Cisco ISE 1.2, Clients not getting IP address in closed mode

Similar Messages

• DHCP via Hyper-V VM, Server2012r2 Hyper-V host, clients not getting IP address

  You have to authorize a dhcp server as Britv8 says. That's the only way it'll start dishing out leases. That's standard for Windows DHCP server in an AD Domain.
  Also there's 0 reason to mention Hyper-V here. The whole point of virtualization is to do hardware level abstraction.

  I recently encountered this. Setup:
  Initial setup of the system was at a different location from its final destination, with different network equipment (switches) between the two. No teaming is involved, however.
  Set up the system at its final destination, with DHCP via a Hyper-V VM (Server2012r2), Server2012r2 Hyper-V host, physical clients on the lan were not getting IP address.
  The physical server box has a 4-port Intel Gigabit ethernet card.
  I moved the setup (Hyper-V Virtual Switch manager) so that the interface for the DHCP server VM was isntead using one of two built-in Broadcom adapters.
  While this topic seemed promising,
  http://community.spiceworks.com/topic/251317-hyper-v-vm-not-leasing-ip-s-dhcp
  unfortunately, "fiddling about" was not what I was looking for as possible solution.
  My notes for the resolution:
  Hyper-V system running...
  This topic first appeared in the Spiceworks Community

• Wifi clients not getting IP addresses

  Hello Experts,
  I have a Cisco 1140 AP, and using express setup I have cnofigured a IP address to it. This AP is connected to our public network and is configured with a public ip address. We want the guest users to connect to Wifi and gain access to Internet.
  While the users connect to Wifi, I find their laptops getting IP address in series 169.x.x.x due to which they are unable to get to internet.
  Can somebody guide to what all configuration required so that laptops would get ip address?
  Thanks
  Arvind

  Hello George,
  I do not have any DHCP server, I want the AP to allocate IP addresses to wifi clients.
  Anshul,
  Is there any way the AP distribute the IP addresses? I want to have the AP act as an DHCP server and allocate IP address of wifi clients.
  If this is not possible in this AP model 1142N, any other Cisco AP model available, which can act as DHCP server?
  My requirement basically is:
  The AP should allocate IP in the range 192.168.x.x and I would connect the AP to the public network. The wifi clients should be able to get to Internet.
  Please suggest any other model in Cisco which should meet my requirement.
  Thanks
  Arvind

• DHCP: Some clients not getting IP address

  Recently setup a new DHCP server on Mac OS X Server 10.5.8 running on an Xserve.  We migrated from a Linux server.
  The Xserve was originally just a file server.  So the only services currently running are: AFP, DHCP, NFS, and SMB.  No additional software is running.
  The DHCP server ran just fine for the first couple weeks.  But then we found some computers just stopped getting IP addresses from the DHCP server.  Some were new computers introduced to the network.  Some were laptops that had left and come back.  However, the DHCP server is definitely still giving out IP addresses and renewing them for most new and existing computers.  There have been five computers that have not gotten IP addresses so far, and that had been the case both on the wireless and on a wired connection.  Two were PC's, one running Windows 7 and one running Windows XP with Lenovo's ThinkVantage software.  The other three were different models of MacBook Pros.
  For those five computers, we managed to get them working in two ways.  One, we can select to use DHCP with a manual address.  When we do that, it manages to pick up all the other information from the DHCP server like DNS and gateway.  The second thing we can do is configure the DHCP server to supply a static IP address by providing it with the MAC address of these machines.  When we do that, the computers receive the IP address from the DHCP server.
  So I guess you could say the problem I'm experiencing is for a few computers the DHCP server seems to only be able to provide static addresses, but not dynamic ones with a lease time.
  I have logging set to the highest for the DHCP server.  Below is the first thing I noticed that keeps showing up.  Sometimes it shows a different MAC address than the one below.  None of the afflicted computers have that MAC address, though.  I have not seen any other errors in the logs for the DHCP server.
  Jan 24 12:09:47 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:47 fileserver bootpd[73839]: service time 0.000304 seconds
  Jan 24 12:09:50 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:50 fileserver bootpd[73839]: service time 0.000280 seconds
  Jan 24 12:09:54 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:54 fileserver bootpd[73839]: service time 0.000264 seconds
  Jan 24 12:10:03 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:03 fileserver bootpd[73839]: service time 0.000265 seconds
  Jan 24 12:10:11 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:11 fileserver bootpd[73839]: service time 0.000283 seconds
  Jan 24 12:10:19 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:19 fileserver bootpd[73839]: service time 0.000291 seconds
  Jan 24 12:10:28 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:28 fileserver bootpd[73839]: service time 0.000324 seconds

