
Cisco 3504 WLC LDAP Integration issue

sridhar.rs
Level 1

Hi,

Recently we integrated a Cisco 3504 WLC with an AD server running on Windows Server for Wi-Fi services. The AD server was integrated successfully, and client machines get an authentication prompt to enter AD credentials after clicking on the SSID. But after entering the Windows credentials, it re-prompts for the same authentication. Please help with this request. As per the logs, the WLC is sending requests to the LDAP DB.

 

1. Configured L2 Security with Local EAP- PEAP


balaji.bandi
Hall of Fame

Not sure what the logs show on both the WLC and the AD server.

It is worth looking at the documents below to verify the config and troubleshoot:

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

https://networklessons.com/uncategorized/peap-and-eap-tls-on-server-2008-and-cisco-wlc


BB


I have followed the shared Cisco document, but am still getting the issue. I am getting these logs from a specific system debug. Can you please help with where the issue is?

 

 

(Cisco Controller) >*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.174: e8:6f:38:b4:2f:a7 Received EAPOL START from mobile in dot1x state = 3
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.174: e8:6f:38:b4:2f:a7 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 Received EAPOL EAPPKT from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 Received Identity Response (count=1) from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 Resetting reauth count 1 to 0 for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 EAP State update from Connecting to Authenticating for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.231: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 Processing Access-Challenge for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 Entering Backend Auth Req state (id=52) for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 Sending EAP Request from AAA to mobile e8:6f:38:b4:2f:a7 (EAP Id 52)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 Reusing allocated memory for EAP Pkt for retransmission to mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.243: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 Received EAPOL EAPPKT from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 Received EAP Response from mobile e8:6f:38:b4:2f:a7 (EAP Id 52, EAP Type 25)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 Resetting reauth count 0 to 0 for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.247: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 Processing Access-Challenge for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 Entering Backend Auth Req state (id=53) for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 Sending EAP Request from AAA to mobile e8:6f:38:b4:2f:a7 (EAP Id 53)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 Reusing allocated memory for EAP Pkt for retransmission to mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.248: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Received EAPOL EAPPKT from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Received EAP Response from mobile e8:6f:38:b4:2f:a7 (EAP Id 53, EAP Type 25)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Resetting reauth count 0 to 0 for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Processing Access-Challenge for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Entering Backend Auth Req state (id=54) for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Sending EAP Request from AAA to mobile e8:6f:38:b4:2f:a7 (EAP Id 54)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Reusing allocated memory for EAP Pkt for retransmission to mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Received EAPOL EAPPKT from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Received EAP Response from mobile e8:6f:38:b4:2f:a7 (EAP Id 54, EAP Type 25)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Resetting reauth count 0 to 0 for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Received EAPOL START from mobile in dot1x state = 3
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Received EAPOL START from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 dot1x - moving mobile e8:6f:38:b4:2f:a7 into Aborting state
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Client authentication has been aborted, clean up backend states.
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 dot1x - moving mobile e8:6f:38:b4:2f:a7 into Connecting state
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Sending EAP-Request/Identity to mobile e8:6f:38:b4:2f:a7 (EAP Id 56)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 Received EAPOL EAPPKT from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 Received Identity Response (count=1) from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 Resetting reauth count 1 to 0 for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 EAP State update from Connecting to Authenticating for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 dot1x - moving mobile e8:6f:38:b4:2f:a7 into Authenticating state
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.349: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.351: e8:6f:38:b4:2f:a7 Processing Access-Challenge for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.351: e8:6f:38:b4:2f:a7 reauth_sm state transition 0 ---> 0 for mobile e8:6f:38:b4:2f:a7 at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.351: e8:6f:38:b4:2f:a7 Entering Backend Auth Req state (id=57) for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.351: e8:6f:38:b4:2f:a
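
An added example (not part of the original thread, and not Cisco tooling): a small Python triage of the dot1x debug output above that flags every EAP Response which received no backend reply before the client restarted with EAPOL START. The sample lines are excerpted from the post; the placeholder year and the rule that any line starting with "Processing Access-" counts as a backend reply are assumptions of this example.

```python
import re
from datetime import datetime

# Excerpt of the WLC dot1x debug posted above (lines copied from the post).
SAMPLE = """\
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Received EAP Response from mobile e8:6f:38:b4:2f:a7 (EAP Id 53, EAP Type 25)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.254: e8:6f:38:b4:2f:a7 Processing Access-Challenge for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Received EAP Response from mobile e8:6f:38:b4:2f:a7 (EAP Id 54, EAP Type 25)
*Dot1x_NW_MsgTask_7: Jan 08 14:36:48.269: e8:6f:38:b4:2f:a7 Entering Backend Auth Response state for mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Received EAPOL START from mobile in dot1x state = 3
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Received EAPOL START from mobile e8:6f:38:b4:2f:a7
*Dot1x_NW_MsgTask_7: Jan 08 14:36:53.273: e8:6f:38:b4:2f:a7 Client authentication has been aborted, clean up backend states.
"""

LINE = re.compile(
    r"^\*Dot1x_NW_MsgTask_\d+: (\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"([0-9a-f:]{17}) (.*)$"
)
RESP = re.compile(r"Received EAP Response .*\(EAP Id (\d+), EAP Type (\d+)\)")


def parse_ts(text, year=2000):
    # The debug carries no year; 2000 is an arbitrary placeholder for arithmetic.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S.%f")


def find_stalls(log):
    """Return (mac, eap_id, eap_type, seconds_waited) for each EAP Response
    that saw no backend reply before the client sent EAPOL START."""
    pending, stalls = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # truncated or unrelated line
        ts, mac, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        r = RESP.search(msg)
        if r:  # client answered; the backend now owes a reply
            pending[mac] = (ts, int(r.group(1)), int(r.group(2)))
        elif msg.startswith("Processing Access-"):  # assumed reply marker
            pending.pop(mac, None)
        elif msg.startswith("Received EAPOL START") and mac in pending:
            sent, eap_id, eap_type = pending.pop(mac)
            waited = round((ts - sent).total_seconds(), 3)
            stalls.append((mac, eap_id, eap_type, waited))
    return stalls


if __name__ == "__main__":
    for mac, eap_id, eap_type, waited in find_stalls(SAMPLE):
        print(f"{mac}: EAP Id {eap_id} (type {eap_type}) unanswered for {waited}s")
```

On the excerpt it reports EAP Id 54 (EAP type 25 is PEAP) as unanswered for about five seconds before the client restarts, which is where the repeated prompt described in the question begins.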

 

Scott Fella
Hall of Fame

Have you looked at trying to implement a RADIUS server? This gives you much more flexibility with rules and to me is much easier than LDAP. Depending on what Windows Server version you have, you might be able to spin up the NPS service and run RADIUS with that. There are other RADIUS servers that cost money or are open source, but I'm not familiar with the open source RADIUS.

I would follow the link BB posted and verify everything is correct. Keep in mind that there are only specific EAP types that are supported in the integration, which is documented in the link itself.

-Scott