Multiple Mobility Anchors

Hi,
I’m struggling to find an answer for this one, please can someone point me in the direction of a document?
I have a four 5508 controllers. One in Office A, One in Office B and TWO in the DC (Where our internet edge is present)
Office A and B are within the same Campus and there is AP coverage the reaches between the offices, these controllers are part of the same mobility group as user walk between the offices, this mobility group is called (MOB-AB)
The two WLC's in the DC are also in their own separate mobility group (MOB-DC) These controllers have no AP's landing on them as there used to anchor our internet only Guest SSID (GUESTWIFI)
The question I have is how do you put a preference on a EOIP tunnel? If I wanted to take one of the DC WLCs out of production how can I make all the office WLCs only use the path to a single DC WLC
Now I know I can just delete it via the GUI but there must be a graceful way to do this, or a way to set a preference?
Any help would be appreciated.
Thanks
RG

RG,
    You don't specify which tunnel to use.  The WLC will load balance between them so as not to overload a particular anchor.
If you take one of the WLC down, power down, shut the interface(s), they will detect that the WLC is down and will send all the traffic to the one that is still up.
Cheers,
Steve
If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.

Similar Messages

  • Contacts with multiple mobile numbers

    Hello all,
    This is my first post here, so please be patient with me.  I searched through previous threads, but did not find an sufficient answer to the problem I am having.  To set the stage, I will give you what I am working with
    g-mail account with close to 500 contacts
    iPhone 5, latest version 6.1.3
    MacBook Air, latest version 10.8.3
    I have my g-mail account linked to my iPhone as an Exchange connection so that I can view the contacts.  I have my computer contacts program connected with Google as well.  The problem I am having is that most of these 500 contacts have multiple mobile phone numbers.  I am able to create this contact easily in g-mail and can relabel the phone types to match what they are.  Let's say for instance:
    Name:  John Smith
    Home: 111-111-1111
    Mobile:  222-222-2222
    Mobile:333-333-3333
    etc.
    I have done quite a bit of testing and found that the computer contacts matches up perfectly with whatever I put in there, including multiple mobile numbers.  My iPhone on the other hand, does not show the second Mobile number.  It will recognize multiple home, work, and pager numbers, but not multiple mobiles (it only shows the first one on the list).  Why would it allow multiple numbers of the other types and not mobile numbers?
    Is there something I am doing incorrectly, or has Apple overlooked a simple, important function?  The things I do not want to do are:
    create custom phone labels for my contacts as in mobile1, mobile2 - there are too many and this is an inefficient solution.
    change all of the cell numbers to be work numbers - same as above, and what if someone else is updating g-mail contacts and does not follow the rule?
    unlink the Google tie I have on the computer - this seems to be the only one of the two that works, and I do not want to have to constantly remember to download an updated contact list.  The list changes constantly, and I know I would eventually forget ( I am looking for a poka-yoke here).
    Any ideas about solutions?
    Thank you for the help

    I have no prblem syncing multiple mobile numbers so I don't think it's a universal issue with iOS. The only difference I see is I am using CardDav instead of using the Exchange option. Have you tried it that way? You can urn off contacts in the Exchange account and add the CardDav account separately.

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • CWA using ISE and mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access Cisco recommend a Mobility Anchor Controller be placed on a DMZ and the guest access wireless Lan is tunneled to this controller.  This means that 2 DMZ subnetworks are required - one for the management interface and one for the wireless lan's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks using 2 physical ports on the controller (no LAG) and placing one on a corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless lan's dynamic interface.
    Advantages that I see are that no tunnels need to go though a firewall, management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • DHCP issue with mobility anchor