  Recently setup a new DHCP server on Mac OS X Server 10.5.8 running on an Xserve.  We migrated from a Linux server.
  The Xserve was originally just a file server.  So the only services currently running are: AFP, DHCP, NFS, and SMB.  No additional software is running.
  The DHCP server ran just fine for the first couple weeks.  But then we found some computers just stopped getting IP addresses from the DHCP server.  Some were new computers introduced to the network.  Some were laptops that had left and come back.  However, the DHCP server is definitely still giving out IP addresses and renewing them for most new and existing computers.  There have been five computers that have not gotten IP addresses so far, and that had been the case both on the wireless and on a wired connection.  Two were PC's, one running Windows 7 and one running Windows XP with Lenovo's ThinkVantage software.  The other three were different models of MacBook Pros.
  For those five computers, we managed to get them working in two ways.  One, we can select to use DHCP with a manual address.  When we do that, it manages to pick up all the other information from the DHCP server like DNS and gateway.  The second thing we can do is configure the DHCP server to supply a static IP address by providing it with the MAC address of these machines.  When we do that, the computers receive the IP address from the DHCP server.
  So I guess you could say the problem I'm experiencing is for a few computers the DHCP server seems to only be able to provide static addresses, but not dynamic ones with a lease time.
  I have logging set to the highest for the DHCP server.  Below is the first thing I noticed that keeps showing up.  Sometimes it shows a different MAC address than the one below.  None of the afflicted computers have that MAC address, though.  I have not seen any other errors in the logs for the DHCP server.
  Jan 24 12:09:47 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:47 fileserver bootpd[73839]: service time 0.000304 seconds
  Jan 24 12:09:50 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:50 fileserver bootpd[73839]: service time 0.000280 seconds
  Jan 24 12:09:54 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:09:54 fileserver bootpd[73839]: service time 0.000264 seconds
  Jan 24 12:10:03 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:03 fileserver bootpd[73839]: service time 0.000265 seconds
  Jan 24 12:10:11 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:11 fileserver bootpd[73839]: service time 0.000283 seconds
  Jan 24 12:10:19 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:19 fileserver bootpd[73839]: service time 0.000291 seconds
  Jan 24 12:10:28 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
  Jan 24 12:10:28 fileserver bootpd[73839]: service time 0.000324 seconds

