Flexconnect with 802.1x

Shawn Purdy
Level 1

Hello all,

I'm working on a configuration problem to see if anyone has seen this. I'm working on deploying a Cisco 7500 controller. The controller will broadcast 3 SSIDs: two GUEST SSIDs and one for corporate access.

The two GUEST SSIDs work; however, whenever I enable FlexConnect in a Central Auth/Local Switching mode (for my corporate devices) it does not pass the 802.1x credentials. My log on the controller will show authentication errors as we try to connect with our corporate laptops. When I turn off FlexConnect mode and go into local mode it works. I was able to replicate this on a 5508 controller as well, so I know it's not just the 7500.

The only way I have gotten FlexConnect to work was to put the AP in RADIUS; however, I do not want to add 300 APs to our RADIUS servers.

Has anyone run into this problem?

6 Replies

Stephen Rodriguez
Cisco Employee

That sounds weird. I have a couple of hundred sites running FlexConnect and I'm not seeing that issue.

Under the WLAN config, Advanced tab... Do you have FlexConnect Local Auth checked?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Yeah, it is weird. Especially when I was able to reproduce it from scratch. I wonder if it has to do with the 7.0 code. To answer your question, yes, I did check local switching. I even unchecked it to do central/central but no luck. Weird.

Sent from Cisco Technical Support iPad App

Can you post your WLAN config showing your WLAN set to Local Switching and no Local Auth set?

>config paging disable

>show wlan

So "Local Mode" / WLC as authenticator all works fine for guest

You simply change to FlexConnect using Central Auth and Local Switching / WLC still authenticator and it stops working?

However, you then add the AP to RADIUS and it "does" work.  Seems like you're doing "local auth" for sure. As Steve mentioned, there shouldn't be any known issues with this type of configuration.

Can you put back to FlexConnect with WLAN still set for Local Switching and "Central Auth" and capture a client debug?
>debug client

Sorry guys, I've been tied up the past couple of days. I'll be back in the lab today to do more tests on this. I'll let you guys know the results.

Sent from Cisco Technical Support iPad App

Here is the debug I ran.

(Cisco Controller) >debug client 00:0b:6b:b3:8d:4e

(Cisco Controller) >*Dot1x_NW_MsgTask_6: Feb 08 09:10:57.508: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Unknown state
*osapiBsnTimer: Feb 08 09:15:29.214: 00:0b:6b:b3:8d:4e 802.1x 'quiteWhile' Timer expired for station 00:0b:6b:b3:8d:4e and for message = M0
*dot1xMsgTask: Feb 08 09:15:29.214: 00:0b:6b:b3:8d:4e quiet timer completed for mobile 00:0b:6b:b3:8d:4e
*dot1xMsgTask: Feb 08 09:15:29.214: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Connecting state
*dot1xMsgTask: Feb 08 09:15:29.214: 00:0b:6b:b3:8d:4e Sending EAP-Request/Identity to mobile 00:0b:6b:b3:8d:4e (EAP Id 12)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.230: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.230: 00:0b:6b:b3:8d:4e Received Identity Response (count=2) from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.230: 00:0b:6b:b3:8d:4e EAP State update from Connecting to Authenticating for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.230: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Authenticating state
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.230: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.299: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.299: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=13) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.299: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.314: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.314: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 13, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.314: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.316: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.316: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=14) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.316: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 14)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 14, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=15) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.328: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 15)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.340: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.340: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 15, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.340: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.341: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.341: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=16) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.341: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 16)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 16, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=17) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.353: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 17)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.365: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.365: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 17, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.365: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.366: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.366: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=18) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.366: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 18)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.378: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.378: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 18, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.378: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.379: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.379: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=19) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.379: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 19)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.390: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.390: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 19, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.390: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.391: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.391: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=20) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.391: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 20)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.403: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.403: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 20, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.403: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.403: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.404: 00:0b:6b:b3:8d:4e Entering Backend Auth Req state (id=21) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.404: 00:0b:6b:b3:8d:4e Sending EAP Request from AAA to mobile 00:0b:6b:b3:8d:4e (EAP Id 21)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.442: 00:0b:6b:b3:8d:4e Received EAPOL EAPPKT from mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.442: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 21, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.442: 00:0b:6b:b3:8d:4e Entering Backend Auth Response state for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e Processing Access-Reject for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e Sending EAP-Failure to mobile 00:0b:6b:b3:8d:4e (EAP Id 21)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e Entering Backend Auth Failure state (id=21) for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e Setting quiet timer for 5 seconds for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Unknown state
*osapiBsnTimer: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e 802.1x 'quiteWhile' Timer expired for station 00:0b:6b:b3:8d:4e and for message = M0
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e quiet timer completed for mobile 00:0b:6b:b3:8d:4e
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Connecting state
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Sending EAP-Request/Identity to mobile 00:0b:6b:b3:8d:4e (EAP Id 23)
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Reached Max EAP-Identity Request retries (3) for STA 00:0b:6b:b3:8d:4e
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Sent Deauthenticate to mobile on BSSID b4:14:89:1b:84:e0 slot 1(caller 1x_auth_pae.c:3203)
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e dot1x - moving mobile 00:0b:6b:b3:8d:4e into Disconnected state
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Not sending EAP-Failure for STA 00:0b:6b:b3:8d:4e
*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e Reassociation received from mobile on AP b4:14:89:1b:84:e0
*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e Max Client Trap Threshold: 0  cur: 1

*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e Re-applying interface policy for client

*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1839)
*apfMsConnTask_6: Feb 08 09:15:37.420: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2006)
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e In processSsidIE:3937 setting Central switched to FALSE
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Applying site-specific Local Bridging override for station 00:0b:6b:b3:8d:4e - vapId 1, site 'Test', interface 'management'
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Applying Local Bridging Interface Policy for station 00:0b:6b:b3:8d:4e - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Applying site-specific override for station 00:0b:6b:b3:8d:4e - vapId 1, site 'Test', interface 'management'
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Re-applying interface policy for client

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1839)
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2006)
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e STA - rates (8): 12 146 24 36 48 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) DHCP required on AP b4:14:89:1b:84:e0 vapId 1 apVapId 1for this client
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Not Using WMM Compliance code qosCap 00
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:14:89:1b:84:e0 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e apfPemAddUser2 (apf_policy.c:273) Changing state for mobile 00:0b:6b:b3:8d:4e on AP b4:14:89:1b:84:e0 from Associated to Associated

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e Sending Assoc Response to station on BSSID b4:14:89:1b:84:e0 (status 0) ApVapId 1 Slot 1
*apfMsConnTask_6: Feb 08 09:15:37.421: 00:0b:6b:b3:8d:4e apfProcessAssocReq (apf_80211.c:6704) Changing state for mobile 00:0b:6b:b3:8d:4e on AP b4:14:89:1b:84:e0 from Associated to Associated

So there is a 'Processing Access-Reject' coming from the AAA server.

Can you check the logs, and see why it failed? 

For FlexConnect, so long as the AP is joined to the WLC, i.e. not standalone mode, the NAS should be the WLC management IP address.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
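
Added example, not part of any post in this thread: a small Python parser for `debug client` output like the capture above, which counts RADIUS challenge rounds, names the EAP method and reports the first terminal outcome per client. The sample lines are a constructed excerpt in the same format, and the `Access-Accept` match string is an assumption, since that line does not appear on this page.

```python
import re

# IANA EAP method numbers, as printed in the WLC "EAP Type N" debug field.
EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

# Constructed sample: a shortened exchange in the format of the debug above.
SAMPLE = """\
*dot1xMsgTask: Feb 08 09:15:29.214: 00:0b:6b:b3:8d:4e Sending EAP-Request/Identity to mobile 00:0b:6b:b3:8d:4e (EAP Id 12)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.299: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.314: 00:0b:6b:b3:8d:4e Received EAP Response from mobile 00:0b:6b:b3:8d:4e (EAP Id 13, EAP Type 13)
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.316: 00:0b:6b:b3:8d:4e Processing Access-Challenge for mobile 00:0b:6b:b3:8d:4e
*Dot1x_NW_MsgTask_6: Feb 08 09:15:29.443: 00:0b:6b:b3:8d:4e Processing Access-Reject for mobile 00:0b:6b:b3:8d:4e
*dot1xMsgTask: Feb 08 09:15:34.518: 00:0b:6b:b3:8d:4e Reached Max EAP-Identity Request retries (3) for STA 00:0b:6b:b3:8d:4e
"""

LINE = re.compile(
    r"\*(?P<task>[^:]+): (?P<ts>\w{3} \d{2} [\d:.]+): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$")

# Message fragments mapped to outcomes. Access-Accept is assumed by analogy
# with the Access-Reject line; it does not appear in the debug on this page.
OUTCOMES = {
    "Processing Access-Reject": "aaa_reject",
    "Processing Access-Accept": "aaa_accept",
    "Reached Max EAP-Identity Request retries": "client_timeout",
}


def summarize(log):
    """Return {client_mac: summary} for a `debug client` capture."""
    clients = {}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # blank lines and anything that is not a debug record
        c = clients.setdefault(
            m["mac"], {"challenges": 0, "methods": set(), "events": []})
        msg = m["msg"]
        if "Processing Access-Challenge" in msg:
            c["challenges"] += 1  # one RADIUS round trip with the AAA server
        for fragment, outcome in OUTCOMES.items():
            if fragment in msg:
                c["events"].append((m["ts"], outcome))
        eap = re.search(r"EAP Type (\d+)", msg)
        if eap:
            n = int(eap.group(1))
            c["methods"].add(EAP_METHODS.get(n, "type %d" % n))
    return clients


def first_outcome(summary):
    """The earliest terminal event decides where to look next."""
    return summary["events"][0][1] if summary["events"] else "incomplete"
```

An `aaa_reject` that precedes the `client_timeout` means the RADIUS server made the decision, so the reason is in that server's log rather than on the controller.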
