ISE and dhcp snooping

Hi all,
The ISE configuration validator says we should have DHCP snooping enabled on our network access devices (switches) so we do it. However I have never understood what this accomplishes. (In terms of ISE/NAC. I understand what DHCP snooping is).
Can anyone explain? Thanks.

Thanks for the reply, Vattulu.
Interesting article/section, but I don't see where it says anything about the relationship between dhcp snooping and profiling. It seems to be talking about the use of dhcp snooping option 82 to convey the 802.1x user info to the dhcp server. The dhcp server can then act on this information to assign specific IPs to specific users. I can see how ISE would get this information via ip-helper or maybe by snmp bulk query, but don't understand how that would assist with profiling. I mean, ISE already has the 802.1x user identity from the radius request, right? Maybe you can enlighten me.
Googling around I found this article/section:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/user_guide/ise_user_guide/ise_sw_cnfg.html#wp1059679
which seems to imply that dhcp snooping info can be used when applying DACLs. Interesting, because I thought that was based on the ip device tracking table only. But, it says that dhcp snooping is optional, and doesn't go into any detail.
Still digging, I would like to understand this. Thanks for your help.

Similar Messages

  • How to synchronize between DHCP binding table and DHCP snooping table ?

    I clear DHCP snooping table with command "clear ip dhcp snooping binding " , and PC can't communicate with other any more. So how to synchronize between DHCP binding table and DHCP snooping table ?
    dhcp-test#sh ip dhcp bind
    IP address Client-ID/ Lease expiration Type
    Hardware address
    99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
    99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
    dhcp-test#sh ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    Total number of bindings: 0
    thanks!

    ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
    Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
    Enter the above command for each entry that you add
    To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.To renew the database, use the renew ip dhcp snooping database privileged EXEC command.

  • Catalyst 3750E's and DHCP Snooping

    I am using on our perimeter Catalyst 3750E's and 4500 series switches and I have DHCP Snooping enabled.  Each switch has redundant Layer 3 10Gb uplinks back to our Core/Distribution switches.  We have a central DHCP server and each switch writes its snooping database back to a central TFTP server.
    This was working fine until we upgraded our Active Directory domain to a 2008 domain, with our DHCP server now residing on a Windows 2008R2 server.
    Since the upgrade all 12 stacks of 3750E's will no longer write of the dhcp snooping database.
    show ip dhcp snooping database
    Agent URL : tftp://<path>
    Write delay Timer : 3600 seconds
    Abort Timer : 300 seconds
    Agent Running : No
    Delay Timer Expiry : 17 (00:00:17)
    Abort Timer Expiry : Not Running
    Last Succeded Time : None
    Last Failed Time : None
    Last Failed Reason : No failure recorded.
    Total Attempts       :        0   Startup Failures :        0
    Successful Transfers :        0   Failed Transfers :        0
    Successful Reads     :        0   Failed Reads     :        0
    Successful Writes    :        0   Failed Writes    :        0
    Media Failures       :        0
    All of the 4500's (5 of them) however still work as they did prior to the upgrade.
    show ip dhcp snooping database
    Agent URL : tftp://<path>
    Write delay Timer : 3600 seconds
    Abort Timer : 60 seconds
    Agent Running : No
    Delay Timer Expiry : 2737 (00:45:37)
    Abort Timer Expiry : Not Running
    Last Succeded Time : 07:18:07 EDT Wed Jun 15 2011
    Last Failed Time : None
    Last Failed Reason : No failure recorded.
    Total Attempts       :       13   Startup Failures :        0
    Successful Transfers :       13   Failed Transfers :        0
    Successful Reads     :        0   Failed Reads     :        0
    Successful Writes    :       13   Failed Writes    :        0
    Media Failures       :        0
    Is this a software bug and has anybody else seen this after upgrading to a Windows 2008 AD domain?

