Cisco ISE 1.2 single SSID
Hi there.
I wanna make a solution based on ONE ssid for BYOD non-corporate and the coporate endpoints. All BYOD devices will get limited internet access and corporate devices should get all access to the internal servers. How can I solve this one by one SSID?
Everything should be based on certificates. One for corporate device and one dedicated for BYOD devices.
Any design suggestions?
Please follow the design from
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_61_byod_provisioning.pdf
Similar Messages
-
I'm working on our ISE implementation and these are my two goals.
1. Single SSID for BYOD users and corporate managed systems.
Login to the NAC agent if not part of the domain (EX: windows laptop not part of the domain joins the SSID, goes through the self service portal, downloads NAC agent, must login to NAC agent whenever joining network with AD credentials)
AD login required to join this SSID, no guests allowed
2. Guest SSID
Guest login only - requires sponsor
web agent required for windows machine
AV required
Current AV definitions required
Are these goals attainable or am I better to go in a different direction is my first question.
Second, using the Cisco BYOD Smart Solution Guide (link at bottom of post) it mentions the single SSID as not being a complicated component but it only runs through the dual SSID solution, what settings are needed for a single SSID? I'm using Open + MAC Filtering but when the supplicant attempts to connect it doesn't work because it's looking for a WPA2 network with the same SSID name.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html
Single SSID is specifically mentioned here:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html#wp504735David,
What the documentation did was that it created a condition which does the check for the ssid in the access-request:
Guest_Authz is a user-defined simple authorization condition for guests accessing the Internet via Web authentication through the WLAN corresponding to the open guest SSID. It matches the following RADIUS AV pair from the Airespace dictionary:
Airespace-Wlan-Id - [1] EQUALS 1
So that when the user connects to the network they are connecting through the guest ssid in which this has the wlan id of 1. Either you can do that in your authorization rule right in the screenshot or you can create this condition under the policy elements tab.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE Single SSID BYOD - Windows Endpoint user experience
We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Adroid, and MAC OS endpoints using single SSID and Native supplicant provisiong seems to work fine with these endpoints. We are having issues with Windows clients. On Windows client, when the user selects the SSID, it is prompting for userid/password, but never gets a pop-up for server certificate. We are using a third party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.
12511
EAP
Unexpectedly received TLS alert message; treating as a rejection by the client
While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
Warn -
ISE and Selfservice with single SSID
Hi, i have:
WLAN 2504 Controller with 7.2 Software
ISE 1.1.2
A single SSID with 802.1x Authentication
Today the wireless users are authenticated against an cisco acs. I want to switch to the ISE and make use of the mydevices portal. I want to re-use my single SSID and don't want to make any provisioning.
- The user connects to the single SSID
- The user configures peap authentication on his device
- The user authenticates to a ldap directory with username and password
- After successfull authentication the user will be redirected to the mydevices portal
- he logs in with his ldap credentials
- the mac address of his current device is listed in the mydevice portal
- user adds his device to the known devices list
- manual reconnect to my ssid
Is this possible with ISE? Is there a howto out there with exact this scenario?
Kind regardsHello Andreas,
WLC 2504 supports CWA, CoA & dACL.
This wireless controller also supports MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like. So it should fulfill your requirement and you can use single SSID.
For more detailed help review “Universal WLC Configuration Guide” & “ISE 1.1.x Network Component Compatibility” at the following location:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf
http://www.cisco.com/en/US/partner/docs/security/ise/1.1.1/compatibility/ise_sdt.html
Regards,
Ashok -
Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?
Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and setup a certain configuration. I'm trying to figure out how to create what amounts to a BYOD dmz'd wireless network that is PEAP based (or tls) but authenticates known users (employees from AD groups) but for users not found in those AD groups uses the internal user database and/or Web Auth? Make sense?
So, I of course can get the Authentication/Authorization policies configured for PEAPTLS and make to AD based on group and provide a VLAN number. No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same ssid? I know by reading the ISE statement that the authentication policy if PEAP/TLS, ect is used, then a user not found is rejected and does not continue... Can someone provide an example as to how to accomplish this?