• Clients not getting IP address

  Hi, I have configured 5508 with multiple APs but clients on the internal SSID aren't getting an IP address. I have the IP helper address configured and I have also disabled DHCP proxy on the controller.
  I get the following from the client debug, I don't know what the below mac address is, it's not one my APs or the clients, I am not seeing this mac address on the controller at all but it shows up in the debug.
  type = Airespace AP - Learn IP address
     on AP 6c:9c:ed:87:23:c0
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 Entering Backend Auth Success state (id=29) for mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 Received Auth Success while in Authenticating state for mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 dot1x - moving mobile 08:11:96:20:94:28 into Authenticated state
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.589: 08:11:96:20:94:28 Received EAPOL-Key from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Received EAPOL-key in PTK_START state (message 2) from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 PMK: Sending cache add
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Stopping retransmission timer for mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Sending EAPOL-Key Message to mobile 08:11:96:20:94:28
                                                                                                                      state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Received EAPOL-Key from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 08:11:96:20:94:28
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 apfMs1xStateInc
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 6c:9c:ed:87:23:c0 vapId 1 apVapId 1for this client
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Not Using WMM Compliance code qosCap 00
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 6c:9c:ed:87:23:c0 vapId 1 apVapId 1
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4793, Adding TMP rule
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.589: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 6c:9c:ed:87:23:c0, slot 0, interface = 1, QOS = 0
    ACL Id = 255, Jum
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 100, IPv6 intf id = 0
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4809, Adding TMP rule
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 6c:9c:ed:87:23:c0, slot 0, interface = 1, QOS = 0
    ACL Id = 255, Jumbo
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 100, IPv6 intf id = 0
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
  *Dot1x_NW_MsgTask_0: Nov 25 16:14:17.596: 08:11:96:20:94:28 Stopping retransmission timer for mobile 08:11:96:20:94:28
  *pemReceiveTask: Nov 25 16:14:17.596: 08:11:96:20:94:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
  *pemReceiveTask: Nov 25 16:14:17.596: 08:11:96:20:94:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

  Fair enough.  That MAC address in the debug looks like exactyl what I'd expect to see.....  It is either the Base Radio MAC address or the Ethernet MAC Address of the AP you are associated to.   So when you say it doesn't exist on your WLC, are you sure you are comparing to the Radio MAC as well as the Ethernet MAC list?
  As far as IP addressing goes, the WLC is not seeing anything at all regarding client doing dhcp. Nor is it seeing the client send packets with an IP address (as if it were static).
  What version of code is this?
  Every single client has this problem? On this one wlan or all wlans?
  Was it ever working?
  Better yet, if this is HREAP this becomes an entirely different story, so are you doing HREAP Local Switching?

• Guest Wireless client not getting IP addresses

  WLC 5508 as anchor  running 7.0.116.0  locally configured DHCP scope. Scope has been enabled.  There are 2 Foreign controllers in different locations Mobility ggroups have been configured   and there is communication between them  I am able to ping , mping and eping.  I have gone through my configuration but can't find what is missing.

  I am pasting the debug and show wlan  info below  the first is for the  foreign controller
  =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
  *apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
  *osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
  *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
  *osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
  *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
  *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
  *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
  *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
  *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
  *DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
  *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
  *DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  WLAN Identifier.................................. 1
  Profile Name..................................... calguest
  Network Name (SSID).............................. calguest
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Number of Active Clients......................... 2
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 1800 seconds
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ management
  Multicast Interface.............................. Not Configured
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  Quality of Service............................... Bronze (background)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
  Authentication................................ Global Servers
  Accounting.................................... Global Servers
  Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
  802.11 Authentication:........................ Open System
  Static WEP Keys............................... Disabled
  802.1X........................................ Disabled
  Wi-Fi Protected Access (WPA/WPA2)............. Disabled
  CKIP ......................................... Disabled
  Web Based Authentication...................... Disabled
  Web-Passthrough............................... Disabled
  Conditional Web Redirect...................... Disabled
  Splash-Page Web Redirect...................... Disabled
  Auto Anchor................................... Enabled
  H-REAP Local Switching........................ Disabled
  H-REAP Local Authentication................... Disabled
  H-REAP Learn IP Address....................... Enabled
  Client MFP.................................... Optional but inactive (WPA2 not configured)
  Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  SIP CAC Fail Send-486-Busy Policy................ Enabled
  SIP CAC Fail Send Dis-Association Policy......... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  Mobility Anchor List
  WLAN ID IP Address Status
  1 10.12.130.114 Up
  Next is for the  anchor
  =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
  *apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
  *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
  *osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
  *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
  *osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
  *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
  *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
  *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
  *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
  *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
  *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
  *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
  *DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
  *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
  *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
  *DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
  WLAN Identifier.................................. 1
  Profile Name..................................... calguest
  Network Name (SSID).............................. calguest
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Number of Active Clients......................... 2
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 1800 seconds
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ management
  Multicast Interface.............................. Not Configured
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  Quality of Service............................... Bronze (background)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
  Authentication................................ Global Servers
  Accounting.................................... Global Servers
  Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
  802.11 Authentication:........................ Open System
  Static WEP Keys............................... Disabled
  802.1X........................................ Disabled
  Wi-Fi Protected Access (WPA/WPA2)............. Disabled
  CKIP ......................................... Disabled
  Web Based Authentication...................... Disabled
  Web-Passthrough............................... Disabled
  Conditional Web Redirect...................... Disabled
  Splash-Page Web Redirect...................... Disabled
  Auto Anchor................................... Enabled
  H-REAP Local Switching........................ Disabled
  H-REAP Local Authentication................... Disabled
  H-REAP Learn IP Address....................... Enabled
  Client MFP.................................... Optional but inactive (WPA2 not configured)
  Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  SIP CAC Fail Send-486-Busy Policy................ Enabled
  SIP CAC Fail Send Dis-Association Policy......... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  Mobility Anchor List
  WLAN ID IP Address Status
  1 10.12.130.114 Up

