Troubleshooting Wireless Connectivity

Wireless connectivity failures are uniquely frustrating — the client shows signal bars, the AP is blinking, yet nothing works. Unlike wired faults where a bad cable is immediately obvious, wireless failures hide across five distinct layers: the RF environment (can the signal physically reach the client?), authentication (does the PSK or 802.1X credential match?), association (does the SSID exist and is the client allowed to join?), VLAN mapping (does the WLAN push the client into the correct VLAN on the wired side?), and DHCP (is there an IP address server reachable from that VLAN?). A fault at any one layer produces the same visible symptom — "connected but no internet" or "cannot connect at all" — but the fix is completely different for each.

This lab uses a Cisco Wireless LAN Controller (WLC) in a centralised architecture where all traffic is tunnelled through CAPWAP back to the WLC before hitting the wired network. For background on this architecture see Lightweight vs Autonomous APs and Access Points and WLC. For initial WLC setup see WLC Getting Started and for SSID-to-VLAN configuration see WLC SSID VLAN Mapping. For the DHCP server that wireless clients depend on see DHCP Server Configuration.

1. Wireless Association Process — End-to-End

The Six Stages a Client Must Pass Through

Every successful wireless connection traverses these stages in order. A failure at any stage prevents all subsequent stages — knowing which stage failed tells you exactly which failure category to investigate:

Stage 1 — RF / Physical Can the client hear the AP beacon? Signal below -75 dBm, wrong channel, excessive interference? FAIL → client never sees the SSID / "no networks found" Stage 2 — SSID Discovery & Probe Does the SSID name on the client match exactly what the AP broadcasts? Hidden SSID? FAIL → client cannot find the network / "SSID not found" Stage 3 — 802.11 Authentication Open system (WPA2/3) or Shared Key? 802.11 auth frame exchange. FAIL → "Authentication failed" before any credential check Stage 4 — Security Authentication (PSK / 802.1X / Web Auth) WPA2-PSK: does the client passphrase produce the correct PMK? 802.1X: does RADIUS accept the credential? Check show radius server. FAIL → "Wrong password" / "Authentication timeout" Stage 5 — Association & VLAN Mapping Client associates to the AP. WLC maps the WLAN to a VLAN. Is the WLAN-to-interface binding correct on the WLC? Is the VLAN allowed on the trunk between SW and WLC? FAIL → client associates but cannot get an IP / wrong subnet Stage 6 — DHCP / IP Address Acquisition Client broadcasts DHCPDISCOVER on the assigned VLAN. Is a DHCP server reachable? Is the scope active with free leases? FAIL → "Limited connectivity" / APIPA 169.254.x.x address NetsTuts

Five Failure Categories and Their Signatures

# Category Stage Client Symptom Primary Diagnostic
1 RF / Interference 1 Weak signal, frequent drops, low throughput, cannot see SSID WLC RF summary, AP channel/power, site survey
2 SSID Mismatch 2 Network not found; client connects to wrong SSID show wlan summary, WLC WLAN status
3 PSK / Authentication Failure 4 "Incorrect password" / "Authentication failed" — client retries repeatedly WLC client event log, show wireless client detail
4 VLAN Mapping Error 5 Client associates, shows connected, gets wrong IP or no IP show wireless client detail, trunk verification
5 DHCP Failure 6 Connected to SSID, no IP address (169.254.x.x or 0.0.0.0) show wireless client detail, show ip dhcp pool

2. Lab Topology & Scenario

Laptop (wireless client) 802.11ac NetsTuts_AP1 CAPWAP tunnel to WLC NetsTuts_SW1 Gi0/2 trunk → WLC Gi0/3 trunk → AP (VLANs 10,20,99) WLC Mgmt VLAN 99 192.168.99.2 R1 Router-on-a-Stick Gi0/1 → SW1 WLANs on WLC WLAN 1 SSID: "Corp-Staff" Security: WPA2-PSK · Interface: VLAN 10 (192.168.10.0/24) WLAN 2 SSID: "Corp-Guest" Security: WPA2-PSK · Interface: VLAN 20 (192.168.20.0/24) DHCP servers (on R1) VLAN 10: pool on Gi0/1.10 (192.168.10.0/24) VLAN 20: pool on Gi0/1.20 (192.168.20.0/24) Trunks must allow VLANs 10, 20, 99 Five Fault Scenarios A SSID not visible on client SSID typo — WLC broadcasts "Corp-Staf" instead of "Corp-Staff" B Authentication fails after correct SSID selected Wrong PSK — WLC WLAN 1 passphrase changed, client still uses old one C Connects but gets wrong IP subnet VLAN mapping error — WLAN 1 bound to VLAN 20 interface instead of VLAN 10 D Connects to WLAN but shows "Limited connectivity" DHCP failure — VLAN 10 pool exhausted or DHCP server unreachable E Poor signal / frequent disconnects RF interference — AP1 and neighbour AP both on channel 6 Primary diagnostics show wireless client summary show wireless ap summary show wlan summary show ap dot11 5ghz channel show ip dhcp binding show interfaces trunk NetsTuts

3. Step 1 — Primary Diagnostic Commands

show wireless client summary (IOS-XE WLC)

