AP to WLC

Similar Messages

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• ISE 1.2 - WLC 5508 (7.5x) - Windows 7 802.1X

  Hi ,
  We deployed ISE 1.2 (patch 3) with 5580 WLC to authenticate machines and users using 802.1x .
  We are experiencing a strange issue - randomly some machines authenticate fine over wireless and we are able to see logs on ISE and nexst day the same machine stops authenticating itself and ISE doesnt generate any log.. seems like somehow no request is coming to ISE.
  we have checked all the settings including wireless settings ,services, 802.1x settings on the laptop but struggling to find the a reason why randomly machine would work and then not work.
  whenever a machine works we see all the logs but when a machine doesnt work no log is generated in ise.
  has anyone experienced a similar issue?
  Thanks

  Thanks, we have figured it out.
  Machine Auth timer would expire after 12 hours and ISE had another setting where it would blacklist the client and supress logs for an hour if it sees more then certain amount of failed authentication attempts.
  Thanks

• ISE 1.2 and WLC 7.4 Stability

  We are deploying ISE 1.2 for wireless only and have been experiencing a lot of issues with central web auth on controllers on version 7.4MR2. It appears we are hitting a bug, but I am curious what others on ISE 1.2 have found as the best stable WLC code to use? Has anyone been experiencing issues on 7.4 specific to CWA and web redirect? We are encountering a problem where users are getting constantly thrown back to the guest portal page after about 5 to 10 minutes after successfully logging in. Thanks.

  Hi,
  I have been running 7.4.115.0 on a production system for over 6 months with no visible issues.  The 7.4.115.0 patch is a special release to fix Apple iOS7 captive portal bypass. Other than that, 7.4.110.0 was pretty stable.
  You might consider changing the Guest WLAN session timeout on the advanced page on the WLAN in the WLC to a higher number which may fix your re-authentication issue every 5-10 minutes.

• Does WCS come with the 5508 WLC?

  Forum
  I am providing a quote to a client for a wireless installation.  I have two 5508 boxes and about 40 AP's on the quote, as well as associated SmartNet.
  I was reading how the Cisco Unified Wireless Network is comprised of:
  Controllers
  Access Points
  The Cisco Wireless Control System (WCS)
  Cisco Mobility Services Engine
  My questions are:
  1.  Does WCS come installed on the Controller?  Is this something that the customer receives simply by virtue of the fact that they are purchasing the Controller?  Or is this a separate piece of software with a cost?
  2.  What exactly is the Cisco Mobility Services Engine?  What does it do that the Controller will not?  How would I sell one to a customer?
  Thank You
  Kevin

  WCS is a Windows 2003 application (so not "on the controller") that is completely separate and has to be purchased separately with different levels of licensing for different feature sets.
  WCS is most useful when having several WLCs to manage and is offered when you buy a lot of stuff I think.
  WCS alone brings better reporting features (graphs, pdf reports, ...) and maps to visualize everything.
  MSE is a kind of "calculation appliance" that you link to your WCS to locate all clients and rogues in real-time on the map. Only that. But it's a cool enough feature :-) Without MSE you can only view one client at a time (when entering its mac address in the search field) on WCS maps.
  Nicolas

• Issue with 2504 WLC and 2602 AP. need help please.

  Somehow the AP does not associates with the 2504 controller.
  What could possibily be the issue.
  Thanks in advance.
  Anyway,  Here is the log from the AP.
  AP log
  ===========================================================
  *Mar  1 00:30:35.551: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.168.120.4 obtained through DHCP
  *Mar  1 00:30:35.551: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Discovery response from MWAR 'SNGNY-WLC1'running version 7.0.220.0 is rejected.
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to decode discovery response.
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 2 state 2.
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
  *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.120.4
  ===========================================================
  show version output from the Access Point
  =========================================================
  AP0006.f6ec.be2a#show ver
  Cisco IOS Software, C2600 Software (AP3G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 11-Dec-12 00:07 by prod_rel_team
  ROM: Bootstrap program is C2600 boot loader
  BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
  AP0006.f6ec.be2a uptime is 33 minutes
  System returned to ROM by power-on
  System image file is "flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-xx"
  Last reload reason:
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  --More--
  *Mar  1 00:33:46.071: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
  *Mar  1 00:33:46.171: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.120.98, mask 255.255.255.0, hostname AP0006.f6ec.be2a
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco AIR-CAP2602I-A-K9    (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
  Processor board ID FGL1704ZC0Q
  PowerPC CPU at 800Mhz, revision number 0x2151
  Last reset from power-on
  LWAPP image version 7.4.1.37
  1 Gigabit Ethernet interface
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 00:06:F6:EC:BE:2A
  Part Number                          : 73-14588-02
  PCA Assembly Number                  : 800-37899-01
  PCA Revision Number                  : A0
  PCB Serial Number                    : FOC165188Y4
  Top Assembly Part Number             : 800-38356-01
  Top Assembly Serial Number           : FGL1704ZC0Q
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-CAP2602I-A-K9  
  Configuration register is 0xF
  ========================================================

  Blake's right.  Your WLC is running 7.0.X code which does not support the AP2600.  Check the Release Notes and look under Software Release Support for Access Points to determine what suitable firmware your WLC can support your AP.

