03-18-2022 01:34 AM
Hi Everyone,
I have implemented dynamic VLAN assignment using FreeRadius and a Windows DHCP server.
I am using WLC 5508 Software Version 7.4.110.0
When a device connects to the SSID the first time, everything works. The WLC talks to FreeRadius, which replies with the assigned VLAN, and the DHCP server gives the correct IP address. But if the device disconnects and then reconnects to the same SSID, it gets stuck on 'Obtaining IP Address'. It is fixed if I log in to WLC -> WLANs -> Modify the WLAN (SSID) -> click the Apply button.
I ran the Freeradius -X command to see what happens while 'obtaining ip address' is shown; it turns out the WLC does not talk to FreeRadius.
I have collected the debug using debug client <MAC Address> (attached).
From the log, it seems the WLC is caching the device MAC address and can't relay to the DHCP server. And when I hit the Apply button on the WLC, it seems to force the WLC to disassociate and deauthenticate the device, hence it can get the correct IP address and VLAN.
I have enabled Allow AAA Override on WLANs-> Advanced. DHCP Server = Override (Windows DHCP Server IP Address), DHCP Addr. Assignment = Required.
Can someone help me?
Thank you.
03-18-2022 02:59 AM
I will review the logs and let you know what was observed here.
In the meantime, look at this thread and PDF to get some idea:
https://community.cisco.com/t5/wireless/wlc-5508-dynamic-vlan-assignment-by-radius/td-p/4140481
03-20-2022 05:58 PM
Thanks for the response. Do you have any observation after reviewing the logs?
I have checked the docs and PDF (https://community.cisco.com/legacyfs/online/legacy/3/3/0/55033-AAA-overide-ACS52.pdf) and will try on my WLC to see if there are any differences.
03-27-2022 07:49 PM
I have tried the AAA settings as suggested in the PDF document (image attached), but still have the same issue.
Do you have other suggestions?
Thanks.
03-18-2022 03:31 AM
- Note, your WLC software is very old, for 5508 being the same, it is usually advised these days to run the version that this controller can still support, besides being restrictions related to AP models being used. Below you will find output from your debug files when analyzed with: https://cway.cisco.com/wireless-debug-analyzer/
1) DHCP Success.txt
Time | Task | Translated |
Mar 18 14:08:01.832 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 |
Mar 18 14:08:01.833 | *apfMsConnTask_6 | The WLC/AP has found from client association request Information Element that claims PMKID Caching support |
Mar 18 14:08:01.834 | *apfMsConnTask_6 | Client expiration timer code set for 10 seconds. The reason: No response from radius server for mac filtering request |
Mar 18 14:08:01.836 | *apfReceiveTask | Client is entering the 802.1x or PSK Authentication state |
Mar 18 14:08:01.836 | *apfReceiveTask | Client has successfully cleared AP association phase |
Mar 18 14:08:01.836 | *apfReceiveTask | Client expiration timer code set for 1800 seconds. The reason: Client is scheduled for session timeout deletion (wlan with webauth) |
Mar 18 14:08:01.837 | *apfReceiveTask | Client is trying to associate in 5 Ghz band |
Mar 18 14:08:01.840 | *dot1xMsgTask | 4-Way PTK Handshake, Sending M1 |
Mar 18 14:08:01.852 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 |
Mar 18 14:08:01.852 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Sending M3 |
Mar 18 14:08:01.856 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M4 |
Mar 18 14:08:01.856 | *Dot1x_NW_MsgTask_0 | Client has completed PSK Dot1x or WEP authentication phase |
Mar 18 14:08:01.856 | *Dot1x_NW_MsgTask_0 | Client has entered DHCP Required state |
Mar 18 14:08:01.942 | *DHCP Socket Task | Received DHCP request from client |
Mar 18 14:08:01.946 | *DHCP Socket Task | Received DHCP ACK from DHCP server |
Mar 18 14:08:01.947 | *DHCP Socket Task | Client has entered RUN state |
Mar 18 14:08:01.948 | *DHCP Socket Task | Received DHCP ACK, assigning IP Address 192.168.52.34 |
2) DHCP Failed.txt (note: for that case the Show All flag is checked)
Connection attempt #1
Mar 18 14:06:32.372 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 | |
Connection attempt #2
Mar 18 14:06:32.372 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 | |
Mar 18 14:06:32.373 | *apfMsConnTask_6 | The WLC/AP has found from client association request Information Element that claims PMKID Caching support | |
Mar 18 14:06:32.373 | *apfMsConnTask_6 | Client is entering the 802.1x or PSK Authentication state | |
Mar 18 14:06:32.374 | *apfMsConnTask_6 | Client expiration timer code set for 1800 seconds. The reason: Client is scheduled for session timeout deletion (wlan with webauth) | |
Mar 18 14:06:32.374 | *apfMsConnTask_6 | Client is trying to associate in 5 Ghz band | |
Mar 18 14:06:32.377 | *dot1xMsgTask | 4-Way PTK Handshake, Sending M1 | |
Mar 18 14:06:32.425 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 | |
Mar 18 14:06:32.425 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Sending M3 | |
Mar 18 14:06:32.428 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M4 | |
Mar 18 14:06:32.428 | *Dot1x_NW_MsgTask_0 | Client has completed PSK Dot1x or WEP authentication phase | |
Mar 18 14:06:32.428 | *Dot1x_NW_MsgTask_0 | Client has entered RUN state | |
Mar 18 14:06:32.523 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:32.523 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:33.495 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:33.496 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:35.691 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:35.691 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:37.525 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:37.525 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE | |
Mar 18 14:06:38.593 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:38.594 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE | |
Mar 18 14:06:40.753 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:40.753 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE | |
Mar 18 14:06:44.974 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:44.975 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE | |
Connection attempt #3
Mar 18 14:06:51.571 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 | |
Mar 18 14:06:51.574 | *apfMsConnTask_6 | The WLC/AP has found from client association request Information Element that claims PMKID Caching support | |
Mar 18 14:06:51.575 | *apfMsConnTask_6 | Client is entering the 802.1x or PSK Authentication state | |
Mar 18 14:06:51.576 | *apfMsConnTask_6 | Client expiration timer code set for 1800 seconds. The reason: Client is scheduled for session timeout deletion (wlan with webauth) | |
Mar 18 14:06:51.577 | *apfMsConnTask_6 | Client is trying to associate in 5 Ghz band | |
Mar 18 14:06:51.581 | *dot1xMsgTask | 4-Way PTK Handshake, Sending M1 | |
Mar 18 14:06:51.590 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M2 | |
Mar 18 14:06:51.590 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Sending M3 | |
Mar 18 14:06:51.595 | *Dot1x_NW_MsgTask_0 | 4-Way PTK Handshake, Received M4 | |
Mar 18 14:06:51.595 | *Dot1x_NW_MsgTask_0 | Client has completed PSK Dot1x or WEP authentication phase | |
Mar 18 14:06:51.595 | *Dot1x_NW_MsgTask_0 | Client has entered RUN state | |
Mar 18 14:06:51.671 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:51.671 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:52.658 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:52.658 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:54.615 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:54.615 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 | |
Mar 18 14:06:56.677 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:56.677 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE | |
Mar 18 14:06:57.628 | *DHCP Socket Task | Received DHCP request from client | |
Mar 18 14:06:57.628 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE |
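
The two traces in the post above differ in a few events: a RADIUS-related line, the DHCP Required state, and a DHCP ACK. The Python sketch below is an added example, not part of the thread or of any Cisco tool; it splits the translated debug output into connection attempts and flags the ones that relayed DHCP without ever seeing an ACK. The function names are assumptions of the example, and the sample rows are copied (abbreviated) from the traces.

```python
import re

TIME = re.compile(r"^\w{3} \d+ \d\d:\d\d:\d\d\.\d+$")

def split_attempts(lines):
    """Group 'time | task | message' rows into attempts, one per new association."""
    attempts = []
    for line in lines:
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not TIME.match(parts[0]):
            continue  # skip headers, 'Connection attempt #n' rows, stray pipes
        if "made new Association" in parts[2] or not attempts:
            attempts.append([])
        attempts[-1].append(parts[2])
    return attempts

def summarize(msgs):
    """Reduce one attempt to the events that differ between the two traces."""
    def has(text):
        return any(text in m for m in msgs)
    vlans = {v for m in msgs for v in re.findall(r"on VLAN (\d+)", m)}
    return {
        "radius_event": has("radius server"),
        "dhcp_required": has("DHCP Required state"),
        "dhcp_relayed": sum("Sending DHCP" in m for m in msgs),
        "dhcp_ack": has("Received DHCP ACK"),
        "relay_vlans": sorted(vlans),
    }

def stuck(summary):
    """DHCP was relayed but never acknowledged ('Obtaining IP Address')."""
    return summary["dhcp_relayed"] > 0 and not summary["dhcp_ack"]

# Rows copied (abbreviated) from the two traces in the post above.
SUCCESS = """\
Mar 18 14:08:01.832 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 |
Mar 18 14:08:01.834 | *apfMsConnTask_6 | Client expiration timer code set for 10 seconds. The reason: No response from radius server for mac filtering request |
Mar 18 14:08:01.856 | *Dot1x_NW_MsgTask_0 | Client has entered DHCP Required state |
Mar 18 14:08:01.946 | *DHCP Socket Task | Received DHCP ACK from DHCP server |
""".splitlines()
FAILED = """\
Mar 18 14:06:32.372 | *apfMsConnTask_6 | Client made new Association to AP/BSSID BSSID d0:c7:89:e9:b1:b3 | |
Mar 18 14:06:32.428 | *Dot1x_NW_MsgTask_0 | Client has entered RUN state | |
Mar 18 14:06:32.523 | *DHCP Socket Task | Sending DHCP Request to DHCP Server CP through gateway 192.168.199.10 requesting 192.168.52.34 on VLAN 199 |
Mar 18 14:06:37.525 | *DHCP Socket Task | Sending DHCP Discover to DHCP Server CP through gateway 192.168.199.10 on VLAN selected relay 2 - NONE |
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("success", SUCCESS), ("failed", FAILED)):
        for s in map(summarize, split_attempts(trace)):
            print(name, "STUCK" if stuck(s) else "ok", s)
```
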
03-20-2022 06:00 PM
Hi, thanks for the reply and for sending the output from the debug analyzer. Can you please elaborate on what we can observe from those 2 logs?