Re: Users are not being authenticated on WLC 2504 anchor controller

DuaBell · ‎05-22-2019

Hi Guys,

I am currently busy with a project to implement a wlc 2504 anchor controller for guest wifi. The foreign controller is a wlc 5508 and the anchor controller is currently in the dmz behind a firewall. The tunnel is up up between the two controllers and we are using PSK authentication for testing.

The issue that we are currently experiencing, is when a user joins the guest wifi and enter the PSK, the users connection gets dropped after a few seconds. On the foreign controller, i can see the user joining the guest wiif ssid but on the anchor controller, theres no information on the connection.

Below is the logs for the users connectivity:

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00 Anchor Export Request Recvd for mobile 30:07:4d:59:00:00 from 196.0.0.1 type : 16 subtype : 0 seq no : 65090 xid : 291588
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00mmAnchorExportRcv: Extracting mmPayloadExportForeignLradMac
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.507: 30:07:4d:59:00:00IPv6 ACl Name is none

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:0Created Acct-Session-ID (386d6f7b/30:07:4d:59:00:00/79) for the mobile
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Adding mobile on Remote AP 00:00:00:00:00:00(0)
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00 mmAnchorExportRcv:, Mobility role is Unassoc
.
*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00mmAnchorExportRcv Ssid=Guest_Wifi Security Policy=0x40006040

*Dot1x_NW_MsgTask_0: Jan 01 03:07:39.508: 30:07:4d:59:00:00Scheduling deletion of Mobile Station: (callerId: 69) in 1 seconds
*osapiBsnTimer: Jan 01 03:07:40.345: 30:07:4d:59:00:00 apfMsExpireCallback (apf_ms.c:639) Expiring Mobile!
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:000.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00]
*apfReceiveTask: Jan 01 03:07:40.345: 30:07:4d:59:00:00 Deleting mobile on AP 00:00:00:00:00:00(0)

Your assistance will be greatly appreciated.

pieterh · ‎05-22-2019

my first guess is the WLANs on the foreign and anchor controller do not match.

they need to be equally configured.

DuaBell · ‎05-22-2019

Hi Pieter,

That's the first thing I checked and even reconfigured the WLANs on both controllers. The debug logs were the same when we switched between layer 2 and layer 3 authentication methods.

gpinero · ‎05-25-2019

I have the same problem...

First: We had aaa 802.1x auth in the anchor

For testing and avoid issues in aaa, now we change it to normal WPA2/PSK to test if the problem was the auth but same result

I think that we need to resolv the problem in WPA2/PSK first but then

L2 authentication dot1x is passed throught the EoIP tunnel to the anchor?

in other words:

L2 authentications occurs in the anchor or in the foreign? I read contradictory opinions about

CCNP R&S, CCNP Security, CCNA CyberOps

DuaBell · ‎05-26-2019

Hi GPinero,

That's correct. Upon further investigations (debug client mac-address) on both the Foreign-and-Anchor wlc. We realized that the Anchor controller receives the request from the client and is authenticated using a PSK but the client is dropped shortly afterwards.

I have logged a TAC call with Cisco. The logs have been sent and they currently investigating the fault. I will let you know the outcome of the investigation.