Cisco AnyConnect and NAM Key Caching

I wonder why Cisco AnyConnect's NAM module doesn't support ANY key caching methods available in the wild? I've gone through the release notes for the latest version 4.5 and was surprised to find out this is still the case!

 

So, OKC is unavailable, CCKM is unavailable, now I've just tested 802.11r SSID on W10 and guess what? Yes, not connecting even though Native W10 supplicant has no issues with that...

 

Is it NAM or Fast Secure Roaming then? Can anyone from Cisco explain what's going on and what the roadmap for key caching methods for NAM is in the near future? We'd like to use EAP-Chaining with EAP-FAST, but we'd like to keep our seamless roaming experience, please....

 

Thanks


Re: Cisco AnyConnect and NAM Key Caching

Ping

 

I've collected some debug information on the WLC and got this:

 

*Dot1x_NW_MsgTask_2: Sep 28 13:21:57.422: 98:5f:d3:e0:66:c2 Sending EAP-Request/Identity to mobile 98:5f:d3:e0:66:c2 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Sep 28 13:22:05.943: 1x: EAPOL frame with dst MAC 00:00:00:00:00:00 and BSSID 00:2a:10:0d:70:e0 discarded
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Processing assoc-req station:98:5f:d3:e0:66:c2 AP:00:2a:10:0d:70:e0-01 thread:18cfbc80
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Station:  98:5F:D3:E0:66:C2  11v BSS Transition not enabled on the AP  00:2A:10:0D:70:E0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Association received from mobile on BSSID 00:2a:10:0d:70:eb AP GBLDS2APF04-10
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Station:  98:5F:D3:E0:66:C2  11v BSS Transition not enabled on the AP  00:2A:10:0D:70:E0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Rf profile 200 Clients are allowed to AP radio
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Max Client Trap Threshold: 12  cur: 4
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 In processSsidIE:6380 setting Central switched to FALSE
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Set Clinet MSCB as Central Association Disabled
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Applying site-specific Local Bridging override for station 98:5f:d3:e0:66:c2 - vapId 5, site 'NG-Wireless', interface 'bogus'
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Applying Local Bridging Interface Policy for station 98:5f:d3:e0:66:c2 - vlan 999, interface id 10, interface 'bogus'
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 override from ap group, removing intf group from mscb
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Applying site-specific override for station 98:5f:d3:e0:66:c2 - vapId 5, site 'NG-Wireless', interface 'bogus'
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Applying Interface(bogus) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 170
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Not re-applying interface policy for local switching Client
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2710)
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Set Clinet Non AP specific apfMsAccessVlan = 170
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 STA - rates (8): 12 18 24 36 48 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Marking this mobile as TGr capable.
*apfMsConnTask_7: Sep 28 13:22:06.601: RSNIE in Assoc. Req.: (20)
*apfMsConnTask_7: Sep 28 13:22:06.601:      [0000] 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f
*apfMsConnTask_7: Sep 28 13:22:06.601:      [0016] ac 03 00 00
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Processing RSN IE type 48, length 20 for mobile 98:5f:d3:e0:66:c2
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 RSN Capabilities:  0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Marking Mobile as non-11w Capable
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Updating AID for REAP AP Client 00:2a:10:0d:70:e0 - AID ===> 170
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Encryption policy is set to 0x80000001
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:2a:10:0d:70:e0 vapId 5 apVapId 4for this client
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:2a:10:0d:70:e0 vapId 5 apVapId 4 flex-acl-name:
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 apfPemAddUser2 (apf_policy.c:362) Changing state for mobile 98:5f:d3:e0:66:c2 on AP 00:2a:10:0d:70:e0 from Associated to Associated
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 apfPemAddUser2:session timeout forstation 98:5f:d3:e0:66:c2 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Sending assoc-resp with status 0 station:98:5f:d3:e0:66:c2 AP:00:2a:10:0d:70:e0-01 on apVapId 4
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 VHT Operation IE: width 20/0 ch 52 freq0 0 freq1 0 msc0 0x3f msc1 0x3f
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Sending R0KH-ID as: X.X.X.X
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Sending R1KH-ID as 00:f6:63:d4:04:23
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Including FT IE (length 98) in Initial Assoc Resp to mobile
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Clearing the existing FT session data for mobile as we received a fresh Association.
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 Sending Assoc Response to station on BSSID 00:2a:10:0d:70:ec (status 0) ApVapId 4 Slot 1
*apfMsConnTask_7: Sep 28 13:22:06.601: 98:5f:d3:e0:66:c2 apfProcessAssocReq (apf_80211.c:10521) Changing state for mobile 98:5f:d3:e0:66:c2 on AP 00:2a:10:0d:70:e0 from Associated to Associated
*spamApTask6: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 Sent dot1x auth initiate message for mobile 98:5f:d3:e0:66:c2
*Dot1x_NW_MsgTask_2: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 reauth_sm state transition 0 ---> 0 for mobile 98:5f:d3:e0:66:c2 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_2: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 EAP-PARAM Debug - eap-params for Wlan-Id :5 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_2: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_2: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 dot1x - moving mobile 98:5f:d3:e0:66:c2 into Connecting state
*Dot1x_NW_MsgTask_2: Sep 28 13:22:06.605: 98:5f:d3:e0:66:c2 Sending EAP-Request/Identity to mobile 98:5f:d3:e0:66:c2 (EAP Id 1)

 

That's it. The client does not reply.

I see the same over the air...

 

AC-802.11r.png

Auth and Assoc are the same if I use the native supplicant, but the native supplicant replies to the EAP Request, while AnyConnect doesn't... this is very strange. If I turn off FT for this WLAN, then AC associates without problems.

 

Is it an issue between AC and W10 API?
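To show why the WLC debug above marks the client "TGr capable" and "non-11w Capable", here is an added Python example (not code from the thread or from Cisco) that decodes the RSN IE hex dump printed in that log. The dump text is copied from the debug lines above; the suite and capability-bit tables are the standard IEEE 802.11 values.

```python
import re
import struct

# Constructed input: the two "RSNIE in Assoc. Req." dump lines from the WLC debug above.
WLC_RSN_DUMP = """\
*apfMsConnTask_7: Sep 28 13:22:06.601:      [0000] 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f
*apfMsConnTask_7: Sep 28 13:22:06.601:      [0016] ac 03 00 00
"""

# Suite selectors under the IEEE OUI 00-0f-ac (IEEE 802.11-2016, Tables 9-131 / 9-133).
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def hexdump_to_bytes(dump):
    """Extract the byte values from WLC '[offset] xx xx ...' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.search(r"\[(\d+)\]\s+((?:[0-9a-f]{2}\s*)+)$", line.strip(), re.I)
        if m:
            out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def suite_name(sel, table):
    """Map a 4-byte suite selector (OUI + type) to a name."""
    oui, typ = sel[:3], sel[3]
    if oui != b"\x00\x0f\xac":
        return f"vendor {oui.hex()}:{typ}"
    return table.get(typ, f"unknown({typ})")

def parse_rsn_ie(body):
    """Decode an RSN IE body (the 20 bytes after tag 48 and the length byte)."""
    if len(body) < 8:
        raise ValueError("RSN IE body too short")
    version = struct.unpack_from("<H", body, 0)[0]
    group = suite_name(body[2:6], CIPHER_SUITES)
    pos = 6
    pc = struct.unpack_from("<H", body, pos)[0]; pos += 2
    pairwise = [suite_name(body[pos + 4*i:pos + 4*i + 4], CIPHER_SUITES) for i in range(pc)]
    pos += 4 * pc
    ac = struct.unpack_from("<H", body, pos)[0]; pos += 2
    akms = [suite_name(body[pos + 4*i:pos + 4*i + 4], AKM_SUITES) for i in range(ac)]
    pos += 4 * ac
    caps = struct.unpack_from("<H", body, pos)[0] if pos + 2 <= len(body) else 0
    return {
        "version": version, "group": group, "pairwise": pairwise, "akm": akms,
        "capabilities": caps,
        "ft_capable": any(a.startswith("FT-") for a in akms),  # an FT AKM is what makes the WLC log "TGr capable"
        "mfp_capable": bool(caps & 0x0080),  # MFPC bit; 0 here, hence "non-11w Capable"
        "mfp_required": bool(caps & 0x0040),  # MFPR bit
    }

if __name__ == "__main__":
    print(parse_rsn_ie(hexdump_to_bytes(WLC_RSN_DUMP)))
```

The decoded IE advertises only the FT-802.1X AKM, so the WLC commits the association to the FT path (FT Mobility Domain and FT IEs in the response); a supplicant that cannot complete 802.11r FT initial association after advertising that AKM is exactly the stall the debug then shows at EAP-Request/Identity.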

Cisco Employee

Re: Cisco AnyConnect and NAM Key Caching

Last I looked into it, the AnyConnect/NAM cannot support FSR today due to Microsoft blocking their access to the APIs required to support it. At last check, Cisco had a case open with IBM and Microsoft submitted a DCR (design change request) #3708783 to track this. No movement.
