Solved: They are connecting to WLAN

rm760 · ‎06-20-2015

I have just converted my home from (3) 3600 series autonomous APs to LWAPs with 802.11AC radios to take advantage of the 802.11AC radio spectrum.

I am using a WLC 2504 running version 8.1.102.0 software. All is working great except for my security cameras. They require a static IP address to communicate with the DVR. They are older and use WEP encryption (hex 128 bit). They cannot achieve the RUN state as the controller wants the IP address before allowing connection to the network. DHCP is not set to required for the WLAN or Interface. Here is the error I receive.

*apfMsConnTask_3: Jun 20 11:57:33.067: %APF-3-ASSOCREQ: apf_utils.c:1514 00:80:f0:58:14:b7 0.0.0.0 DHCP_REQD (7) Rejecting association attempt by ad-hoc client

I have even attempted to break down the communication to its most basic form (wide open), and still the same result.

Thoughts and suggestions would be greatly appreciated.

Attached is a copy of my configuration

Scott Fella · ‎06-20-2015

It can be because the device that has a static address isn't responding to ip information request. This means that you need to enable passive clients. Here is instructions that will walk you through what is needed to support these devices.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01100011.html

-Scott

-Scott
*** Please rate helpful posts ***

View solution in original post

ali aqrabawi · ‎06-24-2015

inorder to roam seemlessly between two flex APs , both APs should be in same flex group ,

create flexconnect group , and add the flex APs to it , make sure no load balance or band select is enabled on the SSID

View solution in original post

rm760 · ‎06-20-2015

On the monitor page I can see the MAC address and the static IP but still no RUN state

Freerk Terpstra · ‎06-20-2015

Are those clients trying to connect to WLAN ID 1? If that is the case the problem is that "DHCP Addr. Assignment" is actually enabled. Please go to the advanced tab of the WLAN and untick the "Required" checkbox. If the problem still occurs, please share the output of an "debug client MACADR".

Please rate useful posts :-)

rm760 · ‎06-20-2015

They are connecting to WLAN ID 5 which is set to not require DHCP. These cameras connected to the same access points just fine when the access points were in autonomous mode..

Scott Fella · ‎06-20-2015

It can be because the device that has a static address isn't responding to ip information request. This means that you need to enable passive clients. Here is instructions that will walk you through what is needed to support these devices.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01100011.html

-Scott

-Scott
*** Please rate helpful posts ***

rm760 · ‎06-20-2015

Scott

I did try enabling the passive client option. No joy. Two of the cameras did respond briefly. I had to send consistent pings to each to keep the session alive.

Scott Fella · ‎06-20-2015

The best workaround is to use DHCP reservations so the cameras always get the same IP address. There really isn't another workaround especially if you followed the doc step by step. Maybe configure a static arp entry on the L3 device for he cameras.

-Scott

-Scott
*** Please rate helpful posts ***

rm760 · ‎06-22-2015

After having added all of the input each of you have provided, I am making progress. Now the issue is the client ability to recover. For example: resetting an AP or making a change to the 802.11b/g/n configuration of the WLC requires that I power cycle each camera to reconnect. In the autonomous AP configuration the devices would reconnect automatically

rm760 · ‎06-24-2015

I took it upon myself to change the AP mode from local to flexconnect. All of the cameras are now working. No more seeing two MAC addresses for each of the cameras.

This change seems to have caused an issue for Apple devices. Apple devices no longer roam. They remain connected to the AP originating the wireless communication, even if there is a better signal from another AP with the same SSID and WLAN. And when an Apple device now goes to sleep I must go to the setting menu to view the wireless settings before it will reestablish.

ali aqrabawi · ‎06-24-2015

inorder to roam seemlessly between two flex APs , both APs should be in same flex group ,

create flexconnect group , and add the flex APs to it , make sure no load balance or band select is enabled on the SSID

rm760 · ‎06-24-2015

Ali

I did have the flexconnect grouping and configuration as you suggested. I just enabled the 11k features in the WLAN advanced settings and things appear to be working better. Thanks for leading me in the right direction.

I appreciate everyone's help. Is there a way for me to mark multiples of the answers as correct?

ali aqrabawi · ‎06-24-2015

you welcome , not sure if this is possible , but you can try

ali aqrabawi · ‎06-20-2015

can you please share :

show wlan 5

show client details <client MAC>

debug client <cleint MAC> while the camera is trying to connect to the WLAN .

rm760 · ‎06-22-2015

Here is the output of Show WLAN 5

(Cisco Controller) >show wlan 5

WLAN Identifier.................................. 5
Profile Name..................................... Cameras
Network Name (SSID).............................. HOUNDS
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
Number of Active Clients......................... 15
Exclusionlist.................................... Disabled
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... wlc.consulteron.local
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ wlan 192
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream

--More-- or (q)uit
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority..............................
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Enabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11g only
DTIM period for 802.11a radio.................... 1

--More-- or (q)uit
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Disabled
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Enabled
        Key Index:...................................... 1
        Encryption:..................................... 104-bit WEP
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300

--More-- or (q)uit
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Disabled
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled

--More-- or (q)uit
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled

--More-- or (q)uit

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

(Cisco Controller) >

ali aqrabawi · ‎06-22-2015

ok this is local switching WLAN , (interesting) ,

+even if the cleint is not in Run state on the WLC , are you able to ping it from it's local gateway ?

+as per configuration guide "For the FlexConnect local switching, central authentication deployments, if there is a passive client with a static IP address, it is recommended to disable the Learn Client IP Address feature under the WLAN > Advanced tab."

so can you disable the flexconnect learn ip address ,

for your reference :

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/flexconnect.html

Statically addressed devices cannot achive RUN state