• Guest users not getting IP address

  I am setting up Cisco wireless along with ISE 1.3 for guest wireless.  The client is going to use the self-registration portal for guest wireless users.  I followed this Cisco doc to configure the self-registration portal:
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html
  I tested this in my home lab and everything works fine.  However, at the client users are not getting IP addresses from the DHCP server.  This is the same DHCP server that is used for corporate wireless and if you connect that SSID, you get an IP address.  I have looked what I configured at home and the client and everything looks the same.  In the back of my mind, I feel something is missing, but I can't figure out what it is.  
  Edit: Not sure if this makes a difference or not, but they are using a Nexus 5K for their core switch and it hosts the SVI for this network.  
  Let me know what information you need and I will post it.
  TIA,
  Dan

  Hello,
  Some verifications below :
  Did you verify if DHCP Proxy is enabled in wlc's wlan interface ? Case DHCP proxy is disabled, did you verify if the ip helper address is enabled in Nexus SVI ?
  DHCP Scope is enabled in the DHCP Server or is enabled in the WLC ?
  Verify if Trunk in the switch is enabled correctly passing all VLANs to WLANs ?
  Verify if ACL to redirect configured in the WLC is allowing DHCP Server and DHCP Client to client receive IP Address and ports 8443 to Cisco ISE and DNS to resolve some address and get access to ISE Portal ?
  The scenario is Local Switching or Central Switching ?
  Regards

• WLC 5760 with internal DHCP server, clients no get IP address

  Hi all,
  I have  2  Cisco 5760 WLC (active-standby)  IOS-Xe 03.03.03SE  with  one WLAN.
   sh wlan summary 
  Number of WLANs: 1
  WLAN Profile Name                     SSID                           VLAN Status 
  1    Invitados_ADSL                   Guest                          905  UP
  sh vlan         
  VLAN Name                             Status    Ports
  1    default                          active    Te1/0/3, Te1/0/4, Te1/0/5, Te1/0/6, Te2/0/3
                                                  Te2/0/4, Te2/0/5, Te2/0/6
  100  VLAN0100                         active    Te1/0/1, Te2/0/1
  101  Planta_1                         active    
  905  Internet                         active    Te1/0/2, Te2/0/2
  The DHCP server is internal.
  Sometimes the clients no get IP address and the DHCP pool has IP addresses available.
  The workaround done by me to solve the issue is “clear  ip dhcp  binding *”.
  Some days later the problem appears again.
  I see this bug with a similar problem:
  NGWC blocks DHCP traffic if wireless broadcast disabled
  CSCun88928
  Description
  Symptom:
  Some clients set the BROADCAST flag on the DHCP Discover packet. This requires the DHCP server to reply with a broadcast.
  In that case and if you are not using DHCP snooping on the 5760/3850, then the controller will block the return traffic unless you enable "wireless broadcast" which enables broadcast globally (and is thus not always desirable)
  Conditions:
  Seen on 3.3.2 IOS-XE
  Workaround:
  Use DHCP snooping with the "ip dhcp snooping wireless bootp-broadcast command"
  OR
  Enable "wireless broadcast" globally
  My DHCP configuration is:
  ip dhcp relay information trust-all
  ip dhcp snooping vlan 905
  ip dhcp snooping
  ip dhcp excluded-address 172.16.0.1 172.16.0.19
  ip dhcp excluded-address 172.16.1.250 172.16.1.254
  ip dhcp pool Invitados
   network 172.16.0.0 255.255.254.0
   default-router 172.16.0.1 
   dns-server 212.66.160.2 212.49.128.65 
   lease 0 8
  I see in Cisco documentation (http://www.cisco.com/en/US/docs/wireless/technology/5760_deploy/CT5760_Centralized_Configuration_eg.html) this configuration:
  DHCP Snooping and Trust Configuration on CT5760
  ip dhcp snooping vlan 100, 200
  ip dhcp snooping wireless bootp-broadcast enable
  ip dhcp snooping
  interface TenGigabitEthernet1/0/1
  description Connection to Core Switch
  switchport trunk allowed vlan 100, 200
  switchport mode trunk
  ip dhcp relay information trusted ip dhcp snooping trust
  interface Vlan100
  description Client Vlan
  ip dhcp relay information trusted
  My question is,Do I have to add the command "ip dhcp snooping wireless bootp-broadcast enable" to solve the issue?
  Thanks in advance.
  Regards.
  D