    well i found this 
    When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all 
    ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP 
    snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets
    We dont do arp acl 
    Here is a little infor on the setup on 6500 
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs: Q,W,E,RT,TY,Y
    Insertion of option 82 is enabled
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    Interface                    Trusted     Rate limit (pps)
    GigabitEthernetX/X          yes         unlimited
    Port-channel                     yes         unlimited
    port config port-channel 
    ip arp inspection trust
     ip dhcp snooping trust
    2960 config 
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:Q
    Insertion of option 82 is disabled
       circuit-id default format: vlan-mod-port
       remote-id: 1111:1111:1111 (MAC)
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Verification of giaddr field is enabled
    DHCP snooping trust/rate is configured on the following Interfaces:
    Interface                  Trusted    Allow option    Rate limit (pps)
    Port-channel              yes        yes             unlimited
    port config 
    interface Port-channel
    ip arp inspection trust
    ip dhcp snooping trust

  • Can I use DHCP snooping and IOS DHCP server on the same switch stack

    Hello,
    I am shortly going to be deploying a Cisco CallManager solution for a customer whose network comprises stacks of Catalyst 3850 switches.
    There is no separate core/server farm switch so the CallManager servers, voice gateways and IP phones will all plug into the same stack and be in the same VLAN (not my choice!).
    For security we want to enable DHCP snooping and were planning on using the IOS DHCP server on the Catalyst switch stack.
    Will this work? - when I enable DHCP snooping in networks with separate access layer switches I set the uplinks to the core as trusted links.
    I am not sure whether DHCP snooping will work in this case. Do I need to set the VLAN interface on the switch as trusted, is this even possible?
    Unfortunately I do not have access to a layer 3 switch to test this at the moment.
    Thanks

    Nope.  That's the issue.
    They'll sync on a third device acting as a hotspot, but the device sending a signal is not "on" the network it creates so the airport is all by itself on that network.  At least that is what it looks like to me.  Anyone have another take on it?  Seems pretty silly that an iPad can put out a wifi signal, an Airport Express can receive a wifi signal, and yet there is no simple way to get them to communicate under this particular condition.

  • IP DHCP snooping, IP source Guard, and DIA

    Hi All,
    I have Configured DHCP snooping and IP source guard and Dynamic arp inspection on my 3560 and 3750 Network Switches,
    on both of them I'm facing that issue. (the printers and access points are configured to get ip addresses via DHCP), but when the lease time expires, they don't get ip addresses, and become unreacheable.
    while all other clients get thier ip addresses normally
    below you can find the Configuration configuration
    ip dhcp snooping vlan 98,105,111
    no ip dhcp snooping information option
    ip dhcp snooping database flash:dhcpsnooping
    ip dhcp snooping database write-delay 15
    ip dhcp snooping
    ip arp inspection vlan 98,105,111
    ip verify trust on all access ports including printers and access point ports
    all access ports are DHCP snooping untrusted
    also when I create a static dhcp snooping binding record for these devices on the switch it resolves the Issue, but when I reload the switch it's removed automatically.
    any resolution will be much appreciated.
    regards,
    Maher

    check the following link for configuration of DHCP snooping
    http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

  • ISE - DHCP SPAN and DHCP Profiling

    Hi everyone,
    We're embarking on an evaluation of ISE and trying to clarify my thoughts around the DHCP based profiling probes.
    If we are using DHCP SPAN and have all DHCP traffic mirrored to ISE, should we still use IP helpers and the DHCP probe?
    I would expect if we're using DHCP SPAN and mirroring all the traffic then using the DHCP probe with IP helpers on floor switches is a little redundant.
    Thanks,
    Mark

    Hi,
    Just to add from my experience;
    I am deploying ISE for the first time, I have around 100 sites ( I only use ISE+WLC 7.3, NO WIRED).
    It's good to forward all dhcp request to ISE with IP-HELPERS before deploying.
    This is what I did with one of my sites and I had no problem when they switched over as 90% of devices were already profiles using dhcp probe
    Hope to help.
    P.s note that WLC 7.3 does send first http packet to ISE but only if you opened up safari first after authentication, if you opened any other application that uses http protocol it will send weird strings to ise, ie VIBER and so on.
    Look around i've posted a thread about it

