01-17-2021 01:40 PM - edited 07-05-2021 01:01 PM
Good Afternoon All,
I am currently having an issue with some of my hosts when they try to connect to a specific WLAN.
This WLAN is static mappings only, which is controlled through the firewall (IP reservation through MAC Address).
The Cisco 5504 is running 8.0.154.0
At the start I thought it was a NAS ID issue, due to the WLC not assigning one. I have manually added it and the NAS ID appears in the debug, but that didn't resolve the issue.
*apfMsConnTask_0: Jan 17 14:24:32.847: dc:53:60:5c:e4:c8 Check before Setting the NAS Id to WLAN specific Id ''
The first line that makes me wonder is the following:
*apfMsConnTask_0: Jan 17 14:48:45.229: dc:53:60:5c:e4:c8 Applying Interface(crew) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
The Crew interface is on VLAN 21 and the role should be Local (I assume, as I am comparing with other WLANs).
The following line makes me think that this specific host has been blacklisted. However, connecting to the WLAN Crew is a bit erratic (sometimes tells me network not available or it takes several attempts to authenticate with the WLC) with other hosts.
*apfMsConnTask_4: Jan 17 14:24:56.360: dc:53:60:5c:e4:c8 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_4: Jan 17 14:24:56.360: dc:53:60:5c:e4:c8 Sending client blacklist entry to roamed AP 64:f6:9d:9b:08:20 with remaining time to be excluded 51sec
*apfMsConnTask_4: Jan 17 14:24:56.892: dc:53:60:5c:e4:c8 Processing assoc-req station:dc:53:60:5c:e4:c8 AP:64:f6:9d:9b:08:20-00 thread:151c2c00
I have attached the full debug from when I try to connect to when it times out and gives me the "unable to connect".
Any help is greatly appreciated,
J
01-19-2021 12:00 AM
For cases like this, the debug analyzer is very useful:
https://cway.cisco.com/wireless-debug-analyzer/
In your case:
Jan 17 14:48:45.231 | *apfMsConnTask_0 | WLC/AP is sending an Association Response to the client with status code 0 = Successful association |
Jan 17 14:48:45.231 | *apfMsConnTask_0 | Client is trying to associate in 5 Ghz band |
Jan 17 14:48:45.237 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Sending M1 |
Jan 17 14:48:45.240 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:46.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:46.380 | *dot1xMsgTask | 4-Way PTK Handshake, Retransmitting M1 retry #1 |
Jan 17 14:48:46.382 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:47.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:47.380 | *dot1xMsgTask | 4-Way PTK Handshake, Retransmitting M1 retry #2 |
Jan 17 14:48:47.452 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:48.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:48.381 | *dot1xMsgTask | Client has been deauthenticated |
So this might also be a driver/firmware issue of the client or a bug in the used WLC code.
Can you share your SSID configuration? I assume you might have enabled some fancy features like 802.11r, 802.11v or 802.11k. Try to disable those on the SSID if enabled (or if available in your firmware) and check again.
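The pattern in the analyzer rows above can be checked mechanically. The following is an added example, not part of the original post or of Cisco's tool: it tallies the 4-way handshake events from those rows and separates "M2 never arrived" from "M2 arrived but the handshake still timed out". The function names, the labels and the reading of each label are assumptions made for illustration.

```python
# Rows copied from the debug analyzer output quoted in the post above.
TRACE = """\
Jan 17 14:48:45.237 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Sending M1 |
Jan 17 14:48:45.240 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:46.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:46.380 | *dot1xMsgTask | 4-Way PTK Handshake, Retransmitting M1 retry #1 |
Jan 17 14:48:46.382 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:47.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:47.380 | *dot1xMsgTask | 4-Way PTK Handshake, Retransmitting M1 retry #2 |
Jan 17 14:48:47.452 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Jan 17 14:48:48.380 | *osapiBsnTimer | 4-Way PTK Handshake, Client did not respond with M2 |
Jan 17 14:48:48.381 | *dot1xMsgTask | Client has been deauthenticated |
"""

def summarize(trace):
    """Count handshake events in 'time | task | message |' rows."""
    s = {"m1_sent": 0, "m2_received": 0, "m2_timeouts": 0, "deauthenticated": False}
    for line in trace.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3:
            continue  # not an analyzer row
        msg = parts[2]
        if "Sending M1" in msg or "Retransmitting M1" in msg:
            s["m1_sent"] += 1
        elif "Received M2" in msg:
            s["m2_received"] += 1
        elif "did not respond with M2" in msg:
            s["m2_timeouts"] += 1
        elif "deauthenticated" in msg:
            s["deauthenticated"] = True
    return s

def classify(s):
    """Hypothetical labels; the interpretation is an assumption, not Cisco's."""
    if not s["deauthenticated"]:
        return "no_failure_in_trace"
    if s["m2_received"] == 0:
        return "m2_never_arrived"       # look at RF loss or the client first
    if s["m2_timeouts"] >= s["m2_received"]:
        return "m2_seen_not_accepted"   # frames arrive: check cipher/key settings
    return "inconclusive"

if __name__ == "__main__":
    summary = summarize(TRACE)
    print(summary, classify(summary))
```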
01-19-2021 05:14 AM
01-19-2021 06:26 AM
You seem to have WPA1 and also WPA2 active. Disable those two options for WPA1:
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
In the GUI, disable the option "WPA Policy" on the SSID and make sure TKIP is not enabled either.
01-19-2021 10:46 AM
Hi Patoberli,
That did it! Thank you very much.