04-25-2017 05:43 AM - edited 07-05-2021 06:56 AM
Guest user is not able to log in. I am using LWA using ISE.
WLC 2112 with version 7.0.240.0, Cisco ISE 2.x
Client is getting the webauth page (which is in WLC itself) but failing with error username/password invalid.
WLC logs:
(WLC1) >debug client 3C:BB:FD:60:BB:41
(WLC1) >*DHCP Proxy Task: Apr 25 14:26:36.135: 64:80:99:be:32:c8 DHCP server id: 1.1.1.1 rcvd server id: 10.75.80.1
*emWeb: Apr 25 14:30:11.442: 3c:bb:fd:60:bb:41 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
*emWeb: Apr 25 14:30:11.443: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Apr 25 14:30:12.437: 3c:bb:fd:60:bb:41 apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Apr 25 14:30:12.437: 3c:bb:fd:60:bb:41 apfMsExpireMobileStation (apf_ms.c:5021) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Disassociated
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 Sent Deauthenticate to mobile on BSSID 00:3a:99:b5:d9:70 slot 0(caller apf_ms.c:5113)
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 apfMsAssoStateDec
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 apfMsExpireMobileStation (apf_ms.c:5151) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Disassociated to Idle
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [00:3a:99:b5:d9:70]
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 Deleting mobile on AP 00:3a:99:b5:d9:70(0)
*pemReceiveTask: Apr 25 14:30:12.461: 3c:bb:fd:60:bb:41 172.28.75.227 Removed NPU entry.
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Adding mobile on LWAPP AP 00:3a:99:b5:d9:70(0)
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Association received from mobile on AP 00:3a:99:b5:d9:70
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Applying site-specific IPv6 override for station 3c:bb:fd:60:bb:41 - vapId 4, site 'default-group', interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Applying IPv6 Interface Policy for station 3c:bb:fd:60:bb:41 - vlan 172, interface id 7, interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfMsAssoStateInc
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Idle to Associated
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 49) in 65535 seconds
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Sending Assoc Response to station on BSSID 00:3a:99:b5:d9:70 (status 0) ApVapId 4 Slot 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4499, Adding TMP rule
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Fr
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Apr 25 14:30:12.712: 3c:bb:fd:60:bb:41 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:12.712: 3c:bb:fd:60:bb:41 Sent an XID frame
*DHCP Socket Task: Apr 25 14:30:13.332: 3c:bb:fd:60:bb:41 DHCP received op BOOTREQUEST (1) (len 322,vlan 80, port 1, encap 0xec03)
*DHCP Socket Task: Apr 25 14:30:13.333: 3c:bb:fd:60:bb:41 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*DHCP Socket Task: Apr 25 14:30:13.333: 3c:bb:fd:60:bb:41 DHCP selected relay 1 - 10.75.80.1 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:13.335: 3c:bb:fd:60:bb:41 DHCP chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:13.335: 3c:bb:fd:60:bb:41 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:13.336: 3c:bb:fd:60:bb:41 DHCP siaddr: 0.0.0.0, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:13.336: 3c:bb:fd:60:bb:41 DHCP requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP selected relay 2 - 10.75.80.3 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: Apr 25 14:30:13.338: 3c:bb:fd:60:bb:41 DHCP xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:13.338: 3c:bb:fd:60:bb:41 DHCP chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:13.339: 3c:bb:fd:60:bb:41 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:13.339: 3c:bb:fd:60:bb:41 DHCP siaddr: 10.75.80.1, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP sending REQUEST to 172.28.75.254 (len 366, port 1, vlan 172)
*DHCP Proxy Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 25 14:30:13.341: 3c:bb:fd:60:bb:41 DHCP setting server from ACK (server 10.75.80.1, yiaddr 172.28.75.227)
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 Adding Web RuleID 18969 for mobile 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemAdvanceState2 5253, Adding TMP rule
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 Plumbing web-auth redirect rule due to user logout
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 Assigning Address 172.28.75.227 to mobile
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP success event for client. Clearing dhcp failure count for interface guest.
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP sending REPLY to STA (len 418, port 1, vlan 80)
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP ACK (5)
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP chaddr: 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP ciaddr: 0.0.0.0, yiaddr: 172.28.75.227
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP server id: 1.1.1.1 rcvd server id: 10.75.80.1
*pemReceiveTask: Apr 25 14:30:13.364: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:13.365: 3c:bb:fd:60:bb:41 Sent an XID frame
*pemReceiveTask: Apr 25 14:30:13.365: 3c:bb:fd:60:bb:41 Sending a gratuitous ARP for 172.28.75.227, VLAN Id 172
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Association received from mobile on AP 00:3a:99:b5:d9:70
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Applying site-specific IPv6 override for station 3c:bb:fd:60:bb:41 - vapId 4, site 'default-group', interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Applying IPv6 Interface Policy for station 3c:bb:fd:60:bb:41 - vlan 172, interface id 7, interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 apfMs1xStateDec
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 START (0) Initializing policy
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 START (0) Change state to AUTHCHECK (2) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemApfAddMobileStation2 2844, Adding TMP rule
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Adding Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id = 2
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleting mobile policy rule 18969
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Adding Web RuleID 18971 for mobile 3c:bb:fd:60:bb:41
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemApfAddMobileStation2 2933, Adding TMP rule
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 49) in 65535 seconds
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Sending Assoc Response to station on BSSID 00:3a:99:b5:d9:70 (status 0) ApVapId 4 Slot 0
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated
*pemReceiveTask: Apr 25 14:30:41.960: 3c:bb:fd:60:bb:41 172.28.75.227 Removed NPU entry.
*pemReceiveTask: Apr 25 14:30:41.974: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:41.974: 3c:bb:fd:60:bb:41 Sent an XID frame
*pemReceiveTask: Apr 25 14:30:41.991: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:41.993: 3c:bb:fd:60:bb:41 Sent an XID frame
*DHCP Socket Task: Apr 25 14:30:42.672: 3c:bb:fd:60:bb:41 DHCP received op BOOTREQUEST (1) (len 322,vlan 80, port 1, encap 0xec03)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP selecting relay 1 - control block settings:
dhcpServer: 10.75.80.1, dhcpNetmask: 255.255.255.0,
dhcpGateway: 172.28.75.254, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP selected relay 1 - 10.75.80.1 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP xid: 0xc5a80192 (3316122002), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP siaddr: 0.0.0.0, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP selecting relay 2 - control block settings:
dhcpServer: 10.75.80.1, dhcpNetmask: 255.255.255.0,
dhcpGateway: 172.28.75.254, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 25 14:30:42.677: 3c:bb:fd:60:bb:41 DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 25 14:30:42.677: 3c:bb:fd:60:bb:41 DHCP sending REPLY to STA (len 418, port 1, vlan 80)
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP ACK (5)
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP xid: 0xc5a80192 (3316122002), secs: 0, flags: 0
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP chaddr: 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP ciaddr: 0.0.0.0, yiaddr: 172.28.75.227
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 25 14:30:42.679: 3c:bb:fd:60:bb:41 DHCP server id: 1.1.1.1 rcvd server id: 10.75.80.1
*emWeb: Apr 25 14:31:37.087: 3c:bb:fd:60:bb:41 Username entry (xyz) created for mobile, length = 7
*emWeb: Apr 25 14:31:37.088: 3c:bb:fd:60:bb:41 Username entry (xyz) created in mscb for mobile, length = 7
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Username entry deleted for mobile
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Plumbing web-auth redirect rule due to user logout
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleting mobile policy rule 18971
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Adding Web RuleID 18973 for mobile 3c:bb:fd:60:bb:41
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Web Authentication failure for station
*emWeb: Apr 25 14:31:37.090: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Reached ERROR: from line 5074
What could be the issue? Experts, please help me to resolve the issue!!
Thanks
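A way to read a debug like the one above quickly, as an added example that is not part of the original post: the Python below follows the "Change state to" transitions for one client MAC and reports where the client stopped. The sample lines are excerpted from the debug output above; the function name, the verdict wording and the RUN end state (which never appears in this debug) are this example's own.

```python
import re

# Lines excerpted from the "debug client" output in the post above.
SAMPLE_DEBUG = """\
*DHCP Proxy Task: Apr 25 14:26:36.135: 64:80:99:be:32:c8 DHCP server id: 1.1.1.1 rcvd server id: 10.75.80.1
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
type = Airespace AP Client - ACL passthru
*emWeb: Apr 25 14:31:37.087: 3c:bb:fd:60:bb:41 Username entry (xyz) created for mobile, length = 7
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Web Authentication failure for station
*emWeb: Apr 25 14:31:37.090: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Reached ERROR: from line 5074
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$",
    re.IGNORECASE,
)
STATE_RE = re.compile(r"Change state to ([A-Z0-9_]+) \(\d+\)")
USER_RE = re.compile(r"Username entry \(([^)]*)\) created for mobile")


def triage(debug_text, client_mac):
    """Summarise how far one client got through the WLC policy states."""
    states, usernames, failures = [], [], []
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["mac"].lower() != client_mac.lower():
            continue  # continuation line, or a line about another client
        msg = m["msg"]
        if (s := STATE_RE.search(msg)) and (not states or states[-1] != s[1]):
            states.append(s[1])
        if (u := USER_RE.search(msg)) and u[1] not in usernames:
            usernames.append(u[1])
        if "Web Authentication failure" in msg:
            failures.append(m["ts"])
    last = states[-1] if states else None
    if last == "RUN":
        verdict = "client fully authorised"
    elif last == "WEBAUTH_REQD" and failures:
        verdict = "L2 and DHCP completed; login rejected, check the RADIUS/ISE result"
    elif last == "WEBAUTH_REQD":
        verdict = "waiting at the web-auth portal; no login attempt logged"
    elif last == "DHCP_REQD":
        verdict = "stuck before an address was learned; check DHCP"
    else:
        verdict = "no usable state transitions for this client"
    return {"states": states, "usernames": usernames,
            "webauth_failures": failures, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG, "3C:BB:FD:60:BB:41"))
```

For this debug the client reaches WEBAUTH_REQD with an address assigned, so association and DHCP are not the problem; the failure is in what the RADIUS server returns for the submitted login.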
04-26-2017 01:59 AM
1. Upgrade the WLC to 7.0.252 version
2. Can you paste the Authentication/Authorization policy?
3. Do the WLC and ISE have the same shared secret?
Regards
Don't forget to rate helpful posts
04-26-2017 02:48 AM
1. Tried the new SW 7.0.252 as well - No Success
2. Here is the rule:
Authentication:
Guest > WLC_Web_Authentication > Default network access
Default > Use: Guest Users
Authorization:
Guest > WLC_Web_Authentication AND Radius:Called-Station-ID CONTAINS Guest > PermitAccess
3. Yes shared secret is configured correctly.
Thanks
04-26-2017 03:00 AM
So you are using called station ID as well to auth.
Paste the screenshot of the called station ID type from WLC!!!
1. I would try without called station ID in the policy.
2. Check what is selected as the call station ID type under Security > AAA > Radius > Authentication: you must select the AP MAC Address: SSID
Regards
Don't forget to rate helpful posts
04-26-2017 03:32 AM
Thanks.
1. Removed the Called Station ID from the policy and it works like a charm.
2. It is set to AP MAC address. (I don't see any option as you mentioned: AP MAC Address: SSID)
Thanks again.
04-26-2017 03:39 AM
Glad that it worked for you.
Ohhh sorry, I forgot you are running old WLC SW (7.0.252.0). It is not available in the GUI; maybe you can try via CLI:
(WLAN1) >config radius callstationIdtype ?
ap-macaddr-only Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format <AP MAC address>:<SSID>
ipaddr Sets Call Station Id Type to the system's IP Address
macaddr Sets Call Station Id Type to the system's MAC Address
Regards
Don't forget to rate helpful posts
04-26-2017 03:47 AM
Thank you very much.
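Why the authorization rule in this thread stopped matching, as an added example that is not part of the original posts: the Python below builds the Called-Station-Id a controller would send under each callstationIdtype option listed above and evaluates the posted rule against it, with and without the Called-Station-ID condition. Assumptions: the SSID name, the controller IP and MAC, the hyphenated MAC rendering, the definition used for WLC_Web_Authentication, and a DenyAccess default rule are all constructed for the illustration.

```python
# Constructed values: the thread gives neither the SSID nor the controller's addresses.
SSID = "Guest-WiFi"            # constructed SSID name
AP_MAC = "00-3a-99-b5-d9-70"   # AP MAC from the debug output; hyphen rendering is an assumption
WLC_IP = "192.0.2.10"          # constructed
WLC_MAC = "00-00-5e-00-53-01"  # constructed

# The four callstationIdtype options listed in the reply above.
CALLED_STATION_ID = {
    "ap-macaddr-only": AP_MAC,
    "ap-macaddr-ssid": f"{AP_MAC}:{SSID}",
    "ipaddr": WLC_IP,
    "macaddr": WLC_MAC,
}


def is_wlc_web_auth(attrs):
    # Assumed definition of the WLC_Web_Authentication compound condition.
    return (attrs.get("Service-Type") == "Login"
            and attrs.get("NAS-Port-Type") == "Wireless - IEEE 802.11")


def csid_contains(text):
    # Plain substring match; case handling of CONTAINS is not modelled here.
    return lambda attrs: text in attrs.get("Called-Station-Id", "")


# The rule as posted, and the same rule after the condition was removed.
ORIGINAL_RULE = [("Guest", [is_wlc_web_auth, csid_contains("Guest")], "PermitAccess")]
RELAXED_RULE = [("Guest", [is_wlc_web_auth], "PermitAccess")]


def authorize(attrs, rules, default="DenyAccess"):
    """First matching rule wins; the default result is an assumption."""
    for _name, conditions, result in rules:
        if all(cond(attrs) for cond in conditions):
            return result
    return default


def outcomes(rules):
    """Authorization result for a web-auth request under each ID type."""
    results = {}
    for id_type, csid in CALLED_STATION_ID.items():
        attrs = {"Service-Type": "Login",
                 "NAS-Port-Type": "Wireless - IEEE 802.11",
                 "Called-Station-Id": csid}
        results[id_type] = authorize(attrs, rules)
    return results


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULE), ("relaxed", RELAXED_RULE)):
        print(label, outcomes(rules))
```

With the condition removed, the rule no longer ties the permit to the guest SSID: in this model every request that matches WLC_Web_Authentication is permitted, whatever Called-Station-Id it carries.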