Cisco 3850 WLC mac-filtering

Hi:
Cisco 3850 in WLC how to config mac-filtering
thanks

When you create a MAC address filter on WLCs, users are granted or       denied access to the WLAN network based on the MAC address of the client they       use.
There are two types of MAC authentication that are supported on       WLCs:
Local MAC authentication
MAC authentication using a RADIUS           server
With local MAC authentication, user MAC addresses are stored in a       database on the WLC. When a user tries to access the WLAN that is configured       for MAC filtering, the client MAC address is validated against the local       database on the WLC, and the client is granted access to the WLAN if the       authentication is successful.
By default, the WLC local database supports up to 512 user entries.
The local user database is limited to a maximum of 2048 entries. The       local database stores entries for these items:
Local management users, which includes lobby           ambassadors
Local network users, which includes guest users
MAC filter entries
Exclusion list entries
Access point authorization list           entries
Together, all of these types of users cannot exceed the configured       database size.
To Know how to configure Mac filtering please go to the below link.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

Similar Messages

  • WLC MAC Filtering

    Hello
    One thing I am confused is if I set MAC filtering on a WLC but do not populate with any MAC addresses will it block all MAC addresses or allow all?
    Anyone can advise on this or please share information?
    Thanks

    When the database is empty then it will block all:
    MAC Address Filter (MAC Authentication) on WLCs
    When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.
    There are two types of MAC authentication that are supported on WLCs:
    Local MAC authentication
    MAC authentication using a RADIUS server
    With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.
    By default, the WLC local database supports up to 512 user entries.
    The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:
    Local management users, which includes lobby ambassadors
    Local network users, which includes guest users
    MAC filter entries
    Exclusion list entries
    Access point authorization list entries
    Together, all of these types of users cannot exceed the configured database size.
    In order to increase the local database, use this command from the CLI:
    <Cisco Controller>config database size ?
    <count> Enter the maximum number of entries (512-2048)
    Alternatively, MAC address authentication can also be performed using a RADIUS server. The only difference is that the users MAC address database is stored in the RADIUS server instead of the WLC. When a user database is stored on a RADIUS server the WLC forwards the MAC address of the client to the RADIUS server for client validation. Then, the RADIUS server validates the MAC address based on the database it has. If the client authentication is successful, the client is granted access to the WLAN. Any RADIUS server which supports MAC address authentication can be used.

  • Cisco WLC 5508 Mac Filtering

    Hi Group, how are you?.
    I know as Mac filtering feature works, but I need the opposite. I need to filter some mac-address to a particular SSID and permit all the other mac-address.
    Please, has anyone any ideas?.
    Thanks.
    Andrés.

    Hi Andres,
    I think stephan was talking about vlan based access control via RADIUS:
    check this document:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    Regards
    Dont forget to rate helpful posts

  • About max local MAC filtering can be register in WLC 2504 and 5508

    Hi all
    My customer is considering to use WLC with MAC filtering feature (use local database not external Radius). So they are concerning about maximum local MAC filtering entries that can be register on WLC2504 and WLC5508 to buy (the number of APs is about 20, but the MAC is more than 200)
    I tried to search, but I could not find any specs mention it. If anyone knows, please help to answer
    Rgds

    I looked at this before. I want to say its maxed at 2048 regardless of the model ..
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

  • Wlc 2006 mac filtering

    I would like to allow client to access wireless lan based on the client mac-address.
    How I config it on WLC 2006 locally (not using radius server)? If yes, How mnay mac-address can be configured on the wlc2006?
    Thanks.
    Douglas

    Hi Douglas,
    Just wanted to add a note to Ankurs good info;
    Maximum MAC Filter Entries
    The controller database can contain up to 2048 MAC filter entries for local netusers. The default value is 512. To support up to 2048 entries, you must enter this command in the controller CLI:
    config database size MAC_filter_entry
    where MAC_filter_entry is a value from 512 to 2048.
    From this good doc;
    http://www.cisco.com/en/US/products/ps6366/prod_release_note09186a0080813b1c.html#wp42756
    MAC Filtering
    http://www.cisco.com/en/US/products/ps6366/products_user_guide_chapter09186a00805a6ad0.html#wp1040588
    Hope this helps!
    Rob

  • WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

    Hi All,
    I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
    Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
    Thanks,
    Kashif

    Hi,
    if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Lemme know if this answered ur question!!
    Regards
    Surendra

  • WLC 5760 multiple SSIDs with MAC filtering

    Dear All,
    I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local" etc
    These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01" "mac-filtering MAC_FILTER02" etc. and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02" etc.
    Now I am facing a serious issue - users belonging to any one MAC filter can connect to the all SSIDs. It seems like the MAC addresses added to the controller under different filter names are going to a common database, thereby providing access to users to all SSIDs irrespective of their MAC filter.
    Is it a limitation of local database of 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
    Thanks,
    Arun John

    Hi Arun,
    this feature currently does not exist on the  5760. it is due to release in one of the MR's of 3.6
    -Joseph

  • WLC 5760 - MAC Filtering wireless clients

    Hi,
    Does anyone ever deployed mac-filtering authentication to wireless clients in the WLC 5760?
    I've configured a WLAN for Mac-filtering authentication only (named it as "macauth"):
    wlan RNVDOS 4 RNVDOS
    aaa-override
    no broadcast-ssid
    client vlan RNVDOS
    mac-filtering macauth
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    session-timeout 1800
    no shutdown
    Then, below Configuration->Security->MAC Filtering I've added several MAC addresses i.e. :
    MAC Address: 88532e9ef70a  Attribute List: macauth
    Which turned out to be display in the CLI as:
    username 88532e9ef70a mac aaa attribute list macauth
    The problem is that whenever I try to associate the wireless client 88532e9ef70a, the client passes to the exclusion list.:
    Sep 16 10:54:55.603: 8853.2E9E.F70A Adding mobile on LWAPP AP  0C68.03EA.4070 (1)  1 wcm: E9E.F70A (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A  Creating WL station entry for client -  rc 0 1 wcm:
    Sep 16 10:54:55.603: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: ssionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm:  ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:55.603: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Idle to AAA Pending
    Sep 16 10:54:55.603: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.604: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.604: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Idle to AAA Pending
    Sep 16 10:54:55.604: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:55.604: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:55.813: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:55.813: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:55.813: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:55.813: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:55.813: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.814: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.814: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:55.814: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:55.814: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.520: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:56.520: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.520: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.520: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.520: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.521: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.521: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.521: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.521: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.729: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n 10 seconds
    Sep 16 10:54:56.729: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.729: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: from AAA Pending to Authenticated
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.729: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.729: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.730: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.730: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.730: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.730: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.937: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.937: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:57.143: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:57.143: 8853.2E9E.F70A apChanged 1 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (8): 1 wcm:  130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (12): 1 wcm:  130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    Sep 16 10:54:57.144:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm:  site 'renova', interface 'RNVDOS'
    Sep 16 10:54:57.144: 8853.2E9E.F70A Updated location for station old AP  0C68.03EA.4070 -1, new AP  0C68.03EA.4070 -0 1 wcm: va', interface 'RNVDOS'
    Sep 16 10:54:57.144: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: P  0C68.03EA.4070 -0
    Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:57.144: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:57.144: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Exclusion-list (1)
    Sep 16 10:54:57.145: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 44) in 10 seconds
    Sep 16 10:54:57.145: 8853.2E9E.F70A client is added to the exclusion list, reason 1 1 wcm: d: 44) in 10 seconds
    Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm:  %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure 
    Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:59.231: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:59.922: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireCallback (apf_ms.c: 1 wcm: 664) Expiring Mobile!
    Sep 16 10:55:06.972: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 46) in 60 seconds
    Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireMobileStation (apf_ms.c: 1 wcm: 7067) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: 3.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) FastSSID for the client [ 0C68.03EA.4070 ] NOTENABLED 1 wcm: E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972: 8853.2E9E.F70A Incrementing the Reassociation Count 1 for client (of interface RNVDOS) 1 wcm: D
    Sep 16 10:55:06.972: 8853.2E9E.F70A Clearing Dhcp state for station  ---  1 wcm:  for client (of interface RNVDOS)
    WLC1#
    WLC1#
    Kind Regards,
    Vasco