• Problem with certificate authentication at wlc 4402

  Hi,
  we have a problem to get a connection from the client to the WLC. 
  we  are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: "http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#wlc". Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
  We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".
  We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data):
  *EAP Framework: Jan 18 12:08:21.921: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
  *LDAP DB Task 1: Jan 18 12:08:21.921: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
  *LDAP DB Task 1: Jan 18 12:08:21.922: LDAP server 1 changed state to INIT
  *LDAP DB Task 1: Jan 18 12:08:21.922: LDAP_OPT_REFERRALS = -1*LDAP DB Task 1: Jan 18 12:08:21.925: LDAP_CLIENT: UID Search (...)))
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: ldap_search_ext_s returns 0 85
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned 2 msgs including 0 references
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned msg 1 type 0x64
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Received 1 attributes in search entry msg
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Returned msg 2 type 0x65
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : No matched DN
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : Check result error 0 rc 1013
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Received no referrals in search result msg
  *LDAP DB Task 1: Jan 18 12:08:21.927: ldapAuthRequest [1] called lcapi_query base="..." (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP ATTR> dn = CN=... (size 76)
  *LDAP DB Task 1: Jan 18 12:08:21.927: Handling LDAP response Success
  *LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc [Response] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
  *LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc Returning AAA Success for mobile 18:3d:a2:0a:ec:bc
  *LDAP DB Task 1: Jan 18 12:08:21.927: AuthorizationResponse: 0x33a5affc*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: Found context matching MAC address - 319
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: (EAP:319) User credential callback invoked
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find password in credentials. Skipped
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find wlan in credentials. Skipped
  *LDAP DB Task 1: Jan 18 12:08:21.928: Authenticated bind : Closing the binded session*LDAP DB Task 1: Jan 18 12:08:21.928: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.929: LDAP server 1 changed state to IDLE
  *EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Received event 'EAP_LL_REPLY' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Using credential profile name: ...(0x78000041)
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Maximum EAP packet size: 1000
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Sending method new context directive for EAP context 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Sending method directive 'New Context' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: eap_fast.c-EVENT: New context (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:21.931: id_manager.c-AUTH-SM: Got new ID f700000e - id_get
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c-EVENT: Allocated new EAP-FAST context (handle = 0xF700000E)
  *EAP Framework: Jan 18 12:08:21.931: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:21.931: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Received Identity
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_tlv.c-AUTH-EVENT: Adding PAC A-ID TLV (436973636f0000000000000000000000)
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Sending Start
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-SM: Changing state: Reset -> Start
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c:138: Version: 1  Flags:S  Length:0x0014
  *EAP Framework: Jan 18 12:08:21.931: eap_core.c:1422:     Payload:  00040010436973636F00000000000000 ...
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:21.931: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x001a  Type:FAST
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422:     Payload:  2100040010436973636F000000000000 ...
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1484: Code:REQUEST  ID:0x 2  Length:0x001a  Type:FAST
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422:     Payload:  2100040010436973636F000000000000 ...
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:21.932: AuthorizationResponse: 0x13c713fc*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 1a
  *EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 2) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.291: eap_core.c:1484: Code:RESPONSE  ID:0x 2  Length:0x0042  Type:FAST
  *EAP Framework: Jan 18 12:08:22.291: eap_core.c:1422:     Payload:  810000003816030100330100002F0301 ...
  *EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-RX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.292: eap_core.c:1484: Code:RESPONSE  ID:0x 2  Length:0x0042  Type:FAST
  *EAP Framework: Jan 18 12:08:22.292: eap_core.c:1422:     Payload:  810000003816030100330100002F0301 ...
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Start
  *EAP
  Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending lower layer event
  'EAP_GET_CREDENTIAL_PROFILE_FROM_PROFILE_NAME' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: Found matching context for id - 319
  *EAP
  Framework: Jan 18 12:08:22.292: LOCAL_AUTH: (EAP:319) Returning profile
  *EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - New session 0x335ee108 started (TP = 'vendor')
  *EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - Trustpoint identity (cert) set to 'Vendor'
  *EAP
  Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Subject : ...
  *EAP Framework: Jan 18
  12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Issuer : ...
  *EAP Framework: Jan 18
  12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Valid from '2012 Jan 12th,
  17:06:50 GMT' to '2016 Jan 11th, 17:06:50 GMT'
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Is not a CA cert
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: Added cert (type 1) to chain (1 present on chain)
  *EAP
  Framework: Jan 18 12:08:22.300: IOS_PKI_SHIM: [CA-CERT] Subject :
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Issuer : CN=...
  *EAP
  Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Valid from
  '2012 Jan 12th, 16:54:49 GMT' to '2020 Jan 12th, 17:04:49 GMT'
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Is a CA cert
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: Added cert (type 2) to chain (2 present on chain)
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [StartSession] - Getting older style priv key
  *EAP Framework: Jan 18 12:08:22.338: IOS_PKI_SHIM: Session 0x335ee108 init'd OK
  *EAP Framework: Jan 18 12:08:22.338: eap_fast_auth.c-AUTH-EVENT: Local certificate found
  *EAP Framework: Jan 18 12:08:22.339: eap_fast_auth.c-AUTH-EVENT: Reading Client Hello handshake
  *EAP Framework: Jan 18 12:08:22.339: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.339: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0033
  *EAP Framework: Jan 18 12:08:22.339: eap_core.c:1422:     Payload:  0100002F03014F16A8262631FC9DC042 ...
  *EAP Framework: Jan 18 12:08:22.340: eap_fast.c:202: Handshake type:Client Hello  Length:0x002F
  *EAP Framework: Jan 18 12:08:22.340: eap_core.c:1422:     Payload:  03014F16A8262631FC9DC042253D3E24 ...
  *EAP Framework: Jan 18 12:08:22.340: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_AES_128 proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_RC4_128 proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA proposed...
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: Proposed ciphersuite(s):
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_RSA_WITH_RC4_128_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT:     TLS_DH_anon_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: Selected ciphersuite:
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast_auth.c-AUTH-EVENT: Building Provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x002A
  *EAP Framework: Jan 18 12:08:22.344: eap_core.c:1422:     Payload:  0200002603015F3325EADF12E6296F91 ...
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:202: Handshake type:Server Hello  Length:0x0026
  *EAP Framework: Jan 18 12:08:22.345: eap_core.c:1422:     Payload:  03015F3325EADF12E6296F91530FE67F ...
  *EAP Framework: Jan 18 12:08:22.345: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.345: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0B54
  *EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422:     Payload:  0B000B50000B4D00059F3082059B3082 ...
  *EAP Framework: Jan 18 12:08:22.346: eap_fast.c:202: Handshake type:Certificate  Length:0x0B50
  *EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422:     Payload:  000B4D00059F3082059B30820483A003 ...
  *EAP Framework: Jan 18 12:08:22.347: eap_fast_crypto.c-EVENT: Starting Diffie Hellman phase 1 ...
  *EAP Framework: Jan 18 12:08:22.661: eap_fast_crypto.c-EVENT: Diffie Hellman phase 1 complete
  *EAP Framework: Jan 18 12:08:22.677: IOS_PKI_SHIM: PKI_SignMessage PostHashEncrypt ret SUCCESS.. op_len 128
  *EAP Framework: Jan 18 12:08:22.678: eap_fast_auth.c-AUTH-EVENT: DH signature length = 128
  *EAP Framework: Jan 18 12:08:22.678: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.678: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x028D
  *EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422:     Payload:  0C0002890100FFFFFFFFFFFFFFFFC90F ...
  *EAP Framework: Jan 18 12:08:22.679: eap_fast.c:202: Handshake type:Server Key Exchange  Length:0x0289
  *EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422:     Payload:  0100FFFFFFFFFFFFFFFFC90FDAA22168 ...
  *EAP Framework: Jan 18 12:08:22.679: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.680: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x000B
  *EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422:     Payload:  0D00000704030401020000
  *EAP Framework: Jan 18 12:08:22.680: eap_fast.c:202: Handshake type:Certificate Request  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422:     Payload:  04030401020000
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0004
  *EAP Framework: Jan 18 12:08:22.681: eap_core.c:1422:     Payload:  0E000000
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:202: Handshake type:Server Done  Length:0x0000
  *EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-EVENT: Sending Provisioning Serving Hello
  *EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-SM: Changing state: Start -> Sent provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.682: eap_fast.c-EVENT: Tx packet fragmentation required
  *EAP Framework: Jan 18 12:08:22.683: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.683: eap_fast.c:138: Version: 1  Flags:LM  Length:0x03DE
  *EAP Framework: Jan 18 12:08:22.683: eap_core.c:1422:     Payload:  160301002A0200002603015F3325EADF ...
  *EAP Framework: Jan 18 12:08:22.684: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.684: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.684: eap_core.c:1422:     Payload:  C100000E33160301002A020000260301 ...
  *EAP Framework: Jan 18 12:08:22.684: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.685: eap_core.c:1484: Code:REQUEST  ID:0x 3  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.686: eap_core.c:1422:     Payload:  C100000E33160301002A020000260301 ...
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.686: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.687: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.687: AuthorizationResponse: 0x13c713fc*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 297
  *EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 6) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.831: eap_core.c:1484: Code:RESPONSE  ID:0x 6  Length:0x015c  Type:FAST
  *EAP Framework: Jan 18 12:08:22.831: eap_core.c:1422:     Payload:  810000015216030100070B0000030000 ...
  *EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-RX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1484: Code:RESPONSE  ID:0x 6  Length:0x015c  Type:FAST
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  810000015216030100070B0000030000 ...
  *EAP
  Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Received
  TLS record type: Handshake in state: Sent provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Reading Client Certificate handshake
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  0B000003000000
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:202: Handshake type:Certificate  Length:0x0003
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  000000
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:255: Content:Alert  Version:0301  Length:0x0002
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  0228
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-SM: Changing state: Sent provisioning Server Hello -> Alert
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:138: Version: 1  Flags:L  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  15030100020228
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x0011  Type:FAST
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  810000000715030100020228
  *EAP Framework: Jan 18 12:08:22.833: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: EAP method decision: Fail
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.834: eap_core.c:1484: Code:REQUEST  ID:0x 7  Length:0x0011  Type:FAST
  *EAP Framework: Jan 18 12:08:22.834: eap_core.c:1422:     Payload:  810000000715030100020228
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.834: AuthorizationResponse: 0x13c713fc
  We think that the reason why it didn´t work, is the part:
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
  But we aren´t sure.
  Maybe anyone can help us. Many thanks in advance.
  =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.01.18 12:08:18 =~=~=~=~=~=~=~=~=~=~=~=
  debug aaa all disable                     debug aaa all enable(Cisco Controller) >*Dot1x_NW_MsgTask_0: Jan 18 12:08:21.917: 18:3d:a2:0a:ec:bc Audit Session ID added to the mscb: 0a63081e000000994f16a825
  *Dot1x_NW_MsgTask_0: Jan 18 12:08:21.917: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
  *aaaQueueReader: Jan 18 12:08:21.917: AuthenticationRequest: 0x30b52e90
  *aaaQueueReader: Jan 18 12:08:21.917: Callback.....................................0x10b7803c*aaaQueueReader: Jan 18 12:08:21.917: protocolType.................................0x00140001*aaaQueueReader: Jan 18 12:08:21.917: proxyState...................................18:3D:A2:0A:EC:BC-02:00*aaaQueueReader: Jan 18 12:08:21.917: Packet contains 16 AVPs (not shown)*aaaQueueReader: Jan 18 12:08:21.917: 18:3d:a2:0a:ec:bc [Error] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
  *aaaQueueReader: Jan 18 12:08:21.918: 18:3d:a2:0a:ec:bc Returning AAA Error 'No Server' (-7) for mobile 18:3d:a2:0a:ec:bc
  *aaaQueueReader: Jan 18 12:08:21.918: AuthorizationResponse: 0x3e04bd08
  *aaaQueueReader: Jan 18 12:08:21.918: structureSize................................32*aaaQueueReader: Jan 18 12:08:21.918: resultCode...................................-7*aaaQueueReader: Jan 18 12:08:21.918: protocolUsed.................................0xffffffff*aaaQueueReader: Jan 18 12:08:21.918: proxyState...................................18:3D:A2:0A:EC:BC-02:00*aaaQueueReader: Jan 18 12:08:21.918: Packet contains 0 AVPs:*aaaQueueReader: Jan 18 12:08:21.918: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:21.918: LOCAL_AUTH: Creating new context
  *aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Received context create from lower layer (0x0000013F)
  *aaaQueueReader: Jan 18 12:08:21.918: id_manager.c-AUTH-SM: Got new ID 78000041 - id_get
  *aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Received credential profile name: "(null)" from LL
  *aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Allocated new EAP context (handle = 0x78000041)
  *aaaQueueReader: Jan 18 12:08:21.919: LOCAL_AUTH: Created new context eap session handle 78000041
  *aaaQueueReader: Jan 18 12:08:21.919: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 1) to EAP subsys
  *EAP Framework: Jan 18 12:08:21.919: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:21.920: eap_core.c:1484: Code:RESPONSE  ID:0x 1  Length:0x002b  Type:IDENTITY
  *EAP Framework: Jan 18 12:08:21.920: eap_core.c:1422:     Payload:  416E6472652E54736368656E74736368 ...
  *EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: EAP Response type = Identity
  *EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: Received peer identity: [email protected]
  *EAP Framework: Jan 18 12:08:21.920: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_USERNAME' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.920: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:21.921: LOCAL_AUTH: (EAP) Sending user credential request username '[email protected]' to LDAP
  *aaaQueueReader: Jan 18 12:08:21.921: AuthenticationRequest: 0x33a6ae18
  *aaaQueueReader: Jan 18 12:08:21.921: Callback.....................................0x10765234*aaaQueueReader: Jan 18 12:08:21.921: protocolType.................................0x00100002*aaaQueueReader: Jan 18 12:08:21.921: proxyState...................................18:3D:A2:0A:EC:BC-00:00*aaaQueueReader: Jan 18 12:08:21.921: Packet contains 2 AVPs (not shown)*EAP Framework: Jan 18 12:08:21.921: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
  *LDAP DB Task 1: Jan 18 12:08:21.921: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
  *LDAP DB Task 1: Jan 18 12:08:21.922: LDAP server 1 changed state to INIT
  *LDAP DB Task 1: Jan 18 12:08:21.922: LDAP_OPT_REFERRALS = -1*LDAP DB Task 1: Jan 18 12:08:21.922: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.925: ldapInitAndBind [1] configured Method Authenticated lcapi_bind (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.925: LDAP server 1 changed state to CONNECTED
  *LDAP DB Task 1: Jan 18 12:08:21.925: disabled LDAP_OPT_REFERRALS*LDAP DB Task 1: Jan 18 12:08:21.925: LDAP_CLIENT: UID Search (base=DC=group,DC=jenoptik,DC=corp, pattern=(&(objectclass=Person)([email protected])))
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: ldap_search_ext_s returns 0 85
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned 2 msgs including 0 references
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned msg 1 type 0x64
  *LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Received 1 attributes in search entry msg
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Returned msg 2 type 0x65
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : No matched DN
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : Check result error 0 rc 1013
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Received no referrals in search result msg
  *LDAP DB Task 1: Jan 18 12:08:21.927: ldapAuthRequest [1] called lcapi_query base="DC=group,DC=jenoptik,DC=corp" type="Person" attr="userPrincipalName" user="[email protected]" (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.927: LDAP ATTR> dn = CN=Tschentscher\, Andre,OU=Users,OU=SSC,OU=JOAG,DC=group,DC=jenoptik,DC=corp (size 76)
  *LDAP DB Task 1: Jan 18 12:08:21.927: Handling LDAP response Success
  *LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc [Response] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
  *LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc Returning AAA Success for mobile 18:3d:a2:0a:ec:bc
  *LDAP DB Task 1: Jan 18 12:08:21.927: AuthorizationResponse: 0x33a5affc
  *LDAP DB Task 1: Jan 18 12:08:21.927: structureSize................................180*LDAP DB Task 1: Jan 18 12:08:21.927: resultCode...................................0*LDAP DB Task 1: Jan 18 12:08:21.927: protocolUsed.................................0x00000002*LDAP DB Task 1: Jan 18 12:08:21.927: proxyState...................................18:3D:A2:0A:EC:BC-00:00*LDAP DB Task 1: Jan 18 12:08:21.928: Packet contains 2 AVPs:*LDAP DB Task 1: Jan 18 12:08:21.928:     AVP[01] Unknown Attribute 0......................CN=Tschentscher\, Andre,OU=Users,OU=SSC,OU=JOAG,DC=group,DC=jenoptik,DC=corp (76 bytes)*LDAP DB Task 1: Jan 18 12:08:21.928:     AVP[02] User-Name................................Andre.Tschentscher@group.jenoptik.corp (38 bytes)*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: Found context matching MAC address - 319
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: (EAP:319) User credential callback invoked
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find password in credentials. Skipped
  *LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find wlan in credentials. Skipped
  *LDAP DB Task 1: Jan 18 12:08:21.928: Authenticated bind : Closing the binded session*LDAP DB Task 1: Jan 18 12:08:21.928: ldapClose [1] called lcapi_close (rc = 0 - Success)
  *LDAP DB Task 1: Jan 18 12:08:21.929: LDAP server 1 changed state to IDLE
  *EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Received event 'EAP_LL_REPLY' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Using credential profile name: [email protected] (0x78000041)
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Maximum EAP packet size: 1000
  *EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Sending method new context directive for EAP context 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Sending method directive 'New Context' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.930: eap_fast.c-EVENT: New context (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:21.931: id_manager.c-AUTH-SM: Got new ID f700000e - id_get
