DACL format fo cisco ISE&ACS

Hi, could anyone direct me where can I fine DACL format fo cisco ISE?
Bacause when I use simple ACL like
permit tcp any 10.8.26.0 0.0.0.255 eq 3389
My ASA says in log:
Unable to install ACL '#ACSACL#-IP-standart_vpn-50fa79e7', downloaded for user krasnoperov_as; Error in ACE: 'permit tcp any 10.8.26.0 0.0.0.255 eq 3389'
But when I use
permit tcp any host 10.8.26.1 eq 3389
It Install it corrctly, why it happens?
thanks

Hi,
Because that is not correct extended access-list for ASA (bad mask), example:
ciscoasa(config)# access-list test extended permit tcp any 10.8.26.0 0.0.0.255 eq 3389
ERROR: IP address,mask <10.8.26.0,0.0.0.255> doesn't pair
You need to type correct extended ACL without "access-list name extended".
This should work fine:
ciscoasa(config)# access-list test extended permit tcp any 10.8.26.0 255.255.255.0 eq 3389
Remember about wildcard/netmask - it's not a router
More info with examples:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150860
Michal

Similar Messages

Cisco ISE - Reauthentication of client if server becomes alive again

Dears,
I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
Below is the switch port configuration:
interface FastEthernet0/5
switchport access vlan 240
switchport mode access
switchport voice vlan 156
authentication event server dead action authorize vlan 240
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
Anyone can help?
Regards,

Please check whether the switch is dropping the connection or the server.
Symptoms or Issue
802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
Conditions
This applies to user sessions that have logged in successfully and are then being terminated by the switch.
Possible Causes
•The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.
•The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.
•Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
Resolution
•Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.
•Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

Strip multiple @domain used in username on AD Integration with Cisco ISE?

Hi there ,
How to strip multiple domain suffixes from username through ISE with AD being used as external Identity Source. Username is being used in username@domain format.
Cisco ISE 1.2 patch 4 introduced strip prefix or suffix @domain realm from username through ISE with AD being used as external Identity Source. But the documentation is not updated for this feature. I am able to strip 1 domain suffix successfully but subsequent ones listed in the suffix list fails to get stripped.
Any thoughts on the same.
Thanks Kumar

In the ISE Under Administration > Identity Management > External Identity Sources
Choose Active Directory on the Left, Select your AD Server and select Advanced Settings
Under Identity Suffix Strip, Make sure Strip prefixes listed below: is selected (I know, it says prefix).
In the List of Suffixes box, enter your list of domain suffixes to strip. The separating character is a comma (,).
If this doesn't fix your issue, then I am afraid that a call to TAC may be in order.
*****UPDATE*****
Spaces are significant characters. When listing domains, do so as such:
@domain.com,@domain.local,@testdomain.com
*****END UPDATE*****
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
Message was edited by: Charles Moreton

Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
ciscoISE/admin(config)# snmp-server ?
community Set community string
contact    Text for mib object sysContact
host       Specify hosts to receive SNMP notifications
location   Text for mib object sysLocation
ciscoISE/admin(config)# snmp-server
Ciscoacs/admin(config)# snmp-server ?
community Set community string
contact    Text for mib object sysContact
host       Specify hosts to receive SNMP notifications
location   Text for mib object sysLocation
Ciscoacs/admin(config)# snmp-server

No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

Cisco ISE Date Format mm/dd/yyyy

We have implemented Cisco ISE Guest Portal and when we create a new account for a visitor the date format is mm/dd/yyyy.See attached file.
We have tried to change it through Administration/Settings/Language Template/English/Configure Time/Date Formats unfortunately with no results.
Is this a bug or i am not looking in the right place?
We are running Cisco ISE 1.2.

check CSCuj86793

Mac-Address Different format for Authorization on Cisco ISE

Dear All,
I have problem with my Cisco ISE,
This is the design :
ISE ---- Core Switch ---- 3Com Switch --- PC User
My Case:
Authorization is based on Mac-address and Active Directory,
But user with PC that connect to 3Com swtich is Deny by ISE because the Format Mac-address is different with Cisco,
Mac-address Cisco format : XX:XX:XX:XX:XX:XX
Mac-address 3Com format : XXXX-XXXX-XXXX
3Com Switch type is TRICOM 4210 26-PORT.
Anyone have experience with this? and how change the mac-address format in 3Com so user can authorized by Cisco ISE.
note:
authorization based on Active Directory is not problem with 3Com Switch.
Based on my experience, Different product is different format mac-address, so this case not only for 3Com Switch.
Thanks,
Arika Wahyono

I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3com switch point against that.
Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
PS- Keep in mind that my comments is just my opinion so you may need to open a TAC case for an official answer.
Tarik Admani
*Please rate helpful posts*

Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

Hi
Can Anybody can update whether ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
has succeed in command level accounting on Cisco ISE ..
Please update
Cisco ISE doesn't have TACACS feature ...