    Hi Patrick,
    Thank you for sharing your solution. It didn't solved entirely the problem but you pointed to the right direction!
    They are caused, because the system searches for an aaa authorization list, which is not configured.
    To resolve this configure the following
    aaa authorization network mac-filter local
    where mac-filter is the name you defined in the SSID.
    I've used your sugestion to create an aaa local authorization list but instead of naming it with the SSID, I've used the name of the attribute list ( macauth ) and it solved the problem:
    aaa authorization network macauth local
    username 88532e9ef70a mac aaa attribute list macauth
    wlan RNVDOS 4 RNVDOS
    client vlan RNVDOS
    mac-filtering macauth
    WLC1#sh wireless client summ
    Number of Local Clients : 1
    MAC Address    AP Name                          WLAN State              Protocol
    8853.2e9e.f70a APf872.ead7.31da                 4    UP                 11n(5)  
    Cheers,
    Vasco

  • Cisco 3850 and Licences for WLC??

    Hello
    We have a client who needs a new switch which is capable of intervlan routing and also a WLC.
    I am thinking a 48 port 3850 with IP Base which gives intervlan routing and WLC support.
    However I am not sure if we need to purchase additional AP licences or whether they are built in?
    Cheers

    In 3850 WLC functionality, your switch stack could act as MA (Mobiity Agengt) or MC (Mobility Controller). AP license required for your 3850, only if it is acting as MC. (for MA you do not require any AP licenses). Max 50 AP can handle by given 3850 switch stack. For MC functionality minimum you required IPbase image. (not LANbase)
    So it is based on your design you need to purchase 3850 AP license. In your case if it is for a single switch where client want WLC functionality (with no other controller available) then you have to go with AP license depend on how many AP they want to deploy.
    BRKCRS-2889 CiscoLive material will give you good overview of this new Converged Access Deployment model & MA/MC functionalilty & few design options.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • MAC Filtering via Radius not working

    Hi Folks,
    I'm having problems with MAC filtering via RADIUS.  I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS.  My problem is that even when I've set the controllers to use Radius and I've configured the order to be local and then radius the controllers never sent an auth request to the Radius servers.  I know that Radius can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against Radius and this is working fine. 
    (WiSM-slot9-1) >debug aaa all enable
    *Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
    *Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
    *Oct 09 08:03:21.677:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.677:   protocolType.................................0x40000001
    *Oct 09 08:03:21.677:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.677:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.678:   structureSize................................32
    *Oct 09 08:03:21.678:   resultCode...................................-7
    *Oct 09 08:03:21.678:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.678:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.678:   Packet contains 0 AVPs:
    *Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
    *Oct 09 08:03:21.847:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.847:   protocolType.................................0x40000001
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.847:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.847:   structureSize................................32
    *Oct 09 08:03:21.847:   resultCode...................................-7
    *Oct 09 08:03:21.847:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.848:   Packet contains 0 AVPs:
    I'm assuming thaty the line - Returning AAA Error 'No Server' - is significant but I have configured the Radius servers correctly but a packet trace shows no auth requests whatsoever from the controllers.  Has anyone seen this?  Anything I should be looking at?
    Thanks in advance,
    Shane.

    The bug I ran into was CSCta53985 on the WLCs.  I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support, and CleanAir support.