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c-EVENT: Allocated new EAP-FAST context (handle = 0xF700000E)
  *EAP Framework: Jan 18 12:08:21.931: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:21.931: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Received Identity
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_tlv.c-AUTH-EVENT: Adding PAC A-ID TLV (436973636f0000000000000000000000)
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Sending Start
  *EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-SM: Changing state: Reset -> Start
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c:138: Version: 1  Flags:S  Length:0x0014
  *EAP Framework: Jan 18 12:08:21.931: eap_core.c:1422:     Payload:  00040010436973636F00000000000000 ...
  *EAP Framework: Jan 18 12:08:21.931: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:21.931: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x001a  Type:FAST
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422:     Payload:  2100040010436973636F000000000000 ...
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1484: Code:REQUEST  ID:0x 2  Length:0x001a  Type:FAST
  *EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422:     Payload:  2100040010436973636F000000000000 ...
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:21.932: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:21.933: structureSize................................74*EAP Framework: Jan 18 12:08:21.933: resultCode...................................255*EAP Framework: Jan 18 12:08:21.933: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:21.933: proxyState...................................18:3D:A2:0A:EC:BC-02:00*EAP Framework: Jan 18 12:08:21.934: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 1a
  *EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 2) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.291: eap_core.c:1484: Code:RESPONSE  ID:0x 2  Length:0x0042  Type:FAST
  *EAP Framework: Jan 18 12:08:22.291: eap_core.c:1422:     Payload:  810000003816030100330100002F0301 ...
  *EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-RX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.292: eap_core.c:1484: Code:RESPONSE  ID:0x 2  Length:0x0042  Type:FAST
  *EAP Framework: Jan 18 12:08:22.292: eap_core.c:1422:     Payload:  810000003816030100330100002F0301 ...
  *EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Start
  *EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_PROFILE_NAME' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: (EAP:319) Returning profile '[email protected]' (username '[email protected]')
  *EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - New session 0x335ee108 started (TP = 'vendor')
  *EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - Trustpoint identity (cert) set to 'Vendor'
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Subject : C=DE, ST=Thuringia, L=Jena, O=Jenoptik AG, OU=Jenoptik SSC GmbH, CN=Cisco WLC 1st, [email protected]
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Issuer : DC=corp, DC=jenoptik, CN=Jenoptik WLAN Certificate Authority
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Valid from '2012 Jan 12th, 17:06:50 GMT' to '2016 Jan 11th, 17:06:50 GMT'
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Is not a CA cert
  *EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: Added cert (type 1) to chain (1 present on chain)
  *EAP Framework: Jan 18 12:08:22.300: IOS_PKI_SHIM: [CA-CERT] Subject : DC=corp, DC=jenoptik, CN=Jenoptik WLAN Certificate Authority
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Issuer : CN=Jenoptik Certificate Authority
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Valid from '2012 Jan 12th, 16:54:49 GMT' to '2020 Jan 12th, 17:04:49 GMT'
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Is a CA cert
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: Added cert (type 2) to chain (2 present on chain)
  *EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [StartSession] - Getting older style priv key
  *EAP Framework: Jan 18 12:08:22.338: IOS_PKI_SHIM: Session 0x335ee108 init'd OK
  *EAP Framework: Jan 18 12:08:22.338: eap_fast_auth.c-AUTH-EVENT: Local certificate found
  *EAP Framework: Jan 18 12:08:22.339: eap_fast_auth.c-AUTH-EVENT: Reading Client Hello handshake
  *EAP Framework: Jan 18 12:08:22.339: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.339: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0033
  *EAP Framework: Jan 18 12:08:22.339: eap_core.c:1422:     Payload:  0100002F03014F16A8262631FC9DC042 ...
  *EAP Framework: Jan 18 12:08:22.340: eap_fast.c:202: Handshake type:Client Hello  Length:0x002F
  *EAP Framework: Jan 18 12:08:22.340: eap_core.c:1422:     Payload:  03014F16A8262631FC9DC042253D3E24 ...
  *EAP Framework: Jan 18 12:08:22.340: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_AES_128 proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_RC4_128 proposed...
  *EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA proposed...
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: Proposed ciphersuite(s):
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT:     TLS_RSA_WITH_RC4_128_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT:     TLS_DH_anon_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: Selected ciphersuite:
  *EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  *EAP Framework: Jan 18 12:08:22.343: eap_fast_auth.c-AUTH-EVENT: Building Provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x002A
  *EAP Framework: Jan 18 12:08:22.344: eap_core.c:1422:     Payload:  0200002603015F3325EADF12E6296F91 ...
  *EAP Framework: Jan 18 12:08:22.344: eap_fast.c:202: Handshake type:Server Hello  Length:0x0026
  *EAP Framework: Jan 18 12:08:22.345: eap_core.c:1422:     Payload:  03015F3325EADF12E6296F91530FE67F ...
  *EAP Framework: Jan 18 12:08:22.345: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.345: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0B54
  *EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422:     Payload:  0B000B50000B4D00059F3082059B3082 ...
  *EAP Framework: Jan 18 12:08:22.346: eap_fast.c:202: Handshake type:Certificate  Length:0x0B50
  *EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422:     Payload:  000B4D00059F3082059B30820483A003 ...
  *EAP Framework: Jan 18 12:08:22.347: eap_fast_crypto.c-EVENT: Starting Diffie Hellman phase 1 ...
  *EAP Framework: Jan 18 12:08:22.661: eap_fast_crypto.c-EVENT: Diffie Hellman phase 1 complete
  *EAP Framework: Jan 18 12:08:22.677: IOS_PKI_SHIM: PKI_SignMessage PostHashEncrypt ret SUCCESS.. op_len 128
  *EAP Framework: Jan 18 12:08:22.678: eap_fast_auth.c-AUTH-EVENT: DH signature length = 128
  *EAP Framework: Jan 18 12:08:22.678: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.678: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x028D
  *EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422:     Payload:  0C0002890100FFFFFFFFFFFFFFFFC90F ...
  *EAP Framework: Jan 18 12:08:22.679: eap_fast.c:202: Handshake type:Server Key Exchange  Length:0x0289
  *EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422:     Payload:  0100FFFFFFFFFFFFFFFFC90FDAA22168 ...
  *EAP Framework: Jan 18 12:08:22.679: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.680: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x000B
  *EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422:     Payload:  0D00000704030401020000
  *EAP Framework: Jan 18 12:08:22.680: eap_fast.c:202: Handshake type:Certificate Request  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422:     Payload:  04030401020000
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0004
  *EAP Framework: Jan 18 12:08:22.681: eap_core.c:1422:     Payload:  0E000000
  *EAP Framework: Jan 18 12:08:22.681: eap_fast.c:202: Handshake type:Server Done  Length:0x0000
  *EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-EVENT: Sending Provisioning Serving Hello
  *EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-SM: Changing state: Start -> Sent provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.682: eap_fast.c-EVENT: Tx packet fragmentation required
  *EAP Framework: Jan 18 12:08:22.683: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.683: eap_fast.c:138: Version: 1  Flags:LM  Length:0x03DE
  *EAP Framework: Jan 18 12:08:22.683: eap_core.c:1422:     Payload:  160301002A0200002603015F3325EADF ...
  *EAP Framework: Jan 18 12:08:22.684: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.684: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.684: eap_core.c:1422:     Payload:  C100000E33160301002A020000260301 ...
  *EAP Framework: Jan 18 12:08:22.684: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.685: eap_core.c:1484: Code:REQUEST  ID:0x 3  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.686: eap_core.c:1422:     Payload:  C100000E33160301002A020000260301 ...
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.686: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.687: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.687: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:22.687: structureSize................................1048*EAP Framework: Jan 18 12:08:22.687: resultCode...................................255*EAP Framework: Jan 18 12:08:22.687: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.688: proxyState...................................18:3D:A2:0A:EC:BC-02:01*EAP Framework: Jan 18 12:08:22.688: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.688: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
  *EAP Framework: Jan 18 12:08:22.688: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.700: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.701: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.701: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 3) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.701: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.701: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.702: eap_core.c:1484: Code:RESPONSE  ID:0x 3  Length:0x0006  Type:FAST
  *EAP Framework: Jan 18 12:08:22.702: eap_core.c:1422:     Payload:  01
  *EAP Framework: Jan 18 12:08:22.702: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.704: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.704: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
  *EAP Framework: Jan 18 12:08:22.704: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.704: eap_fast.c:138: Version: 1  Flags:M  Length:0x03E2
  *EAP Framework: Jan 18 12:08:22.705: eap_core.c:1422:     Payload:  3A2F2F2F434E3D4A656E6F7074696B25 ...
  *EAP Framework: Jan 18 12:08:22.705: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.705: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.705: eap_core.c:1422:     Payload:  413A2F2F2F434E3D4A656E6F7074696B ...
  *EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.707: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.707: eap_core.c:1484: Code:REQUEST  ID:0x 4  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.707: eap_core.c:1422:     Payload:  413A2F2F2F434E3D4A656E6F7074696B ...
  *EAP Framework: Jan 18 12:08:22.707: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.708: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.708: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.708: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.708: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.709: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:22.709: structureSize................................1048*EAP Framework: Jan 18 12:08:22.709: resultCode...................................255*EAP Framework: Jan 18 12:08:22.709: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.710: proxyState...................................18:3D:A2:0A:EC:BC-02:02*EAP Framework: Jan 18 12:08:22.710: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.710: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
  *EAP Framework: Jan 18 12:08:22.711: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.723: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.723: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.724: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 4) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.724: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.725: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.725: eap_core.c:1484: Code:RESPONSE  ID:0x 4  Length:0x0006  Type:FAST
  *EAP Framework: Jan 18 12:08:22.725: eap_core.c:1422:     Payload:  01
  *EAP Framework: Jan 18 12:08:22.725: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.726: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.727: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
  *EAP Framework: Jan 18 12:08:22.727: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.727: eap_fast.c:138: Version: 1  Flags:M  Length:0x03E2
  *EAP Framework: Jan 18 12:08:22.728: eap_core.c:1422:     Payload:  BD84CC4BF49A766267DA94429BEBE087 ...
  *EAP Framework: Jan 18 12:08:22.728: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.728: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.728: eap_core.c:1422:     Payload:  41BD84CC4BF49A766267DA94429BEBE0 ...
  *EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.730: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.730: eap_core.c:1484: Code:REQUEST  ID:0x 5  Length:0x03e8  Type:FAST
  *EAP Framework: Jan 18 12:08:22.730: eap_core.c:1422:     Payload:  41BD84CC4BF49A766267DA94429BEBE0 ...
  *EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.731: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.732: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.732: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:22.732: structureSize................................1048*EAP Framework: Jan 18 12:08:22.732: resultCode...................................255*EAP Framework: Jan 18 12:08:22.733: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.733: proxyState...................................18:3D:A2:0A:EC:BC-02:03*EAP Framework: Jan 18 12:08:22.733: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.734: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
  *EAP Framework: Jan 18 12:08:22.734: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.746: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.747: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.747: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 5) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.747: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.747: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.748: eap_core.c:1484: Code:RESPONSE  ID:0x 5  Length:0x0006  Type:FAST
  *EAP Framework: Jan 18 12:08:22.748: eap_core.c:1422:     Payload:  01
  *EAP Framework: Jan 18 12:08:22.748: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.750: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.750: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
  *EAP Framework: Jan 18 12:08:22.750: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.750: eap_fast.c:138: Version: 1  Flags:  Length:0x0291
  *EAP Framework: Jan 18 12:08:22.751: eap_core.c:1422:     Payload:  34C4C6628B80DC1CD129024E088A67CC ...
  *EAP Framework: Jan 18 12:08:22.751: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.751: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x0297  Type:FAST
  *EAP Framework: Jan 18 12:08:22.751: eap_core.c:1422:     Payload:  0134C4C6628B80DC1CD129024E088A67 ...
  *EAP Framework: Jan 18 12:08:22.751: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.751: EAP-AUTH-EVENT: EAP method decision: Unknown
  *EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.752: eap_core.c:1484: Code:REQUEST  ID:0x 6  Length:0x0297  Type:FAST
  *EAP Framework: Jan 18 12:08:22.752: eap_core.c:1422:     Payload:  0134C4C6628B80DC1CD129024E088A67 ...
  *EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.753: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.753: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.754: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:22.754: structureSize................................711*EAP Framework: Jan 18 12:08:22.754: resultCode...................................255*EAP Framework: Jan 18 12:08:22.754: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.754: proxyState...................................18:3D:A2:0A:EC:BC-02:04*EAP Framework: Jan 18 12:08:22.754: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 297
  *EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 6) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.831: eap_core.c:1484: Code:RESPONSE  ID:0x 6  Length:0x015c  Type:FAST
  *EAP Framework: Jan 18 12:08:22.831: eap_core.c:1422:     Payload:  810000015216030100070B0000030000 ...
  *EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-RX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1484: Code:RESPONSE  ID:0x 6  Length:0x015c  Type:FAST
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  810000015216030100070B0000030000 ...
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Sent provisioning Server Hello
  *EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Reading Client Certificate handshake
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:255: Content:Handshake  Version:0301  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  0B000003000000
  *EAP Framework: Jan 18 12:08:22.832: eap_fast.c:202: Handshake type:Certificate  Length:0x0003
  *EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422:     Payload:  000000
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:255: Content:Alert  Version:0301  Length:0x0002
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  0228
  *EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-SM: Changing state: Sent provisioning Server Hello -> Alert
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:2367: eap-fast tx packet:
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c:138: Version: 1  Flags:L  Length:0x0007
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  15030100020228
  *EAP Framework: Jan 18 12:08:22.833: eap_fast.c-TX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1484: Code:REQUEST  ID:0x 0  Length:0x0011  Type:FAST
  *EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422:     Payload:  810000000715030100020228
  *EAP Framework: Jan 18 12:08:22.833: EAP-AUTH-EVENT: EAP method state: Continue
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: EAP method decision: Fail
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Current method = 43
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-TX-PAK:
  *EAP Framework: Jan 18 12:08:22.834: eap_core.c:1484: Code:REQUEST  ID:0x 7  Length:0x0011  Type:FAST
  *EAP Framework: Jan 18 12:08:22.834: eap_core.c:1422:     Payload:  810000000715030100020228
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started EAP tick timer
  *EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: Found matching context for id - 319
  *EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: (EAP:319) transmit event
  *EAP Framework: Jan 18 12:08:22.834: AuthorizationResponse: 0x13c713fc
  *EAP Framework: Jan 18 12:08:22.834: structureSize................................65*EAP Framework: Jan 18 12:08:22.834: resultCode...................................255*EAP Framework: Jan 18 12:08:22.835: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.835: proxyState...................................18:3D:A2:0A:EC:BC-02:05*EAP Framework: Jan 18 12:08:22.835: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.835: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 11
  *EAP Framework: Jan 18 12:08:22.835: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
  *aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: EAP: Received an auth request
  *aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: Found context matching MAC address - 319
  *aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 7) to EAP subsys
  *EAP Framework: Jan 18 12:08:22.838: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-RX-PAK:
  *EAP Framework: Jan 18 12:08:22.839: eap_core.c:1484: Code:RESPONSE  ID:0x 7  Length:0x0006  Type:FAST
  *EAP Framework: Jan 18 12:08:22.839: eap_core.c:1422:     Payload:  01
  *EAP Framework: Jan 18 12:08:22.839: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
  *EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: EAP Response type = Method (43)
  *EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: Sending method data for context 0x78000041
  *EAP Framework: Jan 18 12:08:22.839: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.839: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
  *EAP Framework: Jan 18 12:08:22.840: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
  *EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-RX-AUTH-PAK:
  *EAP Framework: Jan 18 12:08:22.840: eap_core.c:1484: Code:RESPONSE  ID:0x 7  Length:0x0006  Type:FAST
  *EAP Framework: Jan 18 12:08:22.840: eap_core.c:1422:     Payload:  01
  *EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-AUTH-EVENT: Received ACK from peer
  *EAP Framework: Jan 18 12:08:22.840: EAP-AUTH-EVENT: EAP method state: Done
  *EAP Framework: Jan 18 12:08:22.840: EAP-AUTH-EVENT: EAP method decision: Fail
  *EAP Framework: Jan 18 12:08:22.840: EAP-EVENT: Received get canned status from lower layer (0x78000041)
  *EAP Framework: Jan 18 12:08:22.840: EAP-EVENT: Sending method directive 'Free Context' on handle 0x78000041
  *EAP Framework: Jan 18 12:08:22.840: eap_fast.c-EVENT: Free context (EAP handle = 0x78000041)
  *EAP Framework: Jan 18 12:08:22.840: id_manager.c-AUTH-SM: Entry deleted fine id f700000e - id_delete
  *EAP Framework: Jan 18 12:08:22.840: IOS_PKI_SHIM: Session 0x335ee108 deleted
  *EAP Framework: Jan 18 12:08:2