NetsTuts_WLC#show wireless client summary
Number of Local Clients: 2

MAC Address       AP Name          WLAN  State         Protocol  Method
-----------       -------          ----  -----         --------  ------
a4:c3:f0:11:22:33 NetsTuts_AP1     1     Associated    11ac      WPA2
b8:27:eb:44:55:66 NetsTuts_AP1     2     Associated    11n       WPA2
This is the first command to run. It shows every wireless client currently known to the WLC — their MAC address, which AP they are on, which WLAN (by number), their association state, 802.11 protocol, and security method. A client that fails to authenticate never appears here. A client stuck in "Authenticating" state points to a PSK or 802.1X fault. A client showing "Associated" but with no IP address (visible in detail output) points to a VLAN or DHCP fault.

show wireless client detail mac-address [MAC]

NetsTuts_WLC#show wireless client detail mac-address a4:c3:f0:11:22:33
Client MAC Address               : a4:c3:f0:11:22:33
Client Username                  : N/A
AP Name                          : NetsTuts_AP1
AP MAC Address                   : 00:1a:2b:3c:4d:5e
Client State                     : Associated
Wireless LAN Id                  : 1
Wireless LAN Network Name (SSID) : Corp-Staff
BSSID                            : 00:1a:2b:3c:4d:5f
Connected For                    : 142 seconds
Channel                          : 6
IP Address                       : 192.168.10.105
Gateway                          : 192.168.10.1
Netmask                          : 255.255.255.0
VLAN                             : 10
Association Id                   : 1
Authentication Algorithm         : WPA2 PSK
Security Policy                  : WPA2
Encryption Cipher                : CCMP (AES)
RSSI                             : -58 dBm
SNR                              : 32 dB
Data Rate                        : 300.0 Mb/s
Tx Bytes                         : 124512
Rx Bytes                         : 89023
This is the most information-dense single command for wireless troubleshooting. Every field is a diagnostic checkpoint. Key fields to verify: Client State (Associated vs Authenticating vs Excluded), SSID (correct network?), VLAN (correct VLAN number?), IP Address (correct subnet? or 0.0.0.0?), RSSI (signal strength — should be better than -70 dBm for reliable operation), SNR (signal-to-noise ratio — should be above 20 dB).

show wlan summary

NetsTuts_WLC#show wlan summary
Number of WLANs: 2

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
-------  -------------------------------------  ------    --------------
1        Corp-Staff / Corp-Staff                Enabled   vlan10-interface
2        Corp-Guest / Corp-Guest                Enabled   vlan20-interface
Shows all WLANs, their SSID, enabled/disabled status, and the WLC interface (VLAN) they are mapped to. A disabled WLAN will not beacon — clients cannot find it. The interface name column links each WLAN to a specific VLAN, which is the primary check for VLAN mapping faults.

show wireless client detail — Key State Values

Client State Meaning Likely Fault
Associated Client completed 802.11 association — security exchange succeeded If no IP: VLAN mapping or DHCP fault (Stage 5/6)
Authenticating Client is stuck in the security handshake — PSK/802.1X exchange in progress or failing Wrong PSK, RADIUS unreachable, EAP timeout (Stage 4)
Excluded Client has been blacklisted by the WLC after repeated auth failures Wrong PSK entered multiple times; check exclusion list
Probing Client is sending probe requests but not attempting to associate SSID not found by client; RF too weak; SSID disabled
IP Learn Association succeeded but client has not yet obtained an IP address DHCP failure — scope exhausted, server unreachable, VLAN wrong

WLC Event Log (GUI and CLI)

! ── View recent client events ────────────────────────────
NetsTuts_WLC#show logging | include a4:c3:f0:11:22:33
%DOT11-6-ASSOC: Station a4:c3:f0:11:22:33 Associated Key Mgmt[WPA2 PSK]
%DOT11-3-DISASSOC: Station a4:c3:f0:11:22:33 Disassociated Reason: Auth_Failed
%CLIENT-3-EXCLUDED: Client a4:c3:f0:11:22:33 excluded Reason: Auth_Failure_Threshold
The WLC log is the single richest source of wireless fault information. Filter by MAC address using show logging | include [MAC] to extract only the relevant client events. Log entries explicitly state the reason code — Auth_Failed confirms a PSK or credential fault, Disassoc_Leaving indicates a clean client-initiated disconnect, and Excluded means the WLC has blacklisted the client after repeated failures. For full logging output see show logging.

Diagnostic Command Summary

Command What It Shows Best Used For
show wireless client summary All associated clients — MAC, AP, WLAN, state, protocol, security First check — is the client visible to the WLC at all?
show wireless client detail mac-address [MAC] Full client record — state, SSID, VLAN, IP, RSSI, SNR, data rates Deep per-client diagnosis — confirm IP, VLAN, signal quality
show wlan summary All WLANs — SSID name, enabled/disabled, interface/VLAN mapping SSID and VLAN mapping verification
show wlan id [n] Full configuration of a single WLAN — security, VLAN, radio policy, QoS Detailed WLAN config audit when summary output is insufficient
show ap summary All APs — name, model, state (registered/unregistered), IP, channel Verify all APs are registered with the WLC before client troubleshooting
show ap dot11 5ghz summary 5 GHz radio status — channel, power, clients per AP RF channel and power audit for 5 GHz band
show logging | include [MAC] All log events for a specific client MAC address Auth failure reason codes, exclusion events, association history
show vlan brief (on switch) VLAN database — confirm VLAN exists and is active Verify the VLAN the WLC maps clients to actually exists on the switch
show interfaces trunk (on switch) Trunk VLAN allowed list — verify WLC and AP VLANs are carried VLAN mapping and DHCP fault isolation — is the VLAN reaching the switch?

