
Flexconnect and 802.1X Problems

ppaskowsky
Community Member

I've set up a test network using a 5500 WC, Aironet 3502i AP, and a Windows AD server. I have local WLAN clients using 802.1x which is working great.

Now I am testing FlexConnect. The AP is set in FlexConnect mode. The AP is on a trunk assigned with VLAN 300 (native VLAN), and it has access to VLANs 400 and 500, which are used by my two FlexConnect WLANs.

When my Flexconnect WLANs are using a PSK, they work fine. They authenticate and have network access as they should. However, when I set them to 802.1X Authentication, my clients get an AD login prompt but the request always times out. The AD servers are set correctly for the WLANs, so what could be the problem?

Thanks!

4 Replies

grabonlee
Level 9

Hi

Could you run a debug aaa and debug client mac addr and post the result. What EAP method are you using? Did you set the authentication to 802.1X with AES or TKIP only on the WLAN SSID?

If 802.1X worked when the WLAN was set to local, it should also work with Flexconnect. The client has to authenticate successfully before Flexconnect kicks in and switches frames locally.

Thanks

What is the correct syntax for debug aaa? I have many choices (all, detail, events, etc) and they all seem to give me too much info.

When I tried "debug client mac addr" with the mac addr of my client, nothing is showing up. Even when connecting.

My flexconnect is strangely working fine now, but it seems to work intermittently. These debug commands could help me out.

Thanks,

David Watkins
Level 8

While you're using FlexConnect to locally switch, do you know if you have marked your WLAN to perform "Local Auth" as well?  If so, then you will need to make sure to add your AP to a FlexConnect group; define your backup RADIUS servers and add the "AP" to your RADIUS server as a RADIUS client.

If you do "not" have Local Auth selected, then go ahead and just take a normal client debug

>debug client

Start the debug and connect the client.  After a couple attempts stop the debug and attach to your post.  This will give us enough information to determine if we're communicating with RADIUS properly and whether we're being accepted or rejected.  The other AAA debugs are not necessary as of yet. Client debug will give us enough info.

Edit:  I see you're saying you do "not see anything" when debugging the client.  It's possible your data plane to the FlexConnect AP (UDP 5247) is not up and running and/or we've transitioned to stand-alone mode.

I don't have an AP where I'm at to help you with specific debugs.  We could see if the association request of the client cannot even be forwarded to the WLC (an indication that the data path is down).

I believe

#debug reap mgmt

or

#debug reap client

Go ahead and send a "show log" from the Flex AP so we can see if it's transitioning.  An AP in stand-alone will not be able to centrally 802.1x authenticate.
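One check worth having at hand for the "AD login prompt then timeout" symptom above is whether the RADIUS server answers the NAS (the WLC for central auth, the AP itself for FlexConnect local auth) at all. A RADIUS server that does not have that NAS address registered as a client, or that holds a different shared secret, silently discards the Access-Request rather than sending an Access-Reject, which is exactly what a client-side timeout looks like; a reachable, correctly configured server answers with Accept, Reject or an EAP Challenge. The following is an added example, not code from the thread or from Cisco: a minimal RFC 2865/2869 probe using only the Python standard library. The server address 192.0.2.10, the NAS address 192.0.2.5, the secret and the user name are placeholders to be replaced with the lab values.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865) and attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_MSG_AUTH = 1, 4, 80  # 80 = Message-Authenticator (RFC 2869)


def _avp(attr_type, value):
    """Encode one attribute: type(1) length(1, includes header) value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, username, nas_ip, identifier=1, req_auth=None):
    """Build an Access-Request with User-Name, NAS-IP-Address and a Message-Authenticator.

    The Message-Authenticator is HMAC-MD5 over the whole packet with its own 16-byte
    value zeroed, keyed with the shared secret; servers doing EAP require it and drop
    requests whose HMAC does not verify, which is one source of silent timeouts.
    Returns (packet, request_authenticator) so the reply can be checked later.
    """
    req_auth = req_auth or os.urandom(16)
    attrs = _avp(ATTR_USER_NAME, username.encode()) + _avp(ATTR_NAS_IP, socket.inet_aton(nas_ip))
    placeholder = _avp(ATTR_MSG_AUTH, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + req_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _avp(ATTR_MSG_AUTH, mac), req_auth


def verify_message_authenticator(secret, packet):
    """Recompute a request's Message-Authenticator the way the server does; False if absent or wrong."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MSG_AUTH and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False


def make_response(secret, req_auth, code, identifier, attrs=b""):
    """Build the reply a server would send (constructed here only so the check runs offline)."""
    length = 20 + len(attrs)
    head = struct.pack("!BBH", code, identifier, length)
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret, req_auth, packet):
    """Check the Response Authenticator (RFC 2865 section 3); return the code, or None on mismatch."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


def classify(code):
    """Map a verified response code to the word a troubleshooter wants."""
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
             ACCESS_CHALLENGE: "challenge", None: "bad-secret"}
    return names.get(code, "unknown")


def probe(server, secret, username, nas_ip, timeout=3.0, port=1812):
    """Send one Access-Request from this host and report accept/reject/challenge/timeout.

    "timeout" means the server dropped the request: unknown NAS, wrong secret, or a
    firewall in between. Run it from the same subnet as the AP to mimic local auth.
    """
    pkt, req_auth = build_access_request(secret, username, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(verify_response(secret, req_auth, data))


if __name__ == "__main__":
    # Placeholder lab values; replace with the real server, secret, user and NAS address.
    print(probe("192.0.2.10", b"testing123", "testuser", "192.0.2.5"))
```

A "reject" is good news for this thread's problem: it proves the NAS is registered and the secret matches, so the fault is in the EAP method or the AD account. A "timeout" with the AP's address as NAS, while the same probe from the WLC's address succeeds, points straight at the missing RADIUS client entry for the AP that Local Auth requires.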

Hi ppaskowsky

You can use debug aaa all or events. If your client connected, then the debug client mac addr should've reported something. Could you also show the config of your ssid. Flexconnect group is not necessary, if flexconnect is not working properly.