  Now we found the reason.
  The WLC doesn´t work with the Sub CA respectively with chain certificates for device authentication.
  "Support for Chained Certificate
  In controller versions earlier than 5.1.151.0, web authentication  certificates can be only device certificates and should not contain the  CA roots chained to the device certificate (no chained certificates).
  With controller version 5.1.151.0 and later, the controller allows  for the device certificate to be downloaded as a chained certificate for  web authentication.
  Certificate Levels
  Level 0—Use of only a server certificate on WLC.
  Level 1—Use of server certificate on WLC and a CA root certificate.
  Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
  Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
  WLC does not support chained certificates more than 10KB size on the WLC.
  Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
  So the WLC can´t decode the peer certificate.

• WLC, ISE certificate authentication issue

  Hi Folks,
  This is the setup:
  Redundant pair of WLC 5508 (version 7.5.102.0)
  Redundant Pair of ISE (Version 1.2.0.899)
       The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
       There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
  A corporate WLAN is configured on the WLC:
  L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
  This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
  The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
  I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
  The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
  Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
  I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
  After I did this, I could no longer associate to the Corp WLAN.  
  My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
  The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
  Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
  It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
  Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
  Thanks in advance,
  Darragh

  Hi,
  I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
  Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
  If this does not work, try to import the CA into another system and export it, then import into ISE.
  Regards,

• Help adding new WLC to existing ACS

  Hi All,
  I need help with this.
  This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.
  I need to add a new WLC.
  I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.
  The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.
  I want to know if somebody can point me out in the right direction to solve this.
  There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.
  The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash.  We don't get this information on the non-working WLC (attached document shows both)
  Also in the attached document, I'm sending the errors I get no the WLC2 controller.
  Any help is greatly appreciated.
  Federico.

  Federico,
  I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?
  Also, if you don't know see any NAR configured under shared profile component then check inside the group/user setup there must be either ip based or CLI/DNIS based NAR configured for WLC's and looking at failed attempts it seem that action is denied.
  HTH
  Regds,
  JK
  Do rate helpful posts-

• I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN .

  HI All,
  I have a Problem with Romming Between SSIDs withing the same WLC but with deferent VLAN . the WLC are providing the HQ and one of the Branches the Wireless services .
  Am using all the available 9 SSIDs at the HQ , and am using only 4 of it at the Brnche.
  The problem that i have are happening only at the Branch office as i cant room between the SSIDs within Diferent VLANs but i can do it with the one that pointing to the same VLAN. Once the client ( Laptop/Phone ) connected to one of the SSIDs. it imposiible to have him connected to the other ones with Different VLAN. meanwhile, It says its connected to the other SSID but its not getting IP from that pool.
  here is the Show Run-Config from my WLC .. and the Problem happening between the SSID AMOBILE and ASTAFF. i have the Debug while am switching between the SSIDs if needed .
  =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.04 10:20:47 =~=~=~=~=~=~=~=~=~=~=~=
  show run-config
  Press Enter to continue...
  System Inventory
  NAME: "Chassis"   , DESCR: "Cisco 5500 Series Wireless LAN Controller"
  PID: AIR-CT5508-K9, VID: V01, SN: FCW1535L01G
  Burned-in MAC Address............................ 30:E4:DB:1B:99:80
  Power Supply 1................................... Present, OK
  Power Supply 2................................... Absent
  Maximum number of APs supported.................. 12
  Press Enter to continue or <ctrl-z> to abort
  System Information
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.0.235.0
  Bootloader Version............................... 1.0.1
  Field Recovery Image Version..................... 6.0.182.0
  Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
  Build Type....................................... DATA + WPS
  System Name...................................... WLAN Controller 5508
  System Location..................................
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
  IP Address....................................... 10.125.18.15
  Last Reset....................................... Software reset
  System Up Time................................... 41 days 5 hrs 14 mins 42 secs
  System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
  Current Boot License Level....................... base
  Current Boot License Type........................ Permanent
  Next Boot License Level.......................... base
  Next Boot License Type........................... Permanent
  Configured Country............................... US - United States
  --More or (q)uit current module or <ctrl-z> to abort
  Operating Environment............................ Commercial (0 to 40 C)
  Internal Temp Alarm Limits....................... 0 to 65 C
  Internal Temperature............................. +36 C
  External Temperature............................. +20 C
  Fan Status....................................... OK
  State of 802.11b Network......................... Enabled
  State of 802.11a Network......................... Enabled
  Number of WLANs.................................. 10
  Number of Active Clients......................... 61
  Burned-in MAC Address............................ 30:E4:DB:1B:99:80
  Power Supply 1................................... Present, OK
  Power Supply 2................................... Absent
  Maximum number of APs supported.................. 12
  Press Enter to continue or <ctrl-z> to abort
  AP Bundle Information
  Primary AP Image  Size
  ap3g1             5804
  ap801             5192
  ap802             5232
  c1100             3096
  c1130             4972
  c1140             4992
  c1200             3364
  c1240             4812
  c1250             5512
  c1310             3136
  c1520             6412
  c3201             4324
  c602i             3716
  Secondary AP Image      Size
  ap801             4964
  c1100             3036
  --More or (q)uit current module or <ctrl-z> to abort
  c1130             4884
  c1140             4492
  c1200             3316
  c1240             4712
  c1250             5064
  c1310             3084
  c1520             5244
  c3201             4264
  Press Enter to continue or <ctrl-z> to abort
  Switch Configuration
  802.3x Flow Control Mode......................... Disable
  FIPS prerequisite features....................... Disabled
  secret obfuscation............................... Enabled
  Strong Password Check Features:
         case-check ...........Enabled
         consecutive-check ....Enabled
         default-check .......Enabled
         username-check ......Enabled
  Press Enter to continue or <ctrl-z> to abort
  Network Information
  RF-Network Name............................. OGR
  Web Mode.................................... Disable
  Secure Web Mode............................. Enable
  Secure Web Mode Cipher-Option High.......... Disable
  Secure Web Mode Cipher-Option SSLv2......... Enable
  OCSP........................................ Disabled
  OCSP responder URL..........................
  Secure Shell (ssh).......................... Enable
  Telnet...................................... Disable
  Ethernet Multicast Forwarding............... Disable
  Ethernet Broadcast Forwarding............... Disable
  AP Multicast/Broadcast Mode................. Unicast
  IGMP snooping............................... Disabled
  IGMP timeout................................ 60 seconds
  IGMP Query Interval......................... 20 seconds
  User Idle Timeout........................... 300 seconds
  ARP Idle Timeout............................ 300 seconds
  Cisco AP Default Master..................... Enabled
  AP Join Priority............................ Disable
  Mgmt Via Wireless Interface................. Disable
  Mgmt Via Dynamic Interface.................. Disable
  --More or (q)uit current module or <ctrl-z> to abort
  Bridge MAC filter Config.................... Enable
  Bridge Security Mode........................ EAP
  Mesh Full Sector DFS........................ Enable
  AP Fallback ................................ Enable
  Web Auth Redirect Ports .................... 80
  Web Auth Proxy Redirect ................... Disable
  Fast SSID Change ........................... Enabled
  AP Discovery - NAT IP Only ................. Enabled
  IP/MAC Addr Binding Check .................. Enabled
  Press Enter to continue or <ctrl-z> to abort
  Port Summary
             STP   Admin   Physical   Physical   Link   Link
  Pr Type   Stat   Mode     Mode     Status   Status Trap    POE   SFPType  
  1 Normal Forw Enable Auto       1000 Full Up     Enable N/A     1000BaseTX
  2 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  3 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  4 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  5 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  6 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  7 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  8 Normal Disa Enable Auto       Auto       Down   Enable N/A     Not Present
  Press Enter to continue or <ctrl-z> to abort
  AP Summary
  Number of APs.................................... 8
  Global AP User Name.............................. Not Configured
  Global AP Dot1x User Name........................ Not Configured
  AP Name             Slots AP Model             Ethernet MAC       Location         Port Country Priority
  KNOWLOGY_DC01       2     AIR-LAP1131AG-A-K9   00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1       US       1
  KNOWLOGY_DC02       2     AIR-LAP1131AG-A-K9   00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1       US       1
  KN1252_AP01         2     AIR-LAP1252AG-A-K9   00:21:d8:ef:06:50 Knowlogy Confere 1       US       1
  KN1252_AP02         2     AIR-LAP1252AG-A-K9   00:22:55:8e:2e:d4 Server Room Side 1       US       1
  Anham_AP03           2     AIR-LAP1142N-A-K9     70:81:05:88:15:b5 default location 1       US       1
  ANHAM_AP01          2     AIR-LAP1142N-A-K9     70:81:05:b0:e4:62 Small Conference 1       US       1
  ANHAM_AP04           2     AIR-LAP1131AG-A-K9   00:1d:45:86:e1:b8   Conference room 1       US       1
  ANHAM_AP02           2     AIR-LAP1142N-A-K9     70:81:05:96:7a:49         Copy Room 1       US       1
  AP Tcp-Mss-Adjust Info
  AP Name             TCP State MSS Size
  KNOWLOGY_DC01       disabled   -
  KNOWLOGY_DC02       disabled   -
  --More or (q)uit current module or <ctrl-z> to abort
  KN1252_AP01         disabled   -
  KN1252_AP02         disabled   -
  Anham_AP03           disabled   -
  ANHAM_AP01           disabled   -
  ANHAM_AP04           disabled   -
  ANHAM_AP02           disabled   -
  Press Enter to continue or <ctrl-z> to abort
  AP Location
  Total Number of AP Groups........................ 3  
  Site Name........................................ ANHAM8075
  Site Description................................. ANHAM 8075 Location
  WLAN ID         Interface         Network Admission Control         Radio Policy
  1               knowlogy_ogr         Disabled                         None
  6               knowlogy_ogr         Disabled                         None
  9               knowlogy_ogr         Disabled                         None
  7               knowlogy_ogr         Disabled                         None
  AP Name             Slots AP Model             Ethernet MAC       Location         Port Country Priority
  Anham_AP03           2     AIR-LAP1142N-A-K9   70:81:05:88:15:b5 default location 1     US       1
  ANHAM_AP01           2     AIR-LAP1142N-A-K9   70:81:05:b0:e4:62 Small Conference 1     US       1
  ANHAM_AP04           2     AIR-LAP1131AG-A-K9   00:1d:45:86:e1:b8   Conference room 1     US       1
  ANHAM_AP02           2     AIR-LAP1142N-A-K9   70:81:05:96:7a:49         Copy Room 1     US       1
  Site Name........................................ Knowlogy_DC
  --More or (q)uit current module or <ctrl-z> to abort
  Site Description................................. DC Center Access points
  WLAN ID         Interface         Network Admission Control         Radio Policy
  2               knowlogy_ogr         Disabled                         None
  4               knowlogy_ogr         Disabled                         None
  3               knowlogy_ogr         Disabled                         None
  AP Name             Slots AP Model             Ethernet MAC       Location         Port Country Priority
  KNOWLOGY_DC01       2     AIR-LAP1131AG-A-K9   00:1d:45:86:ed:4e KNOWLOGY_DC_Serv 1     US       1
  KNOWLOGY_DC02       2     AIR-LAP1131AG-A-K9   00:21:d8:36:c5:c4 KNOWLOGY_DC_Serv 1     US       1
  Site Name........................................ OGR
  Site Description................................. 1934 OGR Office
  WLAN ID         Interface         Network Admission Control         Radio Policy
  1               knowlogy_ogr         Disabled                         None
  2               knowlogy_ogr         Disabled                        None
  4               knowlogy_ogr         Disabled                         None
  6               knowlogy_ogr         Disabled                         None
  --More or (q)uit current module or <ctrl-z> to abort
  7               knowlogy_ogr        Disabled                         None
  9               knowlogy_ogr         Disabled                         None
  8               knowlogy_ogr         Disabled                         None
  AP Name             Slots AP Model             Ethernet MAC       Location         Port Country Priority
  KN1252_AP01         2     AIR-LAP1252AG-A-K9   00:21:d8:ef:06:50 Knowlogy Confere 1    US       1
  KN1252_AP02         2     AIR-LAP1252AG-A-K9   00:22:55:8e:2e:d4 Server Room Side 1     US       1
  Site Name........................................ default-group
  Site Description................................. <none>
  WLAN ID        Interface         Network Admission Control         Radio Policy
  1               knowlogy_ogr         Disabled                         None
  2               knowlogy_ogr         Disabled                         None
  3               knowlogy_ogr         Disabled                         None
  4               knowlogy_ogr         Disabled                         None
  5               knowlogy_ogr         Disabled                         None
  6               knowlogy_ogr         Disabled                         None
  7               knowlogy_ogr         Disabled                         None
  8               knowlogy_ogr         Disabled                          None
  --More or (q)uit current module or <ctrl-z> to abort
  9               knowlogy_ogr         Disabled                         None
  10             management           Disabled                         None
  AP Name             Slots AP Model             Ethernet MAC       Location         Port Country Priority
  Press Enter to continue or <ctrl-z> to abort
  AP Config
  Cisco AP Identifier.............................. 6
  Cisco AP Name.................................... KNOWLOGY_DC01
  Country code..................................... US - United States
  Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
  AP Country code.................................. US - United States
  AP Regulatory Domain............................. -A
  Switch Port Number .............................. 1
  MAC Address...................................... 00:1d:45:86:ed:4e
  IP Address Configuration......................... DHCP
  IP Address....................................... 10.22.1.100
  Gateway IP Addr.................................. 10.22.1.1
  NAT External IP Address.......................... None
  CAPWAP Path MTU.................................. 1485
  Telnet State..................................... Disabled
  Ssh State........................................ Disabled
  Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
  Cisco AP Group Name.............................. Knowlogy_DC
  Primary Cisco Switch Name........................ wireless.knowlogy.com
  Primary Cisco Switch IP Address.................. 10.125.18.15
  Secondary Cisco Switch Name......................
  Secondary Cisco Switch IP Address................ Not Configured
  --More or (q)uit current module or <ctrl-z> to abortIP Address.................. 10.125.18.15
  Tertiary Cisco Switch Name.......................
  Tertiary Cisco Switch IP Address................. Not Configured
  Administrative State ............................ ADMIN_ENABLED
  Operation State ................................. REGISTERED
  Mirroring Mode .................................. Disabled
  AP Mode ......................................... H-Reap
  Public Safety ................................... Disabled
  AP SubMode ...................................... Not Configured
  Remote AP Debug ................................. Disabled
  Logging trap severity level ..................... informational
  Logging syslog facility ......................... kern
  S/W Version .................................... 7.0.235.0
  Boot Version ................................... 12.3.8.0
  Mini IOS Version ................................ 3.0.51.0
  Stats Reporting Period .......................... 180
  LED State........................................ Enabled
  PoE Pre-Standard Switch.......................... Disabled
  PoE Power Injector MAC Addr...................... Disabled
  Power Type/Mode.................................. Power injector / Normal mode
  Number Of Slots.................................. 2
  AP Model......................................... AIR-LAP1131AG-A-K9
  AP Image......................................... C1130-K9W8-M
  IOS Version...................................... 12.4(23c)JA5
  --More or (q)uit current module or <ctrl-z> to abort
  Reset Button..................................... Enabled
  AP Serial Number................................. FTX1134T0QG
  AP Certificate Type.............................. Manufacture Installed
  H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 22
        WLAN 2 :........................................ 21
        WLAN 4 :........................................ 25
        WLAN 3 :........................................ 25
  H-REAP Backup Auth Radius Servers :
  Static Primary Radius Server.................... Disabled
  Static Secondary Radius Server.................. Disabled
  Group Primary Radius Server..................... Disabled
  Group Secondary Radius Server................... Disabled
  AP User Mode..................................... AUTOMATIC
  AP User Name..................................... Not Configured
  AP Dot1x User Mode............................... Not Configured
  AP Dot1x User Name............................... Not Configured
  Cisco AP system logging host..................... 255.255.255.255
  AP Up Time....................................... 48 days, 20 h 19 m 18 s
  AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
  Join Date and Time............................... Tue Sep 24 21:24:33 2013
  Join Taken Time.................................. 0 days, 00 h 10 m 47 s
  --More or (q)uit current module or <ctrl-z> to abort
  Attributes for Slot 0
      Radio Type................................... RADIO_TYPE_80211b
     Administrative State ........................ ADMIN_ENABLED
     Operation State ............................. UP
     Radio Role .................................. ACCESS
     CellId ...................................... 0
     Station Configuration
       Configuration ............................. AUTOMATIC
       Number Of WLANs ........................... 3
       Medium Occupancy Limit .................... 100
       CFP Period ................................ 4
       CFP MaxDuration ........................... 60
