Solved: AP1702 as WGB with eap-tls gets excluded by wlc

snoc · ‎06-07-2019

Good morning!

I have an issue with a AP1702i configured as wgb. We use ISE for the authentication of our clients (with EAP-TLS).

The wgb is supposed to connect as client to another lightweight AP. Since the authentication is not even forwarded to the ISE by the WLC, I skiped the certifcate stuff from the config. The AP fails to connect untill it is excluded by the wlc.

AP config:

hostname AP-WGB
!
no aaa new-model
no ip source-route
no ip cef
ip domain name <domain>
ip name-server <DNS-server>
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid <my-ssid>
authentication network-eap eap-methods
authentication key-management wpa version 2
dot1x credentials EAP-TLS
dot1x eap profile EAP-TLS
!
eap profile EAP-TLS
method tls

!

dot1x credentials EAP-TLS
username AP-WGB
pki-trustpoint AP-WGB

!

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid <my-ssid>
!
antenna gain 0
stbc
station-role workgroup-bridge
bridge-group 1
bridge-group 1 spanning-disabled

-------------------------------

On the WLC I see the following messages, wich are very confusing, since I have not set anything about web-auth...

debug client output:

*apfMsConnTask_3: Jun 07 08:43:32.066: 70:7d:b9:69:9a:e8 0.0.0.0 START (0) Web-auth is not supported for WGB, drop the association request!
*apfMsConnTask_3: Jun 07 08:43:32.066: 70:7d:b9:69:9a:e8 Scheduling deletion of Mobile Station: (callerId: 22) in 3 seconds
*osapiBsnTimer: Jun 07 08:43:35.025: 70:7d:b9:69:9a:e8 apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
*apfReceiveTask: Jun 07 08:43:35.025: 70:7d:b9:69:9a:e8 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jun 07 08:43:35.025: 70:7d:b9:69:9a:e8 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [58:bf:ea:24:c2:00]
*apfReceiveTask: Jun 07 08:43:35.025: 70:7d:b9:69:9a:e8 Deleting mobile on AP 58:bf:ea:24:c2:00(0)
*apfMsConnTask_2: Jun 07 08:43:37.060: 70:7d:b9:69:9a:e8 Processing assoc-req station:70:7d:b9:69:9a:e8 AP:58:bf:ea:0f:78:e0-00 thread:15117bd0
*apfMsConnTask_2: Jun 07 08:43:37.061: 70:7d:b9:69:9a:e8 Adding mobile on LWAPP AP 58:bf:ea:0f:78:e0(0)
*apfMsConnTask_2: Jun 07 08:43:37.061: 70:7d:b9:69:9a:e8 Association received from mobile on BSSID 58:bf:ea:0f:78:f4 AP AP-06-04-01
*apfMsConnTask_2: Jun 07 08:43:37.061: 70:7d:b9:69:9a:e8 Global 200 Clients are allowed to AP radio

-------------------

AP SW:

ap3g2-k9w7-xx.153-3.JI4

WLC:

8.0.121.0

Google could find a discussion here, but it is not avilable anymore...

Any ideas are highly appreciated!

best regards

Matt

snoc · ‎06-20-2019

I had a talk with TAC, under the advanced tab of the wlan, I had the "NAC state" set to "radius nac"... after setting it to "none" it is working perfectly.

View solution in original post

superego · ‎06-07-2019

Did this work before or new?

Is Aironet IE enabled on the WLAN? If not, try enabling it and test.

Make sure AP has NTP config and clock is right.

Reference for config and troubleshoot:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100864-wgb-eap-tls-cuwn.html

snoc · ‎06-17-2019

Aironet IE is enabled.

ntp is configured, but since there was no propper connection established, I set the time manually.

Thanks for the link, I will work through it tomorrow.

Scott Fella · ‎06-08-2019

Matt,

Here is a guide for EAP-TLS and WGB. Hope this helps:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100864-wgb-eap-tls-cuwn.html

-Scott
*** Please rate helpful posts ***

snoc · ‎06-20-2019

I had a talk with TAC, under the advanced tab of the wlan, I had the "NAC state" set to "radius nac"... after setting it to "none" it is working perfectly.