    Hi Guys,
    I am having a bit of trouble to get the DHCP to work in my configuration. basically I have configured one SSID on two WLCs (running same version of code), I configured WLC 1 as anchor  controller and configured itself as mobility anchor (local), and on foreign controller (WLC2), I have configured the anchor as a mobility anchor. I have added both of the WLCs in each other's mobility list, however WLC1 and 2 are not in the same mobility group. clients are getting IP address through an external DHCP server.
    the problem is that when I used the management interface for the WLAN, I could get IP address through DHCP without any problem, however if I use another dynamic interface created for the SSID, then I could not get IP address anymore. I did another test with two WLCs configured in the same mobility group, then everythnig works fine. I have double checked my configuration for the dynamic interface but could not find anything wrong.
    so my question is
    is it possible to do auto anchoring configuration with two WLCs in different mobility group (different mobility group name), since based on my test management interface works,  but another dynamic interface did not work. in the configuration guide, it says: "you must add controllers to the mobility group member list before you can designate them as mobiolity anchors for a WLAN", does that mean the mobility group name has to be the same for both of the WLCs? if that's the case why does management interface worked?
    thanks in advance for you help.

    Hi Nicolas,
    thanks for your reply, i guess that's where the problem is - I could not ping the dynamic interface from the DHCP server. (eping and mping works fine)
    however I could ping the dynamic interface of the foreign controller (i have created another dynamic interface on the same subnet on the foreign controller, i understand it's not really necessary since we getting IP in the range defined on the anchor controller). the only difference between the two controllers is that the foreign controller enabled LAG, and only connected to the core swithc number 1, but the anchor controlelr is not (it has two connections to two core switches respectively).
    so does this mean I can not use this controller to be a anchor controller if it has two connections to two differnet switches? if yes is there any documentation on this point?
    Thanks very much for your help.

  • Multiple Mobile Clients

    Hi to all.
    I want to use multiple mobile clients (up to 50) to send data (texts/numbers) to the same server wirelessly.
    What is the best way to go? Bluetooth or WiFi? Is there any limitation in any of the protocols? Which one will quarantee that the data of all the clients will be received at the server?
    Thanks, appreciate your concern...
    Std.

    The thing that causes the "-" half-slected buttons on the Account Creation tab is the absence of a value for the (new in 10.5?) attribute in the com.apple.MCX plist file. You can find this by using the Inspector in Workgroup Manager, getting the user account and editing the MCXSettings attrbute:
    cachedaccounts.WarnOnCreate.allowNever
    otherwise known as "Show Mobile Account Dialog's Never Option" if you look in the Details tab of Workgroup Manager,
    otherwise known as "Show "Don't ask me again" checkbox" if you look in the Account Creation tab of Workgroup Manager.
    Pet peeve -- three different terms for the same thing?

  • Mobility Anchor/Foreign WLC code versions

    I am trying to setup a mobility anchor (5500 version: 7.2.111.3). I need this version as to support the Bonjour gateway.
    The foreign WLC is a WiSM-1 (version: 7.0.220.0).
    I have control/data path up. I am able to ping through it. I am, however, getting invalid mobility packets to the foreign WLC from the Anchor.
    Do the code versions have to be identical for a mobility anchor? I do not plan on perofrming any AP roaming to the anchor.
    Thanks.