  • C2950 IOS for DHCP Snooping and DAI

    hi all,
    anyone knows what image i would need for my 2950 to enable DHCP snooping and DAI features (just for lab purpose)?
    or are these features just available on the bigger modular switches (4500 and 6500)?
    >sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA8a, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2006 by cisco Systems, Inc.
    Compiled Fri 28-Jul-06 15:16 by weiliu
    Image text-base: 0x80010000, data-base: 0x8056A000
    Switch(config)#ip dhcp snooping ?
      information  DHCP Snooping information
      vlan         DHCP Snooping vlan
      <cr>
    Switch(config)#ip arp ?
    % Unrecognized command

    Hi Alain,
    Thanks for this info! I've read you're CCNA Security.
    Just curious, are you gonna write your CCNP Security soon?
    Could you recommend a good lab switch for SECURE?
    Sent from Cisco Technical Support iPad App

  • Help understanding DHCP Snooping and Dynamic ARP Inspection

    Please help me to understand DHCP Snooping and Dynamic ARP Inspection.

    HI Ezra,
    In simple words:
    DHCP Snooping is a feature which is available on switches. This feature is used to prevent rogue dhcp server attacks.
    In the diagram, a valid dhcp server is connected to the network. The computers are suppose to receive dynamic ip addresses from the valid server. An attacker implants a rogue dhcp server on the network as shown in the diagram. The following steps are followed for a client to receive an ip address from a dhcp server.
    When a client (computer) is connected to the switch and is configured to receive a dynamic ip address from a dhcp server, the dhcp service on the client, sends out a DHCP Discover packet, searching for servers on the network. This packet is broadcast in nature. DHCP servers on the network, would respond to the DHCP Discover packet sent from the client. In the example, both the DHCP servers would respond to the DHCP discover packet. The client would process the first packet it receives. If the response send by the rogue dhcp server reaches the client first, then the computer would have an ip address provided by the rogue dhcp server.
    To prevent this, dhcp snooping is configured on the port on which the valid dhcp server is connected to. After the configuration is performed, no other ports on the switch would be able to respond to DHCP Discover packets from the clients. So even through the attacker has set up a rogue dhcp server, the port on the switch to which the attacker has connected would not be allowed to respond to DHCP discover packets. Thus dhcp snooping thwarts the attempt from the attacker in setting up a rogue dhcp server.
    DAI:
    Please read the expalined version from here: http://ciscocertstudyblog.blogspot.de/2010/06/ciscoblogpics.html
    More about DHCP snooping and DAI: Please read this attached document with some detailed explanation.
    Hope it helps.
    Regards
    Please use rating system and mark athe question answered it may help others.

  • [solved] DHCP snooping in environment with core and access switches

    Hello,
    I'd like to know what steps are needed to configure DHCP snooping in my environment:
    1) two core switches Catalyst 6500 (VSS): VLAN defined here, DHCP server connected here
    2) access switches Catalyst 3750: clients connected here
    Access switches are connected to core ones via trunk ports (fiber optics).
    How many snooping databases are required?  One for core and next for each stack?

    Hi Marian,
    If your network is properly designed and connected so that clients, including DHCP clients, are attached to the access layer switches, then the DHCP Snooping should be run only on access switches. Running DHCP Snooping on core switches is not going to increase the security because the DHCP communication has already been sanitized on the access layer.
    If you intend to save the DHCP Snooping database then each switch performing the DHCP Snooping needs to have its own database if you intend to use a persistent storage for it. However, you can always have the switch to save the database to its own FLASH, alleviating the need for a centralized networked storage.
    I am not sure if this answers your question so please feel welcome to ask further.
    Best regards,
    Peter

  • Sg200-50 support dhcp snooping and dynamic arp inspection?

    do the sg200-50 switches support:
    dhcp snooping
    dynamic arp inspection
    ?? thanks

    HI d.pennington,
    SG200 is L2 switch only.  so this mean switch not support dhcp snooping.  Switch support IGMP snooping, Switch support dynamic arp table.  You can management switch with web page GUI only (CLI) not supported.
    Thanks,
    Moh

