8021x_reqd Problem in WLC 5520 (8.2 code)

Arie --
Level 1

Hi,

I've found an interesting issue when a client tries to connect to the wireless system.

Here are the devices:

  • Cisco WLC 5520 running 8.2 code
  • AP 3802I
  • Laptop as a client (f4:8c:50:2b:c6:2c)

The SSID A is configured as below:

  • Flexconnect local switching, centralized auth
  • FT Support enable, over the DS
  • Re-association timeout in FT = 20 sec
  • WPA2, AES
  • 802.1X, CCKM, FT802.1x
  • AAA override
  • Session timeout= 36000 sec
  • Client exclusion= 330
  • NAC State= ISE NAC
  • optional MFP Client protection

EAP Advanced parameter:

  • EAP-Identity-Request Timeout (seconds)........... 30
  • EAP-Identity-Request Max Retries................. 20
  • EAP Key-Index for Dynamic WEP.................... 0
  • EAP Max-Login Ignore Identity Response........... enable
  • EAP-Request Timeout (seconds).................... 30
  • EAP-Request Max Retries.......................... 2
  • EAPOL-Key Timeout (milliseconds)................. 1000
  • EAPOL-Key Max Retries............................ 4
  • EAP-Broadcast Key Interval....................... 86400

The problem is, the client can't be in the RUN state and is always stuck with 8021x_REQD.

I have done the debug client and debug AAA events, and I found this:

  • The client is associated: apfProcessAssocReq (apf_80211.c:10507) Changing state for mobile f4:8c:50:2b:c6:2c on AP 2c:5a:0f:3b:9d:20 from Associated to Associated
  • There is access-challenge: Access-Challenge received from RADIUS server 10.24.134.187 (qid:12) with port:1812, pktId:23 for mobile f4:8c:50:2b:c6:2c receiveId = 6
  • There are several access-challenge packets till access-accept: Access-Accept received from RADIUS server 10.24.134.187 (qid:12) with port:1812, pktId:31 for mobile f4:8c:50:2b:c6:2c receiveId = 6
  • Username is inputted, EAP Success: Sending EAP-Success to mobile f4:8c:50:2b:c6:2c (EAP Id 237)
  • Mobile in authenticated state: dot1x - moving mobile f4:8c:50:2b:c6:2c into Authenticated state
  • L2AUTH Complete:
    Mobility query, PEM State: L2AUTHCOMPLETE
    Building Mobile Announce :
    Building Client Payload:
    Client Ip: 10.21.244.177
    Client Vlan Ip: 10.23.41.100, Vlan mask : 255.255.255.0
    Client Vap Security: 278592
    Virtual Ip: 1.1.1.1
    ssid: Test
    Building VlanIpPayload.
  • Until the client has received the RUN State:
    10.21.244.177 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
    10.21.244.177 RUN (20) Reached PLUMBFASTPATH: from line 6760
    10.21.244.177 RUN (20) Change state to RUN (20) last state RUN (20)
    10.21.244.177 RUN (20) mobility role update request from Unassociated to Local
    10.21.244.177 RUN (20) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    10.21.244.177 RUN (20) Reached PLUMBFASTPATH: from line 6324
  • Let's say the RUN state occurred at 18:20:09.668
  • And suddenly at 18:20:09.673, the client is DELETED: f4:8c:50:2b:c6:2c Received DELETE mobile, reason MN_AP_AUTH_STOP, from AP 2c:5a:0f:3b:9d:20, slot 1 ...cleaning up mscb
    f4:8c:50:2b:c6:2c apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 15, reasonCode 1
    f4:8c:50:2b:c6:2c Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
    f4:8c:50:2b:c6:2c Processing assoc-req station:f4:8c:50:2b:c6:2c AP:2c:5a:0f:3b:9d:20-01 thread:18d026e8
    f4:8c:50:2b:c6:2c Processing assoc-req station:f4:8c:50:2b:c6:2c AP:2c:5a:0f:3b:9d:20-01 thread:18d026e8
    f4:8c:50:2b:c6:2c Ignoring 802.11 assoc request from mobile pending deletion
    f4:8c:50:2b:c6:2c Sending assoc-resp with status 12 station:f4:8c:50:2b:c6:2c AP:2c:5a:0f:3b:9d:20-01 on apVapId 1
    f4:8c:50:2b:c6:2c Sending assoc-resp with status 12 station:f4:8c:50:2b:c6:2c AP:2c:5a:0f:3b:9d:20-01 on apVapId 1
    f4:8c:50:2b:c6:2c VHT Operation IE: width 20/0 ch 161 freq0 0 freq1 0 msc0 0x3f msc1 0x3f
    f4:8c:50:2b:c6:2c Sending Assoc Response to station on BSSID 2c:5a:0f:3b:9d:2f (status Assoc denied unspecified) ApVapId 1 Slot 1
    f4:8c:50:2b:c6:2c apfMsExpireCallback (apf_ms.c:638) Expiring Mobile!
    f4:8c:50:2b:c6:2c apfMsExpireMobileStation (apf_ms.c:7394) Changing state for mobile f4:8c:50:2b:c6:2c on AP 2c:5a:0f:3b:9d:20 from Associated to Disassociated
    f4:8c:50:2b:c6:2c apfMsExpireMobileStation (apf_ms.c:7394) Changing state for mobile f4:8c:50:2b:c6:2c on AP 2c:5a:0f:3b:9d:20 from Associated to Disassociated
    f4:8c:50:2b:c6:2c apfSendDisAssocMsgDebug (apf_80211.c:3459) Changing state for mobile f4:8c:50:2b:c6:2c on AP 2c:5a:0f:3b:9d:20 from Disassociated to Disassociated
    f4:8c:50:2b:c6:2c apfSendDisAssocMsgDebug (apf_80211.c:3459) Changing state for mobile f4:8c:50:2b:c6:2c on AP 2c:5a:0f:3b:9d:20 from Disassociated to Disassociated
    f4:8c:50:2b:c6:2c Sent Disassociate to mobile on AP 2c:5a:0f:3b:9d:20-1 (reason 1, caller apf_ms.c:7490)
    f4:8c:50:2b:c6:2c Sent Deauthenticate to mobile on BSSID 2c:5a:0f:3b:9d:2f slot 1(caller apf_ms.c:7492)
    f4:8c:50:2b:c6:2c Resetting MSCB PMK Cache Entry 0 for station f4:8c:50:2b:c6:2c
    f4:8c:50:2b:c6:2c Resetting MSCB PMK Cache Entry 0 for station f4:8c:50:2b:c6:2c
    f4:8c:50:2b:c6:2c Removing BSSID 2c:5a:0f:3b:9d:2f from PMKID cache of station f4:8c:50:2b:c6:2c
    f4:8c:50:2b:c6:2c Removing BSSID 2c:5a:0f:3b:9d:2f from PMKID cache of station f4:8c:50:2b:c6:2c

The RADIUS-NAC is using Cisco ISE, but I don't have the details about the version and configuration.

Do you think the problem is in the Cisco ISE during user profiling? Or in the WLC? Or the client device?

Any comments and answers are appreciated!

Thank you,

Arie
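
One way to find the RUN-then-DELETE sequence described in the post across a longer `debug client` capture, as an added example that is not part of the original thread. The `*task: Mon DD HH:MM:SS.mmm:` line prefix, the task names and the date in the sample are constructed assumptions; the message text comes from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: message text is from the post; the "*task: Mon DD
# HH:MM:SS.mmm:" prefix, the task names and the date are assumptions.
SAMPLE = """\
*Dot1x_NW_MsgTask_4: Jan 01 18:20:09.601: f4:8c:50:2b:c6:2c dot1x - moving mobile f4:8c:50:2b:c6:2c into Authenticated state
*Dot1x_NW_MsgTask_4: Jan 01 18:20:09.668: f4:8c:50:2b:c6:2c 10.21.244.177 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_4: Jan 01 18:20:09.669: f4:8c:50:2b:c6:2c 10.21.244.177 RUN (20) Change state to RUN (20) last state RUN (20)
*spamApTask2: Jan 01 18:20:09.673: f4:8c:50:2b:c6:2c Received DELETE mobile, reason MN_AP_AUTH_STOP, from AP 2c:5a:0f:3b:9d:20, slot 1 ...cleaning up mscb
*apfMsConnTask_2: Jan 01 18:20:09.674: f4:8c:50:2b:c6:2c Sending assoc-resp with status 12 station:f4:8c:50:2b:c6:2c AP:2c:5a:0f:3b:9d:20-01 on apVapId 1
"""

LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
RUN = re.compile(r"Change state to RUN \(20\) last state (\w+)")
DELETE = re.compile(r"Received DELETE mobile, reason (\w+), from AP ([0-9a-f:]+)")


def find_run_flaps(text, window_ms=1000):
    """Return (mac, reason, ap, gap_ms) for every client that the AP asks to
    delete within window_ms of first entering the RUN policy state."""
    last_run = {}  # client MAC -> time it moved into RUN from another state
    flaps = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-client debug line
        # The capture carries no year; pin one so parsing is unambiguous.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        mac, msg = m["mac"], m["msg"]
        run = RUN.search(msg)
        if run and run.group(1) != "RUN":  # ignore RUN -> RUN refreshes
            last_run[mac] = ts
            continue
        dele = DELETE.search(msg)
        if dele and mac in last_run:
            gap = (ts - last_run.pop(mac)) // timedelta(milliseconds=1)
            if gap <= window_ms:
                flaps.append((mac, dele.group(1), dele.group(2), gap))
    return flaps


if __name__ == "__main__":
    for mac, reason, ap, gap in find_run_flaps(SAMPLE):
        print(f"{mac}: deleted {gap} ms after RUN, reason {reason}, AP {ap}")
```
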

4 Replies

patoberli
VIP Alumni

Which version of 8.2? There were a LOT of issues fixed in the last three releases in combination with 3802 APs. Also, if the client contains an Intel Wi-Fi adapter which is 802.11ac capable, upgrade the driver to 19.40 or newer, as they also contain many bug fixes with 802.11ac Wave2 APs (like the 3802).

Hi,

The version is 8.2.131.40 and backup version is 8.1.102.0.

Yeah, I think the client adapter is an Intel Wi-Fi adapter, since I looked at Cisco PI.

Do you have a useful link that contains information on the Intel driver to support 802.11ac W2 APs?

Thank you

Arie

It seems you currently run an interim (beta) version on the controller. Because of this, I suggest you upgrade to 8.2.151.0 (unless the bug isn't fixed in 8.2.141.0 and 8.2.151.0, because of which you installed 8.2.131.40). Release notes:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn82mr5.html

It does have various fixes for the x8xx AP series. Also, your beta release might contain other bugs, introduced in the beta.

You might find some information in the two following bugs: CSCvb26086 (for the 8260-AC) or CSCva52991 (for the 7265-AC). Both issues are fixed with a combination of 8.2.151.0 and Intel driver package 19.40 or newer.

Hi,

Thank you for your information. Very helpful.

Regards,

Arie
