
Users are not being authenticated on WLC 2504 anchor controller

Hi Guys,


I am currently busy with a project to implement a WLC 2504 anchor controller for guest WiFi. The foreign controller is a WLC 5508 and the anchor controller is currently in the DMZ behind a firewall. The tunnel is up between the two controllers and we are using PSK authentication for testing.


The issue that we are currently experiencing is that when a user joins the guest WiFi and enters the PSK, the user's connection gets dropped after a few seconds. On the foreign controller, I can see the user joining the guest WiFi SSID, but on the anchor controller there's no information on the connection.


Below are the logs for the user's connectivity:

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00 Anchor Export Request Recvd for mobile 30:07:4d:59:00:00 from type : 16 subtype : 0 seq no : 65090 xid : 291588
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00mmAnchorExportRcv: Extracting mmPayloadExportForeignLradMac
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00IPv6 ACl Name is none

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:0Created Acct-Session-ID (386d6f7b/30:07:4d:59:00:00/79) for the mobile
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Adding mobile on Remote AP 00:00:00:00:00:00(0)
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00 mmAnchorExportRcv:, Mobility role is Unassoc
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00mmAnchorExportRcv Ssid=Guest_Wifi Security Policy=0x40006040

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Scheduling deletion of Mobile Station: (callerId: 69) in 1 seconds
*osapiBsnTimer: Jan 01 03:07:40.345: 30:07:4d:59:00:00 apfMsExpireCallback (apf_ms.c:639) Expiring Mobile!
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00: START (0) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00]
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 Deleting mobile on AP 00:00:00:00:00:00(0)


Your assistance will be greatly appreciated.



VIP Collaborator

My first guess is the WLANs on the foreign and anchor controller do not match.

They need to be equally configured.


Hi Pieter,


That's the first thing I checked and even reconfigured the WLANs on both controllers. The debug logs were the same when we switched between layer 2 and layer 3 authentication methods.


I have the same problem...

First: we had AAA 802.1X auth in the anchor.

For testing, and to avoid issues in AAA, we have now changed it to normal WPA2/PSK to test if the problem was the auth, but same result.


I think that we need to resolve the problem in WPA2/PSK first, but then:

Is L2 authentication (dot1x) passed through the EoIP tunnel to the anchor?

In other words:

Does L2 authentication occur in the anchor or in the foreign? I have read contradictory opinions about it.

CCNP R&S, CCNP Security, CCNA CyberOps

Hi GPinero,

That's correct. Upon further investigation (debug client mac-address) on both the foreign and anchor WLCs, we realized that the anchor controller receives the request from the client and is authenticated using a PSK, but the client is dropped shortly afterwards.

I have logged a TAC call with Cisco. The logs have been sent and they are currently investigating the fault. I will let you know the outcome of the investigation.
