
Flex Connect - Guest WLAN with local switching

ElwinMkanyika

Hi guys,

I seem to have run into a dead end here. Please help me get this up and running.

So far, I have set up the corporate SSID and got it locally switched to the branch.

I know that guest WLAN should be centrally switched, but we have a dedicated line in the branch, so I need to also get it locally switched. At some point, I was able to achieve that, but now I am having a problem. I see that some clients are able to authenticate and receive address assignments but some are not, including me.

I am guessing the problem is DHCP. But the funny thing is that DHCP for the corporate WLAN is working fine.

This is my debug:

(Cisco Controller) >*apfLbsTask: Nov 18 12:24:58.543: 4c:b1:99:ad:30:38 Copy MobilityData LOCP status:1, anchorip:0x0

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Association received from mobile on BSSID dc:a5:f4:1b:19:5c

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Max Client Trap Threshold: 0  cur: 6

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 15

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Re-applying interface policy for client

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 In processSsidIE:4619 setting Central switched to FALSE

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Applying site-specific Local Bridging override for station 4c:b1:99:ad:30:38 - vapId 4, site 'MMO-MoscowMainOffice', interface 'wireless_users'

*apfMsConnTask_7: Nov 18 12:25:28.623: 4c:b1:99:ad:30:38 Applying Local Bridging Interface Policy for station 4c:b1:99:ad:30:38 - vlan 15, interface id 12, interface 'wireless_users'

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 Applying site-specific override for station 4c:b1:99:ad:30:38 - vapId 4, site 'MMO-MoscowMainOffice', interface 'wireless_users'

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 15

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 Re-applying interface policy for client

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 processSsidIE  statusCode is 0 and status is 0

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 processSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 Processing RSN IE type 48, length 20 for mobile 4c:b1:99:ad:30:38

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [dc:a5:f4:1b:19:50]

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 Updated location for station old AP dc:a5:f4:1b:19:50-1, new AP dc:a5:f4:1b:19:50-0

*pemReceiveTask: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 Removed NPU entry.

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 apfMs1xStateDec

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 START (0) Initializing policy

*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 0.0.0.0 8021X_REQD (3) DHCP required on AP dc:a5:f4:1b:19:50 vapId 4 apVapId 2for this client

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP dc:a5:f4:1b:19:50 vapId 4 apVapId 2 flex-acl-name:

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 4c:b1:99:ad:30:38 on AP dc:a5:f4:1b:19:50 from Associated to Associated

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 apfPemAddUser2:session timeout forstation 4c:b1:99:ad:30:38 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 Sending Assoc Response to station on BSSID dc:a5:f4:1b:19:51 (status 0) ApVapId 2 Slot 0

*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 apfProcessAssocReq (apf_80211.c:7957) Changing state for mobile 4c:b1:99:ad:30:38 on AP dc:a5:f4:1b:19:50 from Associated to Associated

*apfMsConnTask_7: Nov 18 12:25:28.627: 4c:b1:99:ad:30:38 Updating AID for REAP AP Client dc:a5:f4:1b:19:50 - AID ===> 5

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Creating a PKC PMKID Cache entry for station 4c:b1:99:ad:30:38 (RSN 2)

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Resetting MSCB PMK Cache Entry 0 for station 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Removing BSSID dc:a5:f4:1b:19:5e from PMKID cache of station 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Setting active key cache index 0 ---> 8

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Setting active key cache index 8 ---> 0

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Adding BSSID dc:a5:f4:1b:19:51 to PMKID cache at index 0 for station 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: New PMKID: (16)

*dot1xMsgTask: Nov 18 12:25:28.631:      [0000] 7c b6 c1 a5 8e ef 32 09 40 07 e0 5f e3 ba e8 df

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Initiating RSN PSK to mobile 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 dot1x - moving mobile 4c:b1:99:ad:30:38 into Force Auth state

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Found an cache entry for BSSID dc:a5:f4:1b:19:51 in PMKID cache at index 0 of station 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Found an cache entry for BSSID dc:a5:f4:1b:19:51 in PMKID cache at index 0 of station 4c:b1:99:ad:30:38

*dot1xMsgTask: Nov 18 12:25:28.631: Including PMKID in M1  (16)

*dot1xMsgTask: Nov 18 12:25:28.631:      [0000] 7c b6 c1 a5 8e ef 32 09 40 07 e0 5f e3 ba e8 df

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Starting key exchange to mobile 4c:b1:99:ad:30:38, data packets will be dropped

*dot1xMsgTask: Nov 18 12:25:28.631: 4c:b1:99:ad:30:38 Sending EAPOL-Key Message to mobile 4c:b1:99:ad:30:38

                                                                                                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.647: 4c:b1:99:ad:30:38 Received EAPOL-Key from mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.647: 4c:b1:99:ad:30:38 Received EAPOL-key in PTK_START state (message 2) from mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.647: 4c:b1:99:ad:30:38 Stopping retransmission timer for mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.648: 4c:b1:99:ad:30:38 Sending EAPOL-Key Message to mobile 4c:b1:99:ad:30:38

                                                                                                                    state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 Received EAPOL-Key from mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 Stopping retransmission timer for mobile 4c:b1:99:ad:30:38

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 apfMs1xStateInc

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP dc:a5:f4:1b:19:50 vapId 4 apVapId 2for this client

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 Not Using WMM Compliance code qosCap 00

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP dc:a5:f4:1b:19:50 vapId 4 apVapId 2 flex-acl-name:

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 6063, Adding TMP rule

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP dc:a5:f4:1b:19:50, slot 0, interface = 13, QOS = 0

  IPv4 ACL ID = 25

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 15, Local Bridging intf id = 12

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6092, Adding TMP rule

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP dc:a5:f4:1b:19:50, slot 0, interface = 13, QOS = 0

  IPv4 ACL ID = 255,

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 15, Local Bridging intf id = 12

*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*pemReceiveTask: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*pemReceiveTask: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

*apfLbsTask: Nov 18 12:25:30.543: 4c:b1:99:ad:30:38 Copy AP LOCP - mode:2 slotId:128, apMac 0xdc:a5:f4:1b:19:50

*apfLbsTask: Nov 18 12:25:30.543: 4c:b1:99:ad:30:38 Copy WLAN LOCP EssIndex:4 aid:5 ssid:wings

*apfLbsTask: Nov 18 12:25:30.543: 4c:b1:99:ad:30:38 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState:  DHCP_REQD

*apfLbsTask: Nov 18 12:25:30.543: 4c:b1:99:ad:30:38 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x6 statuscode 0, reasoncode 99, status 3
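Added example, not part of the original post or of any Cisco tooling: a small Python parser that follows each client's policy-manager state transitions in `debug client` output like the above and reports clients that pass the WPA2 handshake but never leave DHCP_REQD, together with the locally bridged VLAN they were placed in. The first client's lines are copied from the debug above; the second client, its MAC and IP, and the function and verdict names are constructed for illustration.

```python
import re

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <rest of message>"
LINE_RE = re.compile(
    r"^\*[^:]+: \w{3} +\d+ [\d:.]+: ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\) last state")
VLAN_RE = re.compile(r"Local Bridging Vlan = (\d+)")

# Sample input: first client copied from the debug above, second client constructed.
SAMPLE = """\
*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
*apfMsConnTask_7: Nov 18 12:25:28.624: 4c:b1:99:ad:30:38 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Nov 18 12:25:28.625: 4c:b1:99:ad:30:38 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*dot1xMsgTask: Nov 18 12:25:28.631: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.654: 4c:b1:99:ad:30:38 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 15, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_0: Nov 18 12:25:28.655: 4c:b1:99:ad:30:38 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_7: Nov 18 12:26:01.100: 00:11:22:33:44:55 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*Dot1x_NW_MsgTask_0: Nov 18 12:26:01.140: 00:11:22:33:44:55 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_0: Nov 18 12:26:01.141: 00:11:22:33:44:55 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*pemReceiveTask: Nov 18 12:26:02.300: 00:11:22:33:44:55 172.20.15.50 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
"""


def classify(states):
    """Turn the ordered list of states a client entered into a verdict."""
    if not states:
        return "no-transitions"
    if states[-1] == "RUN":
        return "ok"
    if states[-1] == "DHCP_REQD" and "L2AUTHCOMPLETE" in states:
        # Key exchange finished, so PSK/802.1X is fine; the client never got a lease.
        return "stuck-after-l2-auth"
    return "l2-auth-incomplete"


def summarize(log_text):
    """Return {client_mac: {"states": [...], "vlan": int|None, "verdict": str}}."""
    clients = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines and lines without a client MAC
        mac, rest = m.group(1).lower(), m.group(2)
        entry = clients.setdefault(mac, {"states": [], "vlan": None})
        state = STATE_RE.search(rest)
        if state:
            entry["states"].append(state.group(1))
        vlan = VLAN_RE.search(rest)
        if vlan:
            entry["vlan"] = int(vlan.group(1))
    for entry in clients.values():
        entry["verdict"] = classify(entry["states"])
    return clients


def stuck_vlans(clients):
    """VLANs that have at least one client authenticated but waiting on DHCP."""
    return sorted({c["vlan"] for c in clients.values()
                   if c["verdict"] == "stuck-after-l2-auth" and c["vlan"] is not None})


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for mac, info in result.items():
        print(mac, info["verdict"], "vlan", info["vlan"], "->".join(info["states"]))
    print("check trunk / VLAN / DHCP scope for VLANs:", stuck_vlans(result))
```

A "stuck-after-l2-auth" verdict means the wireless side completed, so the next place to look is the wired path for the reported VLAN at the site: the AP's trunk port, the VLAN's existence on the access switch, and the DHCP scope or IP helper.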

Scott Fella

With local switching, are you defining the guest SSID to the VLAN out at the remote site? If not, then the guest users will use the VLAN that the access point is connected to. If you have a VLAN, for example VLAN 209 out at the remote site and that is for guest users, then you would have to set up your FlexConnect APs like this.

This also means that your FlexConnect APs must be on a trunk port which allows your AP VLAN (native VLAN) and the guest VLAN, which I use as 209.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Also post your show wlan

Thanks,

Scott

Oh, Scott, you're here... thank God

(Cisco Controller) >show wlan silverwings

Incorrect input! Use 'show wlan [apgroups/summary/>/hotspot ]'

(Cisco Controller) >show wlan 4         

WLAN Identifier.................................. 4

Profile Name..................................... wings

Network Name (SSID).............................. wings

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Enabled

Network Admission Control

Client Profiling Status

    Radius Profiling ............................ Disabled

     DHCP ....................................... Disabled

     HTTP ....................................... Disabled

    Local Profiling ............................. Disabled

     DHCP ....................................... Disabled

     HTTP ....................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

--More or (q)uit current module or to abort

Number of Active Clients......................... 6

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ 86400 seconds

Sleep Client..................................... disable

Sleep Client Timeout............................. 12 hours

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... WLC100

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

WLAN Layer2 ACL.................................. unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... 172.20.15.1

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

    PMIPv6 MAG Profile........................... Unconfigured

    PMIPv6 Default Realm......................... Unconfigured

--More or (q)uit current module or to abort

    PMIPv6 NAI Type.............................. Hexadecimal

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

--More or (q)uit current module or to abort

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 6

DTIM period for 802.11b radio.................... 6

Radius Servers

   Authentication................................ 172.20.74.189 1812

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Disabled

--More or (q)uit current module or to abort

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Disabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Enabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

--More or (q)uit current module or to abort

   flexconnect Dns Override Flag................. Disabled

   flexconnect PPPoE pass-through................ Disabled

   flexconnect local-switching IP-source-guar.... Disabled

   FlexConnect Vlan based Central Switching ..... Enabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Split Tunnel (Printers).......................... Disabled

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

--More or (q)uit current module or to abort

Band Select...................................... Enabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy

----------------

Priority  Policy Name

--------  ---------------

Scott Fella

If you're using 802.1x, then you shouldn't have the idle timer set that high. Only adjust the idle timer if you're using webauth.

Leave the session timer set at 1800 and the idle timer at 300, change the DTIM to 2.

Give that a try.

I ain't using 802.1x; I want to use WPA2 PSK only.

I was trying out VLAN-based central switching.

Well, try open authentication and see if that works... why do you have DHCP override enabled? Use an IP helper on your guest VLAN for your FlexConnect setting. If you're using local switching, you don't need to create an interface on the WLC. Those dynamic interfaces are for local mode APs or central switching.

Your APs are not in FlexConnect mode?

Thanks,

Scott

Scott,

Tried changing the timer settings and the DTIM settings but unfortunately no luck.

Hello,

I am not sure if I have to create a new thread, but I am getting a similar issue.

My WLC software version is 7.4.110.0. I have a branch office in my lab. The AP in my branch is configured as FlexConnect with a native VLAN of 700. The SSID that I have in the branch office is configured to do local switching. The WLAN configuration is very similar to ElwinMkanyika's, except that I have the "DHCP server" disabled.

My issue is that last week I had FlexConnect working with no problem, then this morning I can't connect to the SSID, and I'm not receiving IP addresses for my test wireless clients.

Thanks

I would open a new thread or else it's too confusing to try to answer multiple questions on a single thread.

Thanks,

Scott

Hi Guys,

Sorry I went silent, had to handle a different project for a while.

Anyway, I did find out what the issue was: believe it or not, switching. All clients on the 10th and 16th floors could connect but the 12th floor could not because I forgot to actually create the VLAN on the switch.

So steelinquisitor, try a bottom-to-top approach.

Thank you Scott.