  • ISE and CDP device sensor

    Hi, all.
    Anyone can explain to me, how the CDP device sensor probe works with ISE ???
    What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.
    Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it  ....
    I have done the following so far:
    Configured the switch to talk to ISE via radius accounting:
    aaa group server radius SERVERGROUP_radius_accounting
         server name ISE02
    radius server ISE02
          address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute nas-port-id include remote-id
    radius-server dead-criteria time 30 tries 3
    radius-server retry method reorder
    radius-server retransmit 2
    radius-server timeout 2
    radius-server deadtime 1
    radius-server key 7 [ISE02 radius key]
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting
    Configured SNMP traps to be sent to ISE:
    snmp-server host [ISE02 ip address] [SNMP RO Community]
    authentication mac-move permit
    authentication critical recovery delay 120 
    mac address-table notification change interval 60
    mac address-table notification change
    mac address-table notification mac-move 
    interface GigabitEthernet0/1
    snmp trap mac-notification change added
    snmp trap mac-notification change removed 
    Configured logging to ISE:
    epm logging
    logging host [ISE02 ip address] transport udp port 20514
    Configured CoA:
    aaa server radius dynamic-author
    client [ISE02 ip address] server-key 7 [ISE02 radius key]
    Configured DHCP snooping, device tracking and device sensors:
    ip dhcp snooping vlan xyz
    no ip dhcp snooping information option
    ip dhcp snooping
    ip device tracking
    device-sensor filter-list dhcp list DSFL_dhcp
    option name domain-name-servers
    option name host-name
    option name domain-name
    option name class-identifier
    option name client-identifier
    device-sensor filter-list lldp list DSFL_lldp
    tlv name system-name
    tlv name system-description
    tlv name system-capabilities
    tlv name management-address
    device-sensor filter-list cdp list DSFL_cdp
    tlv name device-name
    tlv name port-id-type
    tlv name capabilities-type
    tlv name version-type
    tlv name platform-type
    tlv name duplex-type
    tlv number 34
    device-sensor filter-spec dhcp include list DSFL_dhcp
    device-sensor filter-spec lldp include list DSFL_lldp
    device-sensor filter-spec cdp include list DSFL_cdp
    device-sensor notify all-changes
    Configured an additional IP helper on the AP vlan pointing to ISE:
    interface vlan xyz
    ip helper-address [ISE02 ip address]
    I have configured new profiling conditions on ISE, which use the cdp attributes:
    and used these conditions in a new profiling policy for the 114x AP:
    ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....
    However, the only thing ISE sees of this AP, is the dhcp probe:
    and therefore, the 114x policy has no effect .......
    ISE version is the following:
    Cisco Application Deployment Engine OS Release: 2.0
    ADE-OS Build Version: 2.0.4.018
    ADE-OS System Architecture: i386
    Copyright (c) 2005-2011 by Cisco Systems, Inc.
    All rights reserved.
    Hostname: deess01nise02
    Version information of installed applications
    Cisco Identity Services Engine
    Version      : 1.1.2.145
    Build Date   : Fri Oct 26 21:10:35 2012
    Install Date : Fri Jan 18 07:18:49 2013
    Cisco Identity Services Engine Patch
    Version      : 2
    Install Date : Mon Jan 21 07:36:50 2013
    Cisco Identity Services Engine Patch
    Version      : 3
    Install Date : Mon Jan 21 07:42:11 2013
    Version of the switch:
    cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
    Processor board ID FOC1619Y180
    Last reset from power-on
    7 Virtual Ethernet interfaces
    10 Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       : 58:BF:EA:B9:AC:80
    Motherboard assembly number     : 73-13272-06
    Power supply part number        : 341-0407-01
    Motherboard serial number       : FOC16174ZZ5
    Power supply serial number      : LIT16120XR8
    Model revision number           : C0
    Motherboard revision number     : A0
    Model number                    : WS-C3560CG-8PC-S
    System serial number            : FOC1619Y180
    Top Assembly Part Number        : 800-33676-02
    Top Assembly Revision Number    : A0
    Version ID                      : V02
    CLEI Code Number                : CMMD900ARB
    Hardware Board Revision Number  : 0x00
    Switch Ports Model              SW Version            SW Image
    *    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M   
    What am I missing ??? Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting) ???
    How do the device sensors work ???
    Rgs
    Frank

