The client is unable to associate with the Wireless Local Area Network (WLAN) when only the Flex IPv4 Preauthentication Access Control List (ACL) is configured on a Flex Access Point (AP) and the corresponding IPv6 Preauthentication ACL is not configured.

Steps to reproduce:
1. Configure the controller with LWA security or EWA using a Preauthentication ACL for IPv4 only. Create a policy profile with local switching, central authentication, and Virtual Local Area Network (VLAN) settings. Apply the policy tag to AP1 and create a flex site tag, applying it to AP1.
2. Attempt to connect a client to the WLAN. The client fails to connect, and the following log is observed repeatedly on the AP: 'CLSM: IP6 pre-auth ACL IP-Adm-V6-Int-ACL-global does not exist, removing client'.
The defect occurs when the client attempts to associate with the WLAN using a Flex Access Point configured with only an IPv4 Preauthentication ACL, lacking the corresponding IPv6 Preauthentication ACL.
Create a dummy IPv6 ACL and apply it under the flex profile and the WLAN profile. For example:

ipv6 access-list Dummy
 sequence 10 permit ipv6 any any
!
wireless profile flex default-flex-profile
 acl-policy Dummy
!
wlan WLAN_profile 18 WLAN
 ipv6 traffic-filter web Dummy
!
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html