Cisco ISE 1.2, Clients not getting IP address in closed mode
Hello, I am running closed mode on my switchports. I have an issue where some clients come in in the morning, try to log in, and will not get network access. I see that this is because they do not get an IP address. I am using MAB for authentication currently. They appear to MAB correctly and get Authorized in ISE, but they do not get an IP. Therefore, they also do not get the DACL of permit ANY. It's like the port gets de-authenticated during the night. Usually when the machine is rebooted it will come up with an IP address. Here is my switchport config...
switchport access vlan 32
switchport mode access
switchport voice vlan 64
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 32
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 600
authentication timer reauthenticate 7200
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout quiet-period 300
dot1x timeout tx-period 10
dot1x timeout ratelimit-period 300
dot1x timeout held-period 300
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end
Thanks, here is the requested output of an Unauthorized client. I had to configure authentication open so they could still get access...
SJ5051IDF1#show authen sess int g2/20 d
Interface: GigabitEthernet2/20
MAC Address: d4be.d94f.ab92
IPv6 Address: Unknown
IPv4 Address: 10.42.32.109
User-Name: D4-BE-D9-4F-AB-92
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A2A000B000034E367D4B998
Acct Session ID: Unknown
Handle: 0x21000508
Current Policy: POLICY_Gi2/20
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Method status list:
Method State
mab Authc Success
SJ5051IDF1#
SJ5051IDF1#show ip access int g2/20
SJ5051IDF1#
SJ5051IDF1#show access-list int g2/20
^
% Invalid input detected at '^' marker.
SJ5051IDF1#show access-list ?
<1-2799> ACL number
WORD ACL name
ipc Show access-list config download info
rate-limit Show rate-limit access lists
| Output modifiers
<cr>
SJ5051IDF1#show access-list g2/20
SJ5051IDF1#
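A small check against the paste above, added here as an example and not part of the original thread: it parses `show authentication sessions interface ... details` output and flags a session whose method shows Authc Success while the Status is not Authorized, which is exactly the state in the paste (the MAB result came back, but the authorization, and with it the permit-any dACL, never took effect, so in closed mode the host is still blackholed and cannot even DHCP). The two samples are constructed and trimmed; the second, healthy session, its "ACS ACL" line (the form IOS uses when a dACL from ISE is installed on the session) and the ACL name are placeholders for comparison.

```python
"""Parse IOS 'show authentication sessions interface <if> details' output and
flag sessions that authenticated but were never authorized. Added example;
the samples below are constructed, modelled on the post (MACs, session IDs
and the ACL name are placeholders)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the broken case from the post (mab succeeded, Status Unauthorized).
UNAUTHORIZED_SAMPLE = """\
Interface: GigabitEthernet2/20
MAC Address: d4be.d94f.ab92
IPv6 Address: Unknown
IPv4 Address: 10.42.32.109
User-Name: D4-BE-D9-4F-AB-92
Status: Unauthorized
Domain: DATA
Oper host mode: multi-auth
Current Policy: POLICY_Gi2/20
Method status list:
Method State
mab Authc Success
"""

# Constructed sample: what a healthy closed-mode session looks like. When ISE
# pushes a dACL, IOS lists it as "ACS ACL: ..." under "Server Policies:";
# the ACL name here is a placeholder.
AUTHORIZED_SAMPLE = """\
Interface: GigabitEthernet2/21
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: 10.42.32.110
User-Name: 00-11-22-33-44-55
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Session timeout: 7200s (local), Remaining: 6541s
Current Policy: POLICY_Gi2/21
Server Policies:
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-placeholder
Method status list:
Method State
mab Authc Success
dot1x Stopped
"""


@dataclass
class AuthSession:
    fields: Dict[str, str] = field(default_factory=dict)   # "Key: Value" lines
    methods: Dict[str, str] = field(default_factory=dict)  # method -> state


def parse_session(text: str) -> AuthSession:
    """Split the key/value header from the 'Method status list' table."""
    sess = AuthSession()
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line.startswith("Method"):        # column header "Method State"
                continue
            method, _, state = line.partition(" ")
            sess.methods[method] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            sess.fields[key.strip()] = value.strip()
    return sess


def assess(sess: AuthSession) -> List[str]:
    """Return human-readable findings; an empty list means the session is healthy."""
    findings: List[str] = []
    intf = sess.fields.get("Interface", "?")
    status = sess.fields.get("Status", "")
    succeeded = [m for m, s in sess.methods.items() if s == "Authc Success"]
    if succeeded and status != "Authorized":
        # Authentication came back fine but the authorization result (VLAN/dACL)
        # never took effect: in closed mode the host stays blackholed, no DHCP.
        findings.append(f"{intf}: {'/'.join(succeeded)} Authc Success but Status {status}; "
                        "authorization not applied, so no dACL and no traffic in closed mode")
    if status == "Authorized" and "ACS ACL" not in sess.fields:
        findings.append(f"{intf}: Authorized but no dACL (no 'ACS ACL' line); "
                        "check the ISE authorization profile")
    if sess.fields.get("IPv4 Address", "Unknown") == "Unknown":
        # IOS can only install a per-host dACL once IP device tracking has learned the host's IP.
        findings.append(f"{intf}: no IPv4 address learned for the session; a dACL cannot be applied yet")
    return findings


if __name__ == "__main__":
    for sample in (UNAUTHORIZED_SAMPLE, AUTHORIZED_SAMPLE):
        for finding in assess(parse_session(sample)) or ["ok"]:
            print(finding)
```

Run it against the real output of a broken port and a working port side by side; the first finding is the one to chase in ISE's RADIUS live log (look at the Access-Accept attributes for that session ID), and the last one is the usual reason a dACL silently fails to apply on IOS.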
Similar Messages
-
DHCP via Hyper-V VM, Server2012r2 Hyper-V host, clients not getting IP address
You have to authorize a dhcp server as Britv8 says. That's the only way it'll start dishing out leases. That's standard for Windows DHCP server in an AD Domain.
Also there's 0 reason to mention Hyper-V here. The whole point of virtualization is to do hardware level abstraction.
I recently encountered this. Setup:
Initial setup of the system was at a different location from its final destination, with different network equipment (switches) between the two. No teaming is involved, however.
Set up the system at its final destination, with DHCP via a Hyper-V VM (Server2012r2), Server2012r2 Hyper-V host, physical clients on the lan were not getting IP address.
The physical server box has a 4-port Intel Gigabit ethernet card.
I moved the setup (Hyper-V Virtual Switch manager) so that the interface for the DHCP server VM was instead using one of two built-in Broadcom adapters.
While this topic seemed promising,
http://community.spiceworks.com/topic/251317-hyper-v-vm-not-leasing-ip-s-dhcp
unfortunately, "fiddling about" was not what I was looking for as possible solution.
My notes for the resolution:
Hyper-V system running...
-
Wifi clients not getting IP addresses
Hello Experts,
I have a Cisco 1140 AP, and using express setup I have configured an IP address on it. This AP is connected to our public network and is configured with a public IP address. We want the guest users to connect to Wifi and gain access to the Internet.
While the users connect to Wifi, I find their laptops getting IP address in series 169.x.x.x due to which they are unable to get to internet.
Can somebody guide to what all configuration required so that laptops would get ip address?
Thanks
Arvind
Hello George,
I do not have any DHCP server, I want the AP to allocate IP addresses to wifi clients.
Anshul,
Is there any way the AP can distribute the IP addresses? I want to have the AP act as a DHCP server and allocate IP addresses to wifi clients.
If this is not possible in this AP model 1142N, any other Cisco AP model available, which can act as DHCP server?
My requirement basically is:
The AP should allocate IP in the range 192.168.x.x and I would connect the AP to the public network. The wifi clients should be able to get to Internet.
Please suggest any other model in Cisco which should meet my requirement.
Thanks
Arvind -
DHCP: Some clients not getting IP address
Recently setup a new DHCP server on Mac OS X Server 10.5.8 running on an Xserve. We migrated from a Linux server.
The Xserve was originally just a file server. So the only services currently running are: AFP, DHCP, NFS, and SMB. No additional software is running.
The DHCP server ran just fine for the first couple weeks. But then we found some computers just stopped getting IP addresses from the DHCP server. Some were new computers introduced to the network. Some were laptops that had left and come back. However, the DHCP server is definitely still giving out IP addresses and renewing them for most new and existing computers. There have been five computers that have not gotten IP addresses so far, and that had been the case both on the wireless and on a wired connection. Two were PC's, one running Windows 7 and one running Windows XP with Lenovo's ThinkVantage software. The other three were different models of MacBook Pros.
For those five computers, we managed to get them working in two ways. One, we can select to use DHCP with a manual address. When we do that, it manages to pick up all the other information from the DHCP server like DNS and gateway. The second thing we can do is configure the DHCP server to supply a static IP address by providing it with the MAC address of these machines. When we do that, the computers receive the IP address from the DHCP server.
So I guess you could say the problem I'm experiencing is for a few computers the DHCP server seems to only be able to provide static addresses, but not dynamic ones with a lease time.
I have logging set to the highest for the DHCP server. Below is the first thing I noticed that keeps showing up. Sometimes it shows a different MAC address than the one below. None of the afflicted computers have that MAC address, though. I have not seen any other errors in the logs for the DHCP server.
Jan 24 12:09:47 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:09:47 fileserver bootpd[73839]: service time 0.000304 seconds
Jan 24 12:09:50 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:09:50 fileserver bootpd[73839]: service time 0.000280 seconds
Jan 24 12:09:54 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:09:54 fileserver bootpd[73839]: service time 0.000264 seconds
Jan 24 12:10:03 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:10:03 fileserver bootpd[73839]: service time 0.000265 seconds
Jan 24 12:10:11 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:10:11 fileserver bootpd[73839]: service time 0.000283 seconds
Jan 24 12:10:19 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:10:19 fileserver bootpd[73839]: service time 0.000291 seconds
Jan 24 12:10:28 fileserver bootpd[73839]: DHCP DISCOVER [en1]: 1,0:23:32:c1:31:c3
Jan 24 12:10:28 fileserver bootpd[73839]: service time 0.000324 seconds
-
Clients not getting IP address
Hi, I have configured 5508 with multiple APs but clients on the internal SSID aren't getting an IP address. I have the IP helper address configured and I have also disabled DHCP proxy on the controller.
I get the following from the client debug. I don't know what the below MAC address is, it's not one of my APs or the clients; I am not seeing this MAC address on the controller at all but it shows up in the debug.
type = Airespace AP - Learn IP address
on AP 6c:9c:ed:87:23:c0
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 Entering Backend Auth Success state (id=29) for mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 Received Auth Success while in Authenticating state for mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.579: 08:11:96:20:94:28 dot1x - moving mobile 08:11:96:20:94:28 into Authenticated state
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.589: 08:11:96:20:94:28 Received EAPOL-Key from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Received EAPOL-key in PTK_START state (message 2) from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 PMK: Sending cache add
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Stopping retransmission timer for mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.590: 08:11:96:20:94:28 Sending EAPOL-Key Message to mobile 08:11:96:20:94:28
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Received EAPOL-Key from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 08:11:96:20:94:28
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 6c:9c:ed:87:23:c0 vapId 1 apVapId 1for this client
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 6c:9c:ed:87:23:c0 vapId 1 apVapId 1
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4793, Adding TMP rule
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.589: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 6c:9c:ed:87:23:c0, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jum
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 IPv6 Vlan = 100, IPv6 intf id = 0
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4809, Adding TMP rule
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 6c:9c:ed:87:23:c0, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 IPv6 Vlan = 100, IPv6 intf id = 0
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.595: 08:11:96:20:94:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Nov 25 16:14:17.596: 08:11:96:20:94:28 Stopping retransmission timer for mobile 08:11:96:20:94:28
*pemReceiveTask: Nov 25 16:14:17.596: 08:11:96:20:94:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Nov 25 16:14:17.596: 08:11:96:20:94:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
Fair enough. That MAC address in the debug looks like exactly what I'd expect to see..... It is either the Base Radio MAC address or the Ethernet MAC Address of the AP you are associated to. So when you say it doesn't exist on your WLC, are you sure you are comparing to the Radio MAC as well as the Ethernet MAC list?
As far as IP addressing goes, the WLC is not seeing anything at all regarding client doing dhcp. Nor is it seeing the client send packets with an IP address (as if it were static).
What version of code is this?
Every single client has this problem? On this one wlan or all wlans?
Was it ever working?
Better yet, if this is HREAP this becomes an entirely different story, so are you doing HREAP Local Switching? -
Guest Wireless client not getting IP addresses
WLC 5508 as anchor running 7.0.116.0 with a locally configured DHCP scope. The scope has been enabled. There are 2 foreign controllers in different locations. Mobility groups have been configured and there is communication between them; I am able to ping, mping and eping. I have gone through my configuration but can't find what is missing.
I am pasting the debug and show wlan info below the first is for the foreign controller
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
*apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
*apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
*apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
*apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
*apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
*DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
*DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
*DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
WLAN Identifier.................................. 1
Profile Name..................................... calguest
Network Name (SSID).............................. calguest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
1 10.12.130.114 Up
Next is for the anchor
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
1 10.12.130.114 Up -
Guest users not getting IP address
I am setting up Cisco wireless along with ISE 1.3 for guest wireless. The client is going to use the self-registration portal for guest wireless users. I followed this Cisco doc to configure the self-registration portal:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html
I tested this in my home lab and everything works fine. However, at the client users are not getting IP addresses from the DHCP server. This is the same DHCP server that is used for corporate wireless and if you connect that SSID, you get an IP address. I have looked what I configured at home and the client and everything looks the same. In the back of my mind, I feel something is missing, but I can't figure out what it is.
Edit: Not sure if this makes a difference or not, but they are using a Nexus 5K for their core switch and it hosts the SVI for this network.
Let me know what information you need and I will post it.
TIA,
Dan
Hello,
Some verifications below:
Did you verify if DHCP Proxy is enabled on the WLC's WLAN interface? In case DHCP proxy is disabled, did you verify if the ip helper-address is enabled on the Nexus SVI?
Is the DHCP scope enabled on the DHCP server or on the WLC?
Verify if the trunk on the switch is correctly configured and passing all VLANs to the WLANs.
Verify if the redirect ACL configured on the WLC allows the DHCP server and DHCP client traffic so the client can receive an IP address, port 8443 to Cisco ISE, and DNS to resolve addresses and get access to the ISE portal.
Is the scenario Local Switching or Central Switching?
Regards -
WLC 5760 with internal DHCP server, clients do not get an IP address
Hi all,
I have 2 Cisco 5760 WLCs (active-standby) running IOS-XE 03.03.03SE with one WLAN.
sh wlan summary
Number of WLANs: 1
WLAN Profile Name SSID VLAN Status
1 Invitados_ADSL Guest 905 UP
sh vlan
VLAN Name Status Ports
1 default active Te1/0/3, Te1/0/4, Te1/0/5, Te1/0/6, Te2/0/3
Te2/0/4, Te2/0/5, Te2/0/6
100 VLAN0100 active Te1/0/1, Te2/0/1
101 Planta_1 active
905 Internet active Te1/0/2, Te2/0/2
The DHCP server is internal.
Sometimes the clients do not get an IP address even though the DHCP pool has IP addresses available.
The workaround I used to solve the issue is "clear ip dhcp binding *".
Some days later the problem appears again.
I see this bug with a similar problem:
NGWC blocks DHCP traffic if wireless broadcast disabled
CSCun88928
Description
Symptom:
Some clients set the BROADCAST flag on the DHCP Discover packet. This requires the DHCP server to reply with a broadcast.
In that case and if you are not using DHCP snooping on the 5760/3850, then the controller will block the return traffic unless you enable "wireless broadcast" which enables broadcast globally (and is thus not always desirable)
Conditions:
Seen on 3.3.2 IOS-XE
Workaround:
Use DHCP snooping with the "ip dhcp snooping wireless bootp-broadcast command"
OR
Enable "wireless broadcast" globally
My DHCP configuration is:
ip dhcp relay information trust-all
ip dhcp snooping vlan 905
ip dhcp snooping
ip dhcp excluded-address 172.16.0.1 172.16.0.19
ip dhcp excluded-address 172.16.1.250 172.16.1.254
ip dhcp pool Invitados
network 172.16.0.0 255.255.254.0
default-router 172.16.0.1
dns-server 212.66.160.2 212.49.128.65
lease 0 8
I see in Cisco documentation (http://www.cisco.com/en/US/docs/wireless/technology/5760_deploy/CT5760_Centralized_Configuration_eg.html) this configuration:
DHCP Snooping and Trust Configuration on CT5760
ip dhcp snooping vlan 100, 200
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping
interface TenGigabitEthernet1/0/1
description Connection to Core Switch
switchport trunk allowed vlan 100, 200
switchport mode trunk
ip dhcp relay information trusted ip dhcp snooping trust
interface Vlan100
description Client Vlan
ip dhcp relay information trusted
My question is: do I have to add the command "ip dhcp snooping wireless bootp-broadcast enable" to solve the issue?
Thanks in advance.
Regards.
D
Yes, test it with the command you mentioned:
ip dhcp snooping wireless bootp-broadcast enable
HTH
Rasika
**** Pls rate all useful responses ***** -
Hi Surendra,
I was just given this task to see how I can configure a second SSID for guest access in our environment.
This is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG, and the CME router is also connecting to the ce520 switch. We only have two VLANs: one for voice and two for data.
Presently, there is no VLAN configured on the AP because it is only broadcasting one SSID and wireless users get IPs from a Windows DHCP server on the LAN. The configuration on the ce520 switch port for the AP and other switches says the access VLAN is the DATA VLAN, which automatically becomes the native VLAN for all trunk ports connecting the AP and other switches to the network.
Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest VLANs. The two VLANs are 20-DATA and 60-Guest. I made the DATA VLAN on the AP the native VLAN since the PoE switch is using the DATA VLAN as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest SSID and I have added the ip helper-address on the guest VLAN interface on all switches, while the Windows server remains the DHCP server for the production DATA VLAN. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcast SSIDs, but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time.
My AP config is attached below.
Please tell me what I am doing wrong.
Do I need to redesign the whole network to have a native VLAN other than the data VLAN?
Does the access point need to be aware of the voice VLAN?
Does the native VLAN on the AP need to be in bridge-group 1 or can I leave it in bridge-group 20?
I will greatly appreciate your urgent response.
Thanks in advance.
Hi,
As far as I know we don't set the ip helper-address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
int vlan 20
ip helper-address 192.168.33.xxx
int vlan 60
ip helper-address 130.20.1.xxx
I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also I hope you have configured the switch port as trunk where this AP is connected.
Modify the AP config as below since you are using the data VLAN as the native VLAN:
interface Dot11Radio0.20
encapsulation dot1Q 20 native
interface FastEthernet0.20
encapsulation dot1Q 20 native
Ideally your AP FastEthernet configuration should look like below; not sure how you missed this, as this comes by default when you have multiple VLANs for multiple SSIDs.
interface FastEthernet0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface FastEthernet0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
no bridge-group 60 source-learning
bridge-group 60 spanning-disabled
Hope this helps.
Regards
Najaf -
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, you need to ensure the following things:
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch (where the session IP is the IP address that is passed to the client machine by the DHCP server).
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for the guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to re-image again. -
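As an added example (not from the post, and not Cisco's code), a small Python checker for steps 3 and 4 of the checklist above: it parses a copy of the preposture DACL and of the switch-side redirect ACL and reports which of the listed flows the DACL would block and whether the redirect ACL name matches the url-redirect-acl av-pair. The 80.0.80.2 address is the post's own placeholder for the ISE node; the DNS server and web host addresses are constructed for the checks.

```python
import re
from collections import namedtuple

ISE_IP = "80.0.80.2"  # ISE PSN placeholder address used in the post
PORT_NAMES = {"www": "80", "domain": "53", "bootps": "67", "bootpc": "68"}
Ace = namedtuple("Ace", "action proto src src_port dst dst_port")
# Constructed copies of the preposture DACL (step 3) and redirect ACL (step 4).
SAMPLE_DACL = """\
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
deny ip any any
"""
SAMPLE_REDIRECT_ACL = """\
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
"""

def _endpoint(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' at tokens[i]."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        addr, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = PORT_NAMES.get(tokens[i + 1], tokens[i + 1]), i + 2  # names -> numbers
    return addr, port, i

def parse_acl(text):
    """Parse permit/deny entries of a Cisco extended ACL (remarks, header, '-->' notes skipped)."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("-->")[0].strip()
        if not line or line.startswith(("remark", "ip access-list", "!")):
            continue
        tokens = line.split()
        src, src_port, i = _endpoint(tokens, 2)
        dst, dst_port, _ = _endpoint(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, src_port, dst, dst_port))
    return aces

def lookup(aces, proto, src_port, dst, dst_port):
    """First-match verdict for one flow, the way the switch evaluates the ACL."""
    for ace in aces:
        if ace.proto not in (proto, "ip") or ace.dst not in (dst, "any"):
            continue
        if ace.src_port not in (None, src_port) or ace.dst_port not in (None, dst_port):
            continue
        return ace.action
    return "implicit-deny"

def check_dacl(dacl_text, ise_ip, dns_ip="198.51.100.53"):
    """Return the step-3 flows the DACL fails to permit (empty list = OK); dns_ip is constructed."""
    aces = parse_acl(dacl_text)
    flows = {
        "DHCP": ("udp", "68", "255.255.255.255", "67"),
        "DNS": ("udp", None, dns_ip, "53"),
        "URL redirect tcp/443": ("tcp", None, ise_ip, "443"),
        "guest portal tcp/8443": ("tcp", None, ise_ip, "8443"),
        "posture tcp/8905": ("tcp", None, ise_ip, "8905"),
        "posture udp/8905": ("udp", None, ise_ip, "8905"),
        "posture udp/8906": ("udp", None, ise_ip, "8906"),
    }
    verdicts = {name: lookup(aces, *flow) for name, flow in flows.items()}
    problems = [f"{name}: {v}" for name, v in verdicts.items() if v != "permit"]
    if not aces or aces[-1] != Ace("deny", "ip", "any", None, "any", None):
        problems.append("DACL does not end with 'deny ip any any'")
    return problems

def check_redirect_acl(acl_text, ise_ip, expected_name="ACL-WEBAUTH-REDIRECT"):
    """Step 4: name must equal the url-redirect-acl av-pair value; ISE traffic must hit
    a deny (exempt from redirect) and other web traffic a permit (redirected)."""
    problems = []
    m = re.search(r"^\s*ip access-list extended (\S+)", acl_text, re.M)
    name = m.group(1) if m else None
    if name != expected_name:
        problems.append(f"ACL name {name!r} != url-redirect-acl {expected_name!r}")
    aces = parse_acl(acl_text)
    if lookup(aces, "tcp", None, ise_ip, "8443") != "deny":
        problems.append("traffic to the ISE node is not exempt from redirection")
    if lookup(aces, "tcp", None, "203.0.113.10", "80") != "permit":  # constructed web host
        problems.append("other web traffic is not matched for redirection")
    return problems
```

Feed it the DACL text copied from the ISE authorization profile and the output of show ip access-lists from the switch; an empty list from both functions means the entries the checklist asks for are present and not shadowed by an earlier deny.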
Added a Northbound SNMP Trap Receiver in Cisco PI 1.3, but not getting traps
Hi;
I tried going into the Administration, System Settings, Notification Receivers menu and adding a receiver. The receiver was our Zenoss 4.2.3 Resource Manager system. Zenoss has no problems receiving traps from IOS devices such as switches; that is routine for us. For example, we see snmpTrap_Linkdown events from 2960s, etc.
However, even with all the possible events and severities checked in the PI GUI for the receiver, we did not get anything.
As a quick test I added my desktop computer as a receiver and ran Wireshark. Nothing comes through from Cisco PI.
This is supposed to be UDP 162 stuff, so there ought not be a need for a handshake or need to permit anything on the receiver side. I would expect to see a total fire-hose of traps after the receiver is added. But that reasoning conflicts with the need to set the SNMP Community string for the Notification Receiver...
I downloaded the logs from Cisco PI and grepped through all of them for the IPs & names of the test receivers, but found no messages.
Any idea what might be wrong? Do I need to restart something after adding the receiver?
I did notice that even if I supply a fictitious IP and name for the receiver, after it is added the "Operational Status" still says "Up" ...
I sure wish NCS came with a better help system - I can't find anything in the Cisco config guides that explains what a "Northbound" receiver is.
So confused,
Steve
Hi Matt, thanks for taking the time to reply.
>> Not sure why you are trying to do this with PI, this is really more of an ISE function
We don't have ISE and won't be getting it ... still trying to afford the > $100K for PI licenses. Our Content Filter vendor suggested using PI.
>>Is PI set to forward traps for client authentication?
I have all traps and severities checked. Not sure why last week nothing showed up in Wireshark. Today I am seeing some UDP info from PI hitting my test workstation. However, when I associate and disassociate my laptop, nothing comes through. Most of what I see are rogue notifications.
>> Are the controllers that PI is managing also set to forward the same traps?
In Configure, Controllers, Management, TrapControl, all possible boxes are checked.
>> Is PI configured correctly to forward the traps you want?
Please see answer above.
>> Does your content filter have the right MIBs to decipher the traps correctly?
The content filter vendor says they will customize their software as needed, but the first step is to see traps getting forwarded, and right now, it appears that PI is not forwarding what I would expect from the GUI settings. Let's worry about MIB stuff after we are getting the raw trap data.
Thanks,
Steve
Message was edited by: Stephen Crye, elaborated & provided latest info. -
Cisco ISE - Reauthentication of client if server becomes alive again
Dears,
I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
The thing is that I want to reauthenticate the client once the ISE server becomes alive again, but I am not able to (the "Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN).
Below is the switch port configuration:
interface FastEthernet0/5
switchport access vlan 240
switchport mode access
switchport voice vlan 156
authentication event server dead action authorize vlan 240
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
Anyone can help?
Regards,
Please check whether the switch is dropping the connection or the server.
Symptoms or Issue
802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
Conditions
This applies to user sessions that have logged in successfully and are then being terminated by the switch.
Possible Causes
•The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.
•The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.
•Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
Resolution
•Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE.
•Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
•Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication -
Clients not getting DHCP in VRF
Good morning -
We have devices in the global routing table (not in a VRF) getting DHCP addresses without issue. The SVI is configured as such:
interface Vlan2301
description BLUE
ip address 172.19.68.1 255.255.255.0
ip helper-address 10.4.16.222
interface Vlan2512
description RED
vrf forwarding RED
ip address 10.217.5.1 255.255.255.0
ip helper-address 10.4.16.222
Clients in BLUE are getting DHCP but clients in RED are not. If I statically assign an address I have connectivity and can reach the DHCP server (which is also DNS server; with a static IP in VLAN 2512 I can do name resolutions for example).
I am at a bit of a loss. Is there anything special I need to do for VRF IP HELPER-ADDRESS configuration? A capture on my firewall interface shows the DHCP server is trying to reply - it is like the helper-address is not forwarding the dhcp reply (or is not getting it)
11:11:52.915180 IP (tos 0x0, ttl 254, id 17478, offset 0, flags [none], proto UDP (17), length 337)
10.217.5.1.67 > 10.4.16.222.67: BOOTP/DHCP, Request from xx, length 309, hops 1, xid 0xb53a220c, Flags [none]
Gateway-IP 10.217.5.1
Client-Ethernet-Address xx [|bootp]
11:11:52.918761 IP (tos 0x0, ttl 124, id 28096, offset 0, flags [none], proto UDP (17), length 344)
10.4.16.222.67 > 10.217.5.1.67: BOOTP/DHCP, Reply, length 316, xid 0xb53a220c, Flags [none]
Your-IP 10.217.5.12
Server-IP 10.4.16.222
Gateway-IP 10.217.5.1
Client-Ethernet-Address xx [|bootp]
Any ideas?
Good morning -
I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
(Core)
interface Port-channel5
description Distribution Uplink
no switchport
vnet trunk
ip dhcp snooping limit rate 100
ip address 172.20.68.1 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
spanning-tree guard root
(4500 Distribution)
interface Port-channel1
description Core Uplink
vnet trunk
ip arp inspection trust
ip address 172.20.68.2 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
The interfaces are all using LACP mode Active inside the channels
On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
interface Vlan2301
description Global Routing Table
ip address 172.19.68.1 255.255.255.0
ip helper-address 10.4.16.222
interface Vlan2512
description VRF
vrf forwarding RED
ip address 10.217.5.1 255.255.255.0
ip helper-address 10.4.16.222
DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
When both links are up and DHCP is failing for the VRF:
Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
Mar 10 20:02:10.474: DHCPD: using received relay info.
When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
Mar 10 20:04:41.369: DHCPD: client's VPN is .
Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
03.05.01.E is the code we are running on the 4500X-32 (SFP+).
This is also with TAC but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment. -
Cisco 891 not getting IP address with DHCP with latest IOS
Hi,
I have a few Cisco 891 routers that are configured as DHCP clients on the WAN interface.
For some reason when I boot the router with a late IOS, the router is not receiving an address.
It works just as expected with the older IOSes.
Any ideas of what changed?
This is how the interface is configured:
interface FastEthernet8
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
This IOS does not work:
c890-universalk9-mz.154-3.M2.bin
While these do work:
c890-universalk9-mz.150-1.M7.bin
c890-universalk9-mz.151-2.T2.bin
c890-universalk9-mz.152-1.T1.bin
Doing a "show ip interface brief" shows that FastEthernet8 is unassigned with the affected IOS.
With the older IOSes there is an IP address.
I had to downgrade two routers due to this issue, and did not have plenty of time to troubleshoot.
Both of the routers are connected to DSL from the same ISP...
Anyone seen anything like this before?
Add another one to the list.
I have a MacBookPro3,1 that connects to WIFI no problem. It used to connect to ethernet when I originally bought it, however I've been using WIFI exclusively for the past 2 years.
Recently I had a need to connect via ethernet and it wouldn't work at home (Apple AirPort router). I next tried connecting via ethernet at a friend's house using a Linksys WRT54G, no dice either. I have the computer in the lab today (University Network) and I get the same error. 3 different locations, 3 different routers, all same problem. It used to connect to home and university networks over ethernet right away.
IP address assigned is 169.xxx.xxx.xxx - subnet - 255.255.0.0
no other info. It's showing up as connecting to the network, but unable to communicate with DHCP. It does work if I enter all of the information in manually.
At first I thought I had messed something up in networking preferences as I tend to play around with things a lot. However I did a complete system format and a fresh install of OS X Lion, and I still have the same problem, without any of my meddling around to confuse things.
What gives? -
IOS 8.x Apple users and CISCO ISE native supplicant provisioning not working
Hi there guys ,
I was wondering if anybody else have the following problem:
Apple iOS 8.x users are not able to register their devices on the ISE portal (native supplicant provisioning).
After they receive the redirection from the WLC, they freeze. Apple 7.x users have no problem.
ISE is version 1.2.1.198 patch 2. WLC is running 8.0.102.14.
Anybody experienced the same?
MB
I am also running ISE 1.2.1.198 patch 2 with 8.0.100. I am testing with an iPad running IOS 8.1. The device will register in the registration portal, but is not being classified as an IOS device within client provisioning, I believe. It is getting profiled as a workstation even though all Apple device profiles are enabled. I have an authorization policy for registered devices, and iPad, iPhone, IOS devices to gain access to the network without going through posture assessment. I then have my posture assessment authorization rules with Apple IOS devices set for a SSID native supplicant profile. I keep getting an error page on the iPad when connecting to the ISE SSID saying "Client Provisioning Portal ISE is not able to apply an access policy to your log-in session at this time. Please close this browser, wait approximately one minute, and try to connect again". It gives this message over and over. If I turn off the posture checking authorization profiles, the IOS device is selected as a rule further down, which tells me that ISE does not recognize it as an IOS device in the profiling or client provisioning.