  • 2602i does not Join to 3850 WLC

    Trying to join 2602i to 3850 wlc but after join to WLC, the access point keeps rebooting
    AP Console log:
    APc067.afa7.1ee4#
    *Nov 29 23:32:55.027: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:32:55.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:32:55.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:33:13.415: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:33:13.415: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:33:19.299: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:33:19.319: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:33:19.323: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:33:19.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:19.347: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:20.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:20.351: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:20.359: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:33:21.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:21.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:33:21.379: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:21.387: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:21.395: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:33:22.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:33:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:33:22.415: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:33:23.415: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    Not in Bound state.
    *Nov 29 23:34:14.847: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 29 23:34:19.847: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.
    *Nov 29 23:34:19.967: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.212, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 29 23:34:25.847: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Nov 29 23:34:34.847: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Nov 29 23:35:04.847: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Nov 29 23:35:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.129.0.254 peer_port: 5246
    *Nov 29 23:35:04.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.129.0.254
    ., 1)29 23:35:22.411: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(UNKNOWN_MESSAGE_TYPE (5)
    *Nov 29 23:35:22.411: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
    *Nov 29 23:35:27.479: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Nov 29 23:35:27.499: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Nov 29 23:35:27.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:27.527: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:28.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:28.531: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:28.539: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Nov 29 23:35:29.523: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:29.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Nov 29 23:35:29.559: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:29.567: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:29.575: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Nov 29 23:35:30.559: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Nov 29 23:35:30.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Nov 29 23:35:30.595: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Nov 29 23:35:31.595: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    WLC Log:
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.469: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.470: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:40:46.471: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:40:46.471: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254#
    Nov 29 23:40:46.474: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:40:46.474: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xd670c00000002a for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    Nov 29 23:41:09.584: *%CAPWAP-3-INVALID_STATE_EVENT: 1 wcm:  Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    54C1BR01A01254(config)#
    Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    Invalid AP event (CAPWAP Discovery Request) and state (CAPWAP Join Response) combination
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR7: 1 wcm:  Invalid country code () for AP c0:25:5c:68:7f:10
    Nov 29 23:42:55.496: *%LWAPP-3-RD_ERR9: 1 wcm:  APs c0:25:5c:68:7f:10 country code changed from () to (GB )
    Nov 29 23:42:55.496: *%LWAPP-3-VALIDATE_ERR: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.499: %CAPWAP-3-AP_PORT_CFG: AP connected port Gi1/0/24 is not an access port.
    Nov 29 23:42:55.499: *%LOG-3-Q_IND: 1 wcm:  Validation of SPAM Vendor Specific Payload failed - AP  c0:25:5c:68:7f:10
    Nov 29 23:42:55.500: *%CAPWAP-3-DATA_TUNNEL_CREATE_ERR2: 1 wcm:  Failed to create CAPWAP data tunnel with interface id: 0xcb73c00000002b for AP: c025.5c68.7f10 Error Reason: Capwap Data Tunnel create retry exceeded max retry count.
    and sometimes:
    Nov 30 21:16:56.781: *%CAPWAP-3-ALREADY_IN_JOIN: 1 wcm:  Dropping join request from AP c025.5c68.7f10 - AP is already in joined state
    Nov 30 21:16:56.785: *%CAPWAP-3-DATA_TUNNEL_DELETE_ERR2: 1 wcm:  Failed to delete CAPWAP data tunnel with interface id: 0x0 from internal database. Reason: AVL database entry not found
    Sh Wirless Country Configured:
    GB  - United Kingdom : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
    Sh version (AP):
    LWAPP image version 10.1.100.0
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: C0:67:AF:A7:1E:E4
    Part Number                          : 73-14588-02
    PCA Assembly Number                  : 800-37899-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC17353HXS
    Top Assembly Part Number             : 800-38356-01
    Top Assembly Serial Number           : FCZ1743P1VC
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-SAP2602I-E-K9
    Configuration register is 0xF
    APc067.afa7.1ee4#
    APc067.afa7.1ee4#^C
    Not in Bound state.
    *Nov 30 20:04:56.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    *Nov 30 20:05:01.019: %CAPWAP-3-ERRORLOG: Invalid event 40 & state 2 combination.c
    *Nov 30 20:05:01.139: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.129.0.211, mask 255.255.255.128, hostname APc067.afa7.1ee4
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    *Nov 30 20:05:07.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    Sh ver (Switch):
    Base Ethernet MAC Address          : d0:c7:89:75:c3:00
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC172896LQ
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1729V133
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.00SE        cat3k_caa-universalk9 INSTALL
    Switch 02
    Switch uptime                      : 5 days, 23 hours, 2 minutes
    Base Ethernet MAC Address          : ec:e1:a9:df:93:80
    Motherboard Assembly Number        : 73-12238-06
    Motherboard Serial Number          : FOC17236GD1
    Model Revision Number              : B0
    Motherboard Revision Number        : D0
    Model Number                       : WS-C3850-24T
    System Serial Number               : FOC1725V0FT
    Configuration register is 0x102