4. Scenario A — SSID Mismatch

An SSID is just a text string — a single character difference makes it a completely different network. The client's saved profile will never match the AP beacon, and the client either shows "network not found" or connects to a different (possibly unsecured) SSID of similar name. This is commonly caused by a typo during WLC configuration or a profile copy error on the client.

Introducing the Fault

! ── On IOS-XE WLC — WLAN profile name typo ──────────────
NetsTuts_WLC(config)#wlan Corp-Staf 1 Corp-Staf
! ── SSID now broadcasts as "Corp-Staf" — client profile has "Corp-Staff"

Symptom — Client Cannot Find the Network

NetsTuts_WLC#show wireless client summary
Number of Local Clients: 0
! ── Client does not appear at all — never sent a probe response match

Diagnosis — show wlan summary

NetsTuts_WLC#show wlan summary
WLAN ID  WLAN Profile Name / SSID       Status    Interface Name
-------  ----------------------------   ------    --------------
1        Corp-Staf / Corp-Staf          Enabled   vlan10-interface
2        Corp-Guest / Corp-Guest        Enabled   vlan20-interface
The SSID column clearly shows "Corp-Staf" — one character short of "Corp-Staff." The client's saved profile searches for "Corp-Staff" in beacon frames and finds no match. From the client's perspective the network simply does not exist. SSID names are case-sensitive and space-sensitive — "Corp Staff" (with space), "corp-staff" (lowercase), and "Corp-Staff" (correct) are three distinct SSIDs.

Fix — Correct the SSID

! ── On IOS-XE WLC ────────────────────────────────────────
NetsTuts_WLC(config)#no wlan Corp-Staf 1 Corp-Staf
NetsTuts_WLC(config)#wlan Corp-Staff 1 Corp-Staff
NetsTuts_WLC(config-wlan)#security wpa psk set-key ascii 0 C0rpP@ssw0rd!
NetsTuts_WLC(config-wlan)#no shutdown
NetsTuts_WLC(config-wlan)#exit
On the WLC, the WLAN name and SSID are set in the same command — wlan [profile-name] [wlan-id] [ssid]. Correcting the profile name and SSID restores the beacon. The client's existing saved profile for "Corp-Staff" will now find the beacon and attempt to associate using the saved PSK. Always verify with show wlan summary after any SSID change.
Hidden SSIDs: A WLAN configured with SSID broadcast disabled will not appear in passive scans. Clients must be manually configured with the exact SSID name to connect. If a client reports "network not found" and the SSID appears correct in show wlan summary, check whether broadcast is suppressed with show wlan id [n] — look for "Broadcast SSID: Disabled." Enable broadcast for troubleshooting, then re-disable if security policy requires it.

5. Scenario B — Wrong PSK (Authentication Failure)

A PSK mismatch causes a WPA2 four-way handshake failure. The client sees the SSID, sends a probe request, receives a probe response, completes 802.11 open authentication — and then the four-way handshake fails silently because the PMK (Pairwise Master Key) derived from the client's passphrase does not match the PMK the WLC expects. From the client's perspective this appears as "Authentication failed" or simply an infinite retry loop. For WPA2/WPA3 security fundamentals see Wi-Fi Security.

Introducing the Fault

! ── PSK changed on WLC to new value, client still uses old key ──
NetsTuts_WLC(config)#wlan Corp-Staff 1 Corp-Staff
NetsTuts_WLC(config-wlan)#security wpa psk set-key ascii 0 N3wP@ssw0rd!
NetsTuts_WLC(config-wlan)#exit
! ── Client's saved profile still has "C0rpP@ssw0rd!" ────────────

Symptom — show wireless client summary

NetsTuts_WLC#show wireless client summary
Number of Local Clients: 0
! ── Client not present — failed before association completed

Symptom — WLC Event Log

NetsTuts_WLC#show logging | include a4:c3:f0:11:22:33
%DOT11-6-AUTH_START: Client a4:c3:f0:11:22:33 starting authentication
%DOT11-3-AUTH_FAILED: Client a4:c3:f0:11:22:33 Authentication Failed
    Reason: MIC Failure in 4-way handshake
%DOT11-6-AUTH_START: Client a4:c3:f0:11:22:33 starting authentication
%DOT11-3-AUTH_FAILED: Client a4:c3:f0:11:22:33 Authentication Failed
    Reason: MIC Failure in 4-way handshake
%CLIENT-3-EXCLUDED: Client a4:c3:f0:11:22:33 excluded
    Reason: Auth_Failure_Threshold (3 consecutive failures)
"MIC Failure in 4-way handshake" is the definitive PSK mismatch message. MIC stands for Message Integrity Code — it is computed using the PMK derived from the passphrase. If the client and WLC derive different PMKs (because their passphrases differ), the MIC values do not match and the handshake fails. After three consecutive failures the WLC places the client in the exclusion list — it will refuse all connection attempts from that MAC for the configured exclusion timeout (default 60 seconds).

Check Exclusion List

NetsTuts_WLC#show wireless exclusionlist
                    Excluded Clients
MAC Address         Exclusion Reason                  Time Remaining
-----------         ----------------                  --------------
a4:c3:f0:11:22:33   Auth failure                      00:00:47
A client in the exclusion list will not be allowed to attempt reconnection until the timer expires. After correcting the PSK on either the WLC or the client, manually clear the exclusion entry so the client can retry immediately without waiting: wireless client mac-address [MAC] deauthenticate followed by clearing the exclusion if needed. On the GUI: Security → Wireless Protection Policies → Client Exclusion Policies.

