Cisco WLC 5508 WLAN SSID 802.1x

Devabhai
Level 1

Hello everyone,

I have a Cisco 5508 WLC (release 8.3.150) with 25 WLAN SSIDs configured and 352 access points. In particular, there is a WLAN SSID configured with Layer 2 Security set to 802.1X (WEP). These 352 access points are installed in several locations, and the locations communicate with each other over MPLS. The WLAN SSID configured for 802.1X communicates with a Windows 2012 R2 NPS; it is enabled on all 352 access points and works fine on 350 of them, but on 2 access points it doesn't work. In one location there are two AIR-CAP1702I-E-K9 access points that broadcast the WLAN SSID, but when the Windows 10 clients try to connect, they get the answer "Can't connect the client". On the WLC the Policy Manager State associated with these clients is DHCP_REQD. If I change the WLAN SSID to WPA, WPA2 or WEP, it works in this location. It seems that the DHCP request from the AP is never seen by the WLC. Here are some rows from the debug on a client MAC address in this location:

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:c1:64:XX:XX:XX vapId 1 apVapId 1for this client

After some rows :

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

The debug end with :

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB

For troubleshooting the same scenario, I configured the WLAN SSID only for that location and only for those 2 access points with WPA+WPA2 only, without 802.1X, and it works. Here are the same rows of the debug:

*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:6c:bc:c2:d0:40 vapId 1 apVapId 1for this client

*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

The WLC Policy Manager State at the end of this step is RUN.

My opinion is that there is communication between the NPS and the WLC with some errors, but I haven't found them since I started working on this issue. Other counters:

Authentication Servers:

Server Index..................................... 1
Server Address................................... XX.XX.XX.XXX
Msg Round Trip Time.............................. 2 (msec)
First Requests................................... 2389308
Retry Requests................................... 36742
Accept Responses................................. 365911
Reject Responses................................. 32449
Challenge Responses.............................. 1981628
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 2
Pending Requests................................. 2
Timeout Requests................................. 42987
Consecutive Drops ............................... 0
Unknowntype Msgs................................. 0
Other Drops...................................... 72

Server Index..................................... 2
Server Address................................... XX.XX.XX.XXX
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1195
Retry Requests................................... 139
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 253
Consecutive Drops ............................... 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Server Index..................................... 3
Server Address................................... XX.XX.XX.XX
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1828
Retry Requests................................... 1746
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 2587
Consecutive Drops ............................... 5
Unknowntype Msgs................................. 0
Other Drops...................................... 0

show wlan ssid:

 

WLAN Identifier.................................. 1
Profile Name..................................... XXXXXXXXXXXXXXXXXXX
Network Name (SSID).............................. XXXXXXXXXXXXXXXXXXXXXX
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

ATF Policy....................................... 0
Number of Active Clients......................... 935
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured

PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... AP
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 2
DTIM period for 802.11b radio.................... 2
Radius Servers
Authentication................................ 10.39.1.201 1645 *
Authentication................................ 10.39.1.203 1645 *
Accounting.................................... 10.39.1.201 1646 *
Accounting.................................... 10.39.1.203 1646 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Enabled
Encryption:..................................... 104-bit WEP
802.1X on MAC Auth failure:..................... Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled

flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Disabled
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Enabled
EAP-Identity-Request Timeout (seconds)..... 40
EAP-Identity-Request Max Retries........... 2
EAP-Request Timeout (seconds).............. 30
EAP-Request Max Retries.................... 2
EAPOL-Key Timeout (milliseconds)........... 1000
EAPOL-Key Max Retries...................... 2
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flex Avc Profile Name............................ None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled

Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
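
As an added example that is not part of the original post or of any Cisco tool: a small Python script that parses the two kinds of output pasted above, the `debug client` policy-manager lines and the `show radius auth statistics` counters, and answers the two questions the post circles around: which clients never reach RUN, and which RADIUS servers are actually answering. The sample inputs are constructed from the excerpts above with the XX redactions kept; the final RUN debug line (and the client IP in it) and the 5% timeout threshold are assumptions, not something on the page.

```python
"""Triage helpers for the AireOS (Cisco 5508 WLC) 802.1X problem in this thread.
Added example, not code from the original post or from Cisco. Sample inputs are
constructed from the post's excerpts (XX redactions kept); the last debug line,
a RUN transition the poster describes but did not paste, is made up."""
import re
from collections import defaultdict

# RUN is the only healthy end state; DHCP_REQD means 802.1X passed and the WLC
# is still waiting to learn the client's IP address.
HEALTHY_END_STATE = "RUN"

# '*Task: Mon DD HH:MM:SS.mmm: [PA] <mac> <ip> <STATE> (<n>) <message>';
# \s* between MAC and IP tolerates the missing space seen in the post.
DEBUG_LINE = re.compile(
    r"^\*(?P<task>\S+):\s+(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d{3}):\s+\[PA\]\s+"
    r"(?P<mac>(?:[0-9A-Fa-fXx]{2}:){5}[0-9A-Fa-fXx]{2})\s*(?P<ip>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<state>[A-Z0-9_]+)\s+\((?P<code>\d+)\)\s+(?P<msg>.*)$")
# 'Counter Name......... value' rows of 'show radius auth statistics'
COUNTER = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*\.{2,}\s*(?P<val>\S+)")


def client_state_paths(debug_text):
    """Map each client MAC to the ordered policy-manager states it logged."""
    paths = defaultdict(list)
    for line in debug_text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if m:
            paths[m["mac"].lower()].append(m["state"])
    return dict(paths)


def stuck_clients(debug_text):
    """Clients whose last logged state is not RUN, with that last state."""
    return {mac: states[-1]
            for mac, states in client_state_paths(debug_text).items()
            if states[-1] != HEALTHY_END_STATE}


def parse_radius_stats(stats_text):
    """Split the statistics output into one {counter: value} dict per server."""
    servers, cur = [], None
    for line in stats_text.splitlines():
        m = COUNTER.match(line.strip())
        if not m:
            continue
        key, val = m["key"].strip(), m["val"]
        if key == "Server Index":
            cur = {}
            servers.append(cur)
        if cur is not None:
            cur[key] = int(val) if val.isdigit() else val
    return servers


def radius_findings(stats_text, timeout_ratio_limit=0.05):
    """Classify each server as 'ok', 'high timeout ratio' or 'no responses'.

    No Accept/Reject/Challenge at all despite requests means the server is
    unreachable or silently discarding them: RFC 2865 has a server drop a
    request from an unknown NAS or with a bad shared secret without any reply,
    so on the WLC both cases look like plain timeouts.
    """
    findings = {}
    for s in parse_radius_stats(stats_text):
        first = s.get("First Requests", 0)
        answered = sum(s.get(k, 0) for k in
                       ("Accept Responses", "Reject Responses", "Challenge Responses"))
        if first and answered == 0:
            verdict = "no responses"
        elif first and s.get("Timeout Requests", 0) / first > timeout_ratio_limit:
            verdict = "high timeout ratio"
        else:
            verdict = "ok"
        findings[s["Server Index"]] = verdict
    return findings


# Constructed from the post's debug excerpts; AP MACs redacted, RUN line made up.
DEBUG_SAMPLE = """\
*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:c1:64:XX:XX:XX vapId 1 apVapId 1for this client
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB
*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:6c:bc:XX:XX:XX vapId 1 apVapId 1for this client
*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Sep 12 14:10:13.004: [PA] f0:d5:bf:XX:XX:XX 10.0.0.23 RUN (20) constructed line standing in for the RUN transition
"""
# Constructed from the post's three-server statistics, key counters only.
RADIUS_SAMPLE = """\
Server Index..................................... 1
First Requests................................... 2389308
Accept Responses................................. 365911
Challenge Responses.............................. 1981628
Timeout Requests................................. 42987
Server Index..................................... 2
First Requests................................... 1195
Accept Responses................................. 0
Challenge Responses.............................. 0
Timeout Requests................................. 253
Server Index..................................... 3
First Requests................................... 1828
Accept Responses................................. 0
Challenge Responses.............................. 0
Timeout Requests................................. 2587
"""

if __name__ == "__main__":
    print(stuck_clients(DEBUG_SAMPLE))     # {'68:ec:c5:xx:xx:xx': 'DHCP_REQD'}
    print(radius_findings(RADIUS_SAMPLE))  # {1: 'ok', 2: 'no responses', 3: 'no responses'}
```

Run against the post's numbers it reports the 802.1X client's last state as DHCP_REQD, server 1 as healthy (about 1.8% of first requests timed out) and servers 2 and 3 as never having returned a single Accept, Reject or Challenge. The stats addresses are redacted, so the page does not say which of those indexes correspond to the two servers listed under the WLAN's RADIUS Servers section; the check is meant to be pasted real `show radius auth statistics` output, not the trimmed sample.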

 

 

2 Replies

Scott Fella
Hall of Fame
Well, the reason might be an old encryption that is not supported. WEP??? You typically want to do 802.1X or WPA2-PSK.
-Scott
*** Please rate helpful posts ***

I agree with Scott.

WEP is incompatible with 802.11n and 802.11ac.

The AP's datasheet lists no WEP:

  Security:
   802.11i, Wi-Fi Protected Access 2 (WPA2), WPA
   802.1X

-> change to WPA2
