Cisco WLC 5508 WLAN SSID 802.1x

Walter Astori

Hi, I have a Cisco 5508 WLC (8.3.150 release) with 25 WLAN SSIDs configured and 352 Access Points. In particular, there is a WLAN SSID configured with Layer 2 Security set to 802.1x (WEP). These 352 Access Points are installed in several locations, and the locations communicate with each other over MPLS. The WLAN SSID configured as 802.1x communicates with Windows 2012 R2 NPS. This WLAN SSID is enabled on all 352 access points and works fine on 350 of them; on 2 access points it doesn't work. In one location there are two AIR-CAP1702I-E-K9 access points that broadcast the WLAN SSID, but when the Windows 10 clients try to connect, they answer with "Can't connect the client". On the WLC the Policy Manager State associated with the clients is DHCP_REQ. If I change the WLAN SSID to WPA, WPA2 or WEP, it works in this location. It seems that the DHCP request from the AP is never seen by the WLC. Here are some rows from the debug on a MAC address in this location:

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:c1:64:XX:XX:XX vapId 1 apVapId 1for this client

After some rows:

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

The debug ends with:

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB

To troubleshoot the same scenario, I have configured the WLAN SSID only for that location and only for those 2 access points with WPA+WPA2 only, without 802.1x, and it works. Here are the same rows of the debug:

*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:6c:bc:c2:d0:40 vapId 1 apVapId 1for this client

*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] f0:d5:bf:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

The WLC Policy Manager State at the end of this step is RUN

My opinion is that there is communication between NPS and WLC with some errors, but I haven't found them since I started with this issue. Other counters:

Authentication Servers:

Server Index..................................... 1

Server Address................................... XX.XX.XX.XXX

Msg Round Trip Time.............................. 2 (msec)

First Requests................................... 2389308

Retry Requests................................... 36742

Accept Responses................................. 365911

Reject Responses................................. 32449

Challenge Responses.............................. 1981628

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 2

Pending Requests................................. 2

Timeout Requests................................. 42987

Consecutive Drops ............................... 0

Unknowntype Msgs................................. 0

Other Drops...................................... 72

 

Server Index..................................... 2

Server Address................................... XX.XX.XX.XXX

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 1195

Retry Requests................................... 139

Accept Responses................................. 0

Reject Responses................................. 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 253

Consecutive Drops ............................... 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

 

 

Server Index..................................... 3

Server Address................................... XX.XX.XX.XX

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 1828

Retry Requests................................... 1746

Accept Responses................................. 0

Reject Responses................................. 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 2587

Consecutive Drops ............................... 5

Unknowntype Msgs................................. 0

Other Drops...................................... 0

show wlan ssid :

 

WLAN Identifier.................................. 1
Profile Name..................................... XXXXXXXXXXXXXXXXXXX
Network Name (SSID).............................. XXXXXXXXXXXXXXXXXXXXXX
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
ATF Policy....................................... 0
Number of Active Clients......................... 935
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured

PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... AP
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled

--More-- or (q)uit
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 2
DTIM period for 802.11b radio.................... 2
Radius Servers
Authentication................................ 10.39.1.201 1645 *
Authentication................................ 10.39.1.203 1645 *
Accounting.................................... 10.39.1.201 1646 *
Accounting.................................... 10.39.1.203 1646 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Enabled
Encryption:..................................... 104-bit WEP
802.1X on MAC Auth failure:..................... Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled

flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Disabled
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Enabled
EAP-Identity-Request Timeout (seconds)..... 40
EAP-Identity-Request Max Retries........... 2
EAP-Request Timeout (seconds).............. 30
EAP-Request Max Retries.................... 2
EAPOL-Key Timeout (milliseconds)........... 1000
EAPOL-Key Max Retries...................... 2
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flex Avc Profile Name............................ None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled

--More-- or (q)uit
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Selective Reanchoring Status..................... Disable

The DHCP on the WLC is configured globally on the management interface.

The show arp stats command output:

ARP counts:

Max number of entries...............7724

ARP switchdriver entries............2459

Max kernel ARP cache entries........8024

ARP kernel entries..................148

ARP statistics:

Dup Additions       947686

Bad Additions            0

Bad Deletions            0

ARP statistics for Passive client Arp:

Total Arp Packets received               0

Total Arp Packets Forwarded              0

Arp Breached upper limit packets/sec             0

 


Hi

If your client can't connect using RADIUS but it can using PSK, then there's a communication problem between clients and RADIUS.

In 802.1x authentication, you need to fully authenticate before you get an IP address. "...If I change the WLAN SSID in WPA, WPA2 or WEP it works on this location. It seems that the DHCP request from AP never seen by WLC."

That's why clients remain in DHCP_REQUEST: because they are not authenticated. When you change to WPA and rip the RADIUS off, they are able to authenticate and get an IP address.

It is difficult to say where the problem is exactly, but it is related to client and NPS communication/configuration.

 

-If I helped you somehow, please, rate it as useful.-
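
Added example (not part of any post in this thread, and not Cisco code): a small Python parser for WLC client debug output in the format quoted on this page. It reports, per client MAC, the policy manager state transitions, the RADIUS outcome and whether RC4 (dynamic WEP) keys were pushed, so a client left in DHCP_REQD after an Access-Accept can be told apart from one that never finished 802.1X. The sample lines, the 02:00:00:aa:bb:* MAC addresses and all function and field names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the WLC debug lines quoted in this thread.
# The MAC addresses, the 192.0.2.23 lease and the RUN transition are made up.
SAMPLE_DEBUG = """\
*dot1xSocketTask: Sep 06 16:42:31.615: [PA] 1x: frame too short (dataLen 82) - min size 7374
*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 02:00:00:aa:bb:01 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 02:00:00:aa:bb:01 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 02:00:00:aa:bb:01 Processing Access-Challenge for mobile 02:00:00:aa:bb:01
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 02:00:00:aa:bb:01 Processing Access-Challenge for mobile 02:00:00:aa:bb:01
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 02:00:00:aa:bb:01 Processing Access-Accept for mobile 02:00:00:aa:bb:01
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 02:00:00:aa:bb:01 Sending EAP-Success to mobile 02:00:00:aa:bb:01 (EAP Id 7)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 02:00:00:aa:bb:01 Sending default RC4 key to mobile 02:00:00:aa:bb:01
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 02:00:00:aa:bb:01 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 02:00:00:aa:bb:01 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 02:00:00:aa:bb:01 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
*Dot1x_NW_MsgTask_4: Sep 12 14:10:12.491: [PA] 02:00:00:aa:bb:02 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*DHCP Socket Task: Sep 12 14:10:13.102: [PA] 02:00:00:aa:bb:02 192.0.2.23 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
"""

# "*task: Mon DD HH:MM:SS.mmm: [PA] <client MAC> <message>".
# Masked octets (XX / YY) as posted in the thread are accepted as well, and the
# space after the MAC is optional because one quoted line has it missing.
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?:\[PA\] )?"
    r"(?P<mac>(?:[0-9A-Fa-fXY]{2}:){5}[0-9A-Fa-fXY]{2}) ?(?P<msg>.*)$"
)
# "<client IP> <STATE> (<n>) ..." at the start of a policy manager message.
STATE_PREFIX = re.compile(r"^\d+\.\d+\.\d+\.\d+ (?P<state>[A-Z0-9_]+) \(\d+\)")
TRANSITION = re.compile(
    r"Change state to (?P<new>[A-Z0-9_]+) \(\d+\) last state (?P<old>[A-Z0-9_]+) \(\d+\)"
)
RADIUS = re.compile(r"Processing Access-(?P<kind>\w+) for mobile")


@dataclass
class ClientSummary:
    transitions: List[Tuple[str, str]] = field(default_factory=list)  # (old, new)
    final_state: Optional[str] = None
    challenges: int = 0
    radius_result: Optional[str] = None  # last non-Challenge RADIUS answer seen
    eap_success: bool = False
    rc4_key_sent: bool = False  # dynamic WEP keys pushed after 802.1X

    def verdict(self) -> str:
        if self.final_state == "RUN":
            return "connected: policy manager reached RUN"
        if self.final_state == "DHCP_REQD":
            if self.radius_result == "Accept":
                return "802.1X completed (Access-Accept); waiting on DHCP / IP learning"
            return "no RADIUS exchange in this capture; waiting on DHCP / IP learning"
        # "Reject" wording is assumed by analogy with the Accept/Challenge lines.
        if self.radius_result == "Reject":
            return "RADIUS rejected the client"
        return f"stopped in {self.final_state or 'an unknown state'}"


def summarize(debug_text: str) -> Dict[str, ClientSummary]:
    """Group debug lines by client MAC and track how far each client got."""
    clients: Dict[str, ClientSummary] = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and lines without a client MAC
        c = clients.setdefault(m["mac"].lower(), ClientSummary())
        msg = m["msg"]
        prefix = STATE_PREFIX.match(msg)
        if prefix:
            c.final_state = prefix["state"]
        change = TRANSITION.search(msg)
        if change:
            c.transitions.append((change["old"], change["new"]))
            c.final_state = change["new"]
        radius = RADIUS.search(msg)
        if radius:
            if radius["kind"] == "Challenge":
                c.challenges += 1
            else:
                c.radius_result = radius["kind"]
        if "Sending EAP-Success" in msg:
            c.eap_success = True
        if "RC4 key to mobile" in msg:
            c.rc4_key_sent = True
    return clients


if __name__ == "__main__":
    for mac, summary in summarize(SAMPLE_DEBUG).items():
        path = " -> ".join([t[0] for t in summary.transitions[:1]] +
                           [t[1] for t in summary.transitions])
        print(f"{mac}: {path}")
        print(f"  RADIUS: {summary.challenges} challenge(s), result={summary.radius_result}, "
              f"EAP-Success={summary.eap_success}, RC4 keys={summary.rc4_key_sent}")
        print(f"  verdict: {summary.verdict()}")
```
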

Hi, here is the complete debug made on the WLC with debug MAC .... . This is the reply to your help on my post "Cisco WLC 5508 WLAN SSID 802.1x". Thank you in advance for your help.

68:ec:c5:XX:XX:XX = MAC ADDRESS CLIENT

00:c1:64:XX:XX:XX = BSSID MAC ADDRESS

00:C1:64:YY:YY:YY = MAC ADDRESS Base Radio of AP

(ITSSG-X-WLC0003) >debug mac addr 68:ec:c5:XX:XX:XX

(ITSSG-X-WLC0003) >*dot1xSocketTask: Sep 06 16:42:31.615: [PA] 1x: frame too short (dataLen 82) - min size 7374

*apfOpenDtlSocket: Sep 06 16:43:07.716: [PA] 68:ec:c5:XX:XX:XX Recevied management frame ASSOCIATION REQUEST on BSSID 00:c1:64:XX:XX:XX destination addr 00:c1:64:XX:XX:XX

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Station: 68:ec:c5:XX:XX:XX 11v BSS Transition not enabled on the AP 00:C1:64:YY:YY:YY

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Association received from mobile on BSSID 00:c1:64:XX:XX:XX AP ITVNT-LAP2

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Station: 68:ec:c5:XX:XX:XX 11v BSS Transition not enabled on the AP 00:C1:64:YY:YY:YY

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Global 200 Clients are allowed to AP radio

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Max Client Trap Threshold: 0 cur: 7

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX override for default ap group, marking intgrp NULL

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX In processSsidIE:6609 setting Central switched to FALSE

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Set Clinet MSCB as Central Association Disabled

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying site-specific Local Bridging override for station 68:ec:c5:XX:XX:XX - vapId 1, site 'Vignate', interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying Local Bridging Interface Policy for station 68:ec:c5:XX:XX:XX - vlan 202, interface id 0, interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX override from ap group, removing intf group from mscb

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying site-specific override for station 68:ec:c5:XX:XX:XX - vapId 1, site 'Vignate', interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying Interface(management) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 7

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Not re-applying interface policy for local switching Client

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2922)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2942)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2963)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Setting the NAS Id to AP group specific Id 'ITSSG-X-WLC0003'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Set Clinet AP specific apfMsAccessVlan = 7

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX This apfMsAccessVlan may be changed later from AAA after L2 Auth

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Cleared localSwitchingVlan, may be assigned later based on AAA override

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX processSsidIE statusCode is 0 and status is 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX processSsidIE ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX AID 5 in Assoc Req from flex AP 00:C1:64:YY:YY:YY is same as in mscb 68:ec:c5:XX:XX:XX

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX apfMs1xStateDec

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 START (0) Initializing policy

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfVapSecurity=0x2 L2=2 SkipWeb=0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX AuthenticationRequired = 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Encryption policy is set to 0x80000001

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1for this client

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Vlan while overriding the policy = -1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1 flex-acl-name:

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfPemAddUser2 (apf_policy.c:416) Changing state for mobile 68:ec:c5:XX:XX:XX on AP 00:C1:64:YY:YY:YY from Associated to Associated

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfPemAddUser2:session timeout forstation 68:ec:c5:XX:XX:XX - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Sending assoc-resp with status 0 station:68:ec:c5:XX:XX:XX AP:00:C1:64:YY:YY:YY-01 on apVapId 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Sending Assoc Response (status: '0') to station on AP ITVNT-LAP2 on BSSID 00:c1:64:XX:XX:XX ApVapId 1 Slot 1, mobility role 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfProcessAssocReq (apf_80211.c:11039) Changing state for mobile 68:ec:c5:XX:XX:XX on AP 00:C1:64:YY:YY:YY from Associated to Associated

*spamApTask6: Sep 06 16:43:07.720: [PA] 68:ec:c5:XX:XX:XX Successful transmission of LWAPP Add-Mobile to AP 00:C1:64:YY:YY:YY

*spamApTask6: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Received ADD_MOBILE ack - Initiating 1x to STA 68:ec:c5:XX:XX:XX (idx 2)

*spamApTask6: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Sent dot1x auth initiate message for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX reauth_sm state transition 1 ---> 0 for mobile 68:ec:c5:XX:XX:XX at 1x_reauth_sm.c:53

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Disable re-auth, use PMK lifetime.

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Connecting state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Received EAPOL START, dot1x state = 2

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Reset the reauth counter since EAPOL START has been received!!!

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX reauth_sm state transition 0 ---> 1 for mobile 68:ec:c5:XX:XX:XX at 1x_reauth_sm.c:47

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Received EAPOL START from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Connecting state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Sending EAP-Request/Identity to mobile 68:ec:c5:XX:XX:XX (EAP Id 2)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Received Identity Response (count=1) from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 1 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX EAP State update from Connecting to Authenticating for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Authenticating state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=3) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 3)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Allocating EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 3, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=4) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 4)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Reusing allocated memory for EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 4, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=7) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX WARNING: updated EAP-Identifier 4 ===> 7 for STA 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 7)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.908: [PA] 68:ec:c5:XX:XX:XX Reusing allocated memory for EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 7, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Processing Access-Accept for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Resetting web IPv4 acl from 255 to 255

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Resetting web IPv4 Flex acl from 65535 to 65535

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Received MPPE_SEND_KEY: KeyLen: 32

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Received MPPE_RECV_KEY: KeyLen: 32

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX override for default ap group, marking intgrp NULL

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Inserting AAA Override struct for mobile

MAC: 68:ec:c5:XX:XX:XX, source 4

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting re-auth timeout to 0 seconds, got from WLAN config.

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Station 68:ec:c5:XX:XX:XX setting dot1x reauth timeout = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Stopping reauth timeout for 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Creating a PKC PMKID Cache entry for station 68:ec:c5:XX:XX:XX (RSN 0)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting active key cache index 0 ---> 8

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting active key cache index 8 ---> 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Sending EAP-Success to mobile 68:ec:c5:XX:XX:XX (EAP Id 7)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Freeing AAACB from Dot1xCB as AAA auth is done for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Sending default RC4 key to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Sending Key-Mapping RC4 key to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Freeing EAP Retransmit Bufer for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX apfMs1xStateInc

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1for this client

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Not Using WMM Compliance code qosCap 00

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Vlan while overriding the policy = -1

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535

*spamApTask6: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Successful transmission of LWAPP Add-Mobile to AP 00:C1:64:YY:YY:YY

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1 flex-acl-name:

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 6728, Adding TMP rule

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule

type = Airespace AP - Learn IP address

on AP 00:C1:64:YY:YY:YY, slot 1, interface = 13, QOS = 0

IPv4 ACL ID = 25

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 0 Local Bridging Vlan = 202, Local Bridging intf id = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6757, Adding TMP rule

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

type = Airespace AP - Learn IP address

on AP 00:C1:64:YY:YY:YY, slot 1, interface = 13, QOS = 0

IPv4 ACL ID = 255,

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 0 Local Bridging Vlan = 202, Local Bridging intf id = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Success state (id=7) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX Received Auth Success while in Authenticating state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Authenticated state

*pemReceiveTask: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

RaffyLindogan
Spotlight

Hi mate,

 

Based on the WLAN detail that you have sent.

It is showing that you have Flexconnect enabled.

However I don't see any local or central switching enabled.

Your status on the debug would not show DHCP_REQD unless it has passed the authentication.

You should be able to see a previous message that says Authentication successful and also a log on the NPS of successful authentication.

Only then will you move to the DHCP discovery, reply, acknowledgement and assignment process.

So with that, can you please check the 2 APs if:

 

  1. You have the right wlan-vlan mapping for that site (If local switching)

  2. If the vlan has ip helper enabled (if using an external DHCP server)

  3. Also confirm if you can reach the DHCP server from that location sourcing from the SVI (layer 3 interface)

  4. APs are assigned to correct flexconnect group

  5. Ensure that any Flex ACL or other ACL on the WLC is not dropping that traffic.

  6. Run Wireshark to see which step of the DHCP process is not showing; it could be that the client is sending the DHCP discover and not receiving any reply from the DHCP server, etc.

 

Cheers,

 

Raffy

Here is the complete debug taken on the WLC with the command debug mac ...

 1. You have the right wlan-vlan mapping for that site (If local switching)

      Yes it's correct

  2. If the vlan has ip helper enabled (if using an external DHCP server)

      Yes, we have an external DHCP and ip helper configured

  3. Also confirm if you can reach the DHCP server from that location sourcing from the SVI (layer 3 interface)

       Yes, I can reach the DHCP from SVI 

  4. APs are assigned to correct flexconnect group

      Yes

  5. Ensure that any Flex ACL or other ACL on the WLC is not dropping that traffic.

      There is no ACL configured

68:ec:c5:XX:XX:XX  = MAC ADDRESS CLIENT

00:c1:64:XX:XX:XX  = BSSID MAC ADDRESS

00:C1:64:YY:YY:YY  = MAC ADDRESS Base Radio of AP

(ITSSG-X-WLC0003) >debug mac addr 68:ec:c5:XX:XX:XX

(ITSSG-X-WLC0003) >*dot1xSocketTask: Sep 06 16:42:31.615: [PA] 1x: frame too short (dataLen 82) - min size 7374

*apfOpenDtlSocket: Sep 06 16:43:07.716: [PA] 68:ec:c5:XX:XX:XX Recevied management frame ASSOCIATION REQUEST  on BSSID 00:c1:64:XX:XX:XX destination addr 00:c1:64:XX:XX:XX

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Station:  68:ec:c5:XX:XX:XX  11v BSS Transition not enabled on the AP  00:C1:64:YY:YY:YY

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Association received from mobile on BSSID 00:c1:64:XX:XX:XX AP ITVNT-LAP2

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Station:  68:ec:c5:XX:XX:XX  11v BSS Transition not enabled on the AP  00:C1:64:YY:YY:YY

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Global 200 Clients are allowed to AP radio

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Max Client Trap Threshold: 0  cur: 7

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX override for default ap group, marking intgrp NULL

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX In processSsidIE:6609 setting Central switched to FALSE

*apfMsConnTask_0: Sep 06 16:43:07.717: [PA] 68:ec:c5:XX:XX:XX Set Clinet MSCB as Central Association Disabled

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying site-specific Local Bridging override for station 68:ec:c5:XX:XX:XX - vapId 1, site 'Vignate', interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying Local Bridging Interface Policy for station 68:ec:c5:XX:XX:XX - vlan 202, interface id 0, interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX override from ap group, removing intf group from mscb

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying site-specific override for station 68:ec:c5:XX:XX:XX - vapId 1, site 'Vignate', interface 'management'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Applying Interface(management) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 7

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Not re-applying interface policy for local switching Client

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2922)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2942)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2963)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Setting the NAS Id to AP group specific Id 'ITSSG-X-WLC0003'

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Set Clinet AP specific apfMsAccessVlan = 7

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX This apfMsAccessVlan may be changed later from AAA after L2 Auth

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX Cleared localSwitchingVlan, may be assigned later based on AAA override

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX processSsidIE  statusCode is 0 and status is 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX processSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX AID 5 in Assoc Req from flex AP 00:C1:64:YY:YY:YY is same as in mscb 68:ec:c5:XX:XX:XX

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX apfMs1xStateDec

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 START (0) Initializing policy

*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX  apfVapSecurity=0x2 L2=2 SkipWeb=0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX  AuthenticationRequired = 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Encryption policy is set to 0x80000001

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1for this client

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Vlan while overriding the policy = -1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1 flex-acl-name:

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfPemAddUser2 (apf_policy.c:416) Changing state for mobile 68:ec:c5:XX:XX:XX on AP 00:C1:64:YY:YY:YY from Associated to Associated

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfPemAddUser2:session timeout forstation 68:ec:c5:XX:XX:XX - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Sending assoc-resp with status 0 station:68:ec:c5:XX:XX:XX AP:00:C1:64:YY:YY:YY-01 on apVapId 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX Sending Assoc Response (status: '0') to station on AP ITVNT-LAP2 on BSSID 00:c1:64:XX:XX:XX ApVapId 1 Slot 1, mobility role 1

*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX apfProcessAssocReq (apf_80211.c:11039) Changing state for mobile 68:ec:c5:XX:XX:XX on AP 00:C1:64:YY:YY:YY from Associated to Associated

*spamApTask6: Sep 06 16:43:07.720: [PA] 68:ec:c5:XX:XX:XX Successful transmission of LWAPP Add-Mobile to AP 00:C1:64:YY:YY:YY

*spamApTask6: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Received ADD_MOBILE ack - Initiating 1x to STA 68:ec:c5:XX:XX:XX (idx 2)

*spamApTask6: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Sent dot1x auth initiate message for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX reauth_sm state transition 1 ---> 0 for mobile 68:ec:c5:XX:XX:XX at 1x_reauth_sm.c:53

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX Disable re-auth, use PMK lifetime.

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.726: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Connecting state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Received EAPOL START, dot1x state = 2

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Reset the reauth counter since EAPOL START has been received!!!

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX reauth_sm state transition 0 ---> 1 for mobile 68:ec:c5:XX:XX:XX at 1x_reauth_sm.c:47

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Received EAPOL START from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Connecting state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.821: [PA] 68:ec:c5:XX:XX:XX Sending EAP-Request/Identity to mobile 68:ec:c5:XX:XX:XX (EAP Id 2)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Received Identity Response (count=1) from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 1 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX EAP State update from Connecting to Authenticating for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Authenticating state

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.872: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=3) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 3)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.882: [PA] 68:ec:c5:XX:XX:XX Allocating EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 3, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.889: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=4) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 4)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.891: [PA] 68:ec:c5:XX:XX:XX Reusing allocated memory for  EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 4, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.905: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Processing Access-Challenge for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Req state (id=7) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX WARNING: updated EAP-Identifier 4 ===> 7 for STA 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.907: [PA] 68:ec:c5:XX:XX:XX Sending EAP Request from AAA to mobile 68:ec:c5:XX:XX:XX (EAP Id 7)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.908: [PA] 68:ec:c5:XX:XX:XX Reusing allocated memory for  EAP Pkt for retransmission to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Received EAPOL EAPPKT from mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Received EAP Response from mobile 68:ec:c5:XX:XX:XX (EAP Id 7, EAP Type 25)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Resetting reauth count 0 to 0 for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.914: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Response state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Processing Access-Accept for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Resetting web IPv4 acl from 255 to 255

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Resetting web IPv4 Flex acl from 65535 to 65535

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Received MPPE_SEND_KEY: KeyLen: 32

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Received MPPE_RECV_KEY: KeyLen: 32

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX override for default ap group, marking intgrp NULL

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Inserting AAA Override struct for mobile

        MAC: 68:ec:c5:XX:XX:XX, source 4

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting re-auth timeout to 0 seconds, got from WLAN config.

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Station 68:ec:c5:XX:XX:XX setting dot1x reauth timeout = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Stopping reauth timeout for 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Creating a PKC PMKID Cache entry for station 68:ec:c5:XX:XX:XX (RSN 0)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting active key cache index 0 ---> 8

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Setting active key cache index 8 ---> 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Sending EAP-Success to mobile 68:ec:c5:XX:XX:XX (EAP Id 7)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Freeing AAACB from Dot1xCB as AAA auth is done for  mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Sending default RC4 key to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Sending Key-Mapping RC4 key to mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX Freeing EAP Retransmit Bufer for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX apfMs1xStateInc

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1for this client

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Not Using WMM Compliance code qosCap 00

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Vlan while overriding the policy = -1

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535

*spamApTask6: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX Successful transmission of LWAPP Add-Mobile to AP 00:C1:64:YY:YY:YY

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.919: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:C1:64:YY:YY:YY vapId 1 apVapId 1 flex-acl-name:

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 6728, Adding TMP rule

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:C1:64:YY:YY:YY, slot 1, interface = 13, QOS = 0

  IPv4 ACL ID = 25

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 0  Local Bridging Vlan = 202, Local Bridging intf id = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.920: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6757, Adding TMP rule

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:C1:64:YY:YY:YY, slot 1, interface = 13, QOS = 0

  IPv4 ACL ID = 255,

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 0  Local Bridging Vlan = 202, Local Bridging intf id = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX Entering Backend Auth Success state (id=7) for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX Received Auth Success while in Authenticating state for mobile 68:ec:c5:XX:XX:XX

*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX dot1x - moving mobile 68:ec:c5:XX:XX:XX into Authenticated state

*pemReceiveTask: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
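
The state progression in the debug above can be pulled out mechanically. The following is an added example, not part of the original thread and not Cisco tooling: it parses `debug mac addr` output, lists the policy-manager state changes for one client, and reports where the client stopped. The function name and verdict strings are assumptions; the sample lines are copied from the debug posted above.

```python
import re

# Lines copied from the debug posted in this thread (MACs masked as in the post).
SAMPLE_DEBUG = """\
*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
*apfMsConnTask_0: Sep 06 16:43:07.718: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_0: Sep 06 16:43:07.719: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Processing Access-Accept for mobile 68:ec:c5:XX:XX:XX
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.917: [PA] 68:ec:c5:XX:XX:XX Sending EAP-Success to mobile 68:ec:c5:XX:XX:XX (EAP Id 7)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.918: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.921: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_1: Sep 06 16:43:07.922: [PA] 68:ec:c5:XX:XX:XX 0.0.0.0 DHCP_REQD (7) NO release MSCB
"""

# "*task: Mon DD HH:MM:SS.mmm: [PA] <client mac> <message>"
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"\[PA\] (?P<mac>\S+) (?P<msg>.*)$"
)
# Messages that carry policy-manager context: "<client ip> <STATE> (<id>) <rest>"
STATE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<state>[A-Z0-9_]+) \((?P<id>\d+)\) (?P<rest>.*)$"
)
CHANGE = re.compile(r"^Change state to (?P<new>[A-Z0-9_]+) \((?P<id>\d+)\)")


def summarize(debug_text, client_mac):
    """Return the state transitions and a verdict for one client MAC."""
    transitions = []
    access_accept = eap_success = False
    last_state = last_ip = None
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["mac"].lower() != client_mac.lower():
            continue  # continuation line, other client, or unrelated output
        msg = m["msg"].strip()
        if msg.startswith("Processing Access-Accept"):
            access_accept = True
        elif msg.startswith("Sending EAP-Success"):
            eap_success = True
        s = STATE.match(msg)
        if not s:
            continue
        last_state, last_ip = s["state"], s["ip"]
        c = CHANGE.match(s["rest"])
        if c:
            transitions.append((m["ts"], s["state"], c["new"]))
            last_state = c["new"]
            if c["new"] == "START":
                # New association: an earlier auth result no longer applies.
                access_accept = eap_success = False

    if last_state is None:
        verdict = "no policy-manager state lines for this client"
    elif last_state == "RUN":  # final WLC state; not reached in this thread's debug
        verdict = "client reached RUN"
    elif last_state == "DHCP_REQD" and access_accept:
        verdict = "802.1X succeeded; client is waiting for an IP address (check the DHCP path)"
    elif last_state == "8021X_REQD":
        verdict = "802.1X not completed (check the RADIUS/NPS exchange)"
    else:
        verdict = "stopped in " + last_state
    return {
        "transitions": transitions,
        "final_state": last_state,
        "client_ip": last_ip,
        "access_accept": access_accept,
        "eap_success": eap_success,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_DEBUG, "68:ec:c5:XX:XX:XX")
    for ts, old, new in result["transitions"]:
        print(f"{ts}  {old} -> {new}")
    print(result["verdict"])
```
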

Hi mate,

 

Can you please share the config of the switchport where the AP is plugged in.

Also provide me the SVI for both vlan 202 and 7.

Can you also provide screenshots for the following:

 

 1. AP group for this AP

  2. Flexgroup

  3. flex ACL

  4. Flexconnect Wlan- vlan mapping

 

Also, what’s your DHCP server? Are you able to ping it sourcing from both vlan 202 and 7?

 

 

Cheers,

 

 

raffy