Command Accounting is a TACACS+ feature so not for ISE....yet.
However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory. The notify syslog is what sends it via syslog.
conf t
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end
wr mem
Remember, syslog is clear text :-) log away from user traffic when possible. Or use TLS based syslog when possible.
I hope you find this answer useful, if it was satisfactory for you, please mark the question as Answered.
Please rate post you consider useful.
-James

Cisco ISE 1.2.1 solution BYOD

Hi there.
I wanna setup Cisco ISE 1.2.1 solution for my wireless users.The solution will have 2 SSID.
SSID: Guest
This will be used with guest portal and self registration portal for guests. dedicated VLAN or dAcl will be applied
SSID:Employee
This will be used for all corporate devices with corporate machine certificates (EAP-TLS) corporate dAcl will be applied (permit ip any any)
This will also be used for BYOD devices. All devices that dosent have corporate machine certificate needs to authenticate by PEAP and MSCHAPv2. The device will go trough self provisiong process and gets BYOD certificate from dedicated BYOD CA server by SCEP. dAcl will be applied that only gives access to the internet.
I wanna hear about your experiences about this kind of setup. Pros and cons. What do you think?

1. PEAP is definitely a protocol that is protected and secure. The difference from EAP-TLS is that it only requires a server-side certificate which is used to create the secure (TLS) tunnel. After the tunnel is build then credentials are passed via the inner method which is usually MS-CHAPv2:http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
2. Once authentication happens then wireless traffic encryption would be handled by the encryption method chosen on the WLC which is usually AES:
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard3. I don't have a configuration example that I can share since there are many different variables that can alter the configurations. For instance, certificate templates being used, AD structure, certificates used for PEAP, etc. Below are some sample documentations that I found on Cisco's site. They reference ACS but they should still give you a good idea on what is needed:http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113670-eap-authentication-00.html
https://supportforums.cisco.com/discussion/11567346/ise-and-eap-tlsI have also heard good things about Lab Minutes videos even though I have not watched them myself:http://www.labminutes.com/video/sec/ISE4. Yes, you can have ISE nodes communicate and sync over MPLS. You just need to make sure that you have enough bandwidth and that your round trip delay is less than 150ms5. I am not sure if it is possible NOT to show the guest credentials when registering for a guest account. I know they can be send via e-mail or sms but not aware of a way to prevent them from showing up on the screen.Thank you for rating helpful posts!

Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling

Hi All,
We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling
RADIUS Probe
SNMP Probe SNMP Trap HTTP Prob and DNS
2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
- Yellow mark issue -  Once authentication , posturing completed we are getting yellow mark on network drive but still we are able to connect to network
- Network Map Drive issue -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
Pranav

Hi Pablo ,
Please find below solutions
Yellow mark issue - - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
Regards
Pranav

Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?

Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and setup a certain configuration. I'm trying to figure out how to create what amounts to a BYOD dmz'd wireless network that is PEAP based (or tls) but authenticates known users (employees from AD groups) but for users not found in those AD groups uses the internal user database and/or Web Auth? Make sense?
So, I of course can get the Authentication/Authorization policies configured for PEAPTLS and make to AD based on group and provide a VLAN number. No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same ssid? I know by reading the ISE statement that the authentication policy if PEAP/TLS, ect is used, then a user not found is rejected and does not continue... Can someone provide an example as to how to accomplish this?
As a side note in 1.2, is there the ability to limit the number of consective logins as in ACS, outside of guess access only? What about in 1.3, which makes me nervous to upgrade in reading the instructions and the 'newness' of it.
Thank you for any help, it's greatly appreciated.

I'd like to confirm if the required changes in the VM server were
made, as there are a few changes in the ISE OS. The changes required are
listed in the release notes, under "VMware Operating System to be
Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
Other causes can be :-
certificate issue on ISE or not enough disk space.