    A switch with sensor capability gathers  endpoint information from network devices using protocols such as Cisco  Discovery Protocol (CDP), LLDP, and DHCP, subject to statically configured  filters, and makes this information available to its registered clients in the  context of an access session. An access session represents an endpoint's  connection to the network device
    Client notifications and accounting  messages containing profiling data along with the session events, and other  session-related data, such as MAC address and ingress port are generated and  sent to the internal and external clients (ISE). By default, for each supported  peer protocol, client notifications and accounting events are only generated  where an incoming packet includes a TLV that has not previously been received in  the context of a given session. You can enable client notifications and  accounting events for all TLV changes, where either a new TLV has been received  or a previously received TLV has been received with a different value using CLI  commands.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1112722

  • Ip source guard feature and dhcp DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A dhcp server assigns ip adress based on mac address carried by client hardware field in dhcp packets.
    One potential attack is when a rogue host mimics different mac addresses and causes dhcp server to assign the ip addresses until no ip address is left for legitimate host.
    For e.g a host h1 with mac1 has assigned ip address by dhcp server as:
    199.199.199.1 mac1
    Dhcp server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler one can create a dhcp discover messages each time creating a different mac for client hardware field in dhcp server thereby causing a dhcp server to assign ip addresses because to dhcp server , these are legitimate dhcp discover messages with each carrying a different mac in client hardware addresses.
    You might say use dhcp snooping and it will prevent that (  dhcp scope exhaustion) and configure the switch to check if src mac matches the client hardware address in dhcp message. But still we can creat spoofed discover messages where src mac in ethernet header will match the client hardware address in dhcp discover message. We still did not overcome the problem.
    You might say use IP source guard feature but will it really prevent that problem from happening?
    Let me illustrate it :
    h1---------f1/1SW---------DHCP server
    Let say we have configured dhcp snooping on sw1 and f1/1 is untrusted port.  The switch has following dhcp binding
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure ip source guard to  validate both src mac and src ip against the dhcp bindings  . When  we configures ip source guard first  , it will allow dhcp communication only so a host can request ip address and a dhcp binding can be built. After that ip source guard will validate src ip or src mac or both against the dhcp binding.depending upon how we configure ip source guard.
    In our case we have configured ip source guard to validate both src mac and src ip against the dhcp binding.
    A dhcp binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed dhcp discover message  where src mac=mac2 in ethernet header and  client harware address= mac2 in dhcp discover message. Since switch is configured with ip source guard feature and therefore allows dhcp discover message to pass through. Dhcp server upon receiving the dhcp message assigns another ip address from the pool. Now the dhcp server has following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2.
    We can continue to craft spoofed dhcp discover messages as mentioned above and have dhcp server keep assigning ip addresses until the whole pool is exhausted.
    So my question is how does  ip source guard in conjuction with dhcp snooping prevent this particular attack from happening? ( i.e DHCP scope exhaustion)
    I really appreciate your input.
    thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the  locations of legitimate dhcp servers in our network. Once we have this information, we will configure the ports used to reach them as trusted. All the ports where end users will connect will be untrusted and therefore subject to dhcp snooping .
    it means if any of user connected in that switch/vlan runs a dhcp  services like vmware for eg. Snooping will prevent the dhcp/bootp  servers connected to that port will not be able to process.
    Yes that is correct. Because dhcp snooping feature will check these ports for the messages usually sent by dhcp server such as dhcp offer, etc. If the end user is running dhcp server using virtual machine, that port should be configured as trusted if it is dertermined  that end user is running a legitimate dhcp server using vm ware.
    When we have the dhcp snooping it prevents the 1st level of hacking  itself. I don't think so it will have any impact on dhcp address  releasing.
    I am sorry. You lost me here. What is 1 level of hacking?
    Dhcp snooping checks for dhcp messages such as dhcp release, dhcp decline.on untrusted port against the dhcp bindings.
    Here is why;
    h1---------SW1-------dhcp server
                   |
                 h2
    Let say we don't have dhcp snooping in above attack and  h2 is a legitimate user has already assigned ip address 199.199.199.2 by dhcp server. Thus the dhcp server has an entry:
    199.199.199.2 mac2
    Next we connect rogue user and it gets ip address 199.199.199.1 now the dhcp server has entries:
    199.199.199. 1  mac1
    199.199.199.2   mac2
    Now using hacking tools, h1 create a fake dhcp release message  with  199.199.199.199.2   mac2
    Dhcp server upon receiving this message, will release the ip address and returns it to the pool.
    By using DHCP snooping, switch will peer inside dhcp release message and checks against the binding. If there is conflict, it will drop the message.
    IFor e.g
    If have dhcp snooping configured , then switch will have adhcp binding as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2     mac2    vlan 2    f1/2 lease time.
    If h1 tries to send fake dhcp release with ip address 199.199.199.2    mac2
    Switch will check ip address 199.199.199.2  and mac2 against the binding related to f1/1 . Sw will find a conflict and therefore drops the dhcp release packet.
    Thanks

