAPOL-Key Timeout (milliseconds)
For the EAPOL-Key Timeout value, the default is 1 second, or 1000 milliseconds. What this means is that when it comes time to exchange the EAPOL keys between the AP and the client, the AP will send the key and wait up to 1 second by default for the client to respond. After waiting the defined time value, the AP will re-transmit the key. You can use the command “config advanced eap eapol-key-timeout <time>” to alter this setting. The available values in 6.0 are between 200 and 5000 milliseconds, while code prior to 6.0 allows values between 1 and 5 seconds. Keep in mind that if you have a client which isn’t responding to a key attempt, extending the timer can give it a little more time to respond; however, this also prolongs the time it takes for the WLC/AP to deauthenticate the client so that the whole 802.1X process can start fresh.
EAPOL-Key Max Retries
For the EAPOL-Key Max Retries value, the default is 2. What this means is that we will retry the original key attempt to the client 2 times. This setting can be altered using the command “config advanced eap eapol-key-retries <retries>”. The available values are between 0 and 4 retries. Using the default value for the eapol key timeout (1 sec) and the default value for the eapol key retry (2) the process would go as follows if a client doesn’t respond to the initial key attempt:
1 – AP sends key attempt to the client
2 – Wait 1 second for a reply
3 – If no reply, then send EAPOL key retry attempt #1
4 – Wait 1 second for a reply
5 – If no reply, then send EAPOL key retry attempt #2
6 – If there is still no response from the client and the retry value is met, then deauthenticate the client.
Again, as with the EAPOL-Key Timeout, extending the EAPOL-Key retry value could in some circumstances be beneficial; however, setting it to the maximum may again be harmful, as the time until the deauthentication message is sent would be prolonged.
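The two trade-offs described above (Identity Timeout × Max Retries for the identity phase, and EAPOL-Key Timeout × EAPOL-Key Max Retries for the key exchange) are easy to get wrong when both are tuned at once, so the following planner is an added example, not code from the original post or from Cisco. It validates a candidate profile against the value ranges stated on this page, computes the worst-case time a silent client stays in each phase before it is deauthenticated, replays the EAPOL-key retry sequence as a timeline, and prints the matching “config advanced eap” lines. Assumptions: the AP waits one full EAPOL-Key Timeout after the last retry before deauthenticating (the page's step 6 does not state this explicitly), and the identity-request-timeout / identity-request-retries keyword names are assumed AireOS spellings; only the two eapol-key-* commands are quoted on the page, so verify the others with “show advanced eap”.

```python
# Value ranges as stated on this page. Other EAP timers are not modelled.
IDENTITY_TIMEOUT_RANGE = (1, 120)       # seconds
IDENTITY_RETRIES_RANGE = (1, 20)
EAPOL_KEY_TIMEOUT_RANGE = (200, 5000)   # milliseconds (6.0 and later)
EAPOL_KEY_RETRIES_RANGE = (0, 4)

# Values the text recommends for the identity phase; defaults for the key phase.
RECOMMENDED_PROFILE = dict(identity_timeout_s=5, identity_retries=12,
                           eapol_key_timeout_ms=1000, eapol_key_retries=2)


def _check(name, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the allowed range {lo}..{hi}")
    return value


def identity_removal_seconds(timeout_s, max_retries):
    """Worst case until the WLC gives up on Identity Requests and deauthenticates
    a client that never answers (timeout between requests times number of requests)."""
    _check("identity-request-timeout", timeout_s, IDENTITY_TIMEOUT_RANGE)
    _check("identity-request-retries", max_retries, IDENTITY_RETRIES_RANGE)
    return timeout_s * max_retries


def eapol_key_timeline(timeout_ms=1000, retries=2):
    """Replay the EAPOL-key retry sequence as (milliseconds, event) pairs.
    Assumption: the AP waits one more timeout after the last retry before deauth."""
    _check("eapol-key-timeout", timeout_ms, EAPOL_KEY_TIMEOUT_RANGE)
    _check("eapol-key-retries", retries, EAPOL_KEY_RETRIES_RANGE)
    events = [(0, "AP sends EAPOL key attempt to the client")]
    t = 0
    for i in range(1, retries + 1):
        t += timeout_ms
        events.append((t, f"no reply after {timeout_ms} ms: send EAPOL key retry #{i}"))
    t += timeout_ms
    events.append((t, "no reply and retry limit met: deauthenticate the client"))
    return events


def eapol_key_deauth_ms(timeout_ms=1000, retries=2):
    """Worst case until a silent client is deauthenticated in the key phase."""
    return eapol_key_timeline(timeout_ms, retries)[-1][0]


def cli_for_profile(identity_timeout_s, identity_retries,
                    eapol_key_timeout_ms, eapol_key_retries):
    """'config advanced eap' lines for a profile. The eapol-key-* keywords are quoted
    on the page; identity-request-* are ASSUMED keyword names (verify on your build)."""
    return [
        f"config advanced eap identity-request-timeout {identity_timeout_s}",
        f"config advanced eap identity-request-retries {identity_retries}",
        f"config advanced eap eapol-key-timeout {eapol_key_timeout_ms}",
        f"config advanced eap eapol-key-retries {eapol_key_retries}",
    ]


def summarise(profile):
    """Worst-case outage figures for a silent client under the given profile."""
    return {
        "identity_phase_s": identity_removal_seconds(profile["identity_timeout_s"],
                                                     profile["identity_retries"]),
        "key_phase_ms": eapol_key_deauth_ms(profile["eapol_key_timeout_ms"],
                                            profile["eapol_key_retries"]),
    }


if __name__ == "__main__":
    print(summarise(RECOMMENDED_PROFILE))
    for t, what in eapol_key_timeline(**{k: v for k, v in
                                         [("timeout_ms", 1000), ("retries", 2)]}):
        print(f"{t:>6} ms  {what}")
    print("\n".join(cli_for_profile(**RECOMMENDED_PROFILE)))
```

Run it with the profile you intend to push; a profile that raises ValueError is outside the ranges the text gives, and a large identity_phase_s figure (the 120 × 20 case from the text comes out at 2400 seconds) is the long outage the text warns about.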
Types of Client Exclusion Policies for Mobility Express Controller
Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.
Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.
How to: Check current Client Exclusion Policy settings for Mobility Express Controller
1 Connect to the Mobility Express controller via console or SSH
(Use “show exclusionlist” to check which clients are currently excluded)
2 Use “show wps summary” to show the current Client Exclusion Policies
show wps summary
How to: Modify/Change Client Exclusion Policies for Mobility Express Controller
To disable “Excessive 802.11-association failures”
config wps client-exclusion 802.11-assoc disable
To enable “Excessive 802.11-association failures”
config wps client-exclusion 802.11-assoc enable
To enable/disable Excessive 802.11-authentication failures
5 Extract the Cisco firmware package “AIR-APxxxx-Xx-ME-8-10-112-0.zip” to a folder; in the example we use “D:\cisco”
We should have the following folder structure:
6 Launch SolarWinds TFTP Server or your favourite TFTP server software
7 Configure the TFTP server; in the example we use SolarWinds TFTP Server. Click on “File”
8 Then click on “Configure”
9 Make sure we have entered the correct “TFTP Server Root Directory”, then click on the “Start” button to start the TFTP service, and finally click on the “OK” button
9.1 Make sure you have allowed incoming connections to the TFTP server in the Windows firewall (in other words, make sure the access point can successfully download the files from the TFTP server)
10 Back in Cisco Mobility Express, double-check that the details filled in are all correct, then click on the “Update” button to begin the update process. (Update progress information will be displayed at the top of the page)
(Do not disconnect the power or Ethernet cable from the access point, stop the TFTP service, etc. It may damage the device)
(You should be able to see the transfer log on the TFTP server)
11 Once it is done, the device will restart if you have checked “Auto Restart”
12 When fully booted, you should be able to use it again.