Cisco ISE 1.2 & Cisco WLC 5508 v7.6

Hi all,
we are planning to upgrade our WLC to 7.6 to fix a bug with FlexConnect Client ACLs but I have just seen on the Cisco ISE Compatibility table that the it only recommends up to v7.5 of the WLC 5508...
Cisco have told me to steer clear of 7.5 as it is in a defferred status, so does anyone know, or have running in a lab or production, ISE1.2 with a 5508 WLC v7.6 NAD ?
I would much rather know of any issues people are experiencing before hand than to have to go through a software upgrade and then rollback.
Thanks all
Mario De Rosa

Hi Neno,
right I have this almost working now.
I have simplified the setup. I am not going to do any client provisioning at the moment.
So I can connect to the corporate SSID using EAP-TLS and I can successfully push the branch data VLAN upon successful authorisation.
Now I am trying to introduce the posture element & per user ACLs.
I have defined the redirect ACL & Flex ACL on the vWLC however the NAC agent will not pop-up. The client is in the right VLAN and the redirect ACL seems to be getting applied as the client does get an IP through DHCP. However, the client cannot ping the ISE or access the guest portal when I open the browser.
DNS resolution seems to be working fine.
VLAN220 is my datacentre VLAN which the Management Interface on the controller is plugged in to.
VLAN10 is the branch DATA VLAN.
below is some output to give you some more details...
(Cisco Controller) >show client detail 00:24:d6:97:b3:be
Client MAC Address............................... 00:24:d6:97:b3:be
Client Username ................................. [email protected]
AP MAC Address................................... 18:33:9d:f0:21:80
AP Name.......................................... test-flex-ap
AP radio slot Id................................. 0
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 18:33:9d:f0:21:81
Connected For ................................... 128 secs
Channel.......................................... 6
IP Address....................................... 10.130.130.120
Gateway Address.................................. 10.130.130.1
Netmask.......................................... 255.255.255.0
IPv6 Address..................................... fe80::f524:1910:69f0:9482
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
--More-- or (q)uit
Re-Authentication Timeout........................ 1651
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Power Save....................................... OFF
Current Rate..................................... m13
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
............................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. POSTURE_REQD
Policy Manager Rule Created...................... Yes
AAA Override ACL Name............................ POSTURE_REDIRECT_ACL
AAA Override ACL Applied Status.................. Yes
--More-- or (q)uit
AAA Override Flex ACL Name....................... POSTURE_REDIRECT_ACL
AAA Override Flex ACL Applied Status............. Yes
AAA URL redirect................................. https://pdc-ise-man01.kier.group:8443/guestportal/gateway?sessionId=c8dc800a00000005b3e7e953&action=cpp
Audit Session ID................................. c8dc800a00000005b3e7e953
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Yes
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... EAP-TLS
FlexConnect Data Switching....................... Local
--More-- or (q)uit
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
Quarantine VLAN.................................. 0
Access VLAN...................................... 220
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 10
Fast BSS Transition........................ Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 33698
Number of Bytes Sent....................... 19397
Total Number of Bytes Sent................. 19397
--More-- or (q)uit
Total Number of Bytes Recv................. 33698
Number of Bytes Sent (last 90s)............ 19397
Number of Bytes Recv (last 90s)............ 33698
Number of Packets Received................. 283
Number of Packets Sent..................... 147
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 53
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 2
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -42 dBm
Signal to Noise Ratio...................... 41 dB
Client Rate Limiting Statistics:
--More-- or (q)uit
Number of Data Packets Recieved............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Recieved.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Recieved........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Recieved.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
test-flex-ap(slot 0)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -37 dBm
test-flex-ap(slot 1)
antenna0: 14 secs ago.................... -51 dBm
antenna1: 14 secs ago.................... -54 dBm
--More-- or (q)uit
DNS Server details:
DNS server IP ............................. 10.0.17.31
DNS server IP ............................. 10.0.17.43
Assisted Roaming Prediction List details:
Client Dhcp Required: False
Allowed (URL)IP Addresses
(Cisco Controller) >
(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... Demo1x
Network Name (SSID).............................. Demo1x
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Enabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
--More-- or (q)uit
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... mario-test-flex-vwlc
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
--More-- or (q)uit
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
--More-- or (q)uit
Radius Servers
Authentication................................ 10.0.16.111 1812
Accounting.................................... 10.131.16.111 1813
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
--More-- or (q)uit
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
--More-- or (q)uit
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Disabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
--More-- or (q)uit
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy Name
(Cisco Controller) >
when debugging the client during redirect, this is the output and I cannot spot anything wrong here...
(Cisco Controller) >*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Adding mobile on LWAPP AP 18:33:9d:f0:21:80(1)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Association received from mobile on BSSID 18:33:9d:f0:21:8e
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Re-applying interface policy for client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying site-specific Local Bridging override for station 00:24:d6:97:b3:be - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Applying Local Bridging Interface Policy for station 00:24:d6:97:b3:be - vlan 220, interface id 0, interface 'management'
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Processing RSN IE type 48, length 22 for mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Received RSN IE with 0 PMKIDs from mobile 00:24:d6:97:b3:be
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Updating AID for REAP AP Client 18:33:9d:f0:21:80 - AID ===> 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Central switch is FALSE
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfMsAssoStateInc
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Idle to Associated
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfPemAddUser2:session timeout forstation 00:24:d6:97:b3:be - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be Sending Assoc Response to station on BSSID 18:33:9d:f0:21:8e (status 0) ApVapId 2 Slot 1
*apfMsConnTask_7: Aug 12 10:58:24.013: 00:24:d6:97:b3:be apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 00:24:d6:97:b3:be on AP 18:33:9d:f0:21:80 from Associated to Associated
*spamApTask6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sent 1x initiate message to multi thread task for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Connecting state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be Sending EAP-Request/Identity to mobile 00:24:d6:97:b3:be (EAP Id 1)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.016: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Received Identity Response (count=1) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Resetting reauth count 1 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be EAP State update from Connecting to Authenticating for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticating state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.083: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=214) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be WARNING: updated EAP-Identifier 1 ===> 214 for STA 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 214)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be Allocating EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.086: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 214, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.090: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=215) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 215)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.091: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 215, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.095: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=216) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 216)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.096: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 216, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.100: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=217) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 217)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.101: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 217, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.105: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=218) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 218)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.106: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 218, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.110: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=219) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.111: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 219, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.115: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=220) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 220)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.116: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 220, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.352: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=221) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 221)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.354: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 221, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.359: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=222) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 222)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.360: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 222, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.365: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=223) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 223)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.366: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 223, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.371: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=224) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 224)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.372: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 224, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.375: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Processing Access-Challenge for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Entering Backend Auth Req state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Sending EAP Request from AAA to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.389: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAPOL EAPPKT from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Received EAP Response from mobile 00:24:d6:97:b3:be (EAP Id 225, EAP Type 13)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Resetting reauth count 0 to 0 for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.391: 00:24:d6:97:b3:be Entering Backend Auth Response state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Processing Access-Accept for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting web IPv4 Flex acl from 65535 to 65535
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Username entry ([email protected]) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be override for default ap group, marking intgrp NULL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 220
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Re-applying interface policy for client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 1 on mobile
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Inserting AAA Override struct for mobile
MAC: 00:24:d6:97:b3:be, source 4
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Station 00:24:d6:97:b3:be setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Creating a PKC PMKID Cache entry for station 00:24:d6:97:b3:be (RSN 2)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Resetting MSCB PMK Cache Entry 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Adding BSSID 18:33:9d:f0:21:8e to PMKID cache at index 0 for station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: New PMKID: (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Client in Posture Reqd state. PMK cache not updated.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAP-Success to mobile 00:24:d6:97:b3:be (EAP Id 225)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Freeing AAACB from Dot1xCB as AAA auth is done for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Found an cache entry for BSSID 18:33:9d:f0:21:8e in PMKID cache at index 0 of station 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: [0000] 6f d1 ce 84 08 74 41 a5 06 6b 89 02 c9 e9 f8 c8
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Starting key exchange to mobile 00:24:d6:97:b3:be, data packets will be dropped
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Entering Backend Auth Success state (id=225) for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be Received Auth Success while in Authenticating state for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.410: 00:24:d6:97:b3:be dot1x - moving mobile 00:24:d6:97:b3:be into Authenticated state
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Received EAPOL-key in PTK_START state (message 2) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be PMK: Sending cache add
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be EAPOL Header:
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00000000: 02 03 5f 00 .._.
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Sending EAPOL-Key Message to mobile 00:24:d6:97:b3:be
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be Reusing allocated memory for EAP Pkt for retransmission to mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:dc mscb->apfMsLradSlotId = 1 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsBssid = 18:33:9d:f0:21:80 mscb->apfMsAddress = 00:24:d6:97:b3:be mscb->apfMsApVapId = 2
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 220 mscb->apfMsLwappMwarInet.ipv4.addr = 176217288
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.414: 00:24:d6:97:b3:be mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 176325157 mscb->apfMsLwappLradPort = 9385
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-Key from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Stopping retransmission timer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Freeing EAP Retransmit Bufer for mobile 00:24:d6:97:b3:be
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central switch is FALSE
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Sending the Central Auth Info
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be EapolReplayCounter: 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 13
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2for this client
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 18:33:9d:f0:21:80 vapId 2 apVapId 2 flex-acl-name:POSTURE_REDIRECT_ACL
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6166, Adding TMP rule
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 ACL ID = 255,
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*apfReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Aug 12 10:58:24.418: 00:24:d6:97:b3:be 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask6: Aug 12 10:58:24.418: 00:24:d6:97:b3:be spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 325,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:24.546: 00:24:d6:97:b3:be DHCP setting server from ACK (server 10.0.17.85, yiaddr 10.130.130.120)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 18:33:9d:f0:21:80, slot 1, interface = 1, QOS = 0
IPv4 A
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206 Local Bridging Vlan = 220, Local Bridging intf id = 0
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be Assigning Address 10.130.130.120 to mobile
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Aug 12 10:58:24.548: 00:24:d6:97:b3:be DHCP success event for client. Clearing dhcp failure count for interface management.
*pemReceiveTask: Aug 12 10:58:24.548: 00:24:d6:97:b3:be 10.130.130.120 Added NPU entry of type 2, dtlFlags 0x0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Pushing IPv6 Vlan Intf ID 0: fe80:0000:0000:0000:f524:1910:69f0:9482 , and MAC: 00:24:D6:97:B3:BE , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
*IPv6_Msg_Task: Aug 12 10:58:25.330: 00:24:d6:97:b3:be Link Local address fe80::f524:1910:69f0:9482 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
*DHCP Socket Task: Aug 12 10:58:28.581: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 10:58:28.589: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.959: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:00:07.967: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
*DHCP Socket Task: Aug 12 11:01:59.153: 00:24:d6:97:b3:be DHCP received op BOOTREPLY (2) (len 308,vlan 220, port 1, encap 0xec03)
Can you see any obvious reason why the NAC agent wont pop up?
Thanks
Mario

