
problems with triple A and VLAN configuration on 150AX

PeterWan
Level 1

I have experienced a problem where a client is associated with an AP but is not shown in the client section, and the client could not get an internet connection. After checking the logs when the issue occurred, I found the following error messages:

 

*apfReceiveTask: May 15 01:20:33.780: %APF-5-CLIENT_RUN_STATE: apf_foreignap.c:2253 Client Associated: Assigning Ip Address: (172.16.0.111) to Client MAC: aa:aa:aa:aa:aa:aa

*Dot1x_NW_MsgTask_0: May 15 01:20:33.628: %APF-6-USER_NAME_CREATED: apf_ms.c:9007 Username entry (Abc) with length (253) created for mobile aa:aa:aa:aa:aa:aa

*Dot1x_NW_MsgTask_0: May 15 01:20:32.032: %DOT1X-3-CLIENT_NOT_FOUND: dot1x_msg_task.c:1847 Unable to process 802.1X 1 msg - client aa:aa:aa:aa:aa:aa not found

May 15 01:18:28.183: [ERROR] apf_policy.c 5215: Either Vlan Name id Template invalid or   no name to id mapping exist for interface '20'

*Dot1x_NW_MsgTask_0: May 15 01:18:27.191: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: bb:bb:bb:bb:bb:bb, Ip Address: (172.16.1.222), AP Name: MainAP, Radio: 5 GHz , WLAN Id: 2, Reason: 23.

*Dot1x_NW_MsgTask_0: May 15 01:18:27.191: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6729 Max EAP identity request retries (3) exceeded for client bb:bb:bb:bb:bb:bb

*apfReceiveTask: May 15 01:18:07.516: %APF-6-USER_NAME_DELETED: apf_ms.c:8809 Username entry (Abc) is deleted for mobile aa:aa:aa:aa:aa:aa 

*apfReceiveTask: May 15 01:17:57.488: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: aa:aa:aa:aa:aa:aa, Ip Address: (172.16.0.111), AP Name: ExtenderAP, Radio: 5 GHz , WLAN Id: 2, Reason: 2.

*apfReceiveTask: May 15 01:17:57.488: %APF-5-CLIENT_DISASSOCIATE: apf_80211.c:4340 Client Disassociated: Client MAC: aa:aa:aa:aa:aa:aa, Ip Address: (172.16.0.111), AP Name: ExtenderAP, Radio: 5 GHz , WLAN Id: 2, Reason: 1.

*Dot1x_NW_MsgTask_0: May 15 01:17:37.426: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: aa:aa:aa:aa:aa:aa, Ip Address: (172.16.0.111), AP Name: ExtenderAP, Radio: 5 GHz , WLAN Id: 2, Reason: 15.

*Dot1x_NW_MsgTask_0: May 15 01:17:37.425: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M3 retransmissions exceeded for client aa:aa:aa:aa:aa:aa

*hotspotTask: May 15 01:17:16.375: %APF-3-SITE_NULL_WLAN: apf_site_override.c:4120 Invalid value 0 for WLAN

*hotspotTask: May 15 01:17:14.334: %APF-3-SITE_NULL_WLAN: apf_site_override.c:4120 Invalid value 0 for WLAN

May 15 01:10:19.546: [ERROR] apf_policy.c 5215: Either Vlan Name id Template invalid or   no name to id mapping exist for interface '20'  

The client seems to be forcibly disconnected; however, re-enabling Wi-Fi on the device allows reconnection. Could someone help me troubleshoot and figure out the underlying issue? As the RADIUS server is working properly, is it a problem with the Cisco AP? This problem has not happened before this month. Rebooting the devices has not been tried.

Best, Peter
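
The following added example, which is not part of the original post, parses controller log lines in the format shown above, orders them oldest-first per client, and reports each deauthentication that directly follows an EAP or EAPOL retry-limit message. The sample lines are copied from the post, the reason-code meanings are the standard IEEE 802.11 ones, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# IEEE 802.11 reason codes that appear in the posted log
REASONS = {1: "unspecified", 2: "previous authentication no longer valid",
           15: "4-way handshake timeout", 23: "802.1X authentication failed"}

# Sample input: lines copied from the post above, newest first as posted
SAMPLE = """\
*Dot1x_NW_MsgTask_0: May 15 01:20:32.032: %DOT1X-3-CLIENT_NOT_FOUND: dot1x_msg_task.c:1847 Unable to process 802.1X 1 msg - client aa:aa:aa:aa:aa:aa not found
*Dot1x_NW_MsgTask_0: May 15 01:18:27.191: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: bb:bb:bb:bb:bb:bb, Ip Address: (172.16.1.222), AP Name: MainAP, Radio: 5 GHz , WLAN Id: 2, Reason: 23.
*Dot1x_NW_MsgTask_0: May 15 01:18:27.191: %DOT1X-4-MAX_EAP_RETRIES: 1x_auth_pae.c:6729 Max EAP identity request retries (3) exceeded for client bb:bb:bb:bb:bb:bb
*apfReceiveTask: May 15 01:17:57.488: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: aa:aa:aa:aa:aa:aa, Ip Address: (172.16.0.111), AP Name: ExtenderAP, Radio: 5 GHz , WLAN Id: 2, Reason: 2.
*Dot1x_NW_MsgTask_0: May 15 01:17:37.426: %APF-5-CLIENT_DEAUTHENTICATE: apf_80211.c:4071 Client Deauthenticated: Client MAC: aa:aa:aa:aa:aa:aa, Ip Address: (172.16.0.111), AP Name: ExtenderAP, Radio: 5 GHz , WLAN Id: 2, Reason: 15.
*Dot1x_NW_MsgTask_0: May 15 01:17:37.425: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:558 Max EAPOL-key M3 retransmissions exceeded for client aa:aa:aa:aa:aa:aa
"""

LINE = re.compile(r"(\w{3} +\d+ [\d:.]+): %\w+-\d-(\w+): (.*)")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
REASON = re.compile(r"Reason: (\d+)")
AP = re.compile(r"AP Name: (\w+)")

def parse(text):
    """Return events oldest-first; the log is listed newest-first."""
    events = []
    for m in filter(None, map(LINE.search, reversed(text.splitlines()))):
        ts, name, rest = m.groups()
        mac, reason, ap = MAC.search(rest), REASON.search(rest), AP.search(rest)
        events.append({"ts": ts, "event": name,
                       "mac": mac.group(0) if mac else None,
                       "reason": int(reason.group(1)) if reason else None,
                       "ap": ap.group(1) if ap else None})
    # Stable sort keeps the reversed order for equal timestamps (single-day log assumed)
    return sorted(events, key=lambda e: e["ts"])

def auth_failures(events):
    """Deauths that directly follow an EAP/EAPOL retry-limit message for the same client."""
    per_client = defaultdict(list)
    for e in events:
        if e["mac"]:
            per_client[e["mac"]].append(e)
    hits = []
    for mac, evs in per_client.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["event"].startswith("MAX_EAP") and cur["event"] == "CLIENT_DEAUTHENTICATE":
                hits.append((mac, cur["ap"], prev["event"], cur["reason"],
                             REASONS.get(cur["reason"], "other")))
    return hits
```

Calling `auth_failures(parse(SAMPLE))` pairs each retry-limit message with the deauthentication it caused, which separates handshake timeouts (reason 15) from 802.1X failures (reason 23) when reading a long log.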

9 Replies

pieterh
VIP

The first thing to check is whether VLAN 20 exists on the switch port connected to the AP.

Hi, it's configured as a trunk port (General) that accepts all configured VLANs; both APs have no problem connecting to the VLANs. The AP has a phantom WLAN with VLAN 20 to allow AAA to assign VLAN 20. (I did not find any way to add a VLAN to the CSB AP.) This problem only exists when the phone changes AP (roaming). (We have only 2 APs.) We can confirm that it works fine and the connection was initiated to each AP. (This roaming issue happens to all users with different assigned VLAN IDs.) I hope this helps further diagnosis. Thanks!

balaji.bandi
Hall of Fame

What kind of clients? Is this issue with all the clients?

If this is a mobile device, try disabling random MAC and test it.

BB


Hi,

I have tried disabling random MAC address on my WLAN. I will try disabling optimized roaming again, but it didn't help last time I tried. The RADIUS server works fine as well. I will try to access its log later anyway. The quickest way to resolve it is re-enabling Wi-Fi on the mobile device.

Best regards,
Peter Wan

pieterh
VIP

Are the access points stand-alone or is there some controller involved (physical/virtual/EWC)?
If stand-alone, then this is expected behavior.
When authenticated on AP1 and roaming to AP2, the device must do a full authentication again.
The client thinks it is already authenticated, but AP2 knows nothing about the authentication from AP1.
This can only be resolved by some form of central authentication, as happens by using a WLC.

When using EWC, one AP may be disconnected from the master, believing itself to be the master.

Hi,

It's not accepted to use a physical WLC in the SMB product line. Both APs are 150AX, primary capable, and are also running an on-board controller to control other APs. From what I can tell, I did not enable optimized roaming on the 5 GHz channel, where the problem occurred on my phone. It's connected to VLAN 1 instead of 20. The MAC address rolling was disabled a long time ago. I have now disabled the RF optimization to see if it helps. As for the roaming issue, it's pretty random, honestly speaking. Many devices roam every day, but not every device has the same issue. I will look into the possibility of the issue being related to roaming between the self-configured 5 GHz channels for the APs.

Btw, no luck with accessing the log in FreeRADIUS; it is empty somehow. UniFi did not give me too much transparency on that.

Thanks,

Peter

pieterh
VIP

>>> Both APs are 150AX, primary capable, and is also running a on board controller to control other AP. from I can tell, <<<
Please check if this is functioning correctly -> one AP is running as primary, the other AP is registered to this primary.

Please check the max session duration on both the controller and the authentication server, and also check the DHCP lease time.
If there is a mismatch in these timers, that may contribute to your problem.
DHCP lease time must be shorter than session duration.
This setting(s) may differ per WLAN?
 

>>> this problem have not happened before this month <<<
How long has this functioned without problems before this?
Did the mobile phone receive an update?

Hi,

So I did extensive checking with the system. The system identified AP1 as primary AP, while AP2 is the preferred primary. There is no way to see which AP they are registered under, AFAIK. Right now, I have changed the preferred settings and the meshing role. The problem seems to be resolved. Further monitoring is still ongoing.

Best,
Peter

pieterh
VIP

Can you find the screen below in the Cisco Business Wireless app? The asterisk indicates the current primary AP.
https://www.cisco.com/c/en/us/support/docs/smb/wireless/CB-Wireless-Mesh/2084-Get-familiar-with-Cisco-Business-Mobile-App.html 
4. Devices tab allows you to view details of devices connected to your wireless network.

[Image: pieterh_1-1752046149023.png]