       BSSID ..................................... 00:1d:71:09:8f:90
       Operation Rate Set
         1000 Kilo Bits........................... MANDATORY
         2000 Kilo Bits........................... MANDATORY
         5500 Kilo Bits........................... MANDATORY
         11000 Kilo Bits.......................... MANDATORY
       Beacon Period ............................. 100
       Fragmentation Threshold ................... 2346
       Multi Domain Capability Implemented ....... TRUE
  --More or (q)uit current module or <ctrl-z> to abort
       Multi Domain Capability Enabled ........... TRUE
       Country String ............................ US
      Multi Domain Capability
       Configuration ............................. AUTOMATIC
       First Chan Num ............................ 1
       Number Of Channels ........................ 11
     MAC Operation Parameters
       Configuration ............................. AUTOMATIC
       Fragmentation Threshold ................... 2346
       Packet Retry Limit ........................ 64
     Tx Power
       Num Of Supported Power Levels ............. 8
       Tx Power Level 1 .......................... 20 dBm
       Tx Power Level 2 .......................... 17 dBm
       Tx Power Level 3 .......................... 14 dBm
       Tx Power Level 4 .......................... 11 dBm
       Tx Power Level 5 .......................... 8 dBm
       Tx Power Level 6 .......................... 5 dBm
       Tx Power Level 7 .......................... 2 dBm
       Tx Power Level 8 .......................... -1 dBm
  --More or (q)uit current module or <ctrl-z> to abort
       Tx Power Configuration .................... AUTOMATIC
       Current Tx Power Level .................... 1
     Phy DSSS parameters
       Configuration ............................. AUTOMATIC
       Current Channel ........................... 11
       Extension Channel ......................... NONE
       Channel Width.............................. 20 Mhz
       Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
       Current CCA Mode .......................... 0
       ED Threshold .............................. -50
       Antenna Type............................... INTERNAL_ANTENNA
       Internal Antenna Gain (in .5 dBi units).... 8
       Diversity.................................. DIVERSITY_ENABLED
     Performance Profile Parameters
       Configuration ............................. AUTOMATIC
       Interference threshold..................... 10 %
       Noise threshold............................ -70 dBm
       RF utilization threshold................... 80 %
       Data-rate threshold........................ 1000000 bps
       Client threshold........................... 12 clients
       Coverage SNR threshold..................... 12 dB
  --More or (q)uit current module or <ctrl-z> to abort
       Coverage exception level................... 25 %
       Client minimum exception level............. 3 clients
     Rogue Containment Information
     Containment Count............................ 0
     CleanAir Management Information
         CleanAir Capable......................... No
  Cisco AP Identifier.............................. 6
  Cisco AP Name.................................... KNOWLOGY_DC01
  Country code..................................... US - United States
  Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
  AP Country code.................................. US - United States
  AP Regulatory Domain............................. -A
  Switch Port Number .............................. 1
  MAC Address...................................... 00:1d:45:86:ed:4e
  IP Address Configuration......................... DHCP
  IP Address....................................... 10.22.1.100
  Gateway IP Addr.................................. 10.22.1.1
  NAT External IP Address.......................... None
  CAPWAP Path MTU.................................. 1485
  Telnet State..................................... Disabled
  Ssh State........................................ Disabled
  --More or (q)uit current module or <ctrl-z> to abort
  Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
  Cisco AP Group Name.............................. Knowlogy_DC
  Primary Cisco Switch Name........................ wireless.knowlogy.com
  Primary Cisco Switch Secondary Cisco Switch Name......................
  Secondary Cisco Switch IP Address................ Not Configured
  Tertiary Cisco Switch Name.......................
  Tertiary Cisco Switch IP Address................. Not Configured
  Administrative State ............................ ADMIN_ENABLED
  Operation State ................................. REGISTERED
  Mirroring Mode .................................. Disabled
  AP Mode ......................................... H-Reap
  Public Safety ................................... Disabled
  AP SubMode ...................................... Not Configured
  Remote AP Debug ................................. Disabled
  Logging trap severity level ..................... informational
  Logging syslog facility ......................... kern
  S/W Version .................................... 7.0.235.0
  Boot Version ................................... 12.3.8.0
  Mini IOS Version ................................ 3.0.51.0
  Stats Reporting Period .......................... 180
  LED State........................................ Enabled
  PoE Pre-Standard Switch.......................... Disabled
  PoE Power Injector MAC Addr...................... Disabled
  --More or (q)uit current module or <ctrl-z> to abort
  Power Type/Mode.................................. Power injector / Normal mode
  Number Of Slots.................................. 2
  AP Model......................................... AIR-LAP1131AG-A-K9
  AP Image......................................... C1130-K9W8-M
  IOS Version...................................... 12.4(23c)JA5
  Reset Button..................................... Enabled
  AP Serial Number................................. FTX1134T0QG
  AP Certificate Type.............................. Manufacture Installed
  H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 22
        WLAN 2 :........................................ 21
        WLAN 4 :........................................ 25
        WLAN 3 :........................................ 25
  H-REAP Backup Auth Radius Servers :
  Static Primary Radius Server.................... Disabled
  Static Secondary Radius Server.................. Disabled
  Group Primary Radius Server..................... Disabled
  Group Secondary Radius Server................... Disabled
  AP User Mode..................................... AUTOMATIC
  AP User Name..................................... Not Configured
  AP Dot1x User Mode............................... Not Configured
  AP Dot1x User Name............................... Not Configured
  Cisco AP system logging host..................... 255.255.255.255
  --More or (q)uit current module or <ctrl-z> to abort
  AP Up Time....................................... 48 days, 20 h 19 m 18 s
  AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
  Join Date and Time............................... Tue Sep 24 21:24:33 2013
  Join Taken Time.................................. 0 days, 00 h 10 m 47 s
  Attributes for Slot 1
     Radio Type................................... RADIO_TYPE_80211a
     Radio Subband................................ RADIO_SUBBAND_ALL
     Administrative State ........................ ADMIN_ENABLED
     Operation State ............................. UP
     Radio Role .................................. ACCESS
     CellId ...................................... 0
     Station Configuration
       Configuration ............................. AUTOMATIC
       Number Of WLANs ........................... 3
       Medium Occupancy Limit .................... 100
       CFP Period ................................ 4
        CFP MaxDuration ........................... 60
       BSSID ..................................... 00:1d:71:09:8f:90
       Operation Rate Set
         6000 Kilo Bits........................... MANDATORY
  --More or (q)uit current module or <ctrl-z> to abort
         9000 Kilo Bits........................... SUPPORTED
         12000 Kilo Bits.......................... MANDATORY
         18000 Kilo Bits.......................... SUPPORTED
         24000 Kilo Bits.......................... MANDATORY
        36000 Kilo Bits.......................... SUPPORTED
         48000 Kilo Bits.......................... SUPPORTED
         54000 Kilo Bits.......................... SUPPORTED
       Beacon Period ............................. 100
       Fragmentation Threshold ................... 2346
       Multi Domain Capability Implemented ....... TRUE
       Multi Domain Capability Enabled ........... TRUE
       Country String ............................ US
     Multi Domain Capability
       Configuration ............................. AUTOMATIC
       First Chan Num ............................ 36
       Number Of Channels ........................ 20
     MAC Operation Parameters
       Configuration ............................. AUTOMATIC
       Fragmentation Threshold ................... 2346
       Packet Retry Limit ........................ 64
  --More or (q)uit current module or <ctrl-z> to abort
     Tx Power
       Num Of Supported Power Levels ............. 7
       Tx Power Level 1 .......................... 15 dBm
       Tx Power Level 2 .......................... 14 dBm
       Tx Power Level 3 .......................... 11 dBm
       Tx Power Level 4 .......................... 8 dBm
       Tx Power Level 5 .......................... 5 dBm
       Tx Power Level 6 .......................... 2 dBm
       Tx Power Level 7 .......................... -1 dBm
       Tx Power Configuration .................... AUTOMATIC
       Current Tx Power Level .................... 1
     Phy OFDM parameters
       Configuration ............................. AUTOMATIC
       Current Channel ........................... 44
       Extension Channel ......................... NONE
       Channel Width.............................. 20 Mhz
       Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
         ......................................... 104,108,112,116,132,136,140,
         ......................................... 149,153,157,161
       TI Threshold .............................. -50
       Antenna Type............................... INTERNAL_ANTENNA
       Internal Antenna Gain (in .5 dBi units).... 8
  --More or (q)uit current module or <ctrl-z> to abort
       Diversity.................................. DIVERSITY_ENABLED
     Performance Profile Parameters
       Configuration ............................. AUTOMATIC
       Interference threshold..................... 10 %
       Noise threshold............................ -70 dBm
       RF utilization threshold................... 80 %
        Data-rate threshold........................ 1000000 bps
       Client threshold........................... 12 clients
       Coverage SNR threshold..................... 16 dB
       Coverage exception level................... 25 %
       Client minimum exception level............. 3 clients
     Rogue Containment Information
     Containment Count............................ 0
     CleanAir Management Information
         CleanAir Capable......................... No
  Press Enter to continue or <ctrl-z> to abort
  Cisco AP Identifier.............................. 3
  Cisco AP Name.................................... KNOWLOGY_DC02
  Country code..................................... US - United States
  Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
  AP Country code.................................. US - United States
  AP Regulatory Domain............................. -A
  Switch Port Number .............................. 1
  MAC Address...................................... 00:21:d8:36:c5:c4
  IP Address Configuration......................... DHCP
  IP Address....................................... 10.22.1.101
  Gateway IP Addr.................................. 10.22.1.1
  NAT External IP Address.......................... None
  CAPWAP Path MTU.................................. 1485
  Telnet State..................................... Disabled
  Ssh State........................................ Disabled
  Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
  Cisco AP Group Name.............................. Knowlogy_DC
  Primary Cisco Switch Name........................
  Primary Cisco Switch IP Address.................. Not Configured
  Secondary Cisco Switch Name......................
  Secondary Cisco Switch IP Address................ Not Configured
  Tertiary Cisco Switch Name.......................
  --More or (q)uit current module or <ctrl-z> to abort
  Tertiary Cisco Switch IP Address................. Not Configured
  Administrative State ............................ ADMIN_ENABLED
  Operation State ................................. REGISTERED
  Mirroring Mode .................................. Disabled
  AP Mode ......................................... H-Reap
  Public Safety ................................... Disabled
  AP SubMode ...................................... Not Configured
  Remote AP Debug ................................. Disabled
  Logging trap severity level ..................... informational
  Logging syslog facility ......................... kern
  S/W  Version .................................... 7.0.235.0
  Boot Version ................................... 12.3.8.0
  Mini IOS Version ................................ 3.0.51.0
  Stats Reporting Period .......................... 180
  LED State........................................ Enabled
  PoE Pre-Standard Switch.......................... Enabled
  PoE Power Injector MAC Addr...................... Disabled
  Power Type/Mode.................................. Power injector / Normal mode
  Number Of Slots.................................. 2
  AP Model......................................... AIR-LAP1131AG-A-K9
  AP Image......................................... C1130-K9W8-M
  IOS Version...................................... 12.4(23c)JA5
  Reset Button..................................... Enabled
  --More or (q)uit current module or <ctrl-z> to abort
  AP Serial Number................................. FTX1230T24F
  AP Certificate Type.............................. Manufacture Installed
  H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 22
        WLAN 2 :........................................ 21
        WLAN 4 :........................................ 25
        WLAN 3 :........................................ 25
  H-REAP Backup Auth Radius Servers :
  Static Primary Radius Server.................... Disabled
  Static Secondary Radius Server.................. Disabled
  Group Primary Radius Server..................... Disabled
  Group Secondary Radius Server................... Disabled
  AP User Mode..................................... AUTOMATIC
  AP User Name..................................... Not Configured
  AP Dot1x User Mode............................... Not Configured
  AP Dot1x User Name............................... Not Configured
  Cisco AP system logging host..................... 255.255.255.255
  AP Up Time....................................... 48 days, 20 h 24 m 41 s
  AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
  Join Date and Time............................... Tue Sep 24 21:24:35 2013
  Join Taken Time.................................. 0 days, 00 h 10 m 48 s
  --More or (q)uit current module or <ctrl-z> to abort
  Attributes for Slot 0
     Radio Type................................... RADIO_TYPE_80211b
     Administrative State ........................ ADMIN_ENABLED
     Operation State ............................. UP
     Radio Role .................................. ACCESS
     CellId ...................................... 0
      Station Configuration
       Configuration ............................. AUTOMATIC
       Number Of WLANs ........................... 3
       Medium Occupancy Limit .................... 100
       CFP Period ................................ 4
       CFP MaxDuration ........................... 60
       BSSID ..................................... 00:22:55:a5:0c:30
       Operation Rate Set
         1000 Kilo Bits........................... MANDATORY
         2000 Kilo Bits........................... MANDATORY
         5500 Kilo Bits........................... MANDATORY
         11000 Kilo Bits.......................... MANDATORY
       Beacon Period ............................. 100
       Fragmentation Threshold ................... 2346
       Multi Domain Capability Implemented ....... TRUE
       Multi Domain Capability Enabled ........... TRUE
  --More or (q)uit current module or <ctrl-z> to abort
       Country String ............................ US
     Multi Domain Capability
       Configuration ............................. AUTOMATIC
       First Chan Num ............................ 1
       Number Of Channels ........................ 11
     MAC Operation Parameters
       Configuration ............................. AUTOMATIC
       Fragmentation Threshold ................... 2346
       Packet Retry Limit ........................ 64
     Tx Power
       Num Of Supported Power Levels ............. 8
       Tx Power Level 1 .......................... 20 dBm
       Tx Power Level 2 .......................... 17 dBm
       Tx Power Level 3 .......................... 14 dBm
       Tx Power Level 4 .......................... 11 dBm
       Tx Power Level 5 .......................... 8 dBm