  Yes, test it with the command you mentioned
  ip dhcp snooping wireless bootp-broadcast enable
  HTH
  Rasika
  **** Pls rate all useful responses *****

• Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

  Hi Surendra,
  I was just given this task to see how i can configure a second ssid for guest access in our environment.
  this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
  Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
  Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.
  My AP config is attached below.
  Please tell me what am I doing wrong.
  Do i need to redesign the whole network to have a native vlan other nthan the data vlan?
  Does the access point need to be aware of the voice vlan?
  Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
  I will greatly appreciate your urgent response.
  Thanks in advanced.

  Hi,
  As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
  int vlan 20
  ip helper-address 192.168.33.xxx
  int vlan 60
  ip helper-address 130.20.1.xxx
  I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
  Modify the AP config as below since you are using data vlan as the native vlan
  interface Dot11Radio0.20
  encapsulation dot1Q 20 native
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  no ip route-cache
  bridge-group 20
  no bridge-group 20 source-learning
  bridge-group 20 spanning-disabled
  interface FastEthernet0.60
  encapsulation dot1Q 60
  no ip route-cache
  bridge-group 60
  no bridge-group 60 source-learning
  bridge-group 60 spanning-disabled
  Hope this helps.
  Regards
  Najaf

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• Added a Northbound SNMP Trap Receiver in Cisco PI 1.3, but not getting traps

  Hi;
  I tried going into the Administration, System Settings, Notification Receivers menu and adding a receiver. The receiver was our  Zenoss 4.2.3 Resource Manager system. Zenoss has no problems  receiving traps from  IOS devices such as switches; that is routine for us. For example, we  see snmpTrap_Linkdown events from 2960s,etc.
  However, even with all the possible events and severities checked in the PI GUI for the receiver, we did not get anything.
  As a quick test I added my desktop computer as a receiver and ran Wireshark. Nothing comes through from Cisco PI. 
  This is supposed to be UDP 162 stuff, so there ought not be a need for a handshake or need  to permit anything on the receiver side. I would expect to  see a total  fire-hose of traps after the receiver is added. But that reasoning conflicts with the need to set the SNMP Community string for the Notification Receiver...
  I downloaded the logs from Cisco PI and grepped through all of them for the IPs & names of the test receivers, but found no messages.
  Any idea what might be wrong? Do I need to restart something after adding the receiver?
  I did notice that even if I supply a ficticious IP and name for the receiver, after it is added the "Operational Status" still says "Up" ...
  I sure wish NCS came with a better help system - I can't find anything in the Cisco config guides that explains what a "Northbound" receiver is.
  So confused,
  Steve

