Cisco 3850 WLC mac-filtering
Hi:
Cisco 3850 in WLC how to config mac-filtering
thanks
When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.
There are two types of MAC authentication that are supported on WLCs:
Local MAC authentication
MAC authentication using a RADIUS server
With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.
By default, the WLC local database supports up to 512 user entries.
The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:
Local management users, which includes lobby ambassadors
Local network users, which includes guest users
MAC filter entries
Exclusion list entries
Access point authorization list entries
Together, all of these types of users cannot exceed the configured database size.
To know how to configure MAC filtering, please go to the link below.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
Similar Messages
-
Hello
One thing I am confused about is, if I set MAC filtering on a WLC but do not populate it with any MAC addresses, will it block all MAC addresses or allow all?
Can anyone advise on this or please share information?
Thanks
When the database is empty then it will block all:
MAC Address Filter (MAC Authentication) on WLCs
When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.
There are two types of MAC authentication that are supported on WLCs:
Local MAC authentication
MAC authentication using a RADIUS server
With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.
By default, the WLC local database supports up to 512 user entries.
The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:
Local management users, which includes lobby ambassadors
Local network users, which includes guest users
MAC filter entries
Exclusion list entries
Access point authorization list entries
Together, all of these types of users cannot exceed the configured database size.
In order to increase the local database, use this command from the CLI:
<Cisco Controller>config database size ?
<count> Enter the maximum number of entries (512-2048)
Alternatively, MAC address authentication can also be performed using a RADIUS server. The only difference is that the users' MAC address database is stored in the RADIUS server instead of the WLC. When a user database is stored on a RADIUS server the WLC forwards the MAC address of the client to the RADIUS server for client validation. Then, the RADIUS server validates the MAC address based on the database it has. If the client authentication is successful, the client is granted access to the WLAN. Any RADIUS server which supports MAC address authentication can be used.
-
Hi Group, how are you?
I know how the MAC filtering feature works, but I need the opposite. I need to filter some MAC addresses to a particular SSID and permit all the other MAC addresses.
Please, does anyone have any ideas?
Thanks.
Andrés.
Hi Andres,
I think Stephan was talking about VLAN-based access control via RADIUS:
Check this document:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
Regards
Don't forget to rate helpful posts
-
About the max local MAC filtering entries that can be registered in WLC 2504 and 5508
Hi all
My customer is considering using a WLC with the MAC filtering feature (using the local database, not an external RADIUS). So they are concerned about the maximum number of local MAC filtering entries that can be registered on the WLC2504 and WLC5508 to buy (the number of APs is about 20, but the MACs are more than 200).
I tried to search, but I could not find any specs that mention it. If anyone knows, please help to answer.
Rgds
I looked at this before. I want to say it's maxed at 2048 regardless of the model.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html
-
I would like to allow clients to access the wireless LAN based on the client MAC address.
How do I configure it on the WLC 2006 locally (not using a RADIUS server)? If yes, how many MAC addresses can be configured on the WLC 2006?
Thanks.
Douglas
Hi Douglas,
Just wanted to add a note to Ankur's good info;
Maximum MAC Filter Entries
The controller database can contain up to 2048 MAC filter entries for local netusers. The default value is 512. To support up to 2048 entries, you must enter this command in the controller CLI:
config database size MAC_filter_entry
where MAC_filter_entry is a value from 512 to 2048.
From this good doc;
http://www.cisco.com/en/US/products/ps6366/prod_release_note09186a0080813b1c.html#wp42756
MAC Filtering
http://www.cisco.com/en/US/products/ps6366/products_user_guide_chapter09186a00805a6ad0.html#wp1040588
Hope this helps!
Rob
-
WLC 4402 Web Authentication, Mac Filtering and Layer 2 Security
Hi All,
I have configured web authentication and MAC filtering on WLC 4402 for my wireless network and it's working fine. I want to configure layer 2 security for the same wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key?
Is there any security issue with web authentication and MAC filtering only? My concern is my wireless network shows open.
Thanks,
Kashif
Hi,
If you have an ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
Lemme know if this answered ur question!!
Regards
Surendra
-
WLC 5760 multiple SSIDs with MAC filtering
Dear All,
I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local" etc
These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01" "mac-filtering MAC_FILTER02" etc. and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02" etc.
Now I am facing a serious issue - users belonging to any one MAC filter can connect to all the SSIDs. It seems like the MAC addresses added to the controller under different filter names are going to a common database, thereby providing access to users to all SSIDs irrespective of their MAC filter.
Is it a limitation of local database of 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
Thanks,
Arun John
Hi Arun,
This feature currently does not exist on the 5760. It is due to release in one of the MRs of 3.6.
-Joseph
-
WLC 5760 - MAC Filtering wireless clients
Hi,
Has anyone ever deployed mac-filtering authentication to wireless clients in the WLC 5760?
I've configured a WLAN for Mac-filtering authentication only (named it as "macauth"):
wlan RNVDOS 4 RNVDOS
 aaa-override
 no broadcast-ssid
 client vlan RNVDOS
 mac-filtering macauth
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 session-timeout 1800
 no shutdown
Then, below Configuration->Security->MAC Filtering I've added several MAC addresses i.e. :
MAC Address: 88532e9ef70a Attribute List: macauth
Which turned out to be displayed in the CLI as:
username 88532e9ef70a mac aaa attribute list macauth
The problem is that whenever I try to associate the wireless client 88532e9ef70a, the client passes to the exclusion list:
Sep 16 10:54:55.603: 8853.2E9E.F70A Adding mobile on LWAPP AP 0C68.03EA.4070 (1) 1 wcm: E9E.F70A (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Creating WL station entry for client - rc 0 1 wcm:
Sep 16 10:54:55.603: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: ssionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw00dd) was added to ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: ^G$h\225v^K
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:55.603: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:55.603: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Idle to AAA Pending
Sep 16 10:54:55.603: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.604: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.604: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Idle to AAA Pending
Sep 16 10:54:55.604: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:55.604: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:55.813: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:55.813: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:55.813: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:55.813: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:55.813: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:55.813: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.814: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:55.814: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:55.814: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:55.814: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.520: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:56.520: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.520: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.520: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.520: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.520: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.521: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.521: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.521: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.521: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.729: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n 10 seconds
Sep 16 10:54:56.729: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.729: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: from AAA Pending to Authenticated
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.729: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.729: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.729: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.730: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.730: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.730: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.730: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:56.937: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:56.937: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A STA - rates (8): 1 wcm: 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
Sep 16 10:54:56.937: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Authenticated
Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 18) in 10 seconds
Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP 0C68.03EA.4070 1 wcm: n.t^Gwseconds
Sep 16 10:54:57.143: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
Sep 16 10:54:57.143: 8853.2E9E.F70A apChanged 1 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw 0C68.03EA.4070 f^G$h\225v^K
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm: ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm: 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific IPv6 override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying local bridging Interface Policy for station 8853.2E9E.F70A - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific override for station 8853.2E9E.F70A - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (8): 1 wcm: 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (12): 1 wcm: 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
Sep 16 10:54:57.144: 8853.2E9E.F70A 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: site 'renova', interface 'RNVDOS'
Sep 16 10:54:57.144: 8853.2E9E.F70A Updated location for station old AP 0C68.03EA.4070 -1, new AP 0C68.03EA.4070 -0 1 wcm: va', interface 'RNVDOS'
Sep 16 10:54:57.144: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: P 0C68.03EA.4070 -0
Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:57.144: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:57.144: 8853.2E9E.F70A
client incoming attribute size are 0 1 wcm: (callerId: 20) in 10 seconds
Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID 0C68.03EA.4070 (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070 from Authenticated to AAA Pending
Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from AAA Pending to Exclusion-list (1)
Sep 16 10:54:57.145: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 44) in 10 seconds
Sep 16 10:54:57.145: 8853.2E9E.F70A client is added to the exclusion list, reason 1 1 wcm: d: 44) in 10 seconds
Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm: %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure
Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:59.231: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:54:59.922: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion 1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireCallback (apf_ms.c: 1 wcm: 664) Expiring Mobile!
Sep 16 10:55:06.972: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm: (callerId: 46) in 60 seconds
Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireMobileStation (apf_ms.c: 1 wcm: 7067) Changing state for mobile 8853.2E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: 3.2E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A 0.0.0.0 START (0) FastSSID for the client [ 0C68.03EA.4070 ] NOTENABLED 1 wcm: E9E.F70A on AP 0C68.03EA.4070 from Exclusion-list (1) to Exclusion-list (2)
Sep 16 10:55:06.972: 8853.2E9E.F70A Incrementing the Reassociation Count 1 for client (of interface RNVDOS) 1 wcm: D
Sep 16 10:55:06.972: 8853.2E9E.F70A Clearing Dhcp state for station --- 1 wcm: for client (of interface RNVDOS)
WLC1#
WLC1#
Kind Regards,
Vasco
Hi Patrick,
Thank you for sharing your solution. It didn't entirely solve the problem but you pointed in the right direction!
They are caused, because the system searches for an aaa authorization list, which is not configured.
To resolve this configure the following
aaa authorization network mac-filter local
where mac-filter is the name you defined in the SSID.
I've used your suggestion to create an aaa local authorization list but instead of naming it with the SSID, I've used the name of the attribute list ( macauth ) and it solved the problem:
aaa authorization network macauth local
username 88532e9ef70a mac aaa attribute list macauth
wlan RNVDOS 4 RNVDOS
 client vlan RNVDOS
 mac-filtering macauth
WLC1#sh wireless client summ
Number of Local Clients : 1
MAC Address     AP Name            WLAN  State  Protocol
8853.2e9e.f70a  APf872.ead7.31da   4     UP     11n(5)
Cheers,
Vasco
-
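The two 5760 threads above come down to checks that can be run on a saved configuration before a client ever associates. The following Python linter is an added example, not code from the posters or from Cisco: it flags a WLAN whose `mac-filtering` name has no `aaa authorization network <name> ...` list (the exclusion-list case), several "local" filter names that share one MAC database (the multiple-SSID case), and a WLAN where the MAC filter is the only gate. The finding codes, the WLAN names CORP and LAB and the sample MAC addresses are constructed; it assumes `show running-config` text with indented sub-commands and treats `no security wpa` as "no Layer 2 security".

```python
import re

# Constructed sample 1: the non-working configuration from the thread
# (local MAC user and WLAN present, no AAA authorization method list).
BROKEN_CONFIG = """\
username 88532e9ef70a mac aaa attribute list macauth
wlan RNVDOS 4 RNVDOS
 aaa-override
 client vlan RNVDOS
 mac-filtering macauth
 no security wpa
 no shutdown
"""

# Constructed sample 2: the same configuration plus the line that fixed it.
FIXED_CONFIG = "aaa authorization network macauth local\n" + BROKEN_CONFIG

# Constructed sample 3: two SSIDs with separate "local" filter names, as in
# the multiple-SSID thread. WLAN names and MAC addresses are made up.
TWO_SSID_CONFIG = """\
aaa authorization network MAC_FILTER01 local
aaa authorization network MAC_FILTER02 local
username 02aabbccdd01 mac aaa attribute list MAC_FILTER01
username 02aabbccdd02 mac aaa attribute list MAC_FILTER02
wlan CORP 1 CORP
 mac-filtering MAC_FILTER01
wlan LAB 2 LAB
 mac-filtering MAC_FILTER02
"""


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[.:-]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % value)
    return digits


def parse_config(text):
    """Collect AAA method lists, local MAC users and WLAN blocks."""
    cfg = {"authz": {}, "mac_users": set(), "bad_macs": [], "wlans": []}
    wlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():                      # sub-command of a block
            if wlan and line.startswith("mac-filtering "):
                wlan["mac_filter"] = line.split()[1]
            elif wlan and line == "no security wpa":
                wlan["l2_security"] = False       # assumption: WLAN is open
            continue
        wlan = None
        words = line.split()
        if words[:3] == ["aaa", "authorization", "network"] and len(words) > 4:
            cfg["authz"][words[3]] = words[4:]
        elif words[0] == "username" and words[2:3] == ["mac"]:
            try:
                cfg["mac_users"].add(normalize_mac(words[1]))
            except ValueError:
                cfg["bad_macs"].append(words[1])
        elif words[0] == "wlan" and len(words) >= 3:
            wlan = {"name": words[1], "mac_filter": None, "l2_security": True}
            cfg["wlans"].append(wlan)
    return cfg


def lint(text):
    """Return a list of (wlan, code, message) findings for a config."""
    cfg = parse_config(text)
    findings = []
    local_filters = {}
    for wlan in cfg["wlans"]:
        name = wlan["mac_filter"]
        if name is None:
            continue
        methods = cfg["authz"].get(name)
        if methods is None:
            # The fix posted in the thread: define the list the WLAN names.
            findings.append((wlan["name"], "MISSING_AUTHZ_LIST",
                             "add: aaa authorization network %s local" % name))
        elif "local" in methods:
            local_filters.setdefault(name, []).append(wlan["name"])
        if not wlan["l2_security"]:
            findings.append((wlan["name"], "MAC_ONLY",
                             "no Layer 2 security; MAC filter is the only gate"))
    if len(local_filters) > 1:
        # Behaviour reported in the multiple-SSID thread for the 5760.
        findings.append(("*", "SHARED_LOCAL_DB",
                         "%d local MAC entries are shared by filters %s"
                         % (len(cfg["mac_users"]), ", ".join(sorted(local_filters)))))
    for bad in cfg["bad_macs"]:
        findings.append(("*", "BAD_MAC", "not 12 hex digits: %s" % bad))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                          ("two SSIDs", TWO_SSID_CONFIG)):
        print(label, lint(sample))
```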
Cisco 3850 and Licences for WLC??
Hello
We have a client who needs a new switch which is capable of intervlan routing and also a WLC.
I am thinking a 48 port 3850 with IP Base which gives intervlan routing and WLC support.
However I am not sure if we need to purchase additional AP licences or whether they are built in?
Cheers
In 3850 WLC functionality, your switch stack could act as MA (Mobility Agent) or MC (Mobility Controller). An AP license is required for your 3850 only if it is acting as MC (for MA you do not require any AP licenses). A given 3850 switch stack can handle a maximum of 50 APs. For MC functionality you require at minimum the IPbase image (not LANbase).
So whether you need to purchase the 3850 AP license depends on your design. In your case, if it is for a single switch where the client wants WLC functionality (with no other controller available), then you have to go with an AP license depending on how many APs they want to deploy.
The BRKCRS-2889 CiscoLive material will give you a good overview of this new Converged Access Deployment model, MA/MC functionality and a few design options.
HTH
Rasika
**** Pls rate all useful responses ****
-
MAC Filtering via Radius not working
Hi Folks,
I'm having problems with MAC filtering via RADIUS. I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS. My problem is that even when I've set the controllers to use Radius and I've configured the order to be local and then radius the controllers never sent an auth request to the Radius servers. I know that Radius can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against Radius and this is working fine.
(WiSM-slot9-1) >debug aaa all enable
*Oct 09 08:01:44.518: AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
*Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
*Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
*Oct 09 08:03:21.677: Callback.....................................0x10112bc4
*Oct 09 08:03:21.677: protocolType.................................0x40000001
*Oct 09 08:03:21.677: proxyState...................................6C:C2:6B:59:90:E5-00:00
*Oct 09 08:03:21.677: Packet contains 14 AVPs (not shown)
*Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
*Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
*Oct 09 08:03:21.678: structureSize................................32
*Oct 09 08:03:21.678: resultCode...................................-7
*Oct 09 08:03:21.678: protocolUsed.................................0xffffffff
*Oct 09 08:03:21.678: proxyState...................................6C:C2:6B:59:90:E5-00:00
*Oct 09 08:03:21.678: Packet contains 0 AVPs:
*Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
*Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
*Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
*Oct 09 08:03:21.847: Callback.....................................0x10112bc4
*Oct 09 08:03:21.847: protocolType.................................0x40000001
*Oct 09 08:03:21.847: proxyState...................................6C:C2:6B:59:90:E5-00:00
*Oct 09 08:03:21.847: Packet contains 14 AVPs (not shown)
*Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
*Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
*Oct 09 08:03:21.847: structureSize................................32
*Oct 09 08:03:21.847: resultCode...................................-7
*Oct 09 08:03:21.847: protocolUsed.................................0xffffffff
*Oct 09 08:03:21.847: proxyState...................................6C:C2:6B:59:90:E5-00:00
*Oct 09 08:03:21.848: Packet contains 0 AVPs:
I'm assuming that the line - Returning AAA Error 'No Server' - is significant but I have configured the Radius servers correctly but a packet trace shows no auth requests whatsoever from the controllers. Has anyone seen this? Anything I should be looking at?
Thanks in advance,
Shane.
The bug I ran into was CSCta53985 on the WLCs. I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support, and CleanAir support.
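The pattern in this debug, a local-database miss followed at once by an AAA error for the same client, can be pulled out per client with a short script. This is an added example, not code from the posters or from Cisco: the function and field names are made up here, and the sample input is an excerpt of the `debug aaa all enable` output quoted in the thread.

```python
import re
from collections import OrderedDict

# Excerpt of the debug output quoted in the thread above.
SAMPLE_DEBUG = """\
*Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
*Oct 09 08:03:21.677: proxyState...................................6C:C2:6B:59:90:E5-00:00
*Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
*Oct 09 08:03:21.678: resultCode...................................-7
*Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
*Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
"""

LINE = re.compile(
    r"^\*?[A-Z][a-z]{2} +\d{1,2} (\d{2}):(\d{2}):(\d{2})\.(\d{3}): (.*)$")
LOCAL_MISS = re.compile(
    r"Unable to find requested user entry for ([0-9A-Fa-f]{12})\b")
AAA_ERROR = re.compile(
    r"Returning AAA Error '([^']+)' \((-?\d+)\) for mobile ([0-9A-Fa-f:]{17})")
EXCLUSION = re.compile(r"Looking up local blacklist ([0-9A-Fa-f]{12})\b")


def mac_key(value):
    """Fold 6cc26b5990e5 and 6c:c2:6b:59:90:e5 into one dictionary key."""
    return value.replace(":", "").lower()


def verdict(client):
    """One-line summary of what the debug shows for a client."""
    if client["attempts"]:
        last = client["attempts"][-1]
        where = ("after a local-database miss" if client["local_miss"]
                 else "with no local miss logged")
        return "AAA error '%s' (%d) %s" % (last["error"], last["code"], where)
    if client["local_miss"]:
        return "local-database miss only"
    return "exclusion-list lookup only"


def triage(debug_text):
    """Group local-database misses and AAA errors per client MAC."""
    clients, pending = OrderedDict(), {}

    def entry(mac):
        return clients.setdefault(mac_key(mac), {
            "local_miss": 0, "exclusion_lookups": 0, "attempts": []})

    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # wrapped or non-debug line
        h, mi, s, ms, body = m.groups()
        now = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        hit = LOCAL_MISS.search(body)
        if hit:
            entry(hit.group(1))["local_miss"] += 1
            pending[mac_key(hit.group(1))] = now   # wait for the outcome
            continue
        hit = AAA_ERROR.search(body)
        if hit:
            key = mac_key(hit.group(3))
            started = pending.pop(key, None)
            entry(key)["attempts"].append({
                "error": hit.group(1), "code": int(hit.group(2)),
                "ms_after_local_miss":
                    None if started is None else now - started})
            continue
        hit = EXCLUSION.search(body)
        if hit:
            entry(hit.group(1))["exclusion_lookups"] += 1
    for client in clients.values():
        client["verdict"] = verdict(client)
    return clients


if __name__ == "__main__":
    for mac, info in triage(SAMPLE_DEBUG).items():
        print(mac, info["verdict"], info["attempts"])
```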
-
2602i does not Join to 3850 WLC
Trying to join a 2602i to a 3850 WLC, but after joining the WLC the access point keeps rebooting
AP Console log:
APc067.afa7.1ee4#
*Nov 29 23:32:55.027: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 29 23:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
*Nov 29 23:32:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
*Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
*Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Nov 29 23:33:19.299: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Nov 29 23:33:19.319: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 29 23:33:19.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Nov 29 23:33:19.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 29 23:33:19.347: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 29 23:33:20.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 29 23:33:20.351: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Nov 29 23:33:20.359: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Nov 29 23:33:21.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 29 23:33:21.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Nov 29 23:33:21.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 29 23:33:21.387: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Nov 29 23:33:21.395: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 29 23:33:22.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Nov 29 23:33:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 29 23:33:22.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 29 23:33:23.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
Not in Bound state.
*Nov 29 23:34:14.847: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Nov 29 23:34:19.847: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.
*Nov 29 23:34:19.967: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.212, mask 255.255.255.128, hostname APc067.afa7.1ee4
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Nov 29 23:34:25.847: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Nov 29 23:34:34.847: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Nov 29 23:35:04.847: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Nov 29 23:35:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
*Nov 29 23:35:04.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
*Nov 29 23:35:04.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
., 1)29 23:35:22.411: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
*Nov 29 23:35:22.411: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Nov 29 23:35:27.479: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
*Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Nov 29 23:35:27.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 29 23:35:27.527: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 29 23:35:28.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 29 23:35:28.531: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Nov 29 23:35:28.539: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Nov 29 23:35:29.523: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Nov 29 23:35:29.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Nov 29 23:35:29.559: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Nov 29 23:35:29.567: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Nov 29 23:35:29.575: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Nov 29 23:35:30.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Nov 29 23:35:30.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Nov 29 23:35:30.595: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Nov 29 23:35:31.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
WLC Log:
Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:40:46.470: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:40:46.471: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
54C1BR01A01254#
Nov 29 23:40:46.474: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
Nov 29 23:40:46.474: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm: Failed to create CAPWAP data tunnel with interface id: 0xd670c00000002a for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
Nov 29 23:41:09.584: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm: Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
54C1BR01A01254(config)#
Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm: Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
GB - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP c0:25:5c:68:7f:10
Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm: APs c0:25:5c:68:7f:10 country code changed from () to (GB )
Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed - AP c0:25:5c:68:7f:10
Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm: Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
and sometimes:
Nov 30 21:16:56.781: *%CAPWAP-3-ALREADY_IN_JOIN: 1 wcm: Dropping join request from AP c025.5c68.7f10 - AP is already in joined state
Nov 30 21:16:56.785: *%CAPWAP-3-DATA_TUNNEL_DELETE_ERR2: 1 wcm: Failed to delete CAPWAP data tunnel with interface id: 0x0 from internal database. Reason: AVL database entry not found
Sh Wireless Country Configured:
GB - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Sh version (AP):
LWAPP image version 10.1.100.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: C0:67:AF:A7:1E:E4
Part Number : 73-14588-02
PCA Assembly Number : 800-37899-01
PCA Revision Number : A0
PCB Serial Number : FOC17353HXS
Top Assembly Part Number : 800-38356-01
Top Assembly Serial Number : FCZ1743P1VC
Top Revision Number : A0
Product/Model Number : AIR-SAP2602I-E-K9
Configuration register is 0xF
APc067.afa7.1ee4#
APc067.afa7.1ee4#^C
Not in Bound state.
*Nov 30 20:04:56.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Nov 30 20:05:01.019: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.c
*Nov 30 20:05:01.139: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.211, mask 255.255.255.128, hostname APc067.afa7.1ee4
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Nov 30 20:05:07.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
Sh ver (Switch):
Base Ethernet MAC Address : d0:c7:89:75:c3:00
Motherboard Assembly Number : 73-12238-06
Motherboard Serial Number : FOC172896LQ
Model Revision Number : B0
Motherboard Revision Number : D0
Model Number : WS-C3850-24T
System Serial Number : FOC1729V133
Switch Ports Model SW Version SW Image Mode
* 1 32 WS-C3850-24T 03.03.00SE cat3k_caa-universalk9 INSTALL
2 32 WS-C3850-24T 03.03.00SE cat3k_caa-universalk9 INSTALL
Switch 02
Switch uptime : 5 days, 23 hours, 2 minutes
Base Ethernet MAC Address : ec:e1:a9:df:93:80
Motherboard Assembly Number : 73-12238-06
Motherboard Serial Number : FOC17236GD1
Model Revision Number : B0
Motherboard Revision Number : D0
Model Number : WS-C3850-24T
System Serial Number : FOC1725V0FT
Configuration register is 0x102
Hi,
3850 is in MC mode.
The AP is connected to an access switch which is connected via trunk port to 3850. The access port is in the same VLAN as the wireless management VLAN. AP is not connected directly to 3850 as this switch is not PoE capable.
Country code is set to GB as the AP is in Europe domain.
NTP has been configured
1- show license right-to-use summary :
ipservices permanent N/A Lifetime
apcount base 0 Lifetime
apcount adder 4 Lifetime
License Level In Use: ipservices
License Level on Reboot: ipservices
Evaluation AP-Count: Disabled
Total AP Count Licenses: 4
AP Count Licenses In-use: 1
AP Count Licenses Remaining: 3
The one which is in use is my AP which has the issue; it keeps rebooting:
2. show wireless mobility summary
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : BSTAR
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x276d
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 1
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
10.129.0.254 - BSTAR 0.0.0.0 UP : UP
3- Show run | in Wireless
qos wireless-default-untrust
wireless mobility controller
wireless mobility group name BSTAR
wireless management interface Vlan10
wireless wps ap-authentication
-
I have a number of 1552e APs connected to a 5508 WLC. We are using local MAC filtering to enable the 1552's to connect to the WLC.
I have a several more 5508's in different locations, and can be used for back-up in the event the primary WLC fails.
I have the primary WLC, a secondary WLC and a tertiary WLC loaded into each of the 1552's HA tab.
My question concerns the secondary and tertiary WLCs... do I have to load all the MAC addresses in each of those as well in order for the 1552's to connect ?
If yes, is there an easy way to copy the local mac filtering from the primary WLC and load it into the other WLCs ?
If not, that's a lot of typing
Dennis,
No, your license is your license and doesn't impact MAC address. BUT, what you should know is that you have a limit as to how many MAC addresses a controller can use. See my blog post on the subject
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
-
E1200 - Ports not working and mac filtering problem
If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that in to a downstream switch in my comms hub.
On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
Now, the rant -
1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
I'm sure that I received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.
In your case, as port numbers 1 and 2 do not work, what you could have done is a loop back test. To perform a loop back test you need to take an ethernet cable, connect one end of that cable to the internet port and the other end to the non-working port on the router. If you get the LED to glow on both the internet and the respective ethernet port, that indicates that the port is working fine.
It could also be a synchronization issue between the above mentioned LAN ports and the LAN card of your computer. As a part of troubleshooting you can try to reduce the speed of your LAN card. Following are the steps to reduce the speed of your LAN card.
START--> right-click My Network Places and click Properties
right-click on the device manager and click properties
Click on the CONFIGURE button
Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
In the second half you said that after enabling the MAC filter option the internet breaks down. Here, do you mean to say that the computer gets disconnected from the wireless network or it stays connected with a valid IP address but without an internet connection?
Well, it is an unusual issue; however, you could have reset and reconfigured the router as you got the latest firmware upgraded on it.
Steps to reset the router:
Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.
-
Cisco 3850 Mobility Agent unable to connect clients
Hi
We are trying to use Cisco 3850 as Mobility agents with 5760. We can't seem to get the clients to authenticate to the radius server. We don't even see them appear in the radius logs.
We have defined the radius server and the profile
wlan Wireless 2 WAP
aaa-override
accounting-list Radius
client vlan wireless
security dot1x authentication-list Radius
session-timeout 1800
no shutdown
radius server Primary
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
timeout 5
retransmit 2
key 7 ........
radius server Primary
address ipv4 x.x.x.x port 1812 acct-port 1813
timeout 5
retransmit 2
key 7 .........
The client appears to connect to the AP but can't authenticate so gets kicked off
If we do a test aaa group username password then it says that it's successful.
In the debug we get 802.1X required but then it never seems to get any further.
Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
What is Mobility Anchor?
A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.
-
AP1242AG WPA and MAC Filtering problem
Hello,
Presently I manage some AP1242AG in the office area.
I need to implement WPA and MAC filtering.
I found that:
In IOS 12.2(13)JA branch IOS and before, MAC authentication was supported
in conjunction with WPA.
In 12.2(15)JA and above, configuring MAC authentication with WPA does not
work. MAC Authentication passes everyone through.
I can't find IOS 12.2(13) on the Cisco site.
Can anybody help me and give a link to download 12.2(13)JA?
Thanks.
Also when I activate MAC filtering
access-list 700 deny 0024.d7ed.2204 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 700
dot11 ssid zero!v
vlan 390
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
wpa-psk ascii 7 14531708030A2E1A3108212127015644
The WPA is working but MAC filtering does not reject
IOS Ver.
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(11)JA1, RELEASE SOFTWARE (fc2)
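The access list posted above, evaluated as an added example that is not part of the original post: a 700-series MAC list is checked entry by entry, mask bits set to 1 are "don't care", and an implicit deny follows the last entry. As posted, both entries are `deny`, so an enforced list would reject every client; the allow-list variant and the second client MAC are constructed for illustration.

```python
import re

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space


def mac_to_int(text):
    """Parse hhhh.hhhh.hhhh, hh:hh:..., or hh-hh-... into a 48-bit integer."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def parse_acl(lines, number):
    """Return [(action, address, mask), ...] for 'access-list <number> ...' lines."""
    entries = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 5 or parts[:2] != ["access-list", str(number)]:
            continue  # unrelated configuration line
        action, addr, mask = parts[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw!r}")
        entries.append((action, mac_to_int(addr), mac_to_int(mask)))
    return entries


def evaluate(entries, client_mac):
    """First matching entry wins; returns (action, 1-based entry index or None)."""
    mac = mac_to_int(client_mac)
    for index, (action, addr, mask) in enumerate(entries, 1):
        care = ~mask & MAC_BITS  # bits that must be equal
        if (mac & care) == (addr & care):
            return action, index
    return "deny", None  # implicit deny when nothing matches


# The list exactly as posted in the thread.
POSTED = parse_acl([
    "access-list 700 deny 0024.d7ed.2204 0000.0000.0000",
    "access-list 700 deny 0000.0000.0000 ffff.ffff.ffff",
    "dot11 association mac-list 700",
], 700)

# Constructed variant: allow one known client, deny everything else.
ALLOW_ONE = parse_acl([
    "access-list 700 permit 0024.d7ed.2204 0000.0000.0000",
    "access-list 700 deny 0000.0000.0000 ffff.ffff.ffff",
], 700)

KNOWN = "0024.d7ed.2204"       # MAC from the post
OTHER = "00:11:22:33:44:55"    # constructed client MAC

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("allow-one", ALLOW_ONE)):
        for mac in (KNOWN, OTHER):
            print(name, mac, evaluate(acl, mac))
```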