Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
587
Views
0
Helpful
4
Replies
Highlighted
duane2015
Beginner
Beginner
‎05-22-2019 05:19 AM
‎05-22-2019 05:19 AM

Users are not being authenticated on WLC 2504 anchor controller

Hi Guys,

 

I am currently busy with a project to implement a wlc 2504 anchor controller for guest wifi. The foreign controller is a wlc 5508 and the anchor controller is currently in the dmz behind a firewall. The tunnel is up up between the two controllers and we are using PSK authentication for testing.

 

The issue that we are currently experiencing, is when a user joins the guest wifi and enter the PSK, the users connection gets dropped after a few seconds. On the foreign controller, i can see the user joining the guest wiif ssid but on the anchor controller, theres no information on the connection.

 

Below is the logs for the users connectivity:

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00 Anchor Export Request Recvd for mobile 30:07:4d:59:00:00 from 196.0.0.1 type : 16 subtype : 0 seq no : 65090 xid : 291588
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00mmAnchorExportRcv: Extracting mmPayloadExportForeignLradMac
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00IPv6 ACl Name is none

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:0Created Acct-Session-ID (386d6f7b/30:07:4d:59:00:00/79) for the mobile
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Adding mobile on Remote AP 00:00:00:00:00:00(0)
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00 mmAnchorExportRcv:, Mobility role is Unassoc
.
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00mmAnchorExportRcv Ssid=Guest_Wifi Security Policy=0x40006040

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Scheduling deletion of Mobile Station: (callerId: 69) in 1 seconds
*osapiBsnTimer: Jan 01 03:07:40.345: 30:07:4d:59:00:00 apfMsExpireCallback (apf_ms.c:639) Expiring Mobile!
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:000.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00]
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 Deleting mobile on AP 00:00:00:00:00:00(0)

 

Your assistance will be greatly appreciated.

 

 

Labels:
1 person had this problem
0 Helpful
Reply
4 REPLIES 4
Highlighted
pieterh
VIP Collaborator VIP Collaborator
VIP Collaborator
‎05-22-2019 06:15 AM
‎05-22-2019 06:15 AM

my first guess is the WLANs on the foreign and anchor controller do not match.

they need to be equally configured.

0 Helpful
Reply
Highlighted
duane2015
Beginner
Beginner
In response to pieterh
‎05-22-2019 11:58 AM
‎05-22-2019 11:58 AM

Hi Pieter,

 

That's the first thing I checked and even reconfigured the WLANs on both controllers. The debug logs were the same when we switched between layer 2 and layer 3 authentication methods.

0 Helpful
Reply
Highlighted
gpinero
Beginner
Beginner
In response to duane2015
‎05-25-2019 01:18 AM
‎05-25-2019 01:18 AM

I have the same problem...

First: We had aaa 802.1x auth in the anchor

For testing and avoid issues in aaa, now we change it to normal WPA2/PSK to test if the problem was the auth but same result

 

I think that we need to resolv the problem in WPA2/PSK first but then

L2 authentication dot1x is passed throught the EoIP tunnel to the anchor?

in other words:

L2 authentications occurs in the anchor or in the foreign? I read contradictory opinions about

CCNP R&S, CCNP Security, CCNA CyberOps
0 Helpful
Reply
Highlighted
duane2015
Beginner
Beginner
In response to gpinero
‎05-26-2019 11:07 PM
‎05-26-2019 11:07 PM

Hi GPinero,



That's correct. Upon further investigations (debug client mac-address) on both the Foreign-and-Anchor wlc. We realized that the Anchor controller receives the request from the client and is authenticated using a PSK but the client is dropped shortly afterwards.



I have logged a TAC call with Cisco. The logs have been sent and they currently investigating the fault. I will let you know the outcome of the investigation.


0 Helpful
Reply
Latest Contents
Cisco AP AIR-CAP702I-E-K9
Created by sahara101 on 02-18-2021 05:39 AM
0
0
0
0
 Hello Community, I have an issue where APs do not connect to the WLC. Connection is made over VPN. Until yesterday all 3 APfailed with below errors. We change the LAN connection to a cisco router and now one of the AP magically connected to the... view more
Wireless Config Analyzer Express v 0.5.9
Created by Javier Contreras on 02-15-2021 09:27 AM
3
15
3
15
Where to download Attached files on this post Alternatively, cloud version (only summaries) General information: New implementation for the WLC Config Analyzer. it is a new re-write of the application, with clean up and improved checks Support for IOS... view more
**New Episode** Cisco Champion Radio: S8|E6 Fastlane+ Optimi...
Created by aalesna on 02-09-2021 10:20 AM
0
0
0
0
Cisco Champion Radio · S8|E6: Fastlane+ Optimizes Network and Device Communication Cisco Fastlane+ is a co-developed solution with Apple that significantly improves the experience of any Wi-Fi 6 capable iPhone or iPad connected to a Cisco Catalyst 9130 A... view more
IOS-XE 17.4.1 Blog
Created by SAY on 01-26-2021 12:19 AM
1
10
1
10
We are pleased to announce the immediate availability of the IOS-XE release 17.4.1 for the Catalyst Wireless Controllers. The new code is now posted on the CCO and can be found at this link: https://software.cisco.com/download/home/286316412/type/28204647... view more
How to manually connect a Cisco WLC to Cisco DNA Center for ...
Created by Richard Jang on 01-14-2021 05:50 PM
0
15
0
15
Table of Contents   Overview The purpose of this document is to provide step-by-step instructions regarding how to connect your read-only Catalyst 9800 WLC or AireOS WLC with Cisco DNA Center for Assurance monitoring through manual configuration. I... view more
Content for Community-Ad