  Hi Matt, thanks for taking the time to reply.
  >> Not sure why you are trying to do this with PI, this is really more of an ISE function
  We don't have ISE and won't be getting it ... still trying to afford the > $100K for PI licenses. Our Content Filter vendor suggested using PI.
  >>Is PI set to forward traps for client authentication?
  I have all traps and severities checked. Not sure last week nothing showed up in Wireshark. Today I am seeing some UDP info from PI hitting my test workstation. However, when I associate and dissassociate my laptop, nothing comes through. Most of what I see are rogue notifications.
  >> Are the controllers that PI is managing also set to forward the same traps?
  In Configure,Controllers, , Management, TrapControl, all possible boxes are checked.
  >> Is PI configured correctly to forward the traps you want?
  Please see answer above.
  >> Does your content filter have the right MIBs to decipher the traps correctly?
  The content filter vendor says they will customize their software as needed, but the first step is to see traps getting forwarded, and right now, it appeards that PI is not forwarding what I would expect from the GUI settings. Let's worry about MIB stuff after we are getting the raw trap data.
  Thanks,
  Steve
  Message was edited by: Stephen Crye, elaborated & provided latest info.

• Cisco ISE - Reauthentication of client if server becomes alive again

  Dears,
  I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
  I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
  The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
  Below is the switch port configuration:
  interface FastEthernet0/5
  switchport access vlan 240
  switchport mode access
  switchport voice vlan 156
  authentication event server dead action authorize vlan 240
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  Anyone can help?
  Regards,

  Please check whether the switch is dropping the connection or the server.
  Symptoms or Issue
   802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
  Conditions
   This applies to user sessions that have logged in successfully and are then being terminated by the switch.
  Possible Causes
   •The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.  
  •The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.  
  •Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
  Resolution
   •Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.  
  •Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.  
  •Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):  
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server vsa send accounting
  radius-server vsa send authentication

• Clients not getting DHCP in VRF

  Good morning -
  We have devices in the global routing table (not in a VRF) getting DHCP addresses without issue. The SVI is configured as such:
  interface Vlan2301
  description BLUE
  ip address 172.19.68.1 255.255.255.0
  ip helper-address 10.4.16.222
  interface Vlan2512
  description RED
  vrf forwarding RED
  ip address 10.217.5.1 255.255.255.0
  ip helper-address 10.4.16.222
  Clients in BLUE are getting DHCP but clients in RED are not. If I statically assign an address I have connectivity and can reach the DHCP server (which is also DNS server; with a static IP in VLAN 2512 I can do name resolutions for example).
  I am at a bit of a loss. Is there anything special I need to do for VRF IP HELPER-ADDRESS configuration? A capture on my firewall interface shows the DHCP server is trying to reply - it is like the helper-address is not forwarding the dhcp reply (or is not getting it)
  11:11:52.915180 IP (tos 0x0, ttl 254, id 17478, offset 0, flags [none], proto UDP (17), length 337)
      10.217.5.1.67 > 10.4.16.222.67: BOOTP/DHCP, Request from xx, length 309, hops 1, xid 0xb53a220c, Flags [none]
            Gateway-IP 10.217.5.1
            Client-Ethernet-Address xx [|bootp]
  11:11:52.918761 IP (tos 0x0, ttl 124, id 28096, offset 0, flags [none], proto UDP (17), length 344)
      10.4.16.222.67 > 10.217.5.1.67: BOOTP/DHCP, Reply, length 316, xid 0xb53a220c, Flags [none]
            Your-IP 10.217.5.12
            Server-IP 10.4.16.222
            Gateway-IP 10.217.5.1
            Client-Ethernet-Address xx [|bootp]
  Any ideas?

