05-13-2024 11:22 PM
Hello all,
We are using a 5520 WLC (8.10.190.0) and APs in FlexConnect mode.
Currently we have migrated to a captive portal for the guest authentication.
Users are getting authenticated but they are not getting an IP address; in Cisco ISE the user is authenticated.
*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255,URL ACL Action 0)
*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Updating info change db with CMX bitmap 0x0000
*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Successfully Plumbed PTK session Keysfor mobile d8:fc:93:ba:c5:4d
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Setting Mobility ReasonCode from (0) to (147)
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local
Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.69.16.4
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Resetting Mobility reasonCode
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Resetting client reasonCode
*apfReceiveTask: May 14 06:10:20.422: [PA] oofc:93:ba:c5:4s pemAdvanceState2 (pem_api.c:6878) Changing state for mobile d8:fc:93:ba:c5:4d on AP c8:84:a1:3b:79:60 from Associated to Associated
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Mobility peer ip is 0, failed to get session type
*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP c8:84:a1:3b:79:60, slot 1, interface = 8, QOS = 3
Regards,
Anjana
05-13-2024 11:34 PM
- You can have the mentioned client debugs analyzed with: Wireless Debug Analyzer
Preferably take a sufficiently long snapshot (debugging output).
M.
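A quick offline triage of debug output in the format posted above, as an added example that is not part of the original thread and is not Cisco's Wireless Debug Analyzer. It follows each client's policy state across the lines and lists clients whose last logged state is still DHCP_REQD with address 0.0.0.0; the function names and the sample lines (MACs, IPs, the RUN line) are constructed for illustration.

```python
import re

# Matches only debug lines that carry "<client> <ip> <STATE> (<code>)".
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): (?:\[PA\] )?"
    r"(?P<client>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<state>[A-Z0-9_]+) \((?P<code>\d+)\) (?P<msg>.*)$"
)

# Constructed sample in the format of the debug output posted above.
# MAC and IP values are placeholders, not taken from the thread.
SAMPLE = """\
*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] 02:00:00:00:00:01 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255)
*apfReceiveTask: May 14 06:10:20.422: [PA] 02:00:00:00:00:01 Resetting client reasonCode
*apfReceiveTask: May 14 06:10:20.422: [PA] 02:00:00:00:00:01 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
*apfReceiveTask: May 14 06:11:02.110: [PA] 02:00:00:00:00:02 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
*DHCP Socket Task: May 14 06:11:03.250: [PA] 02:00:00:00:00:02 192.0.2.10 RUN (20) Replacing Fast Path rule
"""

def trace(text):
    """Return {client: {"states": [...], "ip": last_ip, "last_ts": ts}}."""
    clients = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines and lines without a state field
        c = clients.setdefault(m["client"], {"states": [], "ip": None, "last_ts": None})
        label = f'{m["state"]} ({m["code"]})'
        if not c["states"] or c["states"][-1] != label:
            c["states"].append(label)  # record transitions only
        c["ip"], c["last_ts"] = m["ip"], m["ts"]
    return clients

def waiting_for_dhcp(text):
    """Clients whose last logged state is DHCP_REQD with no learned address."""
    return sorted(
        mac for mac, c in trace(text).items()
        if c["states"][-1].startswith("DHCP_REQD") and c["ip"] == "0.0.0.0"
    )

if __name__ == "__main__":
    for mac, c in trace(SAMPLE).items():
        print(mac, " -> ".join(c["states"]), c["ip"], c["last_ts"])
    print("no address learned:", waiting_for_dhcp(SAMPLE))
```

The client token is matched as any non-space string, so lines with masked or partially redacted MAC addresses are still grouped per client.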
05-13-2024 11:55 PM
I would cross-check the config on the ISE authentication and authorization settings.
Where is the DHCP server? Are you able to reach the DHCP server from the WLC?
How is the authentication mechanism set up? Check the settings.
Check DHCP requirement:
05-14-2024 05:53 AM
Go through the guides and make sure you haven't missed anything.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html
https://community.cisco.com/t5/wireless-mobility-knowledge-base/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101
In particular - make sure you have CoA (RFC3576) enabled and any ACLs/firewalls allow the CoA packets from ISE to WLC.