Solved: Web Authentication Failure

ittechk4u1 · ‎04-25-2017

Guest user is not able to login. I am using LWA using ISE.

WLC 2112 with version 7.0.240.0, Cisco ISE 2.x

Client is getting the webauth page (Which is in WLC itself) but failing with error username/password invalid.

WLC logs:

(WLC1) >debug client 3C:BB:FD:60:BB:41

(WLC1) >*DHCP Proxy Task: Apr 25 14:26:36.135: 64:80:99:be:32:c8 DHCP   server id: 1.1.1.1 rcvd server id: 10.75.80.1
*emWeb: Apr 25 14:30:11.442: 3c:bb:fd:60:bb:41 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1

*emWeb: Apr 25 14:30:11.443: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Apr 25 14:30:12.437: 3c:bb:fd:60:bb:41 apfMsExpireCallback (apf_ms.c:609) Expiring Mobile!
*apfReceiveTask: Apr 25 14:30:12.437: 3c:bb:fd:60:bb:41 apfMsExpireMobileStation (apf_ms.c:5021) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Disassociated

*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 Sent Deauthenticate to mobile on BSSID 00:3a:99:b5:d9:70 slot 0(caller apf_ms.c:5113)
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 apfMsAssoStateDec
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 apfMsExpireMobileStation (apf_ms.c:5151) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Disassociated to Idle

*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [00:3a:99:b5:d9:70]
*apfReceiveTask: Apr 25 14:30:12.439: 3c:bb:fd:60:bb:41 Deleting mobile on AP 00:3a:99:b5:d9:70(0)
*pemReceiveTask: Apr 25 14:30:12.461: 3c:bb:fd:60:bb:41 172.28.75.227 Removed NPU entry.
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Adding mobile on LWAPP AP 00:3a:99:b5:d9:70(0)
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Association received from mobile on AP 00:3a:99:b5:d9:70
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Applying site-specific IPv6 override for station 3c:bb:fd:60:bb:41 - vapId 4, site 'default-group', interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 Applying IPv6 Interface Policy for station 3c:bb:fd:60:bb:41 - vlan 172, interface id 7, interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:12.689: 3c:bb:fd:60:bb:41 STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)

*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfMsAssoStateInc
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Idle to Associated

*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 49) in 65535 seconds
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 Sending Assoc Response to station on BSSID 00:3a:99:b5:d9:70 (status 0) ApVapId 4 Slot 0
*apfMsConnTask_0: Apr 25 14:30:12.690: 3c:bb:fd:60:bb:41 apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated

*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4499, Adding TMP rule
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Fr
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfReceiveTask: Apr 25 14:30:12.691: 3c:bb:fd:60:bb:41 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Apr 25 14:30:12.712: 3c:bb:fd:60:bb:41 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:12.712: 3c:bb:fd:60:bb:41 Sent an XID frame
*DHCP Socket Task: Apr 25 14:30:13.332: 3c:bb:fd:60:bb:41 DHCP received op BOOTREQUEST (1) (len 322,vlan 80, port 1, encap 0xec03)
*DHCP Socket Task: Apr 25 14:30:13.333: 3c:bb:fd:60:bb:41 DHCP selecting relay 1 - control block settings:
                        dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*DHCP Socket Task: Apr 25 14:30:13.333: 3c:bb:fd:60:bb:41 DHCP selected relay 1 - 10.75.80.1 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 25 14:30:13.334: 3c:bb:fd:60:bb:41 DHCP   xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:13.335: 3c:bb:fd:60:bb:41 DHCP   chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:13.335: 3c:bb:fd:60:bb:41 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:13.336: 3c:bb:fd:60:bb:41 DHCP   siaddr: 0.0.0.0, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:13.336: 3c:bb:fd:60:bb:41 DHCP   requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP selecting relay 2 - control block settings:
                        dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP selected relay 2 - 10.75.80.3 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:13.337: 3c:bb:fd:60:bb:41 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: Apr 25 14:30:13.338: 3c:bb:fd:60:bb:41 DHCP   xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:13.338: 3c:bb:fd:60:bb:41 DHCP   chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:13.339: 3c:bb:fd:60:bb:41 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:13.339: 3c:bb:fd:60:bb:41 DHCP   siaddr: 10.75.80.1, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP   requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP sending REQUEST to 172.28.75.254 (len 366, port 1, vlan 172)
*DHCP Proxy Task: Apr 25 14:30:13.340: 3c:bb:fd:60:bb:41 DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 25 14:30:13.341: 3c:bb:fd:60:bb:41 DHCP setting server from ACK (server 10.75.80.1, yiaddr 172.28.75.227)
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 Adding Web RuleID 18969 for mobile 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)