As a side note in 1.2, is there the ability to limit the number of consective logins as in ACS, outside of guess access only? What about in 1.3, which makes me nervous to upgrade in reading the instructions and the 'newness' of it.
Thank you for any help, it's greatly appreciated.I'd like to confirm if the required changes in the VM server were
made, as there are a few changes in the ISE OS. The changes required are
listed in the release notes, under "VMware Operating System to be
Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
Other causes can be :-
certificate issue on ISE or not enough disk space. -
Hi,
I have a weird problem; after a guest user account has been created on Cisco ise 1.1.4 patch 8; when the guest user is redirected to the ise guest portal; the first login is always unsuccessful. Upon entering the login credential and password correctly; the client would be redirected to the same login page. Upon retrying the process a few times; it would succeed after 2-3 times.
On the ise authentication; I see a guest authentication error; "Guest Authentication Failed : 86020: Unknown exception" with only a single step seen on the logs for troubleshooting "5431 Guest Authentication Failed"
I would like to check if anyone has seen such an issue/behaviour?
Any suggestions is appreciated.
Thanks.No it doesn't, you can test the same , while editing the wireless SSID profile, opting authentication method as smart card other than PEAP/EAP.
-
Multiple domains authentication on Cisco ISE
Hi,
Does the current Cisco ISE supports for authenticating on multiple Active Directories ?
I can only set Cisco ISE to join on single active directory and LDAP
Does anyone have set Cisco ISE to support EAP-FAST with WPAD or PAC provisioning ?
Thanks
PongsatornHi,
We are into a situation where we need to authenticate users of two domains and these two domains are completely independent (no common DNS server). ISE is not able to resolve one of the domain using the DNS server settings and Adding a host entry for the domain name is not sufficient since Kerberos, GC and LDAP SRVs need to be resolvable as well.
From what I know ISE 1.3 should supports disjointed domains and there is no requirement for ISE to have 2 way trust relationship with domains.
Please share your experience if someone has faced similar situation before.
Regards,
Akhtar -
Cisco ISE 1.2 - BYOD Guest Access Error with Certificate
Hi all !
I'm running on Cisco ISE 1.2. I'm trying to setup BYOD (dual SSID).
Here's a walkthrough of what's happening:
1. I connect to open SSID, enter username/password and register MAC
2. I download WinSPwizard, get trust root CA but WinSPwizard error
This is spwprofilelog
[Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61 8a 2d 81 88 da 8a a2 ca
da d3 ab e8
] as rootCA
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
[Wed Oct 01 11:27:29 2014] Failed to generate scep request. Error code:
[Wed Oct 01 11:27:29 2014] ApplyCert - End...
[Wed Oct 01 11:27:29 2014] Failed to configure the device.
[Wed Oct 01 11:27:29 2014] ApplyProfile - End...
[Wed Oct 01 11:27:32 2014] Cleaning up profile xml: success
This is SCEP RA profiles
Other Cert
ACL On WLC
and policy
Please help me fix error.
Thanks.you could create an ISE local user with a GUEST membership and provided you have your ISE password policy set so that it doesn't expire accounts, etc it would be a "permanent" guest account. we do something similiar. sponsors make temporary accounts while long-term or test guest accounts are created in the ise local identity store as guests and are processed the same way. you just have to ensure that the internal user store is part of your guest identity source sequence.
-
Cisco ISE 1.2 & Cisco WLC 5508 v7.6
Hi all,
we are planning to upgrade our WLC to 7.6 to fix a bug with FlexConnect Client ACLs but I have just seen on the Cisco ISE Compatibility table that the it only recommends up to v7.5 of the WLC 5508...
Cisco have told me to steer clear of 7.5 as it is in a defferred status, so does anyone know, or have running in a lab or production, ISE1.2 with a 5508 WLC v7.6 NAD ?
I would much rather know of any issues people are experiencing before hand than to have to go through a software upgrade and then rollback.
Thanks all
Mario De RosaHi Neno,
right I have this almost working now.
I have simplified the setup. I am not going to do any client provisioning at the moment.
