Problem with authentication and authorization dot1x on Cisco ISE

Good day.

I have a problem. I can't connect to the Wi-Fi network from an Android device or other devices. Cisco ISE v2.2 is used for authentication and authorization. A WLC 5760 wireless controller manages the access points.

 

On the WLC I configured the RADIUS server, server group and method list. I also created and configured the WLAN. Screenshots of the settings are in the attachment.

 

The authentication policy is created in the following way:

Standard rule 1: if Airespace:Airespace-Wlan-id EQUALS 10 Allow protocols: Default Network Access and
Default: Use Internal users

The authorization policy is created in the following way:

Standard rule 1: if LME_Guest AND (Airespace:Airespace-Wlan-id EQUALS 10) then: PermitAccess

 

When the device connects to the network, it reports an authentication problem. The WLC 5760 log is here:

Mar  5 19:33:24.695: %PARSER-5-CFGLOG_LOGGEDCMD: User:vg  logged command:shell processing

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP  84b8.02c0.9050

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 qos upstream policy is In_Client_LME_Guest and downstream policy is Eg_Client_LME_Guest

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 1 mscb ipAddr 192.168.111.151, apf RadiusOverride 0x0, numIPv6Addr=0

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Disconnect client immediately due to WLANswitch from 3(LME_Guest) to 10(LME_Employee)

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clean up Mscb after WLAN change

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clear aaa attributes

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 dot1xapiCleanup Session Stop for dot1x/open client.iifid: 5095c0000f336e capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing the audit session ID and AAA session id in MSCB

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 MS got the IP, resetting the Reassociation Count 0 for client

Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Address 192.168.111.151 on mobile

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  192.168.111.151 RUN (20) Skipping TMP rule add

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to DHCP_REQD (7) last state RUN (20)

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Client 1 vlan 311 m_vlan 311 Radio iif id 0x4d2ec000000075 bssid iif id 0x66a380000000fe, bssid 84b8.02c0.9050

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_AUTH: Adding opt82 len 0

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_CHANGE: Suppressing SPI (client pending deletion) pemstate 7 state LEARN_IP(2) vlan 311 client_id 0x5095c0000f336e mob=Local(1) ackflag 2 dropd 0, delete 1

Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) pemAdvanceState2: MOBILITY-INCOMPLETE with state 7.

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 4334

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Reason code 1, Preset 1, AAA cause 1

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [ 84b8.02c0.9050 ]

Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Cannot delete client entry, IP address is 0

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Incrementing the Reassociation Count 1 for client (of interface VLAN311_LME_Guest)

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Clearing Dhcp state for station  ---

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending SPI spi_epm_terminate_feature successfullifid: 5095c0000f336e capwap id: 76f7000000005f

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting wireless client; Reason code 1, Preset 1, AAA cause 1

Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DEL: Successfully sent

Mar  5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Challenge Fail, already scheduled for deletion

Mar  5 19:33:25.227: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 DHCP_REQD (7) Handling pemDelScb Event skipping delete

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB SPI response msg handler client code 1 mob state 1

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessWcdbClientDelete: Delete ACK from WCDB.

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: wcdbAckRecvdFlag updated

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_DELACK: Client IIF Id dealloc SUCCESS w/ 0x5095c0000f336e.

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Invoked platform delete and cleared handle

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting mobile on AP  84b8.02c0.9050 (0)

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Calling SM stop unconditionally for dot1x/open   ifid: 0 capwap id: 76f7000000005f old capwap id:76f7000000005f

Mar  5 19:33:25.240: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Unlinked and freed mscb

Mar  5 19:33:25.721: %AUTHMGR-4-UNAUTH_MOVE: (slow) MAC address (3084.5437.e218) from Ca60 to Ca2

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Processing assoc-req station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Adding mobile on LWAPP AP  84b8.02c0.9050 (0)

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706  Creating WL station entry for client -  rc 0

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Association received from mobile on AP  84b8.02c0.9050

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN policy on MSCB.

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying WLAN ACL policies to client

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 No Interface ACL used for Wireless client in WCM(NGWC)

Mar  5 19:33:25.753: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying site-specific IPv6 override for station  7423.4497.7706  - vapId 10, site 'default-group', interface 'VLAN311_LME_Guest'

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Applying local bridging Interface Policy for station  7423.4497.7706  - vlan 311, interface 'VLAN311_LME_Guest'

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (8): 2 4 11 22 12 18 24 36 0 0 0 0 0 0 0 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 STA - rates (12): 2 4 11 22 12 18 24 36 48 72 96 108 0 0 0 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Received 802.11i 802.1X key management suite, enabling dot1x Authentication

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 new capwap_wtp_iif_id 76f7000000005f, sm capwap_wtp_iif_id 0

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Radio IIFID 0x4d2ec000000075, BSSID IIF Id 0x57a500000f31b8, COS 4

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Anchor Sw  1, Doppler 1

Mar  5 19:33:25.754: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ALLOCATE: Client IIF Id alloc SUCCESS w/ client 738540000f33e1 (state 0).

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 iifid Clearing Ack flag

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Platform ID allocated successfully ID:3819

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Adding opt82 len 0

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: Cleaering Ack flag

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: ssid LME_Employee bssid 84b8.02c0.9050 vlan 311 auth=ASSOCIATION(0) wlan(ap-group/global) 10/10 client 0 assoc 74 mob=Unassoc(0) radio 0

Mar  5 19:33:25.755: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 m_vlan 311 ip 0.0.0.0 src 0x76f7000000005f dst 0x0 cid 0x738540000f33e1 glob rsc id 3819 dhcpsrv  192.168.96.1  type 0 IPSG off

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 WCDB_ADD: mscb iifid 0x738540000f33e1 msinfo iifid 0x0

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 START (0) Initializing policy

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to AUTHCHECK (2) last state START (0)

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to 8021X_REQD (3) last state AUTHCHECK (2)

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 8021X_REQD (3) DHCP Not required on AP  84b8.02c0.9050  vapId 10 apVapId 10for this client

Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not Using WMM Compliance code qosCap 00

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm:  7423.4497.7706  0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP  84b8.02c0.9050  vapId 10 apVapId 10

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfPemAddUser2 (apf_policy.c:204) Changing state for mobile  7423.4497.7706  on AP  84b8.02c0.9050  from Idle to Associated

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Stopping deletion of Mobile Station: (callerId: 48)

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Ms Timeout = 0, Session Timeout = 300

Mar  5 19:33:25.757: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending assoc-resp station: 7423.4497.7706  AP: 84b8.02c0.9050 -00 thread:-110073160

Mar  5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Sending Assoc Response to station on BSSID  84b8.02c0.9050  (status 0) ApVapId 10 Slot 0

Mar  5 19:33:25.758: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 apfProcessAssocReq (apf_80211.c:6359) Changing state for mobile  7423.4497.7706  on AP  84b8.02c0.9050  from Associated to Associated

Mar  5 19:33:25.762: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session start for dot1x/open client. iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:0

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Not comparing because the ACLs have not been sent yet.

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Final flag values are, epmSendAcl 1, epmSendAclDone 0

Mar  5 19:33:25.915: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706  client incoming attribute size are 670

Mar  5 19:33:25.922: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Session Update for dot1x/open client.iifid: 738540000f33e1 capwap id: 76f7000000005f old capwap id:76f7000000005f

 

Could you please tell me where to look for the problem? On ISE or on the WLC?
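To read a wcm client log like the one above more systematically, here is an added Python example (not from the original post, nor Cisco's own tooling) that parses the per-client "process wcm" lines, reconstructs the client state transitions and flags the WLAN switch and client-deletion lines. The sample input is a constructed excerpt of six lines in the same format as the log above; the state names and message texts are the ones the WLC prints.

```python
import re
from collections import defaultdict

# Constructed sample: six lines in the WLC 5760 "process wcm" format from the thread.
SAMPLE_LOG = """\
Mar  5 19:33:25.223: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Disconnect client immediately due to WLANswitch from 3(LME_Guest) to 10(LME_Employee)
Mar  5 19:33:25.224: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to DHCP_REQD (7) last state RUN (20)
Mar  5 19:33:25.225: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Reason code 1, Preset 1, AAA cause 1
Mar  5 19:33:25.226: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Deleting wireless client; Reason code 1, Preset 1, AAA cause 1
Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to AUTHCHECK (2) last state START (0)
Mar  5 19:33:25.756: %IOSXE-7-PLATFORM: 1 process wcm: 7423.4497.7706 Change state to 8021X_REQD (3) last state AUTHCHECK (2)
"""
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:.]+: %IOSXE-7-PLATFORM: \d+ process wcm:\s+"
                     r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<msg>.*)$")
STATE_RE = re.compile(r"Change state to (?P<new>\w+) \(\d+\) last state (?P<old>\w+) \(\d+\)")
SWITCH_RE = re.compile(r"WLANswitch from (\d+)\(([^)]+)\) to (\d+)\(([^)]+)\)")
DELETE_RE = re.compile(r"Deleting wireless client; Reason code (\d+), Preset \d+, AAA cause (\d+)")

def summarize(log_text):
    """Group wcm lines per client MAC: state transitions, WLAN switch, deletions."""
    clients = defaultdict(lambda: {"transitions": [], "wlan_switch": None, "deletions": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # not a per-client wcm line (e.g. %AUTHMGR, %PARSER)
        c, msg = clients[m["mac"]], m["msg"]
        if s := STATE_RE.search(msg):
            c["transitions"].append((s["old"], s["new"]))
        elif w := SWITCH_RE.search(msg):
            c["wlan_switch"] = (int(w[1]), w[2], int(w[3]), w[4])
        elif d := DELETE_RE.search(msg):
            c["deletions"].append((int(d[1]), int(d[2])))
    return dict(clients)

def diagnose(client):
    """Turn one client's summary into triage findings (plain strings)."""
    findings = []
    if client["wlan_switch"]:
        old, old_ssid, new, new_ssid = client["wlan_switch"]
        findings.append(f"re-associated to WLAN {new} ({new_ssid}) while the WLC still held "
                        f"a WLAN {old} ({old_ssid}) session; the old session was torn down")
    for reason, aaa in client["deletions"]:
        findings.append(f"client entry deleted: reason code {reason}, AAA cause {aaa}")
    states = [new for _, new in client["transitions"]]
    if "8021X_REQD" in states and "RUN" not in states[states.index("8021X_REQD"):]:
        findings.append("new session reached 8021X_REQD but no RUN state follows in this "
                        "excerpt: confirm the 802.1X result in the ISE live log before DHCP")
    return findings
```

Run `diagnose(summarize(SAMPLE_LOG)["7423.4497.7706"])` to get the three findings for the sample; on a full log, a client that never leaves 8021X_REQD points at the 802.1X exchange rather than at DHCP.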

22 Replies

Did you also try DHCP snooping?
The config looks good, and the DHCP server is the same for the working SSID and the non-working SSID.

Just for a quick test, can you modify the interface of the non-working SSID by setting the interface used in the working SSID and try again?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I agree, change the vlan311 interface assigned to the non-working SSID to the one that works and post the results.

 

Looks like you do not have DHCP snooping running on vlan 311, as I mentioned in another post.

I changed vlan 311 as you advised, but the result is the same as before, which I posted earlier. The client connects to the network and then immediately drops.
The DHCP snooping configuration on my WLC 5760 is as follows:

no ip dhcp snooping
no ip dhcp snooping vlan 1-4094
no ip dhcp snooping wireless bootp-broadcast enable
no ip dhcp snooping information option

interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 100, 311-315
switchport mode trunk
ip dhcp snooping trust

 

If the reason is DHCP snooping, why then do all these networks work when authenticating with RADIUS?

 

Thank you

You have a NO at the beginning of the ip dhcp command.

When you said you changed the vlan, do you mean the interface on the WLC or the DHCP snooping config?
I had a weird issue this morning, not with the same WLC. The customer had configured PermitAccess like you and it wasn't working. When I created an ACL on the WLC with permit ip any any and returned that ACL name in the authorization profile, everything worked as expected.
I need to investigate more because permit access should work.
Can you do the same and test?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

When you said you changed the vlan it means the interface on wlc or the dhcp snooping config? 
I changed the interface on the WLC; I did not touch DHCP snooping. At the moment the DHCP snooping configuration is as follows:

no ip dhcp snooping
no ip dhcp snooping vlan 1-4094
no ip dhcp snooping wireless bootp-broadcast enable
no ip dhcp snooping information option

interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 100, 311-315
switchport mode trunk
ip dhcp snooping trust

 

I created an ACL permit ip any any on the WLC, but the result is the same.

Let's go back to the initial test. 802.1X is L2 authentication. So please connect an end user to the Wi-Fi SSID again and, in parallel, check the ISE logs and provide us the information. I want to confirm again that authentication is successful, as I saw in your initial screenshots, before going back to the DHCP review. See next.

 

Assuming AUTHC is successful, your DHCP snooping is DISABLED, as you showed us in the last post, so you need to enable it.

 

ALSO, check if your vlan 3xx (the WLC interface for this ISE SSID test) can reach the DHCP server (enable ip-helper on your local LAN if needed). Based on my understanding, the "working" SSID is running on a different VLAN from the 3xx (correct me if I am wrong).

 

Attachments: PEAP1.png, PEAP2.png

ajc
Level 7

Taking into account that you are using a 5760 WLC, you are probably missing something from the CLI configuration, like the following, as indicated in the link below (assuming you are using an external DHCP server).

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/5760_IOS_WLC_Configuration_Best_Practices.html#pgfId-44966

 

DHCP

It is recommended to use an external DHCP server instead of the internal DHCP server.

DHCP Snooping Configuration

DHCP snooping configuration is required on the controller for proper client join functionality. DHCP snooping needs to be enabled on each client VLAN including the override VLAN if override is applied on the WLAN.

Here is an example of how to configure DHCP snooping.

Global DHCP Snooping Config:

WLC5760(config)#ip dhcp snooping
WLC5760(config)#ip dhcp snooping vlan 100

Enable the bootp-broadcast command. It is needed for clients that send DHCP messages to the broadcast address with the broadcast bit set in the DHCP message.

WLC5760(config)#ip dhcp snooping wireless bootp-broadcast enable

On the Interface:

Note: This command should not be used on a Guest Anchor.

Note: If upstream is via a port channel, the trust config should be on the port channel interface as well.

WLC5760(config)#interface TenGigabitEthernet1/0/1
WLC5760(config-if)#switchport trunk allowed vlan 100
WLC5760(config-if)#switchport mode trunk
WLC5760(config-if)#ip dhcp snooping trust
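As an added check (not part of the thread or of the Cisco document quoted above), the following Python reads an IOS-XE running-config excerpt and reports which of the best-practice DHCP snooping settings above are missing for a given client VLAN and uplink. The sample config is a constructed excerpt of the lines the OP posted; vlan 311 and TenGigabitEthernet1/0/1 are the inputs taken from the thread.

```python
import re

# Constructed excerpt of the WLC 5760 running-config the OP posted (DHCP snooping
# and uplink lines only; the rest of the config is omitted).
OP_CONFIG = """\
no ip dhcp snooping
no ip dhcp snooping vlan 1-4094
no ip dhcp snooping wireless bootp-broadcast enable
no ip dhcp snooping information option
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan 100, 311-315
 switchport mode trunk
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100, 311-315' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_dhcp_snooping(config, client_vlan, uplink):
    """List the best-practice DHCP snooping settings missing for one client VLAN."""
    enabled = bootp = False
    snoop_vlans, trusted, current = set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if not raw[:1].isspace():
            current = None                      # left the interface block
        if line.startswith("no "):
            continue                            # a negated command keeps the feature off
        if current and line == "ip dhcp snooping trust":
            trusted.add(current)
        elif line == "ip dhcp snooping":
            enabled = True
        elif m := re.match(r"ip dhcp snooping vlan (.+)", line):
            snoop_vlans |= expand_vlans(m[1])
        elif line == "ip dhcp snooping wireless bootp-broadcast enable":
            bootp = True
    checks = [(enabled, "ip dhcp snooping is not enabled globally"),
              (client_vlan in snoop_vlans, f"ip dhcp snooping vlan {client_vlan} is missing"),
              (bootp, "ip dhcp snooping wireless bootp-broadcast enable is missing"),
              (uplink in trusted, f"{uplink} lacks ip dhcp snooping trust")]
    return [msg for ok, msg in checks if not ok]
```

For the OP's excerpt, `check_dhcp_snooping(OP_CONFIG, 311, "TenGigabitEthernet1/0/1")` reports the three global commands as missing and only the uplink trust as present.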