Fix — Correct the PSK

! ── Option 1: Reset WLC PSK back to the value all clients expect ─
NetsTuts_WLC(config)#wlan Corp-Staff 1 Corp-Staff
NetsTuts_WLC(config-wlan)#security wpa psk set-key ascii 0 C0rpP@ssw0rd!
NetsTuts_WLC(config-wlan)#exit

! ── Option 2: Update the client's saved network profile with the new PSK ──
! (Done on the client OS — forget network and reconnect with N3wP@ssw0rd!)

! ── Clear exclusion so client can retry immediately ──────
NetsTuts_WLC#wireless client mac-address a4:c3:f0:11:22:33 deauthenticate
802.1X vs PSK failures: For WPA2-Enterprise (802.1X) authentication, the failure message differs. Instead of "MIC Failure" you will see "RADIUS server unreachable," "EAP timeout," or "RADIUS authentication rejected." Check AAA RADIUS Configuration to verify the shared secret between the WLC and RADIUS server matches, and that the RADIUS server IP and port are correctly configured on the WLC. An aaa authentication mismatch produces the same client symptom — authentication failure — but the fix is entirely different from a PSK correction.

6. Scenario C — VLAN Mapping Error

The client fully authenticates and associates — from the wireless perspective everything is fine — but the WLC pushes the client into the wrong VLAN on the wired side. The client gets an IP address from the wrong subnet (or no IP at all if the wrong VLAN has no DHCP server), cannot reach its intended gateway, and appears "connected" with no internet access. This is one of the most deceptive wireless faults because the client OS reports full connectivity.

Introducing the Fault

! ── WLAN 1 (Corp-Staff) accidentally mapped to VLAN 20 interface ──
NetsTuts_WLC(config)#wlan Corp-Staff 1 Corp-Staff
NetsTuts_WLC(config-wlan)#client-vlan vlan20-interface
! ── Staff clients now land in Guest VLAN (192.168.20.0/24) ────────

Symptom — show wireless client detail

NetsTuts_WLC#show wireless client detail mac-address a4:c3:f0:11:22:33

Client State                     : Associated
Wireless LAN Network Name (SSID) : Corp-Staff
VLAN                             : 20         ← should be 10
IP Address                       : 192.168.20.156  ← Guest subnet — wrong
Gateway                          : 192.168.20.1
The VLAN field is the definitive check for mapping faults. WLAN "Corp-Staff" should place clients in VLAN 10 (192.168.10.0/24) — the output shows VLAN 20 (192.168.20.0/24). The client has received a valid IP address, which is why it appears "connected" — but it is on the Guest VLAN, cannot reach Staff-only resources, and may have incorrect firewall policies applied. The client OS has no way to detect this — it sees an IP address and a gateway.

Diagnosis — show wlan id 1

NetsTuts_WLC#show wlan id 1
WLAN Profile Name                : Corp-Staff
================================================
SSID                             : Corp-Staff
Status                           : Enabled
Interface/Interface Group(G)     : vlan20-interface   ← WRONG — should be vlan10
Security
  802.11 Authentication          : Open System
  Static WEP Keys                : Disabled
  WPA                            : Enabled
    WPA2                         : Enabled
      WPA2 Encryption            : CCMP (AES)
      Authentication Key Mgmt    : PSK

Diagnosis — Verify the Trunk (on NetsTuts_SW1)

NetsTuts_SW1#show interfaces GigabitEthernet0/2 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/2       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/2       10,20,99

Port        Vlans allowed and active in management domain
Gi0/2       10,20,99
Even after correcting the VLAN mapping on the WLC, the VLAN must be allowed on the trunk between the switch and the WLC, and between the switch and the AP. If VLAN 10 is missing from the trunk's allowed list, clients mapped to VLAN 10 will never receive a DHCP offer even after the WLC mapping is fixed. Both ends of the trunk (switch port and WLC uplink) must allow the VLAN.

Fix — Correct the WLAN Interface Mapping

! ── Re-map WLAN 1 to the correct VLAN 10 interface ──────
NetsTuts_WLC(config)#wlan Corp-Staff 1 Corp-Staff
NetsTuts_WLC(config-wlan)#client-vlan vlan10-interface
NetsTuts_WLC(config-wlan)#exit

! ── Verify fix ───────────────────────────────────────────
NetsTuts_WLC#show wlan id 1 | include Interface
  Interface/Interface Group(G)     : vlan10-interface
After correcting the interface mapping, existing associated clients will continue to use their incorrect VLAN assignment until they reconnect — the WLC does not forcibly re-assign running sessions. To push clients to reconnect immediately, deauthenticate them: wireless client mac-address [MAC] deauthenticate. On the next association, they will be mapped to the correct VLAN and receive a DHCP address from the correct scope.

7. Scenario D — DHCP Failure

The client authenticates, associates, and is placed on the correct VLAN — but no DHCP server responds to its DHCPDISCOVER broadcast. The client either self-assigns an APIPA address (169.254.x.x) after the DHCP timeout, or shows IP address 0.0.0.0 with "Limited Connectivity." DHCP failures have several root causes that must be diagnosed in order: Is the DHCP server reachable? Does a scope exist for this VLAN? Is the scope active and does it have free addresses? Is the DHCP relay configured if the server is on a different subnet?

