
ACL received from RADIUS does not exist in WLC de-authenticating the client

Maarten Brok
Level 1

Dear,

We are trying to set up a self-registration portal using ISE 2.3 Patch1 and Cisco WLC 8.5.103.0.

On our customer side we have a similar setup using the Guest Portal of ISE2.1 and Cisco WLC 8.2.161.0.

When any client connects to the WLAN, it will be redirected through the authorization profile configured in Cisco ISE.

I can see that that part should be working correctly, looking in the debug from WLC.

Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0

Being mandatory in the authorization profile, an ACL is called through RADIUS for the connecting client, but then I see the following error:

ACL received from RADIUS does not exist in WLC de-authenticating the client

From that moment my phone/laptop states the error it can't connect to this network.

I'm very very sure that everything is configured correctly and that there are no typos in my configuration or whatsoever. I have even tried multiple devices to see if it could be some issue relating to one of my devices.

What I have also done:
Test setup with WLC 8.2.151.0 & ISE 2.3 No patch

Then updated my ISE2.3 with Patch1 but still the same result. I expect ISE2.3 to be the cause but I can't confirm. Is anyone familiar with this possible bug?

Please also see the full debug:

(Cisco Controller) >*apfMsConnTask_6: Nov 28 12:55:10.830: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfReceiveTask: Nov 28 12:55:10.877: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:55:10.877: iPhone Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Nov 28 12:55:10.877: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:55:10.877: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:55:10.877: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:55:10.877: iPhone Sending Assoc Response to station on BSSID 44:ad:d9:56:f8:56 (status Assoc denied unspecified) ApVapId 7 Slot 0
*apfReceiveTask: Nov 28 12:55:10.877: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:55:10.877: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*osapiBsnTimer: Nov 28 12:55:20.888: iPhone apfMsExpireCallback (apf_ms.c:638) Expiring Mobile!
*apfReceiveTask: Nov 28 12:55:20.889: iPhone apfMsExpireMobileStation (apf_ms.c:7528) Changing state for mobile iPhone on AP AccessPoint from Authenticated to Idle

*apfReceiveTask: Nov 28 12:55:20.889: iPhone pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Nov 28 12:55:20.889: iPhone 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [AccessPoint]
*apfReceiveTask: Nov 28 12:55:20.889: iPhone Deleting mobile on AP AccessPoint(0)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Created Acct-Session-ID (5a1d5cb9/iPhone/728) for the mobile
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Adding mobile on LWAPP AP AccessPoint(0)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Association received from mobile on BSSID AccessPoint-otherMAC AP qcst-hq-nl-qct-003
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Setting the NAS Id to WLAN specific Id 'LAB Guest'
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Applying site-specific Local Bridging override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Applying Local Bridging Interface Policy for station iPhone - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone override from ap group, removing intf group from mscb
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Applying site-specific override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Set Clinet Non AP specific apfMsAccessVlan = 104
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone apfProcessAssocReq (apf_80211.c:10375) Changing state for mobile iPhone on AP AccessPoint from Idle to AAA Pending

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Updating the Aid in case of flex mac-filtering

*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Updating AID for REAP AP Client AccessPoint - AID ===> 1
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:55:21.690: iPhone Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Nov 28 12:55:21.690: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:55:21.690: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:55:21.690: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Association received from mobile on BSSID AccessPoint-otherMAC AP qcst-hq-nl-qct-003
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Max Client Trap Threshold: 0  cur: 1

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Setting the NAS Id to WLAN specific Id 'LAB Guest'
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Applying site-specific Local Bridging override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Applying Local Bridging Interface Policy for station iPhone - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone override from ap group, removing intf group from mscb
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Applying site-specific override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 104

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Set Clinet Non AP specific apfMsAccessVlan = 104
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone apfProcessAssocReq (apf_80211.c:10375) Changing state for mobile iPhone on AP AccessPoint from Authenticated to AAA Pending

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone Updating the Aid in case of flex mac-filtering

*apfMsConnTask_6: Nov 28 12:55:25.757: iPhone AID 1 in Assoc Req from flex AP AccessPoint is same as in mscb iPhone
*apfReceiveTask: Nov 28 12:55:25.793: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:55:25.793: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:55:25.793: iPhone Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Nov 28 12:55:25.793: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:55:25.793: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:55:25.793: iPhone Sending Assoc Response to station on BSSID 44:ad:d9:56:f8:56 (status Assoc denied unspecified) ApVapId 7 Slot 0
*apfReceiveTask: Nov 28 12:55:25.793: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:55:25.793: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*osapiBsnTimer: Nov 28 12:55:35.789: iPhone apfMsExpireCallback (apf_ms.c:638) Expiring Mobile!
*apfReceiveTask: Nov 28 12:55:35.789: iPhone apfMsExpireMobileStation (apf_ms.c:7528) Changing state for mobile iPhone on AP AccessPoint from Authenticated to Idle

*apfReceiveTask: Nov 28 12:55:35.789: iPhone 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [AccessPoint]
*apfReceiveTask: Nov 28 12:55:35.789: iPhone Deleting mobile on AP AccessPoint(0)
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Created Acct-Session-ID (5a1d5ce6/iPhone/729) for the mobile
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Adding mobile on LWAPP AP AccessPoint(0)
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Association received from mobile on BSSID AccessPoint-otherMAC AP qcst-hq-nl-qct-003
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Nov 28 12:56:06.002: iPhone Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Setting the NAS Id to WLAN specific Id 'LAB Guest'
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Applying site-specific Local Bridging override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Applying Local Bridging Interface Policy for station iPhone - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone override from ap group, removing intf group from mscb
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Applying site-specific override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Set Clinet Non AP specific apfMsAccessVlan = 104
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone apfProcessAssocReq (apf_80211.c:10375) Changing state for mobile iPhone on AP AccessPoint from Idle to AAA Pending

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Updating the Aid in case of flex mac-filtering

*apfMsConnTask_6: Nov 28 12:56:06.003: iPhone Updating AID for REAP AP Client AccessPoint - AID ===> 1
*apfReceiveTask: Nov 28 12:56:06.038: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:56:06.038: iPhone Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Nov 28 12:56:06.038: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:56:06.038: iPhone Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Nov 28 12:56:06.038: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:56:06.038: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:56:06.038: iPhone Sending Assoc Response to station on BSSID 44:ad:d9:56:f8:56 (status Assoc denied unspecified) ApVapId 7 Slot 0
*apfReceiveTask: Nov 28 12:56:06.038: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:56:06.038: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Association received from mobile on BSSID AccessPoint-otherMAC AP qcst-hq-nl-qct-003
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Max Client Trap Threshold: 0  cur: 1

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Setting the NAS Id to WLAN specific Id 'LAB Guest'
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Applying site-specific Local Bridging override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Applying Local Bridging Interface Policy for station iPhone - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone override from ap group, removing intf group from mscb
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 104

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Set Clinet Non AP specific apfMsAccessVlan = 104
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone apfProcessAssocReq (apf_80211.c:10375) Changing state for mobile iPhone on AP AccessPoint from Authenticated to AAA Pending

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone Updating the Aid in case of flex mac-filtering

*apfMsConnTask_6: Nov 28 12:56:08.964: iPhone AID 1 in Assoc Req from flex AP AccessPoint is same as in mscb iPhone
*apfReceiveTask: Nov 28 12:56:08.999: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:56:08.999: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:56:08.999: iPhone Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Nov 28 12:56:08.999: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:56:08.999: iPhone Sending Assoc Response to station on BSSID 44:ad:d9:56:f8:56 (status Assoc denied unspecified) ApVapId 7 Slot 0
*apfReceiveTask: Nov 28 12:56:08.999: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:56:08.999: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Association received from mobile on BSSID AccessPoint-otherMAC AP qcst-hq-nl-qct-003
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Station:  38:71:DE:84:C8:5F  11v BSS Transition not enabled on the AP  44:AD:D9:56:F8:50
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Max Client Trap Threshold: 0  cur: 1

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Setting the NAS Id to WLAN specific Id 'LAB Guest'
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Applying site-specific Local Bridging override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Applying Local Bridging Interface Policy for station iPhone - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone override from ap group, removing intf group from mscb
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Applying site-specific override for station iPhone - vapId 4, site 'QCST-HQ', interface 'management'
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 104

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Not re-applying interface policy for local switching Client

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2731)
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Set Clinet Non AP specific apfMsAccessVlan = 104
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone apfProcessAssocReq (apf_80211.c:10375) Changing state for mobile iPhone on AP AccessPoint from Authenticated to AAA Pending

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone Updating the Aid in case of flex mac-filtering

*apfMsConnTask_6: Nov 28 12:56:09.361: iPhone AID 1 in Assoc Req from flex AP AccessPoint is same as in mscb iPhone
*apfReceiveTask: Nov 28 12:56:09.385: iPhone Received SGT for this Client.
*apfReceiveTask: Nov 28 12:56:09.385: iPhone Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Nov 28 12:56:09.385: iPhone Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Nov 28 12:56:09.385: iPhone Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Nov 28 12:56:09.385: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:56:09.385: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfReceiveTask: Nov 28 12:56:09.385: iPhone Sending Assoc Response to station on BSSID 44:ad:d9:56:f8:56 (status Assoc denied unspecified) ApVapId 7 Slot 0
*apfReceiveTask: Nov 28 12:56:09.385: iPhone apfProcessRadiusAssocResp (apf_80211.c:4809) Changing state for mobile iPhone on AP AccessPoint from AAA Pending to Authenticated

*apfReceiveTask: Nov 28 12:56:09.385: iPhone Scheduling deletion of Mobile Station:  (callerId: 18) in 10 seconds
*osapiBsnTimer: Nov 28 12:56:19.528: iPhone apfMsExpireCallback (apf_ms.c:638) Expiring Mobile!
*apfReceiveTask: Nov 28 12:56:19.528: iPhone apfMsExpireMobileStation (apf_ms.c:7528) Changing state for mobile iPhone on AP AccessPoint from Authenticated to Idle

*apfReceiveTask: Nov 28 12:56:19.528: iPhone pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Nov 28 12:56:19.528: iPhone 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [AccessPoint]

 

 

1 Accepted Solution


Maarten Brok
Level 1

After opening a TAC case I found out that you need to configure the Flexconnect ACLs also in order to have this working correctly.

Luckily the Cisco documentation doesn't explicitly mention this in their 1001 manuals for these configurations.

For the person having the same issue:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

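A triage helper for the kind of debug posted in the question, as an added example that is not part of the original thread and not Cisco tooling: it groups the WLC client debug into association attempts and, when the "ACL received from RADIUS does not exist" rejection appears, reports whether the client was locally switched, which is the case where the accepted answer says the ACL must also exist as a FlexConnect ACL. The function names, result codes and the constructed "Laptop" lines are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "*task: Mon DD HH:MM:SS.mmm: <client> <message>", the layout used in the debug above.
LINE = re.compile(r"\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): (?P<client>\S+)\s+(?P<msg>.*)")
FLEX_ACL = re.compile(r"Flexconnect ACL \[(\d+)\]")
ASSOC_STATUS = re.compile(r"Sending assoc-resp with status (\d+)")

# The iPhone lines are copied from the thread's debug. The Laptop lines are
# constructed here to show a client without local-switching markers.
SAMPLE_DEBUG = """\
(Cisco Controller) >*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Processing assoc-req station:iPhone AP:AccessPoint-00 thread:132f9ee0
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone Not re-applying interface policy for local switching Client
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfMsConnTask_6: Nov 28 12:55:21.634: iPhone In processSsidIE:6380 setting Central switched to FALSE
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Nov 28 12:55:21.690: iPhone  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:55:21.690: iPhone Sending assoc-resp with status 12 station:iPhone AP:AccessPoint-00 on apVapId 7
*apfMsConnTask_6: Nov 28 12:57:00.100: Laptop Processing assoc-req station:Laptop AP:AccessPoint-01 thread:132f9ee0
*apfReceiveTask: Nov 28 12:57:00.150: Laptop  ACL received from RADIUS does not exist in WLC de-authenticating the client
*apfReceiveTask: Nov 28 12:57:00.150: Laptop Sending assoc-resp with status 12 station:Laptop AP:AccessPoint-01 on apVapId 7
"""


@dataclass
class Attempt:
    client: str
    started: str
    local_switching: bool = False       # FlexConnect local switching markers seen
    flex_acl_id: Optional[int] = None   # value printed as "Flexconnect ACL [n]"
    redirect_url: bool = False          # ISE returned a redirect URL
    acl_missing: bool = False           # WLC could not resolve the ACL from RADIUS
    assoc_status: Optional[int] = None  # status sent in the association response


def parse_attempts(text: str) -> List[Attempt]:
    """Split a WLC client debug into one Attempt per 'Processing assoc-req'."""
    attempts: List[Attempt] = []
    current = {}  # client name -> Attempt currently being filled
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # blank lines and anything not in debug format
        client, msg = m["client"], m["msg"]
        if msg.startswith("Processing assoc-req"):
            current[client] = Attempt(client=client, started=m["ts"])
            attempts.append(current[client])
            continue
        a = current.get(client)
        if a is None:
            continue  # capture started mid-attempt; nothing to attach to
        if "local switching Client" in msg or "Central switched to FALSE" in msg:
            a.local_switching = True
        if (flex := FLEX_ACL.search(msg)):
            a.flex_acl_id = int(flex.group(1))
        if msg.startswith("Redirect URL received"):
            a.redirect_url = True
        if "ACL received from RADIUS does not exist in WLC" in msg:
            a.acl_missing = True
        if (st := ASSOC_STATUS.search(msg)):
            a.assoc_status = int(st.group(1))
    return attempts


def diagnose(a: Attempt) -> str:
    """Map an attempt to the check suggested in this thread."""
    if not a.acl_missing:
        return "no-acl-error"
    if a.local_switching:
        # Accepted answer: the FlexConnect ACLs have to be configured as well.
        return "check-flexconnect-acl"
    # ajc's reply: ACL name in the authz profile and on the WLC must be the same.
    return "check-acl-name"


if __name__ == "__main__":
    for att in parse_attempts(SAMPLE_DEBUG):
        print(att.started, att.client, "assoc-resp status", att.assoc_status,
              "flex ACL id", att.flex_acl_id, "->", diagnose(att))
```
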

4 Replies

ajc
Level 7

Check the name of the ACL on the AUTHZ Profile for the redirect AND the WLC Preauth ACL. The name on both sides MUST be the same.

Dear Abraham,

Thanks for the response.

I have checked the correct names multiple times, in both setups.

I have even deleted and re-made the ACLs multiple times.

Any other ideas? I do think this issue is related to ISE2.3 as I don't have this issue on the customer side which is using ISE 2.0.


Maarten

Just to say thanks. I tried to get this running for 4 weeks now in the lab. Sorted straight away. I knew it was something I missed on the WLC. Spent a lot of hours on this. Thanks for the link.