So I can connect to the corporate SSID using EAP-TLS and I can successfully push the branch data VLAN upon successful authorisation.
Now I am trying to introduce the posture element & per user ACLs.
I have defined the redirect ACL & Flex ACL on the vWLC however the NAC agent will not pop-up. The client is in the right VLAN and the redirect ACL seems to be getting applied as the client does get an IP through DHCP. However, the client cannot ping the ISE or access the guest portal when I open the browser.
DNS resolution seems to be working fine.
VLAN220 is my datacentre VLAN which the Management Interface on the controller is plugged in to.
VLAN10 is the branch DATA VLAN.
below is some output to give you some more details...
(Cisco Controller) >show client detail 00:24:d6:97:b3:be
Client MAC Address............................... 00:24:d6:97:b3:be
Client Username ................................. [email protected]
AP MAC Address................................... 18:33:9d:f0:21:80
AP Name.......................................... test-flex-ap
AP radio slot Id................................. 0
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 18:33:9d:f0:21:81
Connected For ................................... 128 secs
Channel.......................................... 6
IP Address....................................... 10.130.130.120
Gateway Address.................................. 10.130.130.1
Netmask.......................................... 255.255.255.0
IPv6 Address..................................... fe80::f524:1910:69f0:9482
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
--More-- or (q)uit
Re-Authentication Timeout........................ 1651
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... OFF
Current Rate..................................... m13
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
............................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. POSTURE_REQD
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ POSTURE_REDIRECT_ACL
AAA Override ACL Applied Status.................. Yes
--More-- or (q)uit
AAA Override Flex ACL Name....................... POSTURE_REDIRECT_ACL
AAA Override Flex ACL Applied Status............. Yes
AAA URL redirect................................. https://pdc-ise-man01.kier.group:8443/guestportal/gateway?sessionId=c8dc800a00000005b3e7e953&action=cpp
Audit Session ID................................. c8dc800a00000005b3e7e953
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Yes
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... EAP-TLS
FlexConnect Data Switching....................... Local
--More-- or (q)uit
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
Quarantine VLAN.................................. 0
Access VLAN...................................... 220
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 10
Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 33698
Number of Bytes Sent....................... 19397
Total Number of Bytes Sent................. 19397
--More-- or (q)uit
Total Number of Bytes Recv................. 33698
Number of Bytes Sent (last 90s)............ 19397
Number of Bytes Recv (last 90s)............ 33698
Number of Packets Received................. 283
Number of Packets Sent..................... 147
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 53
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 2
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -42 dBm
Signal to Noise Ratio...................... 41 dB
Client Rate Limiting Statistics:
--More-- or (q)uit
Number of Data Packets Recieved............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Recieved.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Recieved........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Recieved.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
test-flex-ap(slot 0)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -37 dBm
test-flex-ap(slot 1)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -54 dBm
--More-- or (q)uit
DNS Server details:
DNS server IP ............................. 10.0.17.31
DNS server IP ............................. 10.0.17.43
Assisted Roaming Prediction List details:
Client Dhcp Required: False
Allowed (URL)IP Addresses
(Cisco Controller) >
(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... Demo1x
Network Name (SSID).............................. Demo1x
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Enabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
--More-- or (q)uit
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... mario-test-flex-vwlc
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
--More-- or (q)uit
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
--More-- or (q)uit
Radius Servers
Authentication................................ 10.0.16.111 1812
Accounting.................................... 10.131.16.111 1813
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
--More-- or (q)uit
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
--More-- or (q)uit
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Disabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
--More-- or (q)uit
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy Name
(Cisco Controller) >
when debugging the client during redirect, this is the output and I cannot spot anything wrong here...