    Hi,
    3850 is in MC mode.
    The AP is connected to an access switch which is connected via trunk port to 3850. the access port is in a same vlan as wireless management VLAN.AP  is not connected directly to 3850 as this switch is not poe capable.
    Country code is set to GB as th AP is ion Europe domain.
    NTP has been configured
    1- show license right-to-use summary :
      ipservices   permanent   N/A      Lifetime
      apcount      base        0        Lifetime
      apcount      adder       4        Lifetime
    License Level In Use: ipservices
    License Level on Reboot: ipservices
    Evaluation AP-Count: Disabled
    Total AP Count Licenses: 4
    AP Count Licenses In-use: 1
    AP Count Licenses Remaining: 3
    the one which is in use is my AP which has issue. keeps rebooting:
    2. show wireless mobility summary
    Mobility Controller Summary:
    Mobility Role                                   : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                             : BSTAR
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                       : Enabled
    Mobility Domain ID for 802.11r                  : 0x276d
    Mobility Keepalive Interval                     : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value             : 48
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP               Public IP        Group Name       Multicast IP     Link Status
    10.129.0.254     -                BSTAR            0.0.0.0          UP   : UP
    3- Show run | in Wireless
    qos wireless-default-untrust
    wireless mobility controller
    wireless mobility group name BSTAR
    wireless management interface Vlan10
    wireless wps ap-authentication

  • 1552E MAC Filtering Question

    I have a number of  1552e APs connected to a 5508 WLC.  We are using local MAC filtering to enable  the 1552's to connect to the WLC.
    I have a several more 5508's in different locations, and can be used for back-up in the event the primary WLC fails.
    I have the primary WLC, a secondary WLC and a tertiary WLC loaded into each the 1552's HA tab.
    My question concerns the secondary and tertiary WLCs... do I have to load all the MAC addresses in each of those as well in order for the 1552's to connect  ?
    If yes, is there an easy way to copy the local mac filtering from the primary WLC and load it into the other WLCs ?
    If not, that's a lot of typing 

    Dennis,
    No your license is your license and doesnt impact MAC address. BUT, what you should know you have a limit as to how many mac addresses a controller can use. See my blog post on the subject
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • E1200 - Ports not working and mac filtering problem

    If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
    I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that in to a downstream switch in my comms hub.
    On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
    The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
    Now, the rant -
    1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
    2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
    3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
    However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
    I'm sure that i received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.

    In your case as port numbers 1 and 2 does not work, what you could have done a loop back test. To perform a loop back test you need to take an ethernet cable, connect one end of that cable to internet port and the other end to the non-working port on the router. If you get the led to glow on both internet and the respective ethernet port that indicates that the port is working fine.
    It could also be a sychronization issue between the above mentioned lan ports and the lan card of your computer. As a part of trouble shooting you can try to reduce the card speed of your lan card. Following are the steps to reduce the speed of your lan card.
    START--> right-click My Network Places and click Properties
    right-click on the device manager and click properties
    Click on the CONFIGURE button
    Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
    In the second half you said that after enabling the mac filter option the internet breaks down. Here, do you mean to say that the computer
    gets disconnected from the wireless network or it stays connected with a valid IP address but without an internet connection.
    Well, it is an unusual issue however you could have reset and reconfigure the router as you got the latest firmware upgraded on it.
    Steps to reset the router:
    Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.

