
Regarding EAP-PEAP Lab

jain.manish94

Hello Team, 

I have a lab setup and there I want to configure EAP-PEAP for the corporate users of one of my SSIDs.

Can anyone help me set it up in the lab?

We can connect over Zoom.

 

Thanks

Manish Jain 


Hi

This is not necessary and I don't think this is the objective of this forum. The idea here is to share knowledge and learn.

You can easily set up EAP in your lab by following this document:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html

And then ask for specifics in case you didn't understand something.

 

 

I am doing the same but with no success; it is saying "cannot connect to this network".

On the WLC it is showing Policy Manager State -- Start.

From the WLC I can ping my ISE IP address successfully.

I have a domain-joined system in my lab and am still facing the issue.

Could you please help me to complete this?

 

 

Alright, we can help you.

Tell me more about your lab:

Which WLC are you using, and which version?

Which ISE version?

Some steps you had to accomplish, just to make sure:

Did you create the SSID already? Can the clients see it?

If you try to connect, do you get any error message?

 

 

See this.

(Cisco Controller) >*apfMsConnTask_0: Mar 29 15:04:28.721: bc:62:ce:54:30:c5 Adding mobile on LWAPP AP 58:97:1e:ec:ff:a0(1)
*apfMsConnTask_0: Mar 29 15:04:28.721: bc:62:ce:54:30:c5 Association received from mobile on AP 58:97:1e:ec:ff:a0
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 START (0) Changing ACL 'TKRM-AD-LOGIN' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Applying site-specific IPv6 override for station bc:62:ce:54:30:c5 - vapId 1, site 'Prague', interface 'management'
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Applying IPv6 Interface Policy for station bc:62:ce:54:30:c5 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Processing RSN IE type 48, length 20 for mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Received RSN IE with 0 PMKIDs from mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 apfMsAssoStateInc
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Idle to Associated

*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 Sending Assoc Response to station on BSSID 58:97:1e:ec:ff:a0 (status 0) ApVapId 1 Slot 1
*apfMsConnTask_0: Mar 29 15:04:28.722: bc:62:ce:54:30:c5 apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Associated

*dot1xMsgTask: Mar 29 15:04:28.725: bc:62:ce:54:30:c5 Station bc:62:ce:54:30:c5 setting dot1x reauth timeout = 36000
*dot1xMsgTask: Mar 29 15:04:28.726: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*dot1xMsgTask: Mar 29 15:04:28.726: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.747: bc:62:ce:54:30:c5 Received EAPOL START from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.747: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.747: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.751: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.751: bc:62:ce:54:30:c5 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.754: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Received Identity Response (count=2) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 EAP State update from Connecting to Authenticating for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Authenticating state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Entering Backend Auth Response state for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_USER_NAME(1) index=0

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLING_STATION_ID(31) index=1

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLED_STATION_ID(30) index=2

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT(5) index=3

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_VAP_ID(1) index=7

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_SERVICE_TYPE(6) index=8

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_FRAMED_MTU(12) index=9

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_EAP_MESSAGE(79) index=11

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Adding AAA_ATT_MESS_AUTH(80) index=12

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 AAA EAP Packet created request = 0x1a1bf1c4.. !!!!

*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Sending EAP Attribute (code=2, length=11, id=2) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: 00000000: 02 02 00 0b 01 6d 61 6e 69 73 68 .....manish
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.757: bc:62:ce:54:30:c5 [BE-req] Radius EAP/Local WLAN 1.
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.757: bc:62:ce:54:30:c5 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 29 15:04:28.758: bc:62:ce:54:30:c5 [BE-resp] AAA response 'Authentication Failed'
*radiusTransportThread: Mar 29 15:04:28.758: bc:62:ce:54:30:c5 [BE-resp] Returning AAA response
*radiusTransportThread: Mar 29 15:04:28.758: bc:62:ce:54:30:c5 AAA Message 'Authentication Failed' received for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.759: bc:62:ce:54:30:c5 Processing Access-Reject for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.760: bc:62:ce:54:30:c5 Removing PMK cache due to EAP-Failure for mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.760: bc:62:ce:54:30:c5 Sending EAP-Failure to mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.760: bc:62:ce:54:30:c5 Entering Backend Auth Failure state (id=-1) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.760: bc:62:ce:54:30:c5 Setting quiet timer for 5 seconds for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.760: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Unknown state
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Association received from mobile on AP 58:97:1e:ec:ff:a0
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Applying site-specific IPv6 override for station bc:62:ce:54:30:c5 - vapId 1, site 'Prague', interface 'management'
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Applying IPv6 Interface Policy for station bc:62:ce:54:30:c5 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Processing RSN IE type 48, length 20 for mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Received RSN IE with 0 PMKIDs from mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1
*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Associated

*apfMsConnTask_0: Mar 29 15:04:29.452: bc:62:ce:54:30:c5 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 29 15:04:29.453: bc:62:ce:54:30:c5 Sending Assoc Response to station on BSSID 58:97:1e:ec:ff:a0 (status 0) ApVapId 1 Slot 1
*apfMsConnTask_0: Mar 29 15:04:29.453: bc:62:ce:54:30:c5 apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Associated

*dot1xMsgTask: Mar 29 15:04:29.455: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*dot1xMsgTask: Mar 29 15:04:29.456: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.478: bc:62:ce:54:30:c5 Received EAPOL START from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.478: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.478: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.481: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.481: bc:62:ce:54:30:c5 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.483: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Received Identity Response (count=2) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 EAP State update from Connecting to Authenticating for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Authenticating state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Entering Backend Auth Response state for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_USER_NAME(1) index=0

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLING_STATION_ID(31) index=1

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLED_STATION_ID(30) index=2

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT(5) index=3

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.484: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_VAP_ID(1) index=7

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_SERVICE_TYPE(6) index=8

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_FRAMED_MTU(12) index=9

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_EAP_MESSAGE(79) index=11

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Adding AAA_ATT_MESS_AUTH(80) index=12

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 AAA EAP Packet created request = 0x1a1bf1c4.. !!!!

*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 Sending EAP Attribute (code=2, length=11, id=2) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: 00000000: 02 02 00 0b 01 6d 61 6e 69 73 68 .....manish
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.485: bc:62:ce:54:30:c5 [BE-req] Radius EAP/Local WLAN 1.
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.486: bc:62:ce:54:30:c5 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 29 15:04:29.487: bc:62:ce:54:30:c5 [BE-resp] AAA response 'Authentication Failed'
*radiusTransportThread: Mar 29 15:04:29.487: bc:62:ce:54:30:c5 [BE-resp] Returning AAA response
*radiusTransportThread: Mar 29 15:04:29.487: bc:62:ce:54:30:c5 AAA Message 'Authentication Failed' received for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.488: bc:62:ce:54:30:c5 Processing Access-Reject for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.488: bc:62:ce:54:30:c5 Removing PMK cache due to EAP-Failure for mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.488: bc:62:ce:54:30:c5 Sending EAP-Failure to mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.488: bc:62:ce:54:30:c5 Entering Backend Auth Failure state (id=-1) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.488: bc:62:ce:54:30:c5 Setting quiet timer for 5 seconds for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:29.489: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Unknown state
*osapiBsnTimer: Mar 29 15:04:34.336: bc:62:ce:54:30:c5 802.1x 'quiteWhile' Timer expired for station bc:62:ce:54:30:c5 and for message = M0
*dot1xMsgTask: Mar 29 15:04:34.336: bc:62:ce:54:30:c5 quiet timer completed for mobile bc:62:ce:54:30:c5
*dot1xMsgTask: Mar 29 15:04:34.336: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*dot1xMsgTask: Mar 29 15:04:34.336: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 1)
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Association received from mobile on AP 58:97:1e:ec:ff:a0
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Applying site-specific IPv6 override for station bc:62:ce:54:30:c5 - vapId 1, site 'Prague', interface 'management'
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Applying IPv6 Interface Policy for station bc:62:ce:54:30:c5 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Processing RSN IE type 48, length 20 for mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Received RSN IE with 0 PMKIDs from mobile bc:62:ce:54:30:c5
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 29 15:04:37.504: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 58:97:1e:ec:ff:a0 vapId 1 apVapId 1
*apfMsConnTask_0: Mar 29 15:04:37.505: bc:62:ce:54:30:c5 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Associated

*apfMsConnTask_0: Mar 29 15:04:37.505: bc:62:ce:54:30:c5 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 29 15:04:37.505: bc:62:ce:54:30:c5 Sending Assoc Response to station on BSSID 58:97:1e:ec:ff:a0 (status 0) ApVapId 1 Slot 1
*apfMsConnTask_0: Mar 29 15:04:37.505: bc:62:ce:54:30:c5 apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Associated

*dot1xMsgTask: Mar 29 15:04:37.507: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*dot1xMsgTask: Mar 29 15:04:37.508: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.546: bc:62:ce:54:30:c5 Received EAPOL START from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.546: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Connecting state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.546: bc:62:ce:54:30:c5 Sending EAP-Request/Identity to mobile bc:62:ce:54:30:c5 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.550: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.550: bc:62:ce:54:30:c5 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.552: bc:62:ce:54:30:c5 Received EAPOL EAPPKT from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.552: bc:62:ce:54:30:c5 Received Identity Response (count=2) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.552: bc:62:ce:54:30:c5 EAP State update from Connecting to Authenticating for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Authenticating state
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Entering Backend Auth Response state for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_USER_NAME(1) index=0

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLING_STATION_ID(31) index=1

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_CALLED_STATION_ID(30) index=2

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT(5) index=3

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_VAP_ID(1) index=7

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.553: bc:62:ce:54:30:c5 Adding AAA_ATT_SERVICE_TYPE(6) index=8

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 Adding AAA_ATT_FRAMED_MTU(12) index=9

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 Adding AAA_ATT_EAP_MESSAGE(79) index=11

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 Adding AAA_ATT_MESS_AUTH(80) index=12

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 AAA EAP Packet created request = 0x1a1bf1c4.. !!!!

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 Sending EAP Attribute (code=2, length=11, id=2) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: 00000000: 02 02 00 0b 01 6d 61 6e 69 73 68 .....manish
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 [BE-req] Radius EAP/Local WLAN 1.
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 29 15:04:37.556: bc:62:ce:54:30:c5 [BE-resp] AAA response 'Authentication Failed'
*radiusTransportThread: Mar 29 15:04:37.556: bc:62:ce:54:30:c5 [BE-resp] Returning AAA response
*radiusTransportThread: Mar 29 15:04:37.556: bc:62:ce:54:30:c5 AAA Message 'Authentication Failed' received for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.556: bc:62:ce:54:30:c5 Processing Access-Reject for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 Removing PMK cache due to EAP-Failure for mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 Sending EAP-Failure to mobile bc:62:ce:54:30:c5 (EAP Id -1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 Entering Backend Auth Failure state (id=-1) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Exclusion-list (1)

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 Scheduling deletion of Mobile Station: (callerId: 44) in 10 seconds
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.558: bc:62:ce:54:30:c5 0.0.0.0 8021X_REQD (3) Change state to START (0) last state 8021X_REQD (3)

*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.558: bc:62:ce:54:30:c5 0.0.0.0 START (0) Reached FAILURE: from line 4049
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.559: bc:62:ce:54:30:c5 Scheduling deletion of Mobile Station: (callerId: 9) in 10 seconds
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.559: bc:62:ce:54:30:c5 Max AAA failure for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.559: bc:62:ce:54:30:c5 Setting quiet timer for 5 seconds for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.559: bc:62:ce:54:30:c5 dot1x - moving mobile bc:62:ce:54:30:c5 into Unknown state
*apfMsConnTask_0: Mar 29 15:04:38.121: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:38.426: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:38.739: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:39.051: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:39.408: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:39.709: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:40.022: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Mar 29 15:04:40.335: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*osapiBsnTimer: Mar 29 15:04:42.535: bc:62:ce:54:30:c5 802.1x 'quiteWhile' Timer expired for station bc:62:ce:54:30:c5 and for message = M0
*apfMsConnTask_0: Mar 29 15:04:44.702: bc:62:ce:54:30:c5 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*osapiBsnTimer: Mar 29 15:04:47.536: bc:62:ce:54:30:c5 apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Mar 29 15:04:47.536: bc:62:ce:54:30:c5 Scheduling deletion of Mobile Station: (callerId: 46) in 60 seconds
*apfReceiveTask: Mar 29 15:04:47.536: bc:62:ce:54:30:c5 apfMsExpireMobileStation (apf_ms.c:5143) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Exclusion-list (1) to Exclusion-list (2)

*apfReceiveTask: Mar 29 15:04:47.536: bc:62:ce:54:30:c5 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Mar 29 15:04:47.536: bc:62:ce:54:30:c5 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [58:97:1e:ec:ff:a0]
*spamReceiveTask: Mar 29 15:04:57.682: bc:62:ce:54:30:c5 Received Idle-Timeout from AP 58:97:1e:ec:ff:a0, slot 1 for STA bc:62:ce:54:30:c5
*spamReceiveTask: Mar 29 15:04:57.682: bc:62:ce:54:30:c5 Ignoring delete request from AP due to mobile in exclusion list or marked for deletion already

(Cisco Controller) >

 

 

--------------------------------------------------------------------------------------------------------

Which WLC are you using, and which version?   ---- model 4402 / 7.0 version

Which ISE version?   --- 3.0

Some steps you had to accomplish, just to make sure:

Did you create the SSID already? Can the clients see it?  -- It is already there.

If you try to connect, do you get any error message?  -- pasted. 
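Added example, not part of the original thread: a Python parser for `debug client` output like the log pasted above. It decodes the EAP hexdump line, pairs each RADIUS request with its AAA response, and flags requests that were rejected on the bare Identity response, before any PEAP exchange started. The function names are hypothetical, and the sample lines are copied from the first and third attempts in the post.

```python
import re

# Sample input: lines copied from the first and third attempts in the debug
# output above, trimmed to the events this parser looks at.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.755: bc:62:ce:54:30:c5 Received Identity Response (count=2) from mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: bc:62:ce:54:30:c5 Sending EAP Attribute (code=2, length=11, id=2) for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.756: 00000000: 02 02 00 0b 01 6d 61 6e 69 73 68 .....manish
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.757: bc:62:ce:54:30:c5 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 29 15:04:28.758: bc:62:ce:54:30:c5 [BE-resp] AAA response 'Authentication Failed'
*Dot1x_NW_MsgTask_0: Mar 29 15:04:28.759: bc:62:ce:54:30:c5 Processing Access-Reject for mobile bc:62:ce:54:30:c5
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: 00000000: 02 02 00 0b 01 6d 61 6e 69 73 68 .....manish
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.554: bc:62:ce:54:30:c5 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: Mar 29 15:04:37.556: bc:62:ce:54:30:c5 [BE-resp] AAA response 'Authentication Failed'
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.557: bc:62:ce:54:30:c5 apfBlacklistMobileStationEntry2 (apf_ms.c:4296) Changing state for mobile bc:62:ce:54:30:c5 on AP 58:97:1e:ec:ff:a0 from Associated to Exclusion-list (1)
*Dot1x_NW_MsgTask_0: Mar 29 15:04:37.559: bc:62:ce:54:30:c5 Max AAA failure for mobile bc:62:ce:54:30:c5
"""

# "*task: Mon DD HH:MM:SS.mmm: message"; search() tolerates a CLI prompt prefix.
LINE = re.compile(r"\*(\w+): \w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)")
HEXDUMP = re.compile(r"^[0-9a-f]{8}: ((?:[0-9a-f]{2} )+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}


def decode_eap(hex_bytes):
    """Decode the EAP header (RFC 3748) from one hexdump line."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 5:
        return None
    pkt = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
           "length": int.from_bytes(raw[2:4], "big"),
           "type": EAP_TYPES.get(raw[4], raw[4])}
    if raw[4] == 1:  # Identity: the remaining bytes are the outer username
        pkt["identity"] = raw[5:pkt["length"]].decode("ascii", "replace")
    return pkt


def summarize(log_text):
    """Return one record per RADIUS request found in the debug output."""
    attempts, last_eap, current = [], None, None
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        h, mi, s, ms, msg = (*map(int, m.group(2, 3, 4, 5)), m.group(6))
        now = ((h * 60 + mi) * 60 + s) * 1000 + ms  # milliseconds since midnight
        dump = HEXDUMP.match(msg)
        if dump:
            last_eap = decode_eap(dump.group(1))
        elif "Sending auth request to 'RADIUS'" in msg:
            current = {"sent_ms": now, "eap": last_eap, "result": None,
                       "rtt_ms": None, "excluded": False}
            attempts.append(current)
        elif current and "AAA response '" in msg:
            current["result"] = msg.split("'")[1]
            current["rtt_ms"] = now - current["sent_ms"]
        elif current and "to Exclusion-list (1)" in msg:
            current["excluded"] = True
    return attempts


def rejected_before_method(attempt):
    """True when the reject answered the bare Identity response, so no
    PEAP/TLS negotiation took place for this request."""
    eap = attempt["eap"] or {}
    return (attempt["result"] == "Authentication Failed"
            and eap.get("type") == "Identity")


if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(a["eap"], a["result"], f'{a["rtt_ms"]} ms',
              "rejected on Identity" if rejected_before_method(a) else "",
              "client excluded" if a["excluded"] else "")
```

On the log in this thread every request is rejected on the Identity response, so the RADIUS server's own authentication log for this client and NAS is where the reject reason will be recorded.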

 

Hmmm... it seems to me that ISE 3.0 does not support this WLC version.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/compatibility_doc/b_ise_sdt_30.html 

 

 

Really, are you sure?

Because in that case I can discuss it with my manager and say that this is not my fault and that this is ISE behaviour.

Yes, I am sure. The Cisco WLC 4400 is pretty old stuff, pretty old. If you are working in a lab environment, I recommend you consider a virtual WLC, which will cost you nothing and lets you use a newer version.

Don't waste your time doing a lab with a 4400 and version 7.0; it is not worth it.

Whether it is a virtual or physical appliance, it will not work, correct?

I mean to say 2 4400 WLCs and 1 ISE with version 3.0.

I suggest virtual because you can use a newer version, and for a lab environment you don't need to buy anything up front.

But you can also downgrade the ISE and use your physical WLC, which is a bad idea in my opinion.

I totally agree with you, but there are some limitations at the site where we are going to use two WLC 4400s and one Cisco ISE 3.0, so what would you suggest here? You mean to say we can use it if I downgrade my Cisco ISE to 2.7? For some time?

If you don't mind, can you please give me your WhatsApp number, in case I need to ask anything?