Cisco ISE and SecurID Integration Questions

I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It apears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no-longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
Thanks!

The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
Have you already gone through the below listed link?
http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
Regards,
Jatin Katyal
- Do rate helpful posts -

Cisco ISE AD (Windows Server 2013) Authentication Problem

Background:
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Problem:
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
xxdc01.xx.com (10.21.3.1)
Pinged:0 Mins Ago
State:down
xxdc02.xx.com (10.21.3.2)
Pinged:0 Mins Ago
State:down
xxdc01.xx.com
Last Success:Thu Jan 1 10:00:00 1970
Last Failure:Mon Mar 11 11:18:04 2013
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Last Failure:Mon Mar 11 11:18:04 2013
Successes:25
Failures:11006
Domain Controller: xxdc02.xx.com:389
    Domain Controller Type: Unknown DC Functional Level: 5
    Domain Name:            xx.COM
    IsGlobalCatalogReady:   TRUE
    DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
    ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
Action Taken:
Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
2)     Tested wireless authentication using EAP-FAST but same problem occurs.
3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ISE
4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
5)     Tested wireless on different laptos and mobile phones with same error
6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
7)     Restarted ISE services
8)     Rejoin domain on Cisco ISE
9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
Other possibilities/action:
1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
Anyone out there experienced something similar of have any ideas on why this is happening?
Thanks.
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

Cisco ISE 1.2 - NFS Backup

I'm trying to use NFS to backup Cisco ISE on a schedule but I'm having difficulty. I'm not sure what the settings should be or the proper syntax.

Hello David,
Please share your ISE running configuration to find and verify syntex.
Source or destination URL for an NFS network server. Use url nfs://server:path1.
Server is the server name and path refers to /subdir/subsubdir. Remember that a colon (:) is required after the server for an NFS network server.
Also please reverify below required format:
The path must be valid and must exist at the time you create the repository. The following three fields are required depending on the protocol that you have chosen.
–ServerName—(Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.
–Username—(Required for FTP, SFTP, and NFS) Enter the username that has write permission to the specified server. Only alphanumeric characters are allowed.
–Password—(Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 through 9, a through z, A through Z, -, ., |, @, #,$, %, ^, &, *, (, ), +, and =.

Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul

Hello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again.

DACL format fo cisco ISE&ACS

Similar Messages

Maybe you are looking for