Symptom — show wireless client detail (DHCP Failure)

NetsTuts_WLC#show wireless client detail mac-address a4:c3:f0:11:22:33

Client State                     : IP Learn    ← stuck here — no IP yet
Wireless LAN Network Name (SSID) : Corp-Staff
VLAN                             : 10          ← correct VLAN
IP Address                       : 0.0.0.0     ← no address obtained
Gateway                          : 0.0.0.0
DHCP Status                      : DHCP Required
DHCP Server IP                   : 0.0.0.0     ← no DHCP server seen
"IP Learn" state means the wireless association and authentication completed successfully, but the client has not yet received an IP address. The WLC is waiting for DHCP to complete. VLAN 10 is correct — so the problem is not a mapping fault. The DHCP server field showing 0.0.0.0 confirms no DHCP offer has been seen by the WLC. This could mean the DHCP server is down, the scope is exhausted, or the relay is not forwarding the broadcast.

Check DHCP Pool on the Router

! ── On NetsTuts_R1 (DHCP server for VLAN 10) ────────────
NetsTuts_R1#show ip dhcp pool
Pool VLAN10-POOL :
 Network         : 192.168.10.0/24
 Broadcast       : 192.168.10.255
 Lease time (secs) : 86400 (1 day)
 Utilization mark (high/low) : 100 / 0
 Subnet size (first/next)    : 0 / 0
 Total addresses : 253
 Leased addresses : 253
 Pending event   : none

NetsTuts_R1#show ip dhcp pool VLAN10-POOL | include leased
 Leased addresses : 253
253 leased out of 253 total addresses — the pool is exhausted. No free addresses remain. Every new wireless client requesting an IP from VLAN 10 will receive no response — the DHCP server has nothing to offer. This is a common fault in dense wireless environments where the DHCP lease time is too long relative to the number of devices. Check for stale leases from devices that no longer exist.

Check for Stale Leases

NetsTuts_R1#show ip dhcp binding | include 192.168.10
IP address       Client-ID                  Lease expiration         Type
192.168.10.101   0100.1a2b.3c4d.5e          Mar 12 2026 09:14:22     Automatic
192.168.10.102   0100.aabb.ccdd.eeff        Mar 11 2026 09:14:22     Automatic
...

! ── Clear all stale bindings to free the pool ────────────
NetsTuts_R1#clear ip dhcp binding *

! ── Or clear a single expired binding ────────────────────
NetsTuts_R1#clear ip dhcp binding 192.168.10.102

Fix — Expand the Scope or Reduce Lease Time

! ── Option 1: Reduce lease time so addresses recycle faster ──
NetsTuts_R1(config)#ip dhcp pool VLAN10-POOL
NetsTuts_R1(dhcp-config)#lease 0 4    ! 4-hour lease instead of 24-hour
NetsTuts_R1(dhcp-config)#exit

! ── Option 2: Expand the DHCP scope to a larger subnet ───
! Requires re-addressing VLAN 10 to use /23 (510 addresses)
NetsTuts_R1(config)#no ip dhcp pool VLAN10-POOL
NetsTuts_R1(config)#ip dhcp pool VLAN10-POOL
NetsTuts_R1(dhcp-config)#network 192.168.10.0 255.255.254.0
NetsTuts_R1(dhcp-config)#default-router 192.168.10.1
NetsTuts_R1(dhcp-config)#dns-server 8.8.8.8
NetsTuts_R1(dhcp-config)#exit

DHCP Relay — Server on a Different Subnet

! ── If DHCP server is on a separate subnet from the client VLAN ──
! ── A relay (ip helper-address) is required on the VLAN SVI ──────

NetsTuts_R1(config)#interface GigabitEthernet0/1.10
NetsTuts_R1(config-subif)#ip helper-address 192.168.99.10
! ── 192.168.99.10 is the DHCP server address ─────────────

! ── Verify relay is configured ───────────────────────────
NetsTuts_R1#show ip interface GigabitEthernet0/1.10 | include Helper
  Helper address is 192.168.99.10
DHCP DISCOVER is a broadcast — it does not cross router boundaries without a relay agent. If the DHCP server lives on a different subnet from the wireless client VLAN, every sub-interface (or SVI) for that VLAN must have ip helper-address pointing to the DHCP server. Without it, broadcasts are absorbed at the router and never reach the DHCP server. Verify the sub-interface IP is correct with show ip interface brief and test reachability with ping. For a full walkthrough see DHCP Relay Agent Configuration.

8. Scenario E — RF Interference and Channel Overlap

RF interference is the only wireless fault category that cannot be fixed purely through IOS or WLC configuration — it requires physical or radio parameter changes. A client experiencing interference can associate successfully, get an IP address, and still suffer near-zero throughput, constant retransmissions, and intermittent disconnections. The symptoms mimic application-level faults, making RF issues the hardest category to identify without the right tools.

RF Signal Quality Thresholds

RSSI (dBm) SNR (dB) Quality Expected Behaviour
-30 to -55 > 40 Excellent Maximum throughput, very reliable, full rate selection
-55 to -65 25–40 Good High throughput, reliable for voice and video
-65 to -75 15–25 Fair Reduced throughput, occasional retransmissions
-75 to -85 10–15 Poor Low throughput, frequent retransmissions, VoIP unusable
Below -85 < 10 Unusable Association may succeed but effective throughput near zero

Check RSSI and SNR — show wireless client detail

NetsTuts_WLC#show wireless client detail mac-address a4:c3:f0:11:22:33
...
RSSI                             : -78 dBm     ← Poor — below -75 threshold
SNR                              : 11 dB       ← Poor — below 15 dB threshold
Data Rate                        : 6.0 Mb/s    ← Client fell back to lowest rate
Tx Retries                       : 847
Rx Retries                       : 1203
RSSI of -78 dBm with SNR of 11 dB confirms poor RF conditions. The client and AP have negotiated down to 6 Mb/s — the lowest 802.11 data rate — as both sides reduce speed to maintain a connection at marginal signal levels. The high retry counts (847 Tx, 1203 Rx) indicate heavy frame retransmissions, which consume airtime and reduce effective throughput for all clients sharing the same channel.

