
Wireless Guest not getting assigned IP Address

hurricane05
Level 1

We are using a Cisco Wireless Controller 5520 that is working with different WLANs, including a guest WLAN. However, recently the guest WLAN is no longer able to get an IP address assigned to the user devices, and they just show up in the GUI with 0.0.0.0. All the other WLANs are working correctly, but we haven't been able to determine at the moment why the guests are unable to obtain an IP address. Normally what happens is the user selects the guest SSID and gets redirected to a webpage to log in to the portal for gaining network access. I have attached a debug file from a client I had attempted to connect.

 

Thx in advance for any help provided.

Accepted Solutions

saravlak
Spotlight

It doesn't appear to be a DHCP-server-related issue; rather, it's an AAA server auth-related issue, based on the logs below. Check AAA/RADIUS and fix the issue for the associated clients.


*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Successful transmission of Authentication Packet (pktId 45) to x.x.x.140:1812 from server queue 3, proxy state 08:d4:0c:3a:4e:b3-00:00
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 User entry not found in the Local FileDB for the client.
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Access-Reject received from RADIUS server x.x.x.140 (qid:3) with port:1812, pktId:45
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Error Response code for AAA Authentication : -4

 

Note: If the issue is related to a specific RADIUS server, then point to the other specific RADIUS server only through the test WLAN and give it a try. Also, check the MAB allow auth policy for the WLAN in question, if something changed for all servers.

 

*****Config Detail*****
AP group: CORP-NET
ssid : Corp-Guest
Interface/Vlan: newguest/Vlan 205
Security: open/MAB
Whose RADIUS server?: on-board WLC or external.
Whose MAC DB server?: on-board WLC or external.

 

*****Specific flow to watch***** Because of the auth failure, it's looping ******
*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 WLAN Corp-Guest has USE LOCALDB THEN RADIUS security policy for MAC-Auth Request
*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Created Cisco-Audit-Session-ID for the mobile: fe65fa0a000021b356ce8a60 type: local
*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Sent the MAC-Auth Request for the client (#ReqTokenId:8815) on SSID:Corp-Guest

*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 apfProcessAssocReq (apf_80211.c:12111) Changing state for mobile 08:d4:0c:3a:4e:b3 on AP 00:78:88:ad:9e:10 from Idle to AAA Pending

*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Updating the Aid in case of flex mac-filtering

*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready x.x.x.140 port 1812 index 0 active 1
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Found a server : x.x.x.140 from the WLAN server list of radius server index 1
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Send Radius Auth Request with pktId:45 into qid:3 of server at index:0
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Request Authenticator ab:64:08:07:28:67:fd:a4:bf:4c:1b:12:d0:3b:55:b3
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Sending the packet to v4 host x.x.x.140:1812 of length 254
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Successful transmission of Authentication Packet (pktId 45) to x.x.x.140:1812 from server queue 3, proxy state 08:d4:0c:3a:4e:b3-00:00
*aaaQueueReader: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 User entry not found in the Local FileDB for the client.
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Access-Reject received from RADIUS server x.x.x.140 (qid:3) with port:1812, pktId:45
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Error Response code for AAA Authentication : -4
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Returning AAA Error 'Authentication Failed' (-4) for mobile 08:d4:0c:3a:4e:b3 serverIdx 0
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Received a MAC-Auth Response for the client (#Response TokenId:8815)
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Processing MAC-Auth response received for aaaReqTokenId#8815 on SSID:Corp-Guest
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Received SGT for this Client.
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 SGT is not applied, sgtLen 0, sgt_stringp 0x7f07be344ccb
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Received Mac Auth Type 1, sending Assoc Mesg
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Sending assoc-resp with status 1 station:08:d4:0c:3a:4e:b3 AP:00:78:88:ad:9e:10-00 on apVapId 4
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Sending Assoc Response (status: 'unspecified failure') to station on AP CORP-APAC-17 on BSSID 00:78:88:ad:9e:13 ApVapId 4 Slot 0, mobility role 0
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 apfProcessRadiusMacAuthResp (apf_80211.c:5462) Changing state for mobile 08:d4:0c:3a:4e:b3 on AP 00:78:88:ad:9e:10 from AAA Pending to Authenticated

*apfReceiveTask: Apr 29 15:18:47.553: 08:d4:0c:3a:4e:b3 Scheduling deletion of Mobile Station: (callerId: 18) in 10 seconds
*apfOpenDtlSocket: Apr 29 15:18:47.598: 08:d4:0c:3a:4e:b3 Received management frame REASSOCIATION REQUEST on BSSID 00:78:88:ad:9e:13 destination addr 00:78:88:ad:9e:13
*apfMsConnTask_3: Apr 29 15:18:47.598: 08:d4:0c:3a:4e:b3 Processing assoc-req station:08:d4:0c:3a:4e:b3 AP:00:78:88:ad:9e:10-00 ssid : Corp-Guest thread:6be8c47360
*********
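
The reading of the debug in the answer above (MAC-auth request, Access-Reject, failed association response, client retrying), written as a small log triage script. This is an added example, not part of the original posts and not a Cisco tool; the function name `triage`, the verdict labels and the `aa:bb:cc:00:00:01` client line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# First five lines are excerpted from the debug quoted in this thread; the last
# line (client aa:bb:cc:00:00:01) is constructed to show the "no reply" case.
SAMPLE = """\
*apfMsConnTask_3: Apr 29 15:18:46.543: 08:d4:0c:3a:4e:b3 Sent the MAC-Auth Request for the client (#ReqTokenId:8815) on SSID:Corp-Guest
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Access-Reject received from RADIUS server x.x.x.140 (qid:3) with port:1812, pktId:45
*radiusTransportThread: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Returning AAA Error 'Authentication Failed' (-4) for mobile 08:d4:0c:3a:4e:b3 serverIdx 0
*apfReceiveTask: Apr 29 15:18:47.552: 08:d4:0c:3a:4e:b3 Sending Assoc Response (status: 'unspecified failure') to station on AP CORP-APAC-17 on BSSID 00:78:88:ad:9e:13 ApVapId 4 Slot 0, mobility role 0
*apfOpenDtlSocket: Apr 29 15:18:47.598: 08:d4:0c:3a:4e:b3 Received management frame REASSOCIATION REQUEST on BSSID 00:78:88:ad:9e:13 destination addr 00:78:88:ad:9e:13
*apfMsConnTask_3: Apr 29 15:19:02.100: aa:bb:cc:00:00:01 Sent the MAC-Auth Request for the client (#ReqTokenId:8816) on SSID:Corp-Guest
"""

LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
REJECT = re.compile(r"Access-Reject received from RADIUS server (\S+) .*pktId:(\d+)")
AAA_ERR = re.compile(r"Returning AAA Error '([^']+)' \((-?\d+)\)")

def triage(text):
    """Return {client_mac: summary} showing where each client's join stopped."""
    clients = defaultdict(lambda: dict(mac_auth_sent=False, reject=None,
                                       aaa_error=None, assoc_failed=False, retries=0))
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and banners such as "*********"
        c, msg = clients[m["mac"]], m["msg"]
        if "Sent the MAC-Auth Request" in msg:
            c["mac_auth_sent"] = True
        elif (r := REJECT.search(msg)):
            c["reject"] = (r.group(1), int(r.group(2)))    # (server, pktId)
        elif (e := AAA_ERR.search(msg)):
            c["aaa_error"] = (e.group(1), int(e.group(2)))  # (text, code)
        elif "Assoc Response (status: 'unspecified failure')" in msg:
            c["assoc_failed"] = True
        elif "REASSOCIATION REQUEST" in msg and c["assoc_failed"]:
            c["retries"] += 1  # client looping after the refused association
    for c in clients.values():
        if c["reject"]:
            c["verdict"] = "aaa_reject"      # fix RADIUS/MAB first, not DHCP
        elif c["mac_auth_sent"]:
            c["verdict"] = "aaa_no_reply"    # request sent, no answer in capture
        else:
            c["verdict"] = "no_aaa_failure_seen"
    return dict(clients)
```

A client with verdict `aaa_reject` and a non-zero `retries` count matches the loop described above: the association is refused after the Access-Reject, so the 0.0.0.0 address in the GUI is a symptom rather than a DHCP fault.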


marce1000
VIP

 

Ref: https://cway.cisco.com/wireless-debug-analyzer/

I have inputted your debug file (you may want to do that again, toggle the available flags to get more insights, and/or try a different client/MAC too, to determine the problem pattern):


Time | Task | Translated

Apr 29 15:18:46.543 | *apfMsConnTask_3 | Client made new Association to AP/BSSID BSSID 00:78:88:ad:9e:13 AP CORP-APAC-17
Apr 29 15:18:46.543 | *apfMsConnTask_3 | Client expiration timer code set for 10 seconds. The reason: No response from radius server for mac filtering request
Apr 29 15:18:46.543 | *aaaQueueReader | Radius request with ID 45 sent to x.x.x.140.
Apr 29 15:18:47.552 | *radiusTransportThread | AAA auth failure due to Possible reasons: 1) Invalid user account and/or password 2) Computer not a member of domain, issue on AD side 3) Certificate services not working properly 4) Server Certificate expired or not in use 5) RADIUS incorrectly configured 6) Access key incorrectly entered - it IS case-sensitive (so is the SSID) update Microsoft patches 7) EAP timers 8) Incorrect eap method configured on client/server 9) Client certificate is expired or not in use
Apr 29 15:18:47.552 | *apfReceiveTask | WLC/AP is sending an Association Response to the client with status code 1 = Unspecified failure. For example, when there is no ssid specified in the association request
Apr 29 15:18:47.553 | *apfReceiveTask | Client expiration timer code set for 10 seconds. The reason: Delete request due to authentication error


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thx for the quick response and for recommending the tool. Will check that out to see what comes up.

Can we see the config of the WLAN?


Thx everyone for responding. Using the information you have provided, I was able to trace it down: the AAA server that is used for the guest network is different from the corporate one, and I found the service was failing to start. After finally getting it to start, the guest WLAN is operational again.

 

Have a great week!!
