Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1927
Views
0
Helpful
2
Replies

WLC to ISE guest sponsor portal, users not getting IP addresss

rayyaanfayker0006
Level 1
Level 1

‎05-26-2021 07:07 AM - edited ‎07-05-2021 01:21 PM

Hi 

 

I went thought the following guides to configure the WLAN sponsor portal but when i try to connect to the SSID i cant get an ip address and i notice only when i disable mac filtering then i get an IP but of cause this doesnt forward traffic to ISE as you need to disable ISE NAC. i have also tried disabling DHCP addr. assignment and configure the CWA to permit all but no luck. 

 

is there something i am missing.

 

i have a WLC 5520 running 8.10.151.0 and ISE 2.6 patch 8

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

and 

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

 

 

 

 

Labels:
Preview file
51 KB
0 Helpful
2 Replies 2

rayyaanfayker0006
Level 1
Level 1

‎05-27-2021 03:23 AM

he is the current debug for the session. 

 

Cisco Controller) >debug client 8e:eb:17:c1:1d:46

(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*apfOpenDtlSocket: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:00 destination addr 70:6d:15:3a:ad:00 slotid 0
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-00 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 apfCreateMobileStationEntryWrapper (apf_ms.c:4510) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Idle to Idle

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Adding mobile on LWAPP AP 70:6d:15:3a:ad:00(0)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Created Acct-Session-ID (60af5d6f/8e:eb:17:c1:1d:46/14806) for the mobile
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Setting hasApChnaged Flag as true. It is a fresh assoc request.

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:09 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -62. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3539)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apf_policy.c:2783 Assigning the SGT 0 to mobile (earlier sgt 0)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Increment the SGT 0 policy count reference by the clients 621
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not applying Local Bridge Policy because Site Specific Interface(management) Policy is already applied.

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3539)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Set Client Non AP specific WLAN apfMsAccessVlan = 130
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Cleared localSwitchingVlan, may be assigned later based on AAA override
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Assigning flex webauth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Assigned flex post-auth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 WLAN flywifi has ISE-NAC security policy, using external RADIUS only for MacAuth-Request
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Created Cisco-Audit-Session-ID for the mobile: 0a96ca0a000036d66f5daf60 type: local
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Sent the MAC-Auth Request for the client (#ReqTokenId:9590) on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not re-starting Mobile Expire timer as radius request is pending for this client. state:Idle
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfProcessAssocReq (apf_80211.c:12791) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Idle to AAA Pending

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updating the Aid in case of flex mac-filtering

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updating AID for REAP AP Client 70:6d:15:3a:ad:00 - AID ===> 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready 10.202.4.10 port 1812 index 0 active 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is maybe-ready 10.201.4.10 port 1812 index 1 active 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Found a server : 10.202.4.10 from the WLAN server list of radius server index 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Send Radius Auth Request with pktId:172 into qid:6 of server at index:0
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Request Authenticator 43:8b:b8:4e:24:e7:09:83:64:a8:67:27:d3:4f:95:a2
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Sending the packet to v4 host 10.202.4.10:1812 of length 253
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Successful transmission of Authentication Packet (pktId 172) to 10.202.4.10:1812 from server queue 6, proxy state 8e:eb:17:c1:1d:46-00:00
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Invalid RADIUS message authenticator for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 RADIUS message verification failed from server 10.202.4.10(qid:6) with pktId=172. Possible secret mismatch for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Error Response code for AAA Authentication : -4
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Returning AAA Error 'Authentication Failed' (-4) for mobile 8e:eb:17:c1:1d:46 serverIdx 0
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Received a MAC-Auth Response for the client (#Response TokenId:9590) BSSID: 70:6D:15:3A:AD:00 result:'Authentication Failed'
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Processing MAC-Auth response received for aaaReqTokenId#9590 on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Received Mac Auth Type 1, sending Assoc Mesg
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Sending assoc-resp with status 1 station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-00 on apVapId 1
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Sending Assoc Response (status: 'unspecified failure') to station on AP I&J-Southarm-AP01 on BSSID 70:6d:15:3a:ad:00 ApVapId 1 Slot 0, mobility role 0
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 apfProcessRadiusMacAuthResp (apf_80211.c:5928) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from AAA Pending to Authentication Fail

*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Scheduling deletion of Mobile Station: reasonCode 4 (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -67. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Setting hasApChnaged Flag as true. It is a roam scenario.