Check AP Channel and Co-Channel Interference

NetsTuts_WLC#show ap dot11 24ghz summary
AP Name            Oper State  Channel  TxPower  Clients
-----------        ----------  -------  -------  -------
NetsTuts_AP1       Up          6        17 dBm   8
NeighbourAP        Up          6        20 dBm   4

! ── Both APs on channel 6 — co-channel interference ─────
! ── Move NetsTuts_AP1 to a non-overlapping channel ───────

NetsTuts_WLC#show ap dot11 24ghz summary
! ── Non-overlapping 2.4 GHz channels: 1, 6, 11 ──────────
Two APs on the same channel within radio range of each other creates co-channel interference (CCI) — the single most common RF performance problem in enterprise WLANs. Every transmission by one AP is heard as interference by clients of the other AP. In the 2.4 GHz band there are only three non-overlapping channels: 1, 6, and 11. In 5 GHz, many more non-overlapping channels are available (36, 40, 44, 48, 52, 56, etc.), which is why 5 GHz generally performs better in dense environments. For a full breakdown of channel plans see Frequency Channels & Channel Plans.

Fix — Change AP Channel

! ── Manually assign channel 11 to AP1 (IOS-XE WLC) ──────
NetsTuts_WLC(config)#ap name NetsTuts_AP1
NetsTuts_WLC(config-ap)#dot11 24ghz channel 11
NetsTuts_WLC(config-ap)#exit

! ── Or enable RRM (Radio Resource Management) — auto channel ──
NetsTuts_WLC(config)#ap dot11 24ghz rrm channel cleanair-event
NetsTuts_WLC(config)#ap dot11 24ghz rrm channel dca
Manual channel assignment is deterministic but requires manual maintenance as the RF environment changes. Radio Resource Management (RRM) with DCA (Dynamic Channel Assignment) allows the WLC to automatically reassign channels based on real-time interference measurements — preferred in environments with many APs. For coverage gaps causing low RSSI, increase AP transmit power or add an additional AP rather than simply increasing power on an existing AP (which can increase interference rather than helping). For full RF planning guidance see Wireless RF Channel and Power Planning.

Common RF Interference Sources

Source Frequency Symptom Mitigation
Neighbouring APs (same channel) 2.4 or 5 GHz High retransmissions, low throughput across all clients on that channel Use non-overlapping channels; enable RRM/DCA
Microwave ovens 2.45 GHz (2.4 GHz band) Intermittent drops near kitchen/break room during microwave use Move WLAN to 5 GHz band; increase channel width to 40 MHz in 5 GHz
Bluetooth devices 2.4 GHz (frequency hopping) Slightly elevated noise floor; minor throughput impact Use 5 GHz for latency-sensitive applications
Rogue APs (same channel) 2.4 or 5 GHz Unexpected interference pattern; client deauthentication if rogue sends deauth frames Enable rogue AP detection on WLC; investigate with site survey tools
Physical obstructions All frequencies Low RSSI, high path loss in certain areas Reposition APs; use 2.4 GHz (longer range) for distant clients; add APs

9. Structured Troubleshooting Workflow

Step Command What to Check If Found
1 show ap summary Are all APs registered and in "Registered" state? Unregistered AP → CAPWAP tunnel down. Check AP IP, WLC IP, and CAPWAP UDP 5246/5247 reachability first — client issues cannot be fixed if the AP is not connected to the WLC
2 show wlan summary Does the SSID name match exactly? Is the WLAN enabled? SSID typo → fix WLAN profile name. WLAN disabled → no shutdown in WLAN config
3 show wireless client summary Is the client MAC visible? What state is it in? Not visible → RF or SSID fault. "Authenticating" stuck → PSK/802.1X fault. "IP Learn" stuck → DHCP fault
4 show logging | include [MAC] What reason codes appear? Auth_Failed? MIC Failure? Excluded? MIC Failure → PSK mismatch on client or WLC. RADIUS rejected → 802.1X credential or shared secret fault. Excluded → clear exclusion list after fixing root cause
5 show wireless client detail mac-address [MAC] Is VLAN correct? Is IP address correct subnet? RSSI/SNR acceptable? Wrong VLAN → fix WLAN interface mapping on WLC. IP 0.0.0.0 → DHCP fault. RSSI below -75 dBm → RF fault
6 show interfaces trunk (on switch) Is the client's VLAN in the allowed and active list on the WLC uplink trunk? VLAN missing → switchport trunk allowed vlan add [vlan-id] on both ends
7 show ip dhcp pool (on DHCP server) Is the scope active? Are leases available (not 100% allocated)? Pool exhausted → clear stale bindings, reduce lease time, or expand scope. No pool → create DHCP pool for the VLAN subnet
8 show ap dot11 24ghz summary Are multiple APs on the same channel within range of each other? Co-channel interference → reassign to non-overlapping channels (1, 6, 11 for 2.4 GHz) or enable RRM/DCA