  Good morning -
  I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
  (Core)
  interface Port-channel5
  description Distribution Uplink
  no switchport
  vnet trunk
  ip dhcp snooping limit rate 100
  ip address 172.20.68.1 255.255.255.252
  ip ospf message-digest-key 1 md5 XXX
  spanning-tree guard root
  (4500 Distribution)
  interface Port-channel1
  description Core Uplink
  vnet trunk
  ip arp inspection trust
  ip address 172.20.68.2 255.255.255.252
  ip ospf message-digest-key 1 md5 XXX
  The interfaces are all using LACP mode Active inside the channels
  On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
  interface Vlan2301
  description Global Routing Table
  ip address 172.19.68.1 255.255.255.0
  ip helper-address 10.4.16.222
  interface Vlan2512
  description VRF
  vrf forwarding RED
  ip address 10.217.5.1 255.255.255.0
  ip helper-address 10.4.16.222
  DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
  What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
  Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
  When both links are up and DHCP is failing for the VRF:
  Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
  Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
  Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
  Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
  Mar 10 20:02:10.474: DHCPD: using received relay info.
  When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
  Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
  Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
  Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
  Mar 10 20:04:41.369: DHCPD: client's VPN is .
  Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
  Mar 10 20:04:41.369: DHCPD: no option 125
  Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
  Mar 10 20:04:41.369: DHCPD: no option 125
  Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
  Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
  Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
  It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
  Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
  03.05.01.E is the code we are running on the 4500X-32(SPF+)
  This is also with TAC but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment.

• Cisco 891 not getting IP address with DHCP with latest IOS

  Hi,
  I have a few Cisco 891 routers that are configured as DHCP clients on the WAN interface.
  For some reason when I boot the router with a late IOS, the router is not receiving an address.
  It works just as expected with the older IOSes.
  Any ideas of what changed?
  This is how the interface is configured:
  interface FastEthernet8
   ip address dhcp
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   duplex auto
   speed auto
   no cdp enable
  This IOS does not work:
  c890-universalk9-mz.154-3.M2.bin
  While these do work:
  c890-universalk9-mz.150-1.M7.bin
  c890-universalk9-mz.151-2.T2.bin
  c890-universalk9-mz.152-1.T1.bin
  Doing a "show ip interface brief" shows that FastEthernet8 is unassigned with the affected IOS.
  With the older IOSes there is an IP address.
  I had to downgrade two routers due to this issue, and did not have  plenty of time to troubleshoot.
  Both of the routers are connected to DSL from the same ISP...
  Anyone seen anything like this  before?

  Add another one to the list.
  I have a MacBookPro3,1 that connects to WIFI no problem. It used to connect to ethernet when I originally bought it, however I've been using WIFI exclusively for the past 2 years.
  Recently I had a need to connect via ethernet and it wouldn't work at home (apple airport router). I next tried connecting via ethernet at a friends house using a linksys WRT54G, no dice either. I have the computer in the lab today (University Network) and I get the same error. 3 different locations, 3 different routers, all same problem. It used to connect to home and university networks ethernet right away.
  IP address assigned is 169.xxx.xxx.xxx - subnet - 255.255.0.0
  no other info. It's showing up as connecting to the network, but unable to communicate with DHCP. It does work if I enter all of the information in manually.
  At first I thought I had messed something up in networking preferences as I tend to play around with things alot. However I did a complete system format, and fresh install of OSX Lion and I still have the same problem, without any of my meddling around to confuse things.
  What gives?

• IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working

  Hi there guys ,
  I was wondering if anybody else have the following problem:
  Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
  After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
  ISE is version 1.2.1.198 patch 2.  WLC is running 8.0.102.14.
  Anybody experienced the same?
  MB

  I am also running ISE 1.2.1.198 patch 2 with 8.0.100.  I am testing with an iPad running IOS 8.1.  The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe.  It is getting profiled as a workstation even though all apple device profiles are enabled.  I have an authorization policy for registered devices, and ipad, iphone, ios devices to gain access to the network without going through posture assessment.  I then have my posture assessment authorization rules with apple IOS devices set for a ssid native supplicant profile.  I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal     ISE is not able to apply an access policy to your log-in session at this time.  Please close this browser, wait approximately one minute, and try to connect again".  It gives this message over and over.  If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.