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Client AVC Roaming context transfer needed? NO
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:06 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -67. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 0

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 130

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 130

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Set Client Non AP specific WLAN apfMsAccessVlan = 130
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Cleared localSwitchingVlan, may be assigned later based on AAA override
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 STA - rates (8): 140 18 152 36 176 72 96 108 12 18 24 96 0 0 0 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 the value of url acl preserve flag is 1 for mobile 8e:eb:17:c1:1d:46 (caller pem_api.c:5285)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [70:6d:15:3a:ad:00]
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Succesfully freed AID 1, slot 0 on AP 70:6d:15:3a:ad:00, #client on this slot 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 New ctxOwnerMwarIp: 10.202.150.10 New ctxOwnerApMac: 70:6D:15:3A:AD:00 New ctxOwnerApEthMac: B0:8B:CF:B9:ED:44 New ctxOwnerApSlotId: 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updated location for station old AP 70:6d:15:3a:ad:00 oldSlot 0, new AP 70:6d:15:3a:ad:00 newSlot 1, AID 0 MsType 0 MobilityRole 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Assigning flex webauth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Assigned flex post-auth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 WLAN flywifi has ISE-NAC security policy, using external RADIUS only for MacAuth-Request
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Sent the MAC-Auth Request for the client (#ReqTokenId:9591) on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Not re-starting Mobile Expire timer as radius request is pending for this client. state:Authentication Fail
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 apfMsAssoStateDec
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 apfProcessAssocReq (apf_80211.c:12791) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Authentication Fail to AAA Pending

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updating the Aid in case of flex mac-filtering

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updating AID for REAP AP Client 70:6d:15:3a:ad:00 - AID ===> 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready 10.202.4.10 port 1812 index 0 active 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is maybe-ready 10.201.4.10 port 1812 index 1 active 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Found a server : 10.202.4.10 from the WLAN server list of radius server index 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Send Radius Auth Request with pktId:173 into qid:6 of server at index:0
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Request Authenticator f6:fe:33:f9:3c:68:0a:83:4c:3f:84:36:4c:14:6c:0f
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Sending the packet to v4 host 10.202.4.10:1812 of length 253
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Successful transmission of Authentication Packet (pktId 173) to 10.202.4.10:1812 from server queue 6, proxy state 8e:eb:17:c1:1d:46-00:00
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Invalid RADIUS message authenticator for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 RADIUS message verification failed from server 10.202.4.10(qid:6) with pktId=173. Possible secret mismatch for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Error Response code for AAA Authentication : -4
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Returning AAA Error 'Authentication Failed' (-4) for mobile 8e:eb:17:c1:1d:46 serverIdx 0
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Received a MAC-Auth Response for the client (#Response TokenId:9591) BSSID: 70:6D:15:3A:AD:00 result:'Authentication Failed'
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Processing MAC-Auth response received for aaaReqTokenId#9591 on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Received Mac Auth Type 1, sending Assoc Mesg
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Sending assoc-resp with status 1 station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 on apVapId 1
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 VHT Operation IE: width 80/1 ch 36 freq0 42 freq1 0 msc0 0xff msc1 0xff
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Sending Assoc Response (status: 'unspecified failure') to station on AP I&J-Southarm-AP01 on BSSID 70:6d:15:3a:ad:0f ApVapId 1 Slot 1, mobility role 0
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 apfProcessRadiusMacAuthResp (apf_80211.c:5928) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from AAA Pending to Authentication Fail

*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Scheduling deletion of Mobile Station: reasonCode 4 (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 27 11:50:59.221: 8e:eb:17:c1:1d:46 Received management frame ACTION on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:50:59.221: 8e:eb:17:c1:1d:46 Got action frame from the client (ActionCategory:10), payloadLen:4
*apfOpenDtlSocket: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -68. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updating location for mobile on same AP 70:6d:15:3a:ad:00-1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Client AVC Roaming context transfer needed? NO
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Setting RTTS enabled to 0
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:06 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -68. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 1

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Check before Setting the NAS Id to WLAN specific Id ''
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Not applying Local Bridge Policy because Site Specific Interface(management) Policy is already applied.

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

0 Helpful

Grendizer
Cisco Employee
Cisco Employee
In response to rayyaanfayker0006

‎05-28-2021 10:05 AM

You will not get IP Address until you pass Layer 2 security and in this case the client is not passing the Layer 2 security (MAC Auth). Most likely your ISE config is wrong.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card