Key Points & Exam Tips

  • Wireless faults span six stages — RF, SSID discovery, 802.11 authentication, security authentication (PSK/802.1X), VLAN mapping, and DHCP. Identify which stage is failing before applying a fix.
  • show wireless client summary is the first command — it tells you whether the client is visible to the WLC at all and what state it is stuck in (Associated, Authenticating, IP Learn, Excluded, Probing).
  • show wireless client detail mac-address [MAC] is the deepest single-client command — always check Client State, VLAN, IP Address, RSSI, and SNR.
  • A client in "IP Learn" state has completed wireless authentication successfully — the problem is DHCP (scope exhausted, relay missing, server unreachable) or VLAN (VLAN not on trunk).
  • "MIC Failure in 4-way handshake" in the WLC log is the definitive PSK mismatch indicator — the passphrase on the client does not match the WLC. After fixing the PSK, clear the exclusion list so the client can retry immediately.
  • A client showing the correct "Associated" state but an IP address on the wrong subnet indicates a VLAN mapping error — the WLAN is bound to the wrong WLC interface. Fix with client-vlan [interface-name] in the WLAN config, then deauthenticate existing clients to force re-association.
  • The trunk between the switch and WLC must allow every VLAN that WLANs map clients into — a VLAN missing from the trunk's allowed list causes DHCP failures even when every other configuration is correct.
  • RSSI should be better than -70 dBm and SNR above 20 dB for reliable operation. Below -75 dBm RSSI or below 15 dB SNR causes rate reduction, high retransmission counts, and VoIP failure.
  • In 2.4 GHz there are only three non-overlapping channels: 1, 6, and 11. Co-channel interference from overlapping channel assignments is the single most common RF performance problem.
  • On the CCNA exam: know the five WLAN failure categories, the meaning of Client State values (especially "IP Learn" and "Excluded"), what "MIC Failure" means for PSK troubleshooting, and the role of the WLC interface in VLAN mapping.
Next Steps: For the initial WLC and SSID configuration this lab troubleshoots, see WLC SSID VLAN Mapping and WLC Getting Started. For 802.1X wireless authentication using RADIUS, see AAA RADIUS Configuration and AAA Overview. For DHCP relay configuration when the DHCP server is on a separate subnet, see DHCP Relay Agent Configuration. For RF channel and power planning to prevent interference, see Wireless RF Channel and Power Planning.

TEST WHAT YOU LEARNED

A wireless client can see the SSID in the available networks list and enters the correct passphrase, but connection fails every time. show wireless client summary shows the client never appears. The WLC log shows "MIC Failure in 4-way handshake." What is the most likely cause?

Correct answer is C. "MIC Failure in 4-way handshake" is the WLC's explicit message for a PSK mismatch. In WPA2-Personal, both the client and the WLC independently derive a PMK (Pairwise Master Key) from the passphrase and the SSID. They then use the PMK to derive a PTK (Pairwise Transient Key) and compute a MIC to verify they hold the same key. If the passphrases differ by even one character, the MICs do not match and the handshake fails. The client sees this as "wrong password." The fix is to ensure the passphrase entered on the client exactly matches the PSK configured on the WLC — including case, spaces, and special characters. After fixing, clear the WLC exclusion list to allow the client to retry immediately.

A client successfully associates to a WLAN and shows "Connected" in its OS. show wireless client detail shows Client State: Associated, VLAN: 20, IP: 192.168.20.145. The client should be on VLAN 10 (192.168.10.0/24). The SSID and PSK are correct. What is wrong?

Correct answer is A. The VLAN field in show wireless client detail is authoritative — it shows exactly which VLAN the WLC placed the client on after association. The value comes directly from the WLC's WLAN interface binding. If the WLAN is mapped to the VLAN 20 interface, every client connecting to that WLAN will be placed in VLAN 20 regardless of what DHCP server they reach. The DHCP server is working correctly — it is serving addresses for the VLAN it is scoped for. The root cause is the WLAN-to-interface mapping on the WLC. Fix: enter the WLAN configuration, change the interface to the VLAN 10 interface, then deauthenticate existing clients so they re-associate and receive a new VLAN assignment.

show wireless client detail shows a client in "IP Learn" state with VLAN 10 and IP address 0.0.0.0. The WLAN configuration and trunk are verified correct. What should be checked next?

Correct answer is D. "IP Learn" is a specific WLC client state that indicates the 802.11 association and the security authentication (PSK exchange) both completed successfully. The WLC is now waiting for the client to obtain an IP address via DHCP. The fact that the client is in this state — not "Authenticating" or "Excluded" — proves the PSK and SSID are correct. The next layer to investigate is DHCP: Is the pool for VLAN 10 active and not exhausted? If the DHCP server is on a different subnet, does the router sub-interface for VLAN 10 have an ip helper-address pointing to the DHCP server? Without a relay, the DHCP broadcast never leaves the VLAN and the client times out with no address.

After correcting a PSK mismatch on the WLC, the client still cannot connect and does not appear in show wireless client summary. What step was likely skipped?

Correct answer is B. When a client fails WPA2 authentication three consecutive times (configurable threshold), the WLC places that client's MAC address in the exclusion list and blocks all further connection attempts for the exclusion timeout period (default 60 seconds, configurable). Even after the PSK is corrected on the WLC, the excluded client's connection attempts are silently dropped until the exclusion expires or is manually cleared. Use show wireless exclusionlist to see all currently excluded clients and their remaining timers. Clear a specific entry with wireless client mac-address [MAC] deauthenticate or clear all exclusions. The PSK change itself takes effect immediately — no reboot or WLAN disable/enable is required.

A user in a far corner of an office reports very slow Wi-Fi — pages take many seconds to load. show wireless client detail shows RSSI: -80 dBm, SNR: 8 dB, Data Rate: 6.0 Mb/s, Tx Retries: 2341. What is the best diagnosis?

