WLC to ISE guest sponsor portal, users not getting IP address

Hi

I went through the following guides to configure the WLAN sponsor portal, but when I try to connect to the SSID I can't get an IP address, and I notice only when I disable MAC filtering then I get an IP, but of course this doesn't forward traffic to ISE as you need to disable ISE NAC. I have also tried disabling DHCP addr. assignment and configuring the CWA to permit all, but no luck.

Is there something I am missing?

I have a WLC 5520 running 8.10.151.0 and ISE 2.6 patch 8

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html

and 

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

 

 

 

 

2 Replies

Here is the current debug for the session.

 

Cisco Controller) >debug client 8e:eb:17:c1:1d:46

(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*apfOpenDtlSocket: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:00 destination addr 70:6d:15:3a:ad:00 slotid 0
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-00 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:50:55.693: 8e:eb:17:c1:1d:46 apfCreateMobileStationEntryWrapper (apf_ms.c:4510) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Idle to Idle

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Adding mobile on LWAPP AP 70:6d:15:3a:ad:00(0)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Created Acct-Session-ID (60af5d6f/8e:eb:17:c1:1d:46/14806) for the mobile
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Setting hasApChnaged Flag as true. It is a fresh assoc request.

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:09 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -62. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3539)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apf_policy.c:2783 Assigning the SGT 0 to mobile (earlier sgt 0)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Increment the SGT 0 policy count reference by the clients 621
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not applying Local Bridge Policy because Site Specific Interface(management) Policy is already applied.

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3539)
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Set Client Non AP specific WLAN apfMsAccessVlan = 130
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Cleared localSwitchingVlan, may be assigned later based on AAA override
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Assigning flex webauth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Assigned flex post-auth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 WLAN flywifi has ISE-NAC security policy, using external RADIUS only for MacAuth-Request
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Created Cisco-Audit-Session-ID for the mobile: 0a96ca0a000036d66f5daf60 type: local
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Sent the MAC-Auth Request for the client (#ReqTokenId:9590) on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Not re-starting Mobile Expire timer as radius request is pending for this client. state:Idle
*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 apfProcessAssocReq (apf_80211.c:12791) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Idle to AAA Pending

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updating the Aid in case of flex mac-filtering

*apfMsConnTask_7: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Updating AID for REAP AP Client 70:6d:15:3a:ad:00 - AID ===> 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready 10.202.4.10 port 1812 index 0 active 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is maybe-ready 10.201.4.10 port 1812 index 1 active 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Found a server : 10.202.4.10 from the WLAN server list of radius server index 1
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Send Radius Auth Request with pktId:172 into qid:6 of server at index:0
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Request Authenticator 43:8b:b8:4e:24:e7:09:83:64:a8:67:27:d3:4f:95:a2
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Sending the packet to v4 host 10.202.4.10:1812 of length 253
*aaaQueueReader: May 27 11:50:55.694: 8e:eb:17:c1:1d:46 Successful transmission of Authentication Packet (pktId 172) to 10.202.4.10:1812 from server queue 6, proxy state 8e:eb:17:c1:1d:46-00:00
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Invalid RADIUS message authenticator for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 RADIUS message verification failed from server 10.202.4.10(qid:6) with pktId=172. Possible secret mismatch for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Error Response code for AAA Authentication : -4
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Returning AAA Error 'Authentication Failed' (-4) for mobile 8e:eb:17:c1:1d:46 serverIdx 0
*radiusTransportThread: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Received a MAC-Auth Response for the client (#Response TokenId:9590) BSSID: 70:6D:15:3A:AD:00 result:'Authentication Failed'
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Processing MAC-Auth response received for aaaReqTokenId#9590 on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Received Mac Auth Type 1, sending Assoc Mesg
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Sending assoc-resp with status 1 station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-00 on apVapId 1
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Sending Assoc Response (status: 'unspecified failure') to station on AP I&J-Southarm-AP01 on BSSID 70:6d:15:3a:ad:00 ApVapId 1 Slot 0, mobility role 0
*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 apfProcessRadiusMacAuthResp (apf_80211.c:5928) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from AAA Pending to Authentication Fail

*apfMsConnTask_7: May 27 11:50:55.703: 8e:eb:17:c1:1d:46 Scheduling deletion of Mobile Station: reasonCode 4 (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -67. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Setting hasApChnaged Flag as true. It is a roam scenario.

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Client AVC Roaming context transfer needed? NO
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:06 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -67. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 0

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:50:59.186: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 130

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 After applying Interface(management) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 130

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:3498)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255),Default action is '0' --- (caller apf_policy.c:3518)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Values before applying NASID - interfacetype:0, ovrd:0, mscb nasid:, interface nasid:, APgrpset:0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Set Client Non AP specific WLAN apfMsAccessVlan = 130
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 This apfMsAccessVlan may be changed later from AAA after L2 Auth
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Cleared localSwitchingVlan, may be assigned later based on AAA override
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 STA - rates (8): 140 18 152 36 176 72 96 108 12 18 24 96 0 0 0 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 the value of url acl preserve flag is 1 for mobile 8e:eb:17:c1:1d:46 (caller pem_api.c:5285)
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [70:6d:15:3a:ad:00]
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Succesfully freed AID 1, slot 0 on AP 70:6d:15:3a:ad:00, #client on this slot 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 New ctxOwnerMwarIp: 10.202.150.10 New ctxOwnerApMac: 70:6D:15:3A:AD:00 New ctxOwnerApEthMac: B0:8B:CF:B9:ED:44 New ctxOwnerApSlotId: 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updated location for station old AP 70:6d:15:3a:ad:00 oldSlot 0, new AP 70:6d:15:3a:ad:00 newSlot 1, AID 0 MsType 0 MobilityRole 0
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Assigning flex webauth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Assigned flex post-auth IPv4-ACL ID :65535, IPv6-ACL ID:65535 for AP WLAN ID : 1
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 WLAN flywifi has ISE-NAC security policy, using external RADIUS only for MacAuth-Request
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Sent the MAC-Auth Request for the client (#ReqTokenId:9591) on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Not re-starting Mobile Expire timer as radius request is pending for this client. state:Authentication Fail
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 apfMsAssoStateDec
*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 apfProcessAssocReq (apf_80211.c:12791) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from Authentication Fail to AAA Pending

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updating the Aid in case of flex mac-filtering

*apfMsConnTask_7: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Updating AID for REAP AP Client 70:6d:15:3a:ad:00 - AID ===> 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready 10.202.4.10 port 1812 index 0 active 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 radiusServerFallbackPassiveStateUpdate: RADIUS server is maybe-ready 10.201.4.10 port 1812 index 1 active 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Found a server : 10.202.4.10 from the WLAN server list of radius server index 1
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Send Radius Auth Request with pktId:173 into qid:6 of server at index:0
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Request Authenticator f6:fe:33:f9:3c:68:0a:83:4c:3f:84:36:4c:14:6c:0f
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Sending the packet to v4 host 10.202.4.10:1812 of length 253
*aaaQueueReader: May 27 11:50:59.187: 8e:eb:17:c1:1d:46 Successful transmission of Authentication Packet (pktId 173) to 10.202.4.10:1812 from server queue 6, proxy state 8e:eb:17:c1:1d:46-00:00
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Invalid RADIUS message authenticator for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 RADIUS message verification failed from server 10.202.4.10(qid:6) with pktId=173. Possible secret mismatch for mobile 8e:eb:17:c1:1d:46
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Error Response code for AAA Authentication : -4
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Returning AAA Error 'Authentication Failed' (-4) for mobile 8e:eb:17:c1:1d:46 serverIdx 0
*radiusTransportThread: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Received a MAC-Auth Response for the client (#Response TokenId:9591) BSSID: 70:6D:15:3A:AD:00 result:'Authentication Failed'
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Processing MAC-Auth response received for aaaReqTokenId#9591 on SSID:flywifi BSSID: 70:6D:15:3A:AD:00
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Received Mac Auth Type 1, sending Assoc Mesg
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Sending assoc-resp with status 1 station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 on apVapId 1
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 VHT Operation IE: width 80/1 ch 36 freq0 42 freq1 0 msc0 0xff msc1 0xff
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Sending Assoc Response (status: 'unspecified failure') to station on AP I&J-Southarm-AP01 on BSSID 70:6d:15:3a:ad:0f ApVapId 1 Slot 1, mobility role 0
*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 apfProcessRadiusMacAuthResp (apf_80211.c:5928) Changing state for mobile 8e:eb:17:c1:1d:46 on AP 70:6d:15:3a:ad:00 from AAA Pending to Authentication Fail

*apfMsConnTask_7: May 27 11:50:59.195: 8e:eb:17:c1:1d:46 Scheduling deletion of Mobile Station: reasonCode 4 (callerId: 18) in 10 seconds
*apfOpenDtlSocket: May 27 11:50:59.221: 8e:eb:17:c1:1d:46 Received management frame ACTION on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:50:59.221: 8e:eb:17:c1:1d:46 Got action frame from the client (ActionCategory:10), payloadLen:4
*apfOpenDtlSocket: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Received management frame ASSOCIATION REQUEST on BSSID 70:6d:15:3a:ad:0f destination addr 70:6d:15:3a:ad:0f slotid 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updating the client capabiility as 5
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Processing assoc-req station:8e:eb:17:c1:1d:46 AP:70:6d:15:3a:ad:00-01 ssid : flywifi thread:843c3cc880
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -68. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updating location for mobile on same AP 70:6d:15:3a:ad:00-1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Client AVC Roaming context transfer needed? NO
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 req rcv on open Wlan
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Setting RTTS enabled to 0
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Association received from mobile on BSSID 70:6d:15:3a:ad:06 AP I&J-Southarm-AP01
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 trying to join WLAN with RSSI -68. Checking for XOR roam conditions on AP: 70:6D:15:3A:AD:00 Slot: 1
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Station: 8E:EB:17:C1:1D:46 is associating to AP 70:6D:15:3A:AD:00 which is not XOR roam capable
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Max Client Trap Threshold: 0 cur: 1

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updated local bridging VLAN to 2150 while applying WLAN policy
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Updated session timeout to 28800 and Sleep timeout to 720 while applying WLAN policy
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 override for default ap group, marking intgrp NULL
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Retaining (ACL [255] / Flexconnect ACL IPV4 [65535] IPV6[65535]) recieved in AAA attributes on mobile
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Check before Setting the NAS Id to WLAN specific Id ''
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Check the client SGT 0 policy and push it to AP 70:6d:15:3a:ad:00
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 In processSsidIE:7657 setting Central switched to FALSE
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Disabling flexconnect central association for the client
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying site-specific Local Bridging override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying Local Bridging Interface Policy for station 8e:eb:17:c1:1d:46 - vlan 2150, interface id 0, interface 'management', nasId:''
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 override from ap group, removing intf group from mscb
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Applying site-specific override for station 8e:eb:17:c1:1d:46 - vapId 10, site 'testing', interface 'management'
*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Not applying Local Bridge Policy because Site Specific Interface(management) Policy is already applied.

*apfMsConnTask_7: May 27 11:51:02.651: 8e:eb:17:c1:1d:46 Not re-applying interface policy for local switching Client

You will not get IP Address until you pass Layer 2 security and in this case the client is not passing the Layer 2 security (MAC Auth). Most likely your ISE config is wrong.
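
The debug above logs "Invalid RADIUS message authenticator" and "Possible secret mismatch" for pktId 172. The following is an added example, not part of the original thread and not Cisco code: it sketches the Response Authenticator (RFC 2865) and Message-Authenticator (RFC 3579) checks a RADIUS client performs on a reply, and shows both failing when the two sides hold different shared secrets. The secrets, the Access-Accept code and the Reply-Message attribute are constructed; only the packet ID and Request Authenticator are taken from the log.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
MSG_AUTH_TYPE = 80  # Message-Authenticator attribute (RFC 2869 / RFC 3579)


def build_reply(code, pkt_id, request_auth, attrs, secret):
    """Server side: build a reply signed with the server's copy of the secret."""
    # Append Message-Authenticator with a zeroed value, then fill it in.
    body = attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
    header = struct.pack("!BBH", code, pkt_id, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, request_auth, secret):
    """Client (NAS) side: return the list of failed checks; empty means accepted."""
    failures = []
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    _, _, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return ["length"]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        failures.append("response-authenticator")
    # Walk the attribute TLVs looking for Message-Authenticator.
    offset = 0
    while offset + 2 <= len(body):
        a_type, a_len = body[offset], body[offset + 1]
        if a_len < 2 or offset + a_len > len(body):
            failures.append("malformed-attribute")
            break
        if a_type == MSG_AUTH_TYPE and a_len == 18:
            received = body[offset + 2:offset + 18]
            # The HMAC is computed with the attribute value zeroed out.
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            mac = hmac.new(secret, header + request_auth + zeroed,
                           hashlib.md5).digest()
            if not hmac.compare_digest(mac, received):
                failures.append("message-authenticator")
        offset += a_len
    return failures


def demo():
    # Request Authenticator and packet ID as logged for pktId 172.
    request_auth = bytes.fromhex("438bb84e24e7098364a86727d34f95a2")
    attrs = bytes([18, 8]) + b"sample"  # constructed Reply-Message attribute
    # Constructed secrets: the server signs with one, the client holds another.
    reply = build_reply(ACCESS_ACCEPT, 172, request_auth, attrs,
                        b"server-side-secret")
    matching = verify_reply(reply, request_auth, b"server-side-secret")
    mismatched = verify_reply(reply, request_auth, b"client-side-secret")
    return matching, mismatched


if __name__ == "__main__":
    ok, bad = demo()
    print("same secret on both sides:", ok or "accepted")
    print("different secrets:", bad)
```

The reply is dropped before its contents are ever evaluated, so whatever result the server returned never reaches the client session; the RADIUS server's own live log for the same packet shows what it actually sent.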