       Tx Power Level 6 .......................... 5 dBm
       Tx Power Level 7 .......................... 2 dBm
       Tx Power Level 8 .......................... -1 dBm
       Tx Power Configuration .................... AUTOMATIC
  --More or (q)uit current module or <ctrl-z> to abort
       Current Tx Power Level .................... 1
     Phy DSSS parameters
       Configuration ............................. AUTOMATIC
       Current Channel ........................... 1
       Extension Channel ......................... NONE
       Channel Width.............................. 20 Mhz
       Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11
       Current CCA Mode .......................... 0
       ED Threshold .............................. -50
       Antenna Type............................... INTERNAL_ANTENNA
       Internal Antenna Gain (in .5 dBi units).... 8
       Diversity.................................. DIVERSITY_ENABLED
     Performance Profile Parameters
       Configuration ............................. AUTOMATIC
       Interference threshold..................... 10 %
       Noise threshold............................ -70 dBm
       RF utilization threshold................... 80 %
       Data-rate threshold........................ 1000000 bps
       Client threshold........................... 12 clients
       Coverage SNR threshold..................... 12 dB
       Coverage exception level................... 25 %
  --More or (q)uit current module or <ctrl-z> to abort
       Client minimum exception level............. 3 clients
     Rogue Containment Information
     Containment Count............................ 0
     CleanAir Management Information
         CleanAir Capable......................... No
  Cisco AP Identifier.............................. 3
  Cisco AP Name.................................... KNOWLOGY_DC02
  Country code..................................... US - United States
  Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
  AP Country code.................................. US - United States
  AP Regulatory Domain............................. -A
  Switch Port Number .............................. 1
  MAC Address...................................... 00:21:d8:36:c5:c4
  IP Address Configuration......................... DHCP
  IP Address....................................... 10.22.1.101
  Gateway IP Addr.................................. 10.22.1.1
  NAT External IP Address.......................... None
  CAPWAP Path MTU.................................. 1485
  Telnet State..................................... Disabled
  Ssh State........................................ Disabled
  Cisco AP Location................................ KNOWLOGY_DC_ServerRoom
  --More or (q)uit current module or <ctrl-z> to abort
  Cisco AP Group Name.............................. Knowlogy_DC
  Primary Cisco Switch Name........................
  Primary Cisco Switch IP Address.................. Not Configured
  Secondary Cisco Switch Name......................
  Secondary Cisco Switch IP Address................ Not Configured
  Tertiary Cisco Switch Name.......................
  Tertiary Cisco Switch IP Address................. Not Configured
  Administrative State ............................ ADMIN_ENABLED
  Operation State ................................. REGISTERED
  Mirroring Mode .................................. Disabled
  AP Mode ......................................... H-Reap
  Public Safety ................................... Disabled
  AP SubMode ...................................... Not Configured
  Remote AP Debug ................................. Disabled
  Logging trap severity level ..................... informational
  Logging syslog facility ......................... kern
  S/W Version .................................... 7.0.235.0
  Boot Version ................................... 12.3.8.0
  Mini IOS Version ................................ 3.0.51.0
  Stats Reporting Period .......................... 180
  LED State........................................ Enabled
  PoE Pre-Standard Switch.......................... Enabled
  PoE Power Injector MAC Addr...................... Disabled
  --More or (q)uit current module or <ctrl-z> to abort
  Power Type/Mode.................................. Power injector / Normal mode
  Number Of Slots.................................. 2
  AP Model......................................... AIR-LAP1131AG-A-K9
  AP Image......................................... C1130-K9W8-M
  IOS Version...................................... 12.4(23c)JA5
  Reset Button..................................... Enabled
  AP Serial Number................................. FTX1230T24F
  AP Certificate Type.............................. Manufacture Installed
  H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 22
        WLAN 2 :........................................ 21
        WLAN 4 :........................................ 25
        WLAN 3 :........................................ 25
  H-REAP Backup Auth Radius Servers :
  Static Primary Radius Server.................... Disabled
  Static Secondary Radius Server.................. Disabled
  Group Primary Radius Server..................... Disabled
  Group Secondary Radius Server................... Disabled
  AP User Mode..................................... AUTOMATIC
  AP User Name..................................... Not Configured
  AP Dot1x User Mode............................... Not Configured
  AP Dot1x User Name............................... Not Configured
  Cisco AP system logging host..................... 255.255.255.255
  --More or (q)uit current module or <ctrl-z> to abort
  AP Up Time....................................... 48 days, 20 h 24 m 41 s
  AP LWAPP Up Time................................. 40 days, 13 h 58 m 18 s
  Join Date and Time............................... Tue Sep 24 21:24:35 2013
  Join Taken Time.................................. 0 days, 00 h 10 m 48 s
  Attributes for Slot 1
     Radio Type................................... RADIO_TYPE_80211a
     Radio Subband................................ RADIO_SUBBAND_ALL
     Administrative State ........................ ADMIN_ENABLED
     Operation State ............................. UP
     Radio Role .................................. ACCESS
     CellId ...................................... 0
     Station Configuration
       Configuration ............................. AUTOMATIC
       Number Of WLANs ........................... 3
       Medium Occupancy Limit .................... 100
       CFP Period ................................ 4
       CFP MaxDuration ........................... 60
       BSSID ..................................... 00:22:55:a5:0c:30
       Operation Rate Set
         6000 Kilo Bits........................... MANDATORY
  --More or (q)uit current module or <ctrl-z> to abort
         9000 Kilo Bits........................... SUPPORTED
         12000 Kilo Bits.......................... MANDATORY
         18000 Kilo Bits.......................... SUPPORTED
         24000 Kilo Bits.......................... MANDATORY
         36000 Kilo Bits.......................... SUPPORTED
         48000 Kilo Bits.......................... SUPPORTED
         54000 Kilo Bits.......................... SUPPORTED
       Beacon Period ............................. 100
       Fragmentation Threshold ................... 2346
       Multi Domain Capability Implemented ....... TRUE
       Multi Domain Capability Enabled ........... TRUE
       Country String ............................ US
     Multi Domain Capability
       Configuration ............................. AUTOMATIC
       First Chan Num ............................ 36
       Number Of Channels ........................ 20
     MAC Operation Parameters
       Configuration ............................. AUTOMATIC
       Fragmentation Threshold ................... 2346
       Packet Retry Limit ........................ 64
  --More or (q)uit current module or <ctrl-z> to abort
     Tx Power
       Num Of Supported Power Levels ............. 7
       Tx Power Level 1 .......................... 15 dBm
      Tx Power Level 2 .......................... 14 dBm
       Tx Power Level 3 .......................... 11 dBm
       Tx Power Level 4 .......................... 8 dBm
       Tx Power Level 5 .......................... 5 dBm
       Tx Power Level 6 .......................... 2 dBm
       Tx Power Level 7 .......................... -1 dBm
       Tx Power Configuration .................... AUTOMATIC
       Current Tx Power Level .................... 1
     Phy OFDM parameters
       Configuration ............................. AUTOMATIC
       Current Channel ........................... 36
       Extension Channel ......................... NONE
       Channel Width.............................. 20 Mhz
       Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,
         ......................................... 104,108,112,116,132,136,140,
         ......................................... 149,153,157,161
       TI Threshold .............................. -50
       Antenna Type............................... INTERNAL_ANTENNA
       Internal Antenna Gain (in .5 dBi units).... 8
  --More or (q)uit current module or <ctrl-z> to abort
       Diversity.................................. DIVERSITY_ENABLED
     Performance Profile Parameters
        Configuration ............................. AUTOMATIC
       Interference threshold..................... 10 %
       Noise threshold............................ -70 dBm
       RF utilization threshold................... 80 %
       Data-rate threshold........................ 1000000 bps
       Client threshold........................... 12 clients
       Coverage SNR threshold..................... 16 dB
       Coverage exception level................... 25 %
       Client minimum exception level............. 3 clients
     Rogue Containment Information
     Containment Count............................ 0
     CleanAir Management Information
         CleanAir Capable......................... No
  Press Enter to continue or <ctrl-z> to abort
  Cisco AP Identifier.............................. 5
  Cisco AP Name.................................... KN1252_AP01
  Country code..................................... US - United States
  Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
  AP Country code.................................. US - United States
  AP Regulatory Domain............................. -A
  Switch Port Number .............................. 1
  MAC Address...................................... 00:21:d8:ef:06:50
  IP Address Configuration......................... DHCP
  IP Address....................................... 10.125.18.101
  IP NetMask....................................... 255.255.255.0
  Gateway IP Addr.................................. 10.125.18.1
  NAT External IP Address.......................... None
  CAPWAP Path MTU.................................. 1485
  Telnet State..................................... Enabled
  Ssh State........................................ Disabled
  Cisco AP Location................................ Knowlogy Conference Rooms Side
  Cisco AP Group Name.............................. OGR
  Primary Cisco Switch Name........................
  Primary Cisco Switch IP Address.................. Not Configured
  Secondary Cisco Switch Name......................
  Secondary Cisco Switch IP Address................ Not Configured
  --More or (q)uit current module or <ctrl-z> to abort
  Tertiary Cisco Switch Name.......................
  Tertiary Cisco Switch IP Address................. Not Configured
  Administrative State ............................ ADMIN_ENABLED
  Operation State ................................. REGISTERED
  Mirroring Mode .................................. Disabled
  AP Mode ......................................... H-Reap
  Public Safety ................................... Disabled
  AP SubMode ...................................... Not Configured
  Remote AP Debug ................................. Disabled
  Logging trap severity level ..................... informational
  Logging syslog facility ......................... kern
  S/W Version .................................... 7.0.235.0
  Boot Version ................................... 12.4.10.0
  Mini IOS Version ................................ 3.0.51.0
  Stats Reporting Period .......................... 180
  LED State........................................ Enabled
  PoE Pre-Standard Switch.......................... Disabled
  PoE Power Injector MAC Addr...................... Disabled
  Power Type/Mode.................................. PoE/Medium Power (15.4 W)
  Number Of Slots.................................. 2
  AP Model......................................... AIR-LAP1252AG-A-K9
  AP Image......................................... C1250-K9W8-M
  IOS Version...................................... 12.4(23c)JA5
  --More or (q)uit current module or <ctrl-z> to abort
  Reset Button..................................... Enabled
  AP Serial Number................................. FTX122990L5
  AP Certificate Type.............................. Manufacture Installed
  H-REAP Vlan mode :............................... Enabled
        Native ID :..................................... 118
        WLAN 1 :........................................ 111
        WLAN 2 :........................................ 111
        WLAN 4 :........................................ 112
        WLAN 6 :........................................ 112
        WLAN 7 :........................................ 111
        WLAN 9 :........................................ 112
        WLAN 8 :........................................ 112
  H-REAP Backup Auth Radius Servers :
  Static Primary Radius Server.................... Disabled
  Static Secondary Radius Server.................. Disabled
  Group Primary Radius Server..................... Disabled
  Group Secondary Radius Server................... Disabled
  AP User Mode..................................... AUTOMATIC
  AP User Name..................................... Not Configured
  AP Dot1x User Mode............................... Not Configured
  AP Dot1x User Name............................... Not Configured
  Cisco AP system logging host..................... 255.255.255.255
  AP Up Time....................................... 26 days, 00 h 24 m 39 s
  --More or (q)uit current module or <ctrl-z> to abort
  AP LWAPP Up Time................................. 26 days, 00 h 23 m 48 s
  Join Date and Time............................... Wed Oct 9 10:59:07 2013
  Join Taken Time.................................. 0 days, 00 h 00 m 50 s
  Attributes for Slot 0
     Radio Type................................... RADIO_TYPE_80211n-2.4
     Administrative State ........................ ADMIN_ENABLED
     Operation State ............................. UP
     Radio Role .................................. ACCESS
     CellId ...................................... 0
     Station Configuration
       Configuration ............................. AUTOMATIC
       Number Of WLANs ........................... 7
       Medium Occupancy Limit .................... 100
       CFP Period ................................ 4
       CFP MaxDuration ........................... 60
       BSSID ..................................... 00:22:55:df:a5:90
       Operation Rate Set
         1000 Kilo Bits........................... MANDATORY
         2000 Kilo Bits........................... MANDATORY
         5500 Kilo Bits........................... MANDATORY
  --More or (q)uit current module or <ctrl-z> to abort
         11000 Kilo Bits.......................... MANDATORY
       MCS Set
         MCS 0.................................... SUPPORTED
         MCS 1.................................... SUPPORTED
         MCS 2.................................... SUPPORTED
         MCS 3.................................... SUPPORTED
         MCS 4.................................... SUPPORTED
         MCS 5.................................... SUPPORTED
         MCS 6.................................... SUPPORTED
         MCS 7.................................... SUPPORTED
         MCS 8.................................... SUPPORTED
          MCS 9.................................... SUPPORTED
         MCS 10................................... SUPPORTED
         MCS 11................................... SUPPORTED
         MCS 12................................... SUPPORTED
         MCS 13................................... SUPPORTED
         MCS 14................................... SUPPORTED
         MCS 15................................... SUPPORTED
       Beacon Period ............................. 100
       Fragmentation Threshold ................... 2346
       Multi Domain Capability Implemented ....... TRUE
       Multi Domain Capability Enabled ........... TRUE
       Country String ............................ US
  --More or (q)uit current module or <ctrl-z> to abort
     Multi Domain Capability
       Configuration ............................. AUTOMATIC
       First Chan Num ............................ 1
       Number Of Channels ........................ 11
     MAC Operation Parameters
       Configuration ............................. AUTOMATIC
       Fragmentation Threshold ................... 2346
       Packet Retry Limit ........................ 64
     Tx Power
       Num Of Supported Power Levels ............. 8
       Tx Power Level 1 .......................... 20 dBm
       Tx Power Level 2 .......................... 17 dBm
       Tx Power Level 3 .......................... 14 dBm
       Tx Power Level 4 ..........