Correct answer is D. The combination of three RF indicators tells the complete story: RSSI -80 dBm (below the -75 dBm minimum reliable threshold), SNR 8 dB (far below the 20 dB good threshold), and data rate fallback to 6 Mb/s (the lowest 802.11 rate, used only when the link is too marginal to support higher rates). 2341 Tx Retries confirms the AP is repeatedly re-sending frames because acknowledgements are not being received — this consumes airtime not just for this client but for all clients sharing the channel. VLAN faults and PSK issues produce different symptoms — VLAN faults show a wrong IP address, PSK failures prevent association entirely and produce "MIC Failure" in logs. This is purely an RF coverage problem.

In the 2.4 GHz band, an AP is configured on channel 6. A neighbour's AP is on channel 8. Will there be interference between them, and why?

Correct answer is A. In the 2.4 GHz 802.11 channel plan (IEEE 802.11b/g/n), each channel centre is 5 MHz apart — channel 1 is at 2412 MHz, channel 6 at 2437 MHz, channel 11 at 2462 MHz. However, each channel occupies 20 MHz of bandwidth (±10 MHz from centre). This means channel 6 spans from approximately 2427 to 2447 MHz, and channel 8 (at 2447 MHz) overlaps significantly with the edge of channel 6's spectrum. The result is adjacent-channel interference (ACI) — arguably worse than co-channel interference because ACI cannot be mitigated by CSMA/CA (which only operates within the same channel). The only non-overlapping channels in the 2.4 GHz band are 1, 6, and 11 — always use these three exclusively for AP channel assignment.

A DHCP pool for VLAN 10 has 253 addresses and all 253 are leased. New wireless clients cannot get an IP address. What is the recommended first fix before considering expanding the subnet?

Correct answer is C. When a DHCP pool is exhausted, the immediate triage step is to identify stale leases — bindings for devices that have left the network but whose lease has not yet expired. In a wireless environment this is extremely common: laptops connect, get a lease, roam to a different location, and the old lease sits in the table for the full 24-hour default period. show ip dhcp binding lists all current leases with expiration times — leases with past expiration times or associated with MAC addresses no longer present can be cleared individually with clear ip dhcp binding [IP] or all at once with clear ip dhcp binding *. Reducing the lease time prevents this from recurring. Rebooting the server (Option A) clears all leases including active ones — legitimate devices lose connectivity until they can renew.

A wireless client successfully associates and receives IP address 192.168.10.50 from VLAN 10. However, it cannot ping the default gateway 192.168.10.1 or reach anything on the wired network. show wireless client detail shows correct VLAN, IP, and good RSSI. What should be investigated on the switch?

Correct answer is B. This scenario is notable because DHCP worked — the client received a correct IP. DHCP working implies VLAN 10 is at least partially reachable. However, DHCP uses broadcast (which the WLC can proxy or relay) while regular IP communication requires the full VLAN to be active on the trunk end-to-end. A common scenario is that VLAN 10 is allowed on the trunk but VLAN pruning or a trunk misconfiguration (e.g. native VLAN mismatch or a partial allowed-vlan list) allows DHCP but drops unicast traffic. Run show interfaces trunk on the switch port connected to the WLC and verify VLAN 10 appears in all three sections: allowed, active, and STP forwarding. Also check the sub-interface or SVI for VLAN 10 on the router to confirm it is up.

What is the key difference between a client showing "Authenticating" state versus "IP Learn" state in show wireless client detail, and what does each state indicate about where the fault lies?

Correct answer is D. Client state is the first triage indicator in wireless troubleshooting because it precisely identifies which stage of the connection process has stalled. "Authenticating" means the client and WLC completed 802.11 probe and association but are stuck in the security layer — the WPA2 four-way handshake or 802.1X EAP exchange is not completing. This points to PSK mismatch, RADIUS server unreachable, or a credential fault. "IP Learn" means all of the above completed successfully — the client is fully authenticated and associated from a wireless perspective, but has not received an IP address. This points exclusively to Layer 3 issues: DHCP server down, pool exhausted, relay missing, or VLAN not propagated through the trunk. Treating an "IP Learn" fault as a PSK problem, or vice versa, leads to wasted diagnostic effort.

An engineer configures a new WLAN "Corp-Staff-5G" on the WLC with WPA2-PSK, binds it to the VLAN 10 interface, and verifies the SSID appears correctly in show wlan summary. Clients can see the SSID and enter the correct passphrase but cannot get an IP address. show wireless client detail shows correct VLAN 10 and state "IP Learn." VLAN 10 DHCP pool on the router has free leases. What is the most likely remaining fault?

Correct answer is C. This scenario describes a very common "new WLAN, VLAN not on trunk" fault. When a new WLAN is created on the WLC and mapped to a new VLAN, the network administrator often forgets to update the trunk configuration on the physical switch port connecting to the WLC. The WLC is correctly configured — it knows VLAN 10 should be used for this WLAN. But when the WLC tries to send DHCP traffic or client data over VLAN 10 out its uplink to the switch, the switch drops it because VLAN 10 is not in the trunk's allowed VLAN list. The fix is always to check the trunk: show interfaces [trunk-port] trunk on the switch, then add the missing VLAN with switchport trunk allowed vlan add 10. This must be done on both the switch port facing the WLC and the switch port facing the AP (if using FlexConnect or local switching).

Related Topics & Step-by-Step Tutorials

Related concepts and next steps:

Back to Home