    Output below. Anchor first.
    (Cisco Controller) >show wlan 1
    WLAN Identifier.................................. 1
    Profile Name..................................... pn
    Network Name (SSID).............................. pn_test
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-dmz
    --More-- or (q)uit
    Multicast Interface.............................. guest-dmz
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    --More-- or (q)uit
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    LDAP Servers
       Server 1...................................... 10.4.21.177 389
       Server 2...................................... 10.4.21.178 389
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled
    IPv4 ACL........................................ Unconfigured
    IPv6 ACL........................................ Unconfigured
    Web-Auth Flex ACL............................... Unconfigured
    Web Authentication server precedence:
    1............................................... local
    --More-- or (q)uit
    2............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Enabled
       FlexConnect Local Switching................... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    1           10.241.15.5           Up                             
    --More-- or (q)uit
    802.11u........................................ Disabled
      Access Network type............................ Not configured
      Network Authentication type.................... Not configured
      Internet service............................... Disabled
      HESSID......................................... 00:00:00:00:00:00
    Hotspot 2.0.................................... Disabled
      WAN Metrics configuration
        Link status.................................. 0
        Link symmetry................................ 0
        Downlink speed............................... 0
        Uplink speed................................. 0
    Mobility Services Advertisement Protocol....... Disabled
    (Cisco Controller) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 68:ef:bd:93:bd:00
    IP Address....................................... 1.1.1.1
    DHCP Option 82................................... Disabled
    Virtual DNS Host Name............................ Disabled
    AP Manager....................................... No
    Guest Interface.................................. No
    (WiSM-slot4-1) >show wlan 11
    WLAN Identifier.................................. 11
    Profile Name..................................... pn
    Network Name (SSID).............................. pn_test
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    LDAP Servers
       Server 1...................................... 10.4.21.177 389
       Server 2...................................... 10.4.21.178 389
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
    --More-- or (q)uit
       Auto Anchor................................... Enabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    11          10.241.15.5           Up                             
    (WiSM-slot4-1) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 00:1a:6c:20:51:60
    IP Address....................................... 1.1.1.1
    DHCP Option 82................................... Disabled
    Virtual DNS Host Name............................ Disabled
    AP Manager....................................... No
    Guest Interface.................................. No

  • Mobility Anchor , extened anchor

    I have a query.
    If there are 3 companies all using cisco wlc and 2 of the companies have a mobility anchor between them.(Company A and B), is it possible to for Company C to connect to companie A wireless lan via the mobility anchor on Company B?  Kind of extending the anchor?
    Cheers in advance.

    Mobility group name is just for roaming purposes. You can still anchor to another WLC WLAN if you want. It's like having a guest anchor WLC. The guest anchors should have a different mobility group name than the foreign WLC's.
    Sent from Cisco Technical Support iPhone App

  • Mobility Anchor between a 5700WLC and a 8500WLC

    Hi
    I've been apporached to possibly setup a Mobility Anchor between the company I work for and an external company.
    We currenly implamenting the 8500WLC, but the external company have 5700 WLC converged wireless, which of around 12 months ago wasn't able to create a Mobility Anchor.
    As the external company will only want to broadcast over our APs, we wont be broadcasting over theirs, would it be possible to create a mobility anchor then?
    I remember speaking to Cisco last year, and they said it is on their road map, but not sure it it is there yet.
    cheers

    I think it is possible as long as you have compatible software version on your 8500. It has to be either 7.6.x or 8.x where you can configure new mobility, then only it can be peer with 5760. Refer this for mobility peering config for those platforms
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    Once you have the above then you need to configure the mobility anchor feature for specific SSID. Since you want to advertise their SSID on your AP, on their 5760 SSID to be configured as mobility anchor
    wlan XYC
    mobility anchor
    On your 8500 mobilty anchor config for the given SSID (XYZ) you need to specify the 5760 management IP  as mobility anchor.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Import vcf into Address Book loosing multiple mobile phone numbers

    When I import vcf entries that hold more than one mobile phone number, all but the first number is lost. This behavior changed from address book version 4.1.2 (osx 10.5 leopard) to address book version 5.0.1 (snow leopard - 10.6.2).
    You can try yourself:
    create an entry in the address book that has multiple mobile phone numbers, export that entry as a vcf file, delete the entry in the address book and reimport the vcf file. All but the first mobile phone number is lost! It works correct in addressbook in leopard but does not anymore in the latest version of snow leopard. I even think the error just appeard after the last update to 10.6.2!
    Apple, please fix this bug!
    regard
    Christof