  Well you need to understand the behavior of h-reap or what it's called now, FlexConnect. In this mode, the clients are still remembers on the WLC until the session timer/idle timer expires. So switching between SSID's in h-reap will not be the same when switching when the AP's are in local mode.
  Take a look at the client when connected in FlexConnect in the WLC GUI monitor tab. Thus will show you what ssid and vlan the client is on. Now switch to a different ssid and compare this. It's probably the same because the client has not timed out. Now go back to the other ssid and look again. Now on the WLC, remove or delete the client and then switch to the other ssid at the same time. Or switch SSID's and then remove the client. The client will join the new ssid and in the monitor tab, you should see the info.
  There is no need to have clients have multiple SSID's unless your testing. Devices should only have one ssid profile configured to eliminate any connectivity issues from the device wanting to switch SSID's.
  Sent from Cisco Technical Support iPhone App

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients

  Hi All,
  I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it.  I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network.  However, they are both associated to the WLC and as far as I can tell, they have clients associated to them.  If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
  The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems.  I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
  Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
  Thanks.

  please
  https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap

• Can I use ASA to be a DHCP Server use in WLC wireless Client

  I want to use ASA to be a DHCP Server for Wireless Client not it can't.
  I check the debug log in WLC, I confirm the WLC have send the request to ASA.
  In the ASA, it don't have any hits in the rule when the WLC send the DHCP relay request.
  I have try don't use dhcp relay in WLC but don't success. Anybody have the same case with me? And Is the ASA can't support DHCP relay agent to request to get the IP Addr.
  P.S. In the Network Design limitation so I can't use WLC to be DHCP Server.
  Equipment:
  ASA5510
  WLC4402
  How can I fix it.
  Thank you very much

  The issue is that the ASA doesn't accept DHCP requests from a relay agent, only broadcast DHCP requests. In the 4.2 version for the controllers there is now an option so you can change the way the controller forwards DHCP requests so that it is sent as a broadcast and not from a relay agent.

• How can I use Windows IAS to validate WLC management users?

  I am having a problem using my Windows IAS radius server to validate management users for my 2112 Wireless Lan Controller.
  I have defined the radius server and it works ok with the policy for validating wireless clients but not for WLC management users.
  The Remote access policy seems to be set up correctly as the event viewer on the server shows:-
  Event Type: Information
  Event Source: IAS
  Event Category: None
  Event ID: 1
  Date:  09/02/2011
  Time:  11:06:06
  User:  N/A
  Computer: UK01DC07
  Description:
  User xxxxxx was granted access.
  Fully-Qualified-User-Name = TRAVEL.OAG.com/Dunstable Admins/xxxxxx
  NAS-IP-Address = 10.10.45.210
  NAS-Identifier = UK03NM01
  Client-Friendly-Name = UK03NM01
  Client-IP-Address = 10.10.45.210
  Calling-Station-Identifier = <not present>
  NAS-Port-Type = <not present>
  NAS-Port = <not present>
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = UK03NM01 - login
  Authentication-Type = PAP
  EAP-Type = <undetermined>
  But, the WLC log shows:
  *Feb 09 11:06:06.612: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed. User:xxxxxx. Service-Type is not present or it doesn't allow READ/WRITE permission..
  The WLC just returns the login screen
  Any thoughts?
  Thanks in advance
  Richard

  Event viewer shows :
  Event Type: Information
  Event Source: IAS
  Event Category: None
  Event ID: 1
  Date:  10/02/2011
  Time:  08:49:39
  User:  N/A
  Computer: UK01DC07
  Description:
  User xxxxxxxx was granted access.
  Fully-Qualified-User-Name = TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx
  NAS-IP-Address = 10.10.45.210
  NAS-Identifier = UK03NM01
  Client-Friendly-Name = UK03NM01
  Client-IP-Address = 10.10.45.210
  Calling-Station-Identifier =
  NAS-Port-Type =
  NAS-Port =
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name = UK03NM01 - login
  Authentication-Type = PAP
  EAP-Type =
  For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  Data:
  0000: 00 00 00 00               ....   
  and IAS log shows:
  "UK01DC07","IAS",02/10/2011,08:49:39,1,"xxxxxxxx","TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx",,,,,"UK03NM01","10.10.45.210",,0,"10.10.45.210","UK03NM01",,,,,,7,1,"UK03NM01 - login",0,"311 1 10.10.45.254 12/04/2010 23:56:59 1987",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
  "UK01DC07","IAS",02/10/2011,08:49:39,2,,"TRAVEL.OAG.com/Dunstable Admins/xxxxxxxx",,,,,,,,0,"10.10.45.210","UK03NM01",,,,,,2,1,"UK03NM01 - login",0,"311 1 10.10.45.254 12/04/2010 23:56:59 1987",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
  It appears to me that IAS checks and passes the username/password as being valid but this response is ignored by the WLC
  Richard

• Questions on WLC 4400

  I am looking for a wireless LAN controller tha can do the following:
  1) Need to able to work with existing cisco AP AIR-AP1242AG-E-K9 (x 4) , AIR-AP1242AG-S-K9 (x 3) , AIR-AP1242AG-C-K9 (x 1) and in future to be added Aironet 1250 ( 802.11n) devices which are spread across various offices both local and oversea and connected via a Wide Area Network
  2) A single Wireless LAN controller will be in head office to intercept guest authentication traffic but internet traffic will either go via the branch office internet gateway or head office internet gateway. Staff access authentication traffic is via MS ISA radius sever working in conjuction with AD, PEAP and Certificate service(already set this up and is it working in a test environment).
  3)Guest access is control by issuing a time expiration login credentials from the WLAN controller. A web https login page will be presented to guest for authentication upon launching the web browser (similar to some hotel hot spot concept) .This mean that a single SSID is broadcast which depending on whether the client is a staff or a guest, the setup must be able to response appropriately to authenticate these 2 group of users.
  4)In head office, I am using a L3 4948 switch as a core switch connnecting a few L2 2960 edge switches without having any VLAN to segregate my subnet.I am turning on some of the port to a router interface.
  In the branch office only L2 switches and one single subnet. Wireless network and wired network are shared in the same network for each subnet.
  Based on these requirements, I think Cisco 4404 or Cisco 4402 WLAN controller can do the job. The question is do I need to have L2 VLAN in my environment to work to fufill the above requirement as I read from the cisco config example that there is some VLAN to be set in the initial config of WLAN controller.

  Hi Scott,
  I may be wrong here (that would be no surprise ;-) but didn't this change in WLC 4.1.x.x
  Version 4.1 or higher;
  Configuring Country Codes
  Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as -E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that each radio's broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
  Generally, you configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 or later allows you to configure up to 20 country codes per controller. This multiple-country support enables you to manage access points in various countries from a single controller.
  Note Although the controller supports different access points in different regulatory domains (countries), it requires all radios in a single access point to be configured for the same regulatory domain. For example, you should not configure a Cisco 1231 access point's 802.11b/g radio for the US (-A) regulatory domain and its 802.11a radio for the Great Britain (-E) regulatory domain. Otherwise, the controller allows only one of the access point's radios to turn on, depending on which regulatory domain you selected for the access point on the controller. Therefore, make sure that the same country code is configured for both of the access point's radios.
  From this good doc;
  http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42lwap.html#wp1147748
  What do you think?
  Rob

• WLC AireOS 8.0 - how to set font-color for integrated webauth/weblogin?

  Hello,
  up to AireOS 7.6 I was able to set the font-color of the internal webauth/weblogin page using html-codes, for example like this:
  Headline: Welcome to our <font color="red">guest</font>-network!
  Message: You need a valid <font color="blue">user</font> to login.
  Now with AireOS 8.0 this doesn't work anymore. When I try to set a headline or message with font-tags I get "Error while setting headline." (or "...message.") when I hit apply. I have to remove the font-tag to save the weblogin page.
  #CLIWEB-6-CLIWEB_INVALID_HTML_TAGS_USED: [PA] cli_web_api.c:1748 The Customization message field has invalid html tags
  #CLIWEB-6-CLIWEB_INVALID_HTML_TAGS_USED: [PA] cli_web_api.c:1663 The Headline field has invalid html tags
  So, how can we now set different font colors/styles like in previous releases? Using external or uploading selfmade pages is not an option.
  Thanks,
  Chris

  Since your using code to change the default internal portal page look, its better for you just to create a custom webauth and upload that to the WLC.  That is how I do my implementations as its easier for me to create a new page than trying to mess around with the internal page.  As you can see, Cisco can change the way things work in every version.  It might just be the fact that they no longer are allowing html code to be inserted in the default webauth/passthrough page.
  Scott