  • Cisco 3850 Mobility Agent unable to connect clients

    Hi
    We are trying to use Cisco 3850 as Mobility agents with 5760. We can't seem to get the clients to authenticate to the radius server. We don't even see them appear in the radius logs.
    We have defined the radius server and the profile
    wlan Wireless 2 WAP
    aaa-override
    accounting-list Radius
    client vlan wireless
    security dot1x authentication-list Radius
    session-timeout 1800
    no shutdown
    radius server Primary
    address ipv4 x.x.x.x auth-port 1812 acct-port 1813
    timeout 5
    retransmit 2
    key 7 ........
    radius server Primary
    address ipv4 x.x.x.x port 1812 acct-port 1813
    timeout 5
    retransmit 2
    key 7 .........
    The client appears to connect to the AP but can't authenticate so gets kicked off
    If we do a test aaa group username password then it says that it's sucessful.
    In the debug we get 802.1X required but then it never seems to get any further.

    Alright, so I finally figured out the issue with this. I had a Mobility Anchor set on the guest WLAN and once I removed that all started working again.
    What is Mobility Anchor?
    A. Mobility Anchor, also referred to as Guest tunneling or Auto Anchor Mobility, is a feature where all the client traffic that belongs to a WLAN (Specially Guest WLAN) is tunneled to a predefined WLC or set of controllers that are configured as Anchor for that specific WLAN. This feature helps to restrict clients to a specific subnet and have more control over the user traffic. Refer to the Configuring Auto-Anchor Mobility section of Cisco Wireless LAN Controller Configuration Guide, Release 7.0 for more information on this feature.

  • AP1242AG WPA and MAC Filtering problem

    Hello,
    Presently I managed some AP1242AG in ofiice area
    I need implement WPA and MAC filtering.
    I found what :
    In IOS 12.2(13)JA branch IOS and before, MAC authentication was supported
    in conjunction with WPA.
    In 12.2(15)JA and above, configuring MAC authentication with WPA does not
    work. MAC Authentication passes everyone through.
    I can't found IOS 12.2(13) in Cisco site.
    Can anybody help me and give link to download 12.2(13)JA ?
    Thanks.

    Also when I acivete MAC filterring
    access-list 700 deny   0024.d7ed.2204   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
    dot11 association mac-list 700
    dot11 ssid zero!v
       vlan 390
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       wpa-psk ascii 7 14531708030A2E1A3108212127015644
    The WPA is working but MAC filtering not reject
    IOS Ver.
    Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(11)JA1, RELEASE SOFTWARE (fc2)

Maybe you are looking for

  • File not showing in SharePoint (IE) but visible in Explorer

    I have a document library that has a single file not showing up that I can't seem to track down.  I am hoping someone here might be able to offer something I haven't thought of.  The document library is very much 'stock'.  Verisioning is turned on an

  • Officejet Pro 8600 won't remain available on network

    I only recently started TRYING to use my Officejet Pro 8600 via my home network to no avail; I previously had it directly wired via USB to my computer. The printer is accessible on my home network for a while, then becomes unavailable. This problem o

  • HT4818 bootcamp and windows 8?  what up with doenst work getting from 8 back to mac??

    No problem from Mac to Windows 8.. reverse is not true as in Win 7.  Have to restart with option button down then choose "unknown" to get back to mac. Also error message aright click on Bootcamp???  Any help appreciated ..  is there an update bootcam

  • Importing from Adobe Edge Animate to Existing Project

    Hello! So I have a project that I have been working on in iAd producer for a iBooks widget and its coming along great.  However I am starting to bump into some limitations on the animation side of things that I can easily do within Adobe Edge Animate

  • Two black spot in the screen

    Hello! I don't know what to do anymore! I have a Ipod video 30g. It has only 2 weeks old. I was very happy but now it does not turn on anymore. And there is 2 black spot on the screen. I do not know what to do, and I cannot talk to anyone. This websi