    Address Book 5.0.1 multiple field issues:
    We have found the same thing. It seems to only be Address Book 5.0.1 which is affected. We are cautiously using our previous version 5.0 (from Snow Leopard 10.6.1) which seems not to be affected.
    It is also a problem if you merge records. We have found that any fields which have matching labels will be deleted leaving only one. In some cases other fields which do not match label are also deleted. We have also experienced an issue with the preferences for the formatting of Phone Numbers in the preferences dialog no longer working correctly.
    We have reported this to Apple RADAR bug reports. We have referenced this thread too.
    In the meantime our advice is to:
    Back up your Apple Address Book contacts and keep the backup safe.
    carefully use Address Book v 5.0 from Snow Leopard 10.6.1 (cautiously at your own risk as there may be issues using a version that is not designed for 10.6.2 - back up your address book first). This version has always seemed pretty reliable for us.
    If you continue to use v 5.0.1 do not merge any contacts. do not run find duplicates (just in case). do not import any contacts into the address book.
    Edward Hirst
    Equinox Features

  • Guest Mobility Anchor N+1 Redundancy Design

    Anchor WLC redundancy is achieved through the mobility groups. For redundancy, we can increase the mobility group size, including additional controllers for redundancy.
    Does N+1 redundancy works across different mobility groups (Anchor WLCs in different DMZ zones for different internet breakout points for Guest access)?
    Does it supports pre-empt (preferred) action when the failed primary Anchor WLC recovers?
    For WLC 4.1 version or later, mpings are used for keepalive packets between the foreign and anchor controllers. However, there is no setting to set the order of preferred Anchor controllers.

    You can have multiple anchor wlc in the DMZ. These will always have a different mobility group name than your foreign wlc's. There is no pre-empt in a multiple anchor wlc. I believe with 5.2 you can specify which anchor wlc you want traffic to go to, but then again, I don't like any of the 5.x code. With the 4.x and earlier versions of the 5.x code, the decision on where traffic will go to is calculated by the foreign wlc that has to anchor the trafic to one of the anchor wlc's in the DMZ. Local WLC uses these anchor wlc's in the order WLCs are configuredIs failover transparent to the user.... no. Since best practice is to make sure your dhcp scopes on the wlc do not overlap, users who is anchored to one that fails, will move to the other wlc. This usually will make the client renew its dhcp address.

  • 10.5 server, 10.4 clients getting multiple mobile accounts - weird results

    I would like to reopen this discussion:
    http://discussions.apple.com/thread.jspa?threadID=1664772&tstart=7
    What happens visually is that the user appears to log in to a network account, but the Macintosh HD icon changes to the "house" used for the home directory, and all the mobile account data (which is naturally in /Users/<login>) is not accessible. If you use Netinfo Manager or System Preferences, you can see multiple accounts for the user.
    We have been getting many laptops randomly succumbing to this bug. 10.5.8 server, 10.4.11 clients. I ran nicl on one that was affected today, with "nicl . -list /users", and found 3 user account records with the same login. I then used the "directory IDs" from the nicl -list commands and compared the data for each account with "nicl -v . -read <dirID>" replacing <dirID> with the numeric directory IDs for the accounts.
    One of the accounts had no "home" attribute, so I deleted it using "sudo nicl . -delete <dirID>". The only difference between the other accounts is the value of the "copy_timestamp" attribute (it differed by 20 seconds or so). I blindly removed the record with the later copy_timestamp value, after which I was able to login to the mobile account normally.
    Interestingly during the login, I pinged the machine rapidly over ssh, running the "nicl . -list /users" command. I could see the original directory ID. Then for a while a new directory ID appeared and the old one was gone. Then both the old and the new appeared. Finally, after the successful login, the old directory ID was back. I guess the mobile account login process is constantly banging on Netinfo.
    Another thing to note is that when I go to Workgroup Manager (10.5) and bring up the Mobility > Acount Creation preferences, they show up with the "Never" and "Always" buttons half-selected ("-"), as well as the one for the "Show "Don't ask me again" checkbox" setting. Guess the com.apple.MCX.plist file schema changed from 10.4 to 10.5. I will research the differences. Maybe I'll get lucky and stop this behavior from happening...

