Frequent reauthentications with 4402 WLC

We're having an odd problem with web authentication on a 4402 WLC. Users have to reauthenticate several times before it seems to "stick." After logging in, they'll have to log in again after 2-5 minutes, and then possibly a few more times in the same kind of intervals (sometimes as few as 2-3 reauthentications, once as many as nine times).
Here's an odd wrinkle: we also have a 2106 controller, identically configured (as far as I can verify; they should have the same configuration, except for IP addresses of course). It's rock solid.
Both controllers are pointing to a Cisco ACS (the same one for both) for authentication, which in turn does an LDAP lookup.
Has anyone seen something like this? Digging into the WLC logs shows messages that the user failed authentication (note that the user never gives a bad username/password combo, so it looks as if something internal is forgetting the previous auth). Here's a sample line:
Apr 17 10:03:32.564 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user '<redacted>'
I also see a lot of messages like this, but again I have no idea if they're connected to my problem:
Apr 17 10:04:13.563 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
Apr 17 10:03:14.090 apf_foreignap.c:1285 APF-1-CHANGE_ORPHAN_PKT_IP: Changing orphan packet IP address for station00:<redacted> from <redacted> ---><redacted>
Apr 17 10:03:14.090 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:<redacted>
Any insights would be appreciated. Like I said, the fact that this setup is working fine on one WLC but not on the other is creating much head-scratching.
Thanks.
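As an added illustration (not part of the original post): the first thing I'd do with the controller log quoted above is stop reading it by eye and pull out, per user, how often the AAA-5-AAA_AUTH_NETWORK_USER failure repeats and at what interval, since the post describes a 2-5 minute reauth loop. The script below parses lines in the WLC message format shown above, groups failures per user, and flags users whose consecutive failures fall inside a short window. The log lines, usernames, address and the year (WLC timestamps carry none) are constructed for the example, not taken from the poster's controller.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the WLC messages quoted in the post.
# Usernames and the address are made up; the real log had them redacted.
SAMPLE_LOG = """\
Apr 17 10:00:05.001 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user 'alice'
Apr 17 10:03:14.090 apf_foreignap.c:1278 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB. MSCB still in init state. Address:10.0.3.50
Apr 17 10:03:32.564 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user 'alice'
Apr 17 10:07:10.200 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user 'alice'
Apr 17 10:45:00.000 aaa.c:1184 AAA-5-AAA_AUTH_NETWORK_USER: Authentication failed for network user 'bob'
this line is not a WLC message and is skipped
"""

# "Mon DD HH:MM:SS.mmm source.c:NNNN FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<msg>.*)$"
)
USER_RE = re.compile(r"network user '(?P<user>[^']*)'")
AUTH_FAIL = "AAA-5-AAA_AUTH_NETWORK_USER"


def parse_line(line, year=2009):
    """Return {'ts', 'mnemonic', 'msg'} for a WLC syslog line, or None if it does not match.
    WLC timestamps carry no year, so the caller supplies one (2009 is an assumed default)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "mnemonic": m["mnemonic"], "msg": m["msg"]}


def auth_failures_by_user(lines, year=2009):
    """Map each username to the sorted timestamps of its AAA_AUTH_NETWORK_USER failures."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec is None or rec["mnemonic"] != AUTH_FAIL:
            continue
        um = USER_RE.search(rec["msg"])
        if um:
            failures[um["user"]].append(rec["ts"])
    return {user: sorted(ts) for user, ts in failures.items()}


def reauth_loops(lines, window_sec=300, min_failures=3, year=2009):
    """Flag users whose failures repeat at short intervals, the pattern described in the post:
    at least `min_failures` failures whose consecutive gaps are at most `window_sec` seconds."""
    flagged = {}
    for user, times in auth_failures_by_user(lines, year).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        short_gaps = sum(1 for g in gaps if g <= window_sec)
        if len(times) >= min_failures and short_gaps >= min_failures - 1:
            flagged[user] = {"failures": len(times), "gaps_sec": gaps}
    return flagged


if __name__ == "__main__":
    for user, info in reauth_loops(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {info['failures']} failures, gaps {info['gaps_sec']} s")
```

Run it over the output of `show msglog` (or the syslog export) from both controllers: if the 4402 shows the same users looping while the 2106 does not, the difference is in the controller, not in the users' credentials, which is the point the original poster is making.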

I'll bet your 2106 is not running 5.148 code. My first suggestion is to not use the 5.x code in a production environment. If that is not feasible then find out why the session is failing to move into the RUN state. Is there some other requirement for the client? For example, did you enable the DHCP REQUIRED checkbox in the advanced WLAN settings?

Similar Messages

  • WCS with 4402 WLC?

    Is the WCS software necessary to manage a single 4402 WLC or is it just additional bells and whistles?
    Thanks - RV

    Hi Ron,
    You do NOT need the WCS to manage the WLC. We are running 3 WLC 4402-25's without the WCS. The WCS does add some nice functionality but it is not a must.
    Hope this helps!
    Rob

  • Help on Nokia E61i associating with Cisco WLC 4402

    I ran into some problems associating Nokia's dual-mode mobile phone E61i with a Cisco WLC 4402; I hope someone can help me with it:
    I set up a VOICE WLAN in the 4402 (v5.0.148); Layer 2 security is WPA1+WPA2, key management uses 802.1x, the WPA1 policy enables both TKIP and AES, and the RADIUS server is an ACS engine (v4.1.1.23) with PEAP-MSCHAPv2 enabled;
    I can use my laptop to join this WLAN (my laptop is configured with PEAP/MSCHAPv2, WPA-TKIP, not validating the server certificate), but I can't get the E61i to join it; each time it reminds me “unable to connect, WPA authenticate failed”.
    In the E61i, I select WPA/WPA2 as the WLAN security mode, enable EAP-PEAP, and under EAP-PEAP I enable EAP-MSCHAPv2; however, under Cipher there are a lot of options such as “RSA,3DES,SHA”, “RSA,AES,SHA”, but there is no TKIP. I have tried enabling all of them, and tried enabling only those items which include AES, but I failed each time with the same reminder “unable to connect, WPA authenticate failed”. I checked the ACS's failed log and there is no record; in the 4402 there is also no record.
    If I change the security to open or static WEP for the VOICE WLAN, then the E61i can connect to the WLAN.
    I think the problem may relate to encryption or certificates. Right now I am just doing the test in the lab, not in the customer's real environment, so I used ACS to generate a self-signed certificate and installed it in ACS.
    Please help point me to what I need to adjust to make it work. Thanks!

    Hello,
    CCKM Key Management mode on Nokia E61i phone can be used
    against Cisco LWAPP AP's with TKIP encryption
    Nokia E61i (and other E-series WLAN enabled phones) are supporting CCKM key management method with both dynamic WEP and TKIP ciphers.
    On the phone configuration, 802.1X security mode needs to be in use in order to enable CCKM support. WPA/WPA2 security mode on the phone is dedicated to standards based WPA and WPA2 methods and it does not allow usage of proprietary CCKM key management method.
    The phone's 802.1X security mode does not mean that the phone would only support the dynamic WEP encryption method in this mode, although in some contexts the term "802.1X" may be attached to pure dynamic WEP (legacy / pre-WPA era) security methods.
    802.1X security mode can be seen on Nokia E-series phones as sort of an "everything with EAP based authentication is allowed" mode, meaning that the following key management and cipher configurations are supported:
    - WPA-Enterprise  = WPA Key Management (EAP based authentication) with TKIP encryption
    - WPA2-Enterprise = WPA2 Key Management (EAP based authentication) with AES encryption
    - Mixed WPA/WPA2-Enterprise = I.e. WPA/WPA2 Mode Migration WPA2 Key Management (EAP based authentication) with AES (for unicast data) and TKIP (for multicast data) ciphers
    - 802.1X dynamic WEP = legacy (pre-WPA era) 802.1X based dynamic WEP (EAP based authentication with dynamic WEP encryption)
    Supported:
    - CCKM with WEP = CCKM Key Management (EAP based authentication) with dynamic WEP encryption
    - CCKM with TKIP = CCKM Key Management (EAP based authentication) with TKIP encryption
    Not supported:
    - CCKM with AES = CCKM Key Management (EAP based authentication) with AES encryption
    Please note that CCKM-AES mode (CCKM Key Management with AES cipher) is not working properly due to some incompatibilities between Cisco and Nokia implementations, thus it must not be listed as a supported combination on the current Nokia E-series devices. We are also seeing CCKM fast re-authentication failures with Cisco autonomous AP's when AES encryption is used, although initial authentication to autonomous AP's is successful. Nokia is currently working with Cisco to get CCKM-AES based authentications and roaming working properly with both LWAPP and autonomous Cisco AP's.
    Also note that Nokia E-Series does not support Cisco proprietary CKIP/CMIC encryption/data integrity methods. CKIP/CMIC is supported at least by Cisco autonomous AP's and it seems to be available also at least on LWAPP AP version 4.1.171.0.
     CCKM on E-Series devices has been tested against Cisco LWAPP (ver. 4.1.171.0) and it works when TKIP encryption is in use (WPA Policy + TKIP encryption in Cisco LWAPP configuration terms).
    In practice this means Cisco LWAPP is configured in the following manner: WLAN -> Edit -> Security ->
    Layer 2 Security = WPA+WPA2
    WPA+WPA2 Parameters:
    -WPA Policy = enabled
    -WPA Encryption = TKIP enabled, AES disabled
    -WPA2 policy = disabled
    -Auth.Key Mgmt = CCKM
    Br,
    -Pasi-

  • 4402 WLC & 1000 AP's

    I'm trying to setup my wireless in a test environment before putting in my production just to verify I know how to set it up. Here is what I have: 3560 switch/POE, 4402 WLC, & a 1000 AP.
    I plugged my AP into f0/1 of my switch and added it to VLAN 3. I assigned it an Ip address of 10.0.3.1
    I setup G0/1 to trunk to port 1 of the WLC. Native vlan 1 with no ip address assigned.
    On my WLC I setup a management port untagged assigned it IP address 192.168.1.184 with a gateway of 192.168.1.184.
    I setup ap-manager untagged with an IP address of 192.168.1.185, gateway 192.168.1.184
    I setup one interface "ccla_conf_net2" assigned it IP address 10.0.3.22 Vlan 3 with a gateway of 10.0.3.1
    Lag is disabled so I assigned all interface's to port 1.
    I can ping 10.0.3.22 and 10.0.3.1 but when I go into monitor on the WLC it's showing 0 AP's as being up. Plus my wireless laptop is not picking up the SSID "ccla_conf_net2"
    Do you have any clues as to what I'm doing wrong??

    First suggestion is that you may have forgotten to configure your "ccla_conf_net2" as being capable of dynamic AP management. Have you done that? Also, how did you get the IP address into the AP?

  • Frequent startup with question mark folder icon--a diagnostic challenge!!!

    I recently obtained a 500 MHz G4 Cube; I transplanted memory, video board, video riser board, and DVD/CD drive from my old (dead) 450 MHz G4 Cube (logic board and DC-DC board were fried) to the 500 MHz Cube AND I added a Western Digital 80 GB hard drive. The problem involves frequent startups with the question mark folder (Mac OS logo alternates with question mark). Eventually the system folder is found and OS 10.4.11 starts up--sometimes in 20 seconds and sometimes in 3, 4, 5 minutes or longer. I have tried 2 brand new batteries after numerous PRAM (via keyboard) and CUDA resets (depressing the CUDA button on the motherboard just once and then installing the new battery). The battery terminals in the Cube look perfect--no corrosion. With the new battery, startups were fine for a day but now 4 out of 5 times I will get the question mark folder. Using Disk Utility, I fixed any errant permissions and the hard drive checks out with zero problems. Once running, the Cube works great, but these startups are maddening. One other issue: if I start up with the G4 Cube 9.1 installation disc, the install program DOES NOT recognize any bootable discs, whilst starting up using the Tiger Upgrade install disc, my 2 bootable discs (partitions of my Western Digital hard drive) ARE recognized. Any ideas would be greatly welcome!!

    I believe I have solved the problem regarding the question mark startup---> after rechecking all cable connections to HD, OD, and logic board, I revisited the jumper setup on the HD; it turns out that I set the HD up to be the MASTER, but what I should have done was set the HD to be the MASTER with attached SLAVE. Since reconfiguring the jumper, all startups have so far been normal. Also, I did install OS 9 drivers, but the OS 9.1 install disc still does not recognize my 5 GB partition when starting up from the CD; this is minor in retrospect as I can still use Classic mode with an earlier version of OS X that does not hog so much disc space.

  • Is it possible to config H-REAP/REAP and CAPWAP in Autonomous mode with a WLC?

    I'm going to deploy all new APs as Remote-Edge APs and they will be shipped straight to site, with a pool of WLCs deployed in central DC locations. I would like to get local staff to deploy a basic CLI discovery script for the APs. However, I thought LAPs don't have a CLI???
    I'm thinking I must use a Lightweight AP with the WLC to use Remote-Edge AP functionality - however, I'm not sure... the configuration example at the bottom doesn't state whether it is an Autonomous AP or a Lightweight one.
    http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Could anyone help?
    Cheers
    Adrian.

    Hi Adrian,
    Further down in the doc you linked;
    H-REAP Controller Discovery using CLI commands
    H REAPs will most commonly discover upstream controllers via DHCP option 43 or DNS resolution. Without either of these methods available, it may be desirable to provide detailed instructions to administrators at remote sites so that each H REAP may be configured with the IP address of the controllers to which they should connect. Optionally, H REAP IP addressing may be set manually as well (if DHCP is either not available or not desired).
    This example details how an H REAP's IP address, hostname, and controller IP address may be set through the console port of the access point.
    AP_CLI#capwap ap hostname ap1130
    ap1130#capwap ap ip address 10.10.10.51 255.255.255.0
    ap1130#capwap ap ip default-gateway 10.10.10.1
    ap1130#capwap ap controller ip address 172.17.2.172
    Note: Access points must run the LWAPP-enabled IOS® Recovery Image Cisco IOS Software Release 12.3(11)JX1 or later, in order to support these CLI commands out of the box. Access points with the SKU prefix of LAP (for example, AIR-LAP-1131AG-A-K9), shipped on or after June 13, 2006 run Cisco IOS Software Release 12.3(11)JX1 or later. These commands are available to any access point that ships from the manufacturer running this code level, has the code upgraded manually to this level, or is upgraded automatically by connecting to a controller running version 6.0 or later.
    These configuration commands are only accepted when the access point is in Standalone mode.
    Cheers!
    Rob
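The thread asks for something local staff can type at the console at each remote site. An added example (my own, not from the thread or from Cisco): a small generator that turns a per-site table into the four capwap commands quoted above and refuses to emit a script whose addressing cannot work, so a typo in the table is caught centrally rather than by a site visit. The site table is constructed for the example; the first row reuses the addresses from the Cisco document, the others are made up. It checks only that the AP address, mask and gateway are consistent with each other; it cannot know whether the controller address is reachable from the site.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")


def hreap_cli_script(hostname, ap_ip, netmask, gateway, controller_ip):
    """Return the four capwap console commands for one H-REAP after sanity checks.
    Raises ValueError when the addressing cannot work, so a bad row never reaches a site."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname {hostname!r}")
    # ip_interface accepts a dotted-quad mask and rejects malformed addresses or masks
    iface = ipaddress.ip_interface(f"{ap_ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    ctrl = ipaddress.ip_address(controller_ip)
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must not be the AP's own address")
    if ctrl == iface.ip:
        raise ValueError("controller address must not be the AP's own address")
    return [
        f"capwap ap hostname {hostname}",
        f"capwap ap ip address {iface.ip} {net.netmask}",
        f"capwap ap ip default-gateway {gw}",
        f"capwap ap controller ip address {ctrl}",
    ]


# Constructed site table (hostname, AP IP, mask, gateway, controller). The first row
# reuses the addresses from the Cisco example; the other rows are deliberately wrong.
SITES = [
    ("ap1130",   "10.10.10.51",  "255.255.255.0", "10.10.10.1", "172.17.2.172"),
    ("site2-ap", "10.20.0.10",   "255.255.255.0", "10.20.1.1",  "172.17.2.172"),  # gateway off-subnet
    ("site3-ap", "10.30.0.255",  "255.255.255.0", "10.30.0.1",  "172.17.2.172"),  # broadcast address
]


def render_site_scripts(rows):
    """Validate every row; return {hostname: {'ok': True, 'commands': [...]}} or
    {hostname: {'ok': False, 'error': str}} so one bad row does not stop the rest."""
    out = {}
    for hostname, ap_ip, mask, gw, ctrl in rows:
        try:
            out[hostname] = {"ok": True, "commands": hreap_cli_script(hostname, ap_ip, mask, gw, ctrl)}
        except ValueError as exc:
            out[hostname] = {"ok": False, "error": str(exc)}
    return out


if __name__ == "__main__":
    for host, result in render_site_scripts(SITES).items():
        print(f"! {host}")
        if result["ok"]:
            print("\n".join(result["commands"]))
        else:
            print(f"! SKIPPED: {result['error']}")
```

Hand each site only its own four lines; as Rob notes, the AP accepts them only while it is in standalone mode, so the script is useless (and harmless) once the AP has joined a controller.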

  • Local printers not working with 2504 WLC

    I have a 2504 WLC with 3 1262 WAPs in lightweight mode.
    Clients connect using WPA2 PSK AES with no problem. Clients are Windows XP Home SP3. Test pages end up in the print queue and eventually get an error printing status. Clients are not part of a domain and are in a standalone workgroup - techstream.
    Printer can be pinged from wireless client.
    Another 1262N WAP in standalone mode connected to same lan from windows 7 sp1 clients have no problem printing to a local printer.
    What does work on the Windows XP Home client is connecting to a network shared printer authenticating with domain admin id and password and it works.  Reboot and the network shared printer can not connect multiple reasons are "access is denied" and message box says "only security tab will be displayed....."   Another Windows XP Home SP3 client on reboot can't open the network shared printer with message "Can't find printer"
    The local printers do work on these PCs with an old Colubris router that has an outside interface on our LAN and an internal network with clients getting a DHCP address from the Colubris router of 192.168.3.XXX.
    What is wrong with the wireless 2504 WLC?
    Thanks
    Broadcast forwarding was enabled.

    Although a cisco tech support was helpful in making sure multicasting was enabled and a multicast server defined, the problem was at the CP2025DN printer. It had old network ip mask and gateway configured on the printer.
    The new devices were part of the new network configuration (Mask and gateway had changed). I didn’t change that printer when I changed all the other printers at the facility because it was still active thru the old wireless network. I forgot to change the printer ip config when I brought the new wap on the new wireless network with the wlc 2504.
    End result was the clients were part of a different subnet and gateway configuration then the printer and this disrupted the communication between clients and the printer. Once I corrected the mask and gateway on the printer to be the same as the dhcp scope of the wireless network, communication and printing worked.
    Problem solved.  User error

  • While surfing the internet I get frequent stoppages with the notation "Shockwave Flash may be busy - - - - -" Why doesn't it say Adobe Flash and how do I get it fixed?

    The site will NOT let me post in the "flash player" forum. When I open the list of forums to post in, I see flash player listed, but it is grey in color and you can not click on it. Under the scroll box that gives you the choices of forums to post your question in you see this:
    "Why are some locations grayed out? This means that you can view content in these locations, but may not have access to post to them. Or, the content type you've chosen is not available there (i.e. trying to put a blog post in a project where blogs are turned off). Also to move content to "Your documents", "Private discussions" or "Your Videos" you have to be the author."
    So tell me HOW the hell am I supposed to post in that forum, when it is not letting me? I have had this problem since back in April, I have tried posting to get help and all I get is complaints I posted in the wrong place, and it is the SITE that is not letting me post in the right place.

  • 4402 WLC Trunk/STP Issue

    Hello,
    We have a few WLC's on our Network. The last WLC we deployed is having issues with connectivity. Persistent PING tests are showing drops every 20 packets or so. We noticed that the Mgt VLAN is flapping in STP.
    The WLC is connected to a 4506 switch in 10/100/1000 mode. Auto negotiation is on and the port on both sides is 1000/Full. We are having no issues with the other controllers.
    4506 port config:
    interface GigabitEthernet3/42
    description Trunk to nyc1-32-wlc-02
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,50-52
    switchport mode trunk
    VLAN 52 is the Mgt VLAN associated with the WLC. Any help would be appreciated. Thank you.
    John

    I connected Port 2 to 4506-2 and we're still having the same issue. It appears that the Mgt VLAN is being dropped from Spanning Tree.
    ICMP packets are OK:
    nyc1-32-4506-1#sh spanning-tree int gi3/42
    Vlan Role Sts Cost Prio.Nbr Type
    VLAN0001 Desg FWD 4 128.170 Edge P2p
    VLAN0050 Desg FWD 4 128.170 Edge P2p
    VLAN0051 Desg FWD 4 128.170 Edge P2p
    VLAN0052 Desg FWD 4 128.170 Edge P2p
    ICMP Packets time out:
    nyc1-32-4506-1#sh spanning-tree int gi3/42
    no spanning tree info available for GigabitEthernet3/42
    After 4 time outs, the SPT on the interface comes back up.
    nyc1-32-4506-1#sh spanning-tree int gi3/42
    Vlan Role Sts Cost Prio.Nbr Type
    VLAN0001 Desg FWD 4 128.170 Edge P2p
    VLAN0050 Desg FWD 4 128.170 Edge P2p
    VLAN0051 Desg FWD 4 128.170 Edge P2p
    VLAN0052 Desg FWD 4 128.170 Edge P2p
    nyc1-32-4506-1#
    Before we enabled spanning-tree trunk fast, we got several time-outs (7 - 9), now we only get 4 (with it enabled).
    Any idea? Thank you.

  • Is 1252G AP compatible with 5508 WLC

    hi,
    I want to know whether a 1252G AP can register with a 5508 WLC. From the datasheet the 5505 supports CAPWAP while the 1252 is LWAP. Kindly provide the link regarding the compatibility as well.
    Regards
    Nareh

    hi,
    I would also like to add that I will be using CAP 1552E (802.11N) outdoor APs with the 1252G AP. Is it possible that both LWAP and CAPWAP APs register with the same 5508 WLC?
    Regards
    Nareh

  • Steps to update a 4402 WLC from 4.2 to latest 7.x

    Greetings,
    We need to upgrade a 4402 wlc from 4.2 where it is now, to the most recent 7.x release.  I believe this is a 2 step process.  Does anybody know the correct steps to upgrade to?  Obviously we can't just jump straight to 7.x
    Thanks in advance!
    -Zach

    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp233853
    If you read the release notes a little more carefully, you will also see the following:
    4.2.130.0 or earlier 4.2 release
    Upgrade to 4.2.176.0 before upgrading to 7.0.116.0.
    4.2.173.0 or later 4.2 release
    You can upgrade directly to 7.0.116.0.
    Note If you upgrade from 4.2.176.0 to 7.0.116.0, the upgrade fails for the first time. The upgrade completes successfully when you upgrade again.
    4.2.209.0 or later 4.2 release
    You can upgrade directly to 7.0.116.0.
    Just keep the above in mind depending upon your 4.2 release.

  • I'm having frequent RSDs with my MacBook Pro 15" Core Duo Model A1150.

    I'm having frequent RSDs with my MacBook Pro 15" Core Duo Model A1150. Checked inside for dust around fans, etc., but none was visible. Laptop gets very warm, more so on the left side than right. Any suggestions for finding the problem & solutions?

    Using Apple Hardware Test
    Kelley Computing - Rember
    But it's covered by Apple's warranty - if you ask, they should erase & reinstall OS X then if it still panics without adding any 3rd party software, there has to be some problem with the computer.

  • Create a point to point link with a wlc 4402

    Hi to all,
    I have a WLC 4402 and I need to configure a point-to-point link with two AIR-LAP1310G-E-K9. I have found this link on cisco.com:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808e9c1b.shtml#zero
    but on the WLC configuration page I cannot find some of the configuration steps.
    Has someone configured this type of behaviour, or can anyone give me some hints?!
    How can I configure on the WLC the parameters for the bridge configuration?! Or must I configure the bridges overriding the global configuration?!
    Thanks and best regards,
    Carlo Sagratella.

    The correct thing to do would be to downgrade the 1310's to autonomous (or 1242's) and set up a root bridge and non-root bridge.
    Alternately however, if you REALLY wanted one of the points to be LWAPP, in theory you could always make one of the Access Points Autonomous and join it as a workgroup bridge to the LWAPP AP. However, there really is no reason to do that since it would be cleaner to convert both to autonomous.

  • Air Fortress Gateway and 4402 WLC

    All,
    I'm in the process of a demo/prototype using the Cisco lightweight products (4402 controllers w/ 1240 LAP), and using an Air Fortress gateway for Layer 2 authentication... I have 3 lightweight APs associated with the controller (running in Layer 3 mode is the only way to get the APs to talk to the controller), but when my test client loaded with the Air Fortress gateway associates with the Cisco AP, it's not able to acquire a DHCP address; the Air Fortress gateway does not let any traffic through... the Air Fortress gateway does allow connections through to the DHCP server if I associate to an Intermec AP, then I'm on the corporate network with Layer 2 FIPS 140-2 encryption via the Air Fortress gateway... anyone run into the same situation?

    hi,
    I am also facing a similar issue. I have a Fortress Secure Gateway AF2100 connected to VLAN 88 on a 6500 switch, of which one of the modules is a Wireless Services Module (2 WLC 4404s integrated on a module) configured in Layer 3 mode, and I have 1242 LWAP APs connected to the network. The Pocket PC gets associated to the SSID (which is clubbed to VLAN 88) but it is unable to ping the gateway's encrypted leg. When I sniffed the packets using Ethereal I am able to see that there is an exchange of packets between both MAC addresses (the MAC address of the Pocket PC and that of the encrypted leg), but the Pocket PC does not get registered and it shows no reply when a ping is initiated to the encrypted leg IP.
    I can also see that there is a sudden increase in the number of packets that are being decrypted by the Fortress when a ping is initiated by the Pocket PC.
    At the same time, if we remove the LWAPP technology and use autonomous APs in the same setup it works perfectly fine.
    What did you mean in your post about registering it with ACS? Are you referring to Cisco Secure Access Control Server here?

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure. I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS. Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!
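The three IETF attributes named in this thread (64 Tunnel-Type, 65 Tunnel-Medium-Type, 81 Tunnel-Private-Group-ID) are what the controller keys on for dynamic VLAN assignment, and "the attributes are in the debug but the client still lands on the management interface" is usually a value or encoding problem in that triple rather than a missing attribute. As an added example (mine, not from the thread, the ACS, or the WLC), here is a checker that encodes and decodes the attributes per RFC 2868 and RFC 3580 and reports what is wrong: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be IEEE-802 (6), the group ID must be a VLAN number, and tags must agree. It also handles the common edge case of a server that sends Tunnel-Private-Group-ID without a tag octet, which the RFC allows. The attribute lists and VLAN 52 are constructed; the WLC's own parser is not on the page, so treat the rule set as the standard's, not the controller's.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "IEEE 802" (RFC 2868)
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def tagged_int_attr(attr_type, value, tag=1):
    """RFC 2868 tagged integer: type, length=6, 1-byte tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string_attr(attr_type, text, tag=1):
    """RFC 2868 tagged string: type, length, 1-byte tag, string."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def parse_attrs(blob):
    """Split a RADIUS attribute list into (type, value) pairs; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError(f"truncated attribute header at offset {i}")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def split_tag(value):
    """Return (tag, body). RFC 2868: a leading octet above 0x1F is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_assignment(attr_blob):
    """Check that the attribute list carries a usable dynamic-VLAN triple.
    Returns {'vlan': int | None, 'problems': [str]}; vlan is set only when nothing is wrong."""
    found = {}
    for atype, value in parse_attrs(attr_blob):
        if atype in VLAN_ATTRS:
            found.setdefault(atype, split_tag(value))   # first instance wins
    problems, vlan = [], None

    if TUNNEL_TYPE not in found:
        problems.append("Tunnel-Type (64) missing")
    elif int.from_bytes(found[TUNNEL_TYPE][1], "big") != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type (64) is not VLAN (13)")

    if TUNNEL_MEDIUM_TYPE not in found:
        problems.append("Tunnel-Medium-Type (65) missing")
    elif int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1], "big") != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type (65) is not IEEE-802 (6)")

    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-ID (81) missing")
    else:
        text = found[TUNNEL_PRIVATE_GROUP_ID][1].decode("ascii", "replace")
        if text.isdigit() and 1 <= int(text) <= 4094:
            vlan = int(text)
        else:
            problems.append(f"Tunnel-Private-Group-ID {text!r} is not a VLAN number 1-4094")

    tags = {tag for tag, _ in found.values() if tag}     # tag 0 means untagged; ignore it
    if len(tags) > 1:
        problems.append(f"tag mismatch across attributes: {sorted(tags)}")

    return {"vlan": vlan if not problems else None, "problems": problems}


# Constructed attribute lists standing in for an Access-Accept body (VLAN 52 is made up).
USER_NAME = struct.pack("!BB", 1, 7) + b"alice"                      # unrelated attribute, skipped
GOOD = USER_NAME + tagged_int_attr(64, 13) + tagged_int_attr(65, 6) + tagged_string_attr(81, "52")
UNTAGGED_GID = tagged_int_attr(64, 13) + tagged_int_attr(65, 6) + struct.pack("!BB", 81, 4) + b"52"
MISSING_MEDIUM = tagged_int_attr(64, 13) + tagged_string_attr(81, "52")
WRONG_TAG = tagged_int_attr(64, 13) + tagged_int_attr(65, 6, tag=2) + tagged_string_attr(81, "52")

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("UNTAGGED_GID", UNTAGGED_GID),
                       ("MISSING_MEDIUM", MISSING_MEDIUM), ("WRONG_TAG", WRONG_TAG)]:
        print(name, vlan_assignment(blob))
```

Feed it the attribute bytes of a captured Access-Accept (a packet capture between controller and ACS, or the attribute dump from the WLC's AAA debug) and compare the result with what the client actually got; a clean triple that still lands on the management interface points at the WLAN's override setting or a VLAN with no matching dynamic interface on the controller, which is what the poster was left checking.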