(Cisco Controller) >*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Adding mobile on LWAPP AP 18:33:9d:f0:21:80(1)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Association received from mobile on BSSID 18:33:9d:f0:21:8e
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Re-applying interface policy for client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying site-specific Local Bridging override for station 00:24:d6:97:b3:be - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Local Bridging Interface Policy for station 00:24:d6:97:b3:be - vlan 220, interface id 0, interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Processing RSN IE type 48, length 22 for mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Received RSN IE with 0 PMKIDs from mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Updating AID for REAP AP Client 18:33:9d:f0:21:80 - AID ===> 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Central switch is FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfMsAssoStateInc
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Idle to Associated
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2:session timeout forstation 00:24:d6:97:b3:be - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Sending Assoc Response to station on BSSID 18:33:9d:f0:21:8e (status 0) ApVapId 2 Slot 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Associated to Associated
*spamApTask6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sent 1x initiate message to multi thread task for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Connecting state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sending EAP-Request/Identity to mobile 00:24:d6:97:b3:be (EAP Id 1)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received Identity Response (count=1) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Resetting reauth count 1 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be EAP State update from Connecting to Authenticating for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticating state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=214) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be WARNING: updated EAP-Identifier 1 ===> 214 for STA 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 214)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Allocating EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 214, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=215) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 215)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 215, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=216) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 216)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 216, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=217) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 217)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 217, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=218) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 218)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 218, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=219) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 219, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=220) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 220)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 220, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=221) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 221)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 221, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=222) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 222)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 222, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=223) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 223)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 223, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=224) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 224)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 224, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 225, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Processing Access-Accept for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 220
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Re-applying interface policy for client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 1 on mobile
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Inserting AAA Override struct for mobile
MAC: 00:24:d6:97:b3:be, source 4
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Creating a PKC PMKID Cache entry for station 00:24:d6:97:b3:be (RSN 2)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting MSCB PMK Cache Entry 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Adding BSSID 18:33:9d:f0:21:8e to PMKID cache at index 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: New PMKID: (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Client in Posture Reqd state. PMK cache not updated.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAP-Success to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Freeing AAACB from Dot1xCB as AAA auth is done for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Starting key exchange to mobile 00:24:d6:97:b3:be, data packets will be dropped
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Entering Backend Auth Success state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Received Auth Success while in Authenticating state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticated state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-key in PTK_START state (message 2) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be PMK: Sending cache add
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Freeing EAP Retransmit Bufer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central switch is FALSE
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Sending the Central Auth Info
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 13
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:POSTURE_REDIRECT_ACL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6166, Adding TMP rule
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255,
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 325,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP setting server from ACK (server 10.0.17.85, yiaddr 10.130.130.120)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 A
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Assigning Address 10.130.130.120 to mobile
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 Added NPU entry of type 2, dtlFlags 0x0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Pushing IPv6 Vlan Intf ID 0: fe80:0000:0000:0000:f524:1910:69f0:9482 , and MAC: 00:24:D6:97:B3:BE , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Link Local address fe80::f524:1910:69f0:9482 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
*DHCP Socket Task: Aug 12 10:58:28.581: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:28.589: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.959: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.967: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:01:59.153: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
Can you see any obvious reason why the NAC agent wont pop up?
Thanks
Mario -
Hi there.
I wanna setup Cisco ISE 1.2.1 solution for my wireless users.The solution will have 2 SSID.
SSID: Guest
This will be used with guest portal and self registration portal for guests. dedicated VLAN or dAcl will be applied
SSID:Employee
This will be used for all corporate devices with corporate machine certificates (EAP-TLS) corporate dAcl will be applied (permit ip any any)
This will also be used for BYOD devices. All devices that dosent have corporate machine certificate needs to authenticate by PEAP and MSCHAPv2. The device will go trough self provisiong process and gets BYOD certificate from dedicated BYOD CA server by SCEP. dAcl will be applied that only gives access to the internet.