    The thing that causes the "-" half-slected buttons on the Account Creation tab is the absence of a value for the (new in 10.5?) attribute in the com.apple.MCX plist file. You can find this by using the Inspector in Workgroup Manager, getting the user account and editing the MCXSettings attrbute:
    cachedaccounts.WarnOnCreate.allowNever
    otherwise known as "Show Mobile Account Dialog's Never Option" if you look in the Details tab of Workgroup Manager,
    otherwise known as "Show "Don't ask me again" checkbox" if you look in the Account Creation tab of Workgroup Manager.
    Pet peeve -- three different terms for the same thing?

  • 5508 as mobility anchor to 5760 WLC

    I have 4 5508 WLCs in my environment now, installed at various locations. One 5508 is acting as an anchor for guest access.  All other 5508s connect back to the anchor for the same SSID, the guest wireless WLAN.  A new office is opening up with several new APs using a newer 5760 WLC running as an MC.  Currently the 5508's do not have New Mobility enabled.  I'm pretty sure I need to enable this on the anchor at least, but the question is do all 5508 WLCs need to be changed to support New Mobility; and if so, does it require any new configuration so that I don't break the guest wireless SSID?  I am new to New Mobility so I am not sure what to expect.  Other than rebooting a few WLCs to turn on New Mobility.
    All 5508's run 7.6.130.0.  The newer 5760 runs 03.06.02E. 
    Thanks
    Jeff

    OK, so to recap;
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - Then Anchor the guest SSID (on it's DMZ IP instead of management IP as is now)
    And to make that kind of anchoring work, I have to open ports below on the firewall.. right?
    UDP port 16666 for inter-WLC  communication, and IP protocol ID 97 Ethernet in IP for client traffic.
    and:
    •TCP 161 and 162 for SNMP 
    •UDP 69 for TFTP 
    •TCP 80 or 443 for HTTP, or HTTPS for GUI access 
    •TCP 23 or 22 for Telnet, or SSH for CLI access
    Thanks to confirm that

  • Mobility Anchor connection drops during authentication

    Hi,
    I have a strange situation, hopefully someone can help. I have a WLAN setup with foreign - anchor controllers and MAC address authentication using central RADIUS server. In some cases for some clients the foreign export cannot build up because during the 802.11 process the foreign disconnects the client due to a session timer expires. Some clients can connect, others experience this issue. Sometimes client can get IP address via the anchor DHCP proxy but then foreign disconnects it with expiring message. (foreign sw version 6.0.202, anchor sw version 6.0.188 but we have same situation with other foreign which has 7.4.110 version)
    Debug shows the following (suspicious part is in red):
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Reassociation received from mobile on AP e8:04:62:f6:bf:00
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying site-specific IPv6 override for station 60:c5:47:99:b0:a6 - vapId 3, site 'default-group', interface 'management'
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Applying IPv6 Interface Policy for station 60:c5:47:99:b0:a6 - vlan 850, interface id 0, interface 'management'
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 STA - rates (6): 24 164 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [e8:04:62:f6:cd:d0]
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Updated location for station old AP e8:04:62:f6:cd:d0-0, new AP e8:04:62:f6:bf:00-0
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 apfProcessAssocReq (apf_80211.c:4270) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Probe to AAA Pending
    *Jan 15 12:07:01.190: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 2
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
    *Jan 15 12:07:01.326: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Initializing policy
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP e8:04:62:f6:bf:00 vapId 3 apVapId 3
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from AAA Pending to Associated
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 49) in 7200 seconds
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 Sending Assoc Response to station on BSSID e8:04:62:f6:bf:00 (status 0) Vap Id 3 Slot 0
    *Jan 15 12:07:01.327: 60:c5:47:99:b0:a6 apfProcessRadiusAssocResp (apf_80211.c:1956) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Associated
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Applying post-handoff policy for station 60:c5:47:99:b0:a6 - valid mask 0xb00
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6     Session: 7200, User session: 7201, User elapsed 104  Interface: (null) ACL: N/A
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Inserting AAA Override struct for mobile MAC: 60:c5:47:99:b0:a6, source 16
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Setting session timeout 7201 on mobile 60:c5:47:99:b0:a6
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Session Timeout is 7201 - starting session timer for the mobile
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 55) in 7200 seconds
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *Jan 15 12:07:01.328: 60:c5:47:99:b0:a6 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4245
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Adding Fast Path rule  type = Airespace AP Client on AP e8:04:62:f6:bf:00, slot 0, interface = 29, QOS = 0  ACL Id = 255, Jumbo Frames = NO, 802.1
    *Jan 15 12:07:01.329: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Jan 15 12:07:01.332: 60:c5:47:99:b0:a6 Set bi-dir guest tunnel for 60:c5:47:99:b0:a6 as in Export Foreign role
    *Jan 15 12:07:01.335: 60:c5:47:99:b0:a6 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMmProcessDeleteMobile (apf_mm.c:531) Expiring Mobile!
    *Jan 15 12:07:11.890: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Associated to Disassociated
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 60:c5:47:99:b0:a6 on AP e8:04:62:f6:bf:00 from Disassociated to Idle
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [e8:04:62:f6:bf:00]
    *Jan 15 12:07:11.891: 60:c5:47:99:b0:a6 Deleting mobile on AP e8:04:62:f6:bf:00(0)
    *Jan 15 12:07:11.894: 60:c5:47:99:b0:a6 0.0.0.0 Removed NPU entry.
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Adding mobile on LWAPP AP 68:bd:ab:48:80:f0(0)
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Jan 15 12:07:12.053: 60:c5:47:99:b0:a6 apfProcessProbeReq (apf_80211.c:4761) Changing state for mobile 60:c5:47:99:b0:a6 on AP 68:bd:ab:48:80:f0 from Idle to Probe
    Question: Why is that 10 sec timer still ticking at that phase when client already reached RUN state?
    On a foreign wlc with sw 7.4.110 using anchor with sw 6.0.188 the situation is even worse, all clients have this issue and cannot connect.
    Thanks
    Hege