*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemAdvanceState2 5253, Adding TMP rule
*DHCP Proxy Task: Apr 25 14:30:13.347: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 Plumbing web-auth redirect rule due to user logout
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 Assigning Address 172.28.75.227 to mobile
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP success event for client. Clearing dhcp failure count for interface guest.
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP sending REPLY to STA (len 418, port 1, vlan 80)
*DHCP Proxy Task: Apr 25 14:30:13.348: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP ACK (5)
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   xid: 0xf1377d30 (4046945584), secs: 0, flags: 0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   chaddr: 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   ciaddr: 0.0.0.0, yiaddr: 172.28.75.227
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 25 14:30:13.349: 3c:bb:fd:60:bb:41 DHCP   server id: 1.1.1.1 rcvd server id: 10.75.80.1
*pemReceiveTask: Apr 25 14:30:13.364: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:13.365: 3c:bb:fd:60:bb:41 Sent an XID frame
*pemReceiveTask: Apr 25 14:30:13.365: 3c:bb:fd:60:bb:41 Sending a gratuitous ARP for 172.28.75.227, VLAN Id 172
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Association received from mobile on AP 00:3a:99:b5:d9:70
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Applying site-specific IPv6 override for station 3c:bb:fd:60:bb:41 - vapId 4, site 'default-group', interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Applying IPv6 Interface Policy for station 3c:bb:fd:60:bb:41 - vlan 172, interface id 7, interface 'guest'
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 apfMs1xStateDec
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)

*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 START (0) Initializing policy
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 START (0) Change state to AUTHCHECK (2) last state WEBAUTH_REQD (8)

*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state WEBAUTH_REQD (8)

*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4for this client
*apfMsConnTask_0: Apr 25 14:30:41.934: 3c:bb:fd:60:bb:41 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:99:b5:d9:70 vapId 4 apVapId 4
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)

*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemApfAddMobileStation2 2844, Adding TMP rule
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Adding Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id = 2
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleting mobile policy rule 18969
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Adding Web RuleID 18971 for mobile 3c:bb:fd:60:bb:41
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) pemApfAddMobileStation2 2933, Adding TMP rule
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:3a:99:b5:d9:70, slot 0, interface = 1, QOS = 0
ACL Id
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 172, IPv6 intf id = 7
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated

*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Scheduling deletion of Mobile Station: (callerId: 49) in 65535 seconds
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 Sending Assoc Response to station on BSSID 00:3a:99:b5:d9:70 (status 0) ApVapId 4 Slot 0
*apfMsConnTask_0: Apr 25 14:30:41.935: 3c:bb:fd:60:bb:41 apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 3c:bb:fd:60:bb:41 on AP 00:3a:99:b5:d9:70 from Associated to Associated