I wanna hear about your experiences about this kind of setup. Pros and cons. What do you think?1. PEAP is definitely a protocol that is protected and secure. The difference from EAP-TLS is that it only requires a server-side certificate which is used to create the secure (TLS) tunnel. After the tunnel is build then credentials are passed via the inner method which is usually MS-CHAPv2:http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
2. Once authentication happens then wireless traffic encryption would be handled by the encryption method chosen on the WLC which is usually AES:
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard3. I don't have a configuration example that I can share since there are many different variables that can alter the configurations. For instance, certificate templates being used, AD structure, certificates used for PEAP, etc. Below are some sample documentations that I found on Cisco's site. They reference ACS but they should still give you a good idea on what is needed:http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113670-eap-authentication-00.html
https://supportforums.cisco.com/discussion/11567346/ise-and-eap-tlsI have also heard good things about Lab Minutes videos even though I have not watched them myself:http://www.labminutes.com/video/sec/ISE4. Yes, you can have ISE nodes communicate and sync over MPLS. You just need to make sure that you have enough bandwidth and that your round trip delay is less than 150ms5. I am not sure if it is possible NOT to show the guest credentials when registering for a guest account. I know they can be send via e-mail or sms but not aware of a way to prevent them from showing up on the screen.Thank you for rating helpful posts! -
Cisco ISE functionally and license
HI.
I wanna configure the following on Cisco ISE 1.2.1.
Self-registration portal for guests (SSID: guests)
802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSHAPv2)
Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionally.With plus license all the above items should work.
Here is what plus license supports:
Bring Your Own Device (BYOD)
Profiling
Endpoint Protection Service (EPS)
TrustSec SGT
For more info, refer ISE license section:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
Regards,
Jatin Katyal
**Do rate helpful posts** -
Strip @domain on LDAP Integration with Cisco ISE?
Hi there ,
I got a WLC conntect with a Cisco ISE. There are two SSID authenticated against the ISE.
One SSID has AD-Integration as External Identity Source, the other SSID is authenticated through LDAP.
Authentication ist working fine.
When an user authenticates through LDAP, he/she has to enter "username@domain". The protocol is EAP-GTC.
How can I change the ISE that the user has only to enter "username" and the "@domain" part ist already set on the ISE?
Thansk a lot,
NorbertFrom the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
Strip start of subject name up to the last occurrence of the separator
Strip end of subject name from the first occurrence of the separator
Regards,
Jatin
Do rate helpful posts- -
Good morning everyone,
I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
If anyone already had this problem, maybe could tell me more about that.
Thanks in advance!Good news!
I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
Thanks all for your help !!!! -
Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
PaulHello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
Posture Assessment passed in Error using Cisco ISE
Hi all,
I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28days old.
We have 2 mandatory posture requirements,
1. Symantec Av MUST be installed
2. the AV definitions MUST be LESS THAN 28 days out of date
Currently, the machine I have is showing the AV defs as being 25th March 2013.
When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully meant meaning the endpoint is posture compliant. Clearly this is not the case though...!
Is there anything else I can check on the ISE to help debug this?
MarioHi,
You might have two problems:
1. In ISE you have a gobal setting regarding the unsupported NAC Agent clients (Android, etc) that specifies what is their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (ie ISE thinks that is not supported) will get a compliance status of compliant event though NAC Agent is installed and the rules are not satisfied.
2. NAC Agent version problem?
I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.
Check
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE) Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment, however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
Maybe you are looking for
-
Boot camp shows 'no bootable device...' on restart
Hi, have had my new Imac a week or so, late 2013 Intel based with new OS etc, working fine with the OS so decided to install Win7 using boot camp. The system in OS went fine, downloaded the drivers etc onto a USB stick, started the boot camp software
-
IDOC to Webservice (Async/Sync scenario)
Hi Experts, Can you please help me out need to design an SEnario IDOc to webservices useing SOAP. to External WEbservice, I need some step to design.and Need to validate VEndor Number in that. in External webservice. Reg's Raj
-
BIA_RegisterCalcValidationProgram Macro
I am using the BI Spreadsheet add-in for Oracle OLAP and I am able to write-back to my analytical workspace successfully but I have the following questions: Where is the BIA_RegisterCalcValidationProgram macro located and can this be used to compile
-
After installing the WCS upgrade to 7 to the wrong drive letter, I uninstalled it and reinstalled to the correct drive. I then restored the database backup and all looked ok. I noted that in the restore, I now had a System campus. Thought I would
-
Perfmon - Template use and WMI
Hi This post has two parts. 1. Perfmon allows you to save a datacollection set as a template, yet i could not find any place where this can be used / imported to be used again? Is there? What are they getting at ? (the reason relates to 2.) 2. WMI -