  • ISE and CoA 'port bounce' on WLC 7.2

    Hi,
    Im trying to get a vlan change done with CoA and MAB on a WLC 7.2 but it looks like it doese't disconnect the client, hence no new dhcp request.
    Everything is working except 'port bounce'. I can see the new vlan in the controller, if i do a ifconfig /renew on the client it gets the new subnet and everything works as it should. If i remove the endpoint in ISE it swaps the vlan again on the controller, but no port bounce...
    Is it possible to do this at all?
    Page 244/245  in the Configuration guide -  RADISUS NAC -Guidelines and Limitations says:
    VLAN select is not supported
    ISE 1.1.1
    WLC 7.2
    Thanks
    Message was edited by: Mikael Gustafsson

    Hi,
    So in general there is no easy solution to do a vlan change for guest users on a wireless?
    What Im trying to do is to separate the guest vlan from the rest of the network.
    Were the user first get the vlan with the ISE interface in, with ACL for DNS and guest portal. And DHCP proxy from WLC.
    After authentication he would get the guest vlan with only DHCP proxy and a default gw at the fw 
    I did try the CoA DHCP option on the guest portal and it's not a good solution, the user needs interact to accept an applet install , and it's (from what I understand from the UG) only working on windows.  (and I didnt get it to work)
    Thanks
    Message was edited by: Mikael Gustafsson

  • CWA using ISE and mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • DHCP snooping setup help

    Hi,
    Can anyone help me with these setup issues.
    The Cat OS config guide chapter "configuring DHCP-snooping and IP source guard" for v8.4 doesnt mention how to:
    1) Disable dhcp-snooping
    2) configure a destination for the snooping database.
    I would like to setup the local flash PCMCIA card as a destination for the DB.
    I have found documentation for other releases of CatOS that state how to specify a DB location:
    set dhcp-snooping bindings-database <device>:[filename]
    However this syntax is not supported in 8.4. With command line auto-complete (the tab key) and/or help there is no option for "bindings-database" available.
    Do I need to activate the DB somewhere else in the config?
    thanks,

    The command to disable DHCP snooping is:disabled the ip dhcp snooping

Maybe you are looking for

  • How to display icon in alv report output

    hi, my ewquirement in in alv report in one column to diaplay the icon(tickmark) based on some codition. how to achieve it?? condition is Affected (Locked on Current ECM) u2013 can use symbols    for affected and   for changing u2013 u2022     Lock AE

  • Copy value from report to page item

    Hi all, Does anyone knows how to copy an item value from a report to a page item, each time the report runs?? thanks

  • Parent not finished until children complete - stops new job from starting

    Is there anyway that we can 'de-link' 'disassocaite' - some method that we can start a new job again - even though children of a previous job are still active. This is causing quite a problem in our system whereby we need to start another background

  • Verify Disk gives message invalid volume file count/invalid directory count

    My Powerbook G4 (running Leopard 10.5.5) was running slower and slower. So I ran Disk Utility. When running "Verify Disk", I received the following message - Quote At "checking volume information", got the following message – Invalid volume file coun

  • Purchased TV show doesn't appear on iPod

    I purchased an episode of Friends, and downloaded it to iTunes AND my iPod, and I even watched it one time! but the next day, I go to watch it again, and not only has the "TV Show" option disappeared from my Video menu, but so has my purchased episod