*pemReceiveTask: Apr 25 14:30:41.960: 3c:bb:fd:60:bb:41 172.28.75.227 Removed NPU entry.
*pemReceiveTask: Apr 25 14:30:41.974: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:41.974: 3c:bb:fd:60:bb:41 Sent an XID frame
*pemReceiveTask: Apr 25 14:30:41.991: 3c:bb:fd:60:bb:41 172.28.75.227 Added NPU entry of type 2, dtlFlags 0x0
*pemReceiveTask: Apr 25 14:30:41.993: 3c:bb:fd:60:bb:41 Sent an XID frame
*DHCP Socket Task: Apr 25 14:30:42.672: 3c:bb:fd:60:bb:41 DHCP received op BOOTREQUEST (1) (len 322,vlan 80, port 1, encap 0xec03)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP selecting relay 1 - control block settings:
                        dhcpServer: 10.75.80.1, dhcpNetmask: 255.255.255.0,
                        dhcpGateway: 172.28.75.254, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP selected relay 1 - 10.75.80.1 (local address 172.28.75.1, gateway 172.28.75.254, VLAN 172, port 1)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP   xid: 0xc5a80192 (3316122002), secs: 0, flags: 0
*DHCP Socket Task: Apr 25 14:30:42.673: 3c:bb:fd:60:bb:41 DHCP   chaddr: 3c:bb:fd:60:bb:41
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP   ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP   siaddr: 0.0.0.0, giaddr: 172.28.75.1
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP   requested ip: 172.28.75.227
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP selecting relay 2 - control block settings:
                        dhcpServer: 10.75.80.1, dhcpNetmask: 255.255.255.0,
                        dhcpGateway: 172.28.75.254, dhcpRelay: 172.28.75.1 VLAN: 172
*DHCP Socket Task: Apr 25 14:30:42.674: 3c:bb:fd:60:bb:41 DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 25 14:30:42.677: 3c:bb:fd:60:bb:41 DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 25 14:30:42.677: 3c:bb:fd:60:bb:41 DHCP sending REPLY to STA (len 418, port 1, vlan 80)
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP transmitting DHCP ACK (5)
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP   xid: 0xc5a80192 (3316122002), secs: 0, flags: 0
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP   chaddr: 3c:bb:fd:60:bb:41
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP   ciaddr: 0.0.0.0, yiaddr: 172.28.75.227
*DHCP Proxy Task: Apr 25 14:30:42.678: 3c:bb:fd:60:bb:41 DHCP   siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 25 14:30:42.679: 3c:bb:fd:60:bb:41 DHCP   server id: 1.1.1.1 rcvd server id: 10.75.80.1
*emWeb: Apr 25 14:31:37.087: 3c:bb:fd:60:bb:41 Username entry (xyz) created for mobile, length = 7
*emWeb: Apr 25 14:31:37.088: 3c:bb:fd:60:bb:41 Username entry (xyz) created in mscb for mobile, length = 7
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Username entry deleted for mobile
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Plumbing web-auth redirect rule due to user logout
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Deleting mobile policy rule 18971
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Adding Web RuleID 18973 for mobile 3c:bb:fd:60:bb:41
*emWeb: Apr 25 14:31:37.089: 3c:bb:fd:60:bb:41 Web Authentication failure for station
*emWeb: Apr 25 14:31:37.090: 3c:bb:fd:60:bb:41 172.28.75.227 WEBAUTH_REQD (8) Reached ERROR: from line 5074

What could be the issue. Please experts help me to resolve the issue!!

Thanks

Sandeep Choudhary · ‎04-26-2017

1. Upgrade the wlc to 7.0.252 version

2. can you paste the Authentication /authorization policy ?

3. WLC and ISE has same shared secret ?

Regards

Dont forget to rate helpful posts

View solution in original post

Sandeep Choudhary · ‎04-26-2017

so you are using called station id as well to auth.

paste the screenshot of called station ID type from wlc !!!

1. I would try without called station id in policy..

2. Check what is selected call station ID type under Security > AAA > Radius > Authentication .,: you must select the AP MAC Address: SSID

Regards

Dont forget to rate helpful posts

View solution in original post

Sandeep Choudhary · ‎04-26-2017

1. Upgrade the wlc to 7.0.252 version

2. can you paste the Authentication /authorization policy ?

3. WLC and ISE has same shared secret ?

Regards

Dont forget to rate helpful posts

ittechk4u1 · ‎04-26-2017

1. Tried the new SW 7.0.252 as well - No Success

2. here is the rule:

Authentication:

Guest    > WLC_Web_Authentication >    Default network access
    Default   > Use: Guest Users

Authorization:

Guest >    WLC_Web_Authentication AND Radius:Called-Station-ID CONTAINS Guest >

PermitAccess

3. Yes shared secret is configured correctly.

Thanks

Sandeep Choudhary · ‎04-26-2017

so you are using called station id as well to auth.

paste the screenshot of called station ID type from wlc !!!

1. I would try without called station id in policy..

2. Check what is selected call station ID type under Security > AAA > Radius > Authentication .,: you must select the AP MAC Address: SSID

Regards

Dont forget to rate helpful posts

ittechk4u1 · ‎04-26-2017

Thanks.

1. Removed the Called Station ID from policy and work like a charm.

2. It is set to AP Mac address. (I dont see any option as you mentioned: AP MAC Address: SSID )

Thanks again.

Sandeep Choudhary · ‎04-26-2017

Glad that it worked for you.

ohhh sorry I forgot you are running old WLC SW (7.0.252.0). it is not available on GUI, may be you can try via CLI:

(WLAN1) >config radius callstationIdtype ?

ap-macaddr-only Sets Call Station Id Type to the AP's MAC Address
ap-macaddr-ssid Sets Call Station Id Type to the format <AP MAC address>:<SSID>
ipaddr Sets Call Station Id Type to the system's IP Address
macaddr Sets Call Station Id Type to the system's MAC Address

Regards

Dont forget to rate helpful posts

ittechk4u1 · ‎04-26-2017

Thank you very much.