    Hi,
    Yes, that was the first thing to check. We don't use the DHCP required option (unchecked on both sides). The only difference between acnhor and foreign configuration is that in foreign L2 macfiltering is enabled and radius servers are specified while on anchor it is not enabled and specified. I have tried it on anchor with enabling macfiltering (without radius servers specified there) but I have the same behaviour. AAA override is also enabled on both sides.
    I have also increased the authentication timeout in advanced timers options from 10 sec to 40 secs but no luck, debug shows the same 10secs.
    I am thinking on 2 options. 1st option is that the anchor software is too old (6.0.188) and needs to be upgraded to 7.0.240 (anchor is a 4400 wlc). 2nd option is that there might be too much delay between anchor and foreign?
    On the same setup if we use guest access with web authentication on the anchor side (no MAC authentication), then eveyrthing is fine.
    Thanks
    Hege

Maybe you are looking for

  • Error in create Customer code.

    hi, when i try to create the new customer, am getting "ACCT GROUP SOLD to PARTY user EXT. NO".  can you please suggest where we need to assing , whether the customer number is auto genrate or manuall number? and how the running number interval which

  • Photoshop album starter edition 3 how to get past registration page?

    Having done a system restore on my computer My photo album continually asks for registration I have an unlock key , put that in and away we go asking me to register again cannot get to open my photos, Adobe helpdesk suggested I transfer my photos but

  • AR - On-Account Receipts

    Hi, I am trying to extract OnAccount Receipts using below query. But I noticed that in some cases there are multiple cash_receipt_id for a single receipt_number. Also there are multiple records for one cash_receipt_id in AR_RECEIVABLE_APPLICATIONS_AL

  • Delivery type RLL

    hi all i want to active/inactive availability check for  one delivery type like RLL in outbound delivery:Return delivery to vendor not for all delivery. how can do it? Regards Ramin

  • Vendor with excise

    Hi, How I can find out, Wether  the Vendor have maintain Excise Details. where I can Check it? Regards, Dhanush.S.T