
Problems authenticating clients via LDAP authentication for WLAN 802.1

SAMM LEE
Frequent Visitor

Problems authenticating clients via LDAP authentication for WLAN 802.1.

It is not possible to authenticate users directly to the DA via LDAP.

The steps of the guide are followed but the integration is not achieved. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/211277-WLC-with-LDAP-Authentication-Configurati.html

On the client side, it connects via PEAP by any connect.

 

Aug 22 14:36:51.697 *apfMsConnTask_0 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Aug 22 14:36:51.697 *apfMsConnTask_0 The Reassociation Request from the client comes with 0 PMKID
Aug 22 14:36:51.697 *apfMsConnTask_0 The Reassociation Request from the client comes with 0 PMKID
Aug 22 14:36:51.697 *apfMsConnTask_0 Client is entering the 802.1x or PSK Authentication state
Aug 22 14:36:51.697 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Aug 22 14:36:51.711 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:36:51.931 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:36:57.025 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:02.146 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:02.190 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:07.252 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:07.305 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:12.368 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:12.420 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:17.473 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:17.525 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:22.579 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:22.627 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:27.679 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:27.731 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:32.768 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:32.819 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:37.873 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:37.923 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:42.965 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:43.022 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:48.068 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:48.118 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:53.168 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:53.219 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:37:58.268 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:37:58.316 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:03.374 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:03.429 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:08.472 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:08.524 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:13.569 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:13.618 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:18.675 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:18.729 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:23.781 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:23.847 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:28.914 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:34.020 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:34.068 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:38:36.849 *apfMsConnTask_0 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Aug 22 14:38:36.849 *apfMsConnTask_0 The Reassociation Request from the client comes with 0 PMKID
Aug 22 14:38:36.849 *apfMsConnTask_0 The Reassociation Request from the client comes with 0 PMKID
Aug 22 14:38:36.849 *apfMsConnTask_0 Client is entering the 802.1x or PSK Authentication state
Aug 22 14:38:36.849 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Aug 22 14:38:36.865 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:39:07.394 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:40:07.489 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M0
Aug 22 14:41:08.861 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M0
Aug 22 14:41:08.862 *Dot1x_NW_MsgTask_2 Client has been deauthenticated
Aug 22 14:41:19.082 *apfReceiveTask Client session has timed out
Aug 22 14:41:19.082 *apfReceiveTask Client expiration timer code set for 10 seconds. The reason: Client was marked for deletion, and it was on associated, power save or blacklist state. Other message would provide reason for delete
Aug 22 14:41:29.302 *apfReceiveTask Client session has timed out
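
A triage sketch for the debug output in the post above, added as an example and not part of the original thread: it splits the log at each Association Response and reports whether the 802.1X exchange ever logged anything beyond the EAP identity phase. The function names are hypothetical, and the sample is a shortened excerpt of the lines posted above.

```python
import re
from datetime import datetime

# Shortened excerpt of the debug lines posted above (not new data).
SAMPLE = """\
Aug 22 14:36:51.697 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Aug 22 14:36:51.711 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:36:51.931 *Dot1x_NW_MsgTask_2 Client sent EAP-Identity-Response to WLC/AP
Aug 22 14:36:57.025 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:38:36.849 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Aug 22 14:38:36.865 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:39:07.394 *Dot1x_NW_MsgTask_2 WLC/AP is sending EAP-Identity-Request to the client
Aug 22 14:41:08.862 *Dot1x_NW_MsgTask_2 Client has been deauthenticated
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+) \*(\S+) (.*)$")

def parse(text):
    """Yield (timestamp, task, message) for each recognisable debug line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m[1], "%b %d %H:%M:%S.%f"), m[2], m[3]

def summarize(text):
    """Split the log at each Association Response; describe each EAP phase."""
    sessions = []
    for ts, task, msg in parse(text):
        if "Association Response" in msg:
            sessions.append({"requests": [], "responses": 0, "other_dot1x": 0})
        elif sessions and task.startswith("Dot1x"):
            cur = sessions[-1]
            if "EAP-Identity-Request" in msg:
                cur["requests"].append(ts)
            elif "EAP-Identity-Response" in msg:
                cur["responses"] += 1
            elif "deauthenticated" not in msg:
                cur["other_dot1x"] += 1  # anything past the identity phase
    for s in sessions:
        reqs = s.pop("requests")
        gaps = [(b - a).total_seconds() for a, b in zip(reqs, reqs[1:])]
        s["request_count"] = len(reqs)
        s["max_gap_s"] = round(max(gaps), 3) if gaps else None
        # Repeated identity requests, nothing else from Dot1x: stuck in identity phase.
        s["stalled_at_identity"] = len(reqs) > 1 and s["other_dot1x"] == 0
    return sessions

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```
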

Mark Elsen
Hall of Fame

 

 - According to your controller model, verify: https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html and use a (the) recommended release. Check if that can help,

 M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)

Hi Marcel,

Thanks for your answer.

It is a WLC 5520 in version 8.5.182

 

 

 - As per my initial reply and looking at the mentioned document, that would come down to upgrading to https://software.cisco.com/download/specialrelease/bf886285a767f2f159f9b4cf288fe1b4 ; note that these days, as the AireOS-based platforms are getting older, it is always recommended to use the last (recommended) release that they can run,

 M.




Hi Marcel

 

I can't find anything indicating that WLC LDAP cannot be integrated for 802.1 in version 8.5.182.

I can't update; half of the APs are left out.

 

Thanks.

 

 - The upgrade is advised in earlier replies (reason for) and probably fixed numerous bugs too. If possible, APs should be modernized in the same context,

 M.


