Peer-to-peer blocking / SGT / upstream behavior
Is there a way to take a WLC 5508, enable peer-to-peer blocking functionality and send the traffic upstream to be run through an ACL and then sent back down to the WLC 5508 back into the same WLAN? A switch typically won't forward traffic out the port it came in on, right?
I know this sounds crazy but I want to use ISE to apply a Security Group Tag to hosts and then use a higher powered switch to filter traffic rather than doing it on the WLC.
The goal is for hosts on the same WLAN to have or not have access to each other based on Authentication / SGT. For instance, if Joe authenticates, all of Joe's devices can talk to each other. If Mary authenticates, all of Mary's devices can talk as well. However, based on security group tagging and SGACLs, Mary's devices cannot talk to Joe's.
Any thoughts?
Thanks for the quick response, Steve. However, I am already aware of that setting. My question focuses more on the switching that will happen once the traffic is pushed upstream.
"A switch typically won't forward traffic out the port it came in on right?"
This is based on what I have read in the peer-to-peer blocking section of the docs here:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1209597
"In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received."
Similar Messages
-
Hi,
I need to configure partial peer 2 peer blocking to deny all traffic between two peer clients connected to the same WLAN.
All traffic must be denied except the communication between some specific TCP ports.
At which level of configuration is it possible or best to do this?
How exactly does the controller behave when using the forward to UpStream feature on the WLAN, and which configuration is needed on an upstream Catalyst 6500 switch in order to control the traffic between peer WLAN clients?
Thanks.
Giorgio.
Peer to peer blocking is sort of all or none: http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/wlan/config_wlan_chapter_01010.html
What you can do is use an acl on the WLC to limit traffic from certain ip to a certain ip.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807ce372.shtml
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
Peer-to-peer Blocking problems
Hi folks,
I'm using WiSMs version 7.0.235.3 and WLC 7.0.230.0. I'm trying to allow peer-to-peer communication but am having some difficulty. I have "Peer to Peer Blocking" set to Disable and can ping between devices i.e. ICMP is working fine. IP however is not working which doesn't really make any sense to me. I've confirmed this using Wireshark. If I set "Peer to Peer Blocking" to Drop, all traffic is blocked.
Any assistance/recommendations would be appreciated.
Thanks. S.
What are you actually trying to do? Is the issue when clients are associated to the same WLAN on the same WLC?
Sent from Cisco Technical Support iPhone App -
AP to AP peer-to-peer blocking
If you have two autonomous APs, both with the same user VLAN and subnet, is there a way to block users on one AP from communicating with users on the second AP?
I know you can use PSPF for users connected to the same AP but need the best way to stop them when connected to separate APs in the same VLAN.
Thanks.
Hi Mat,
Here is the second part of the config for using PSPF;
Configuring Protected Ports
To prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected. Follow these steps to set up protected ports on your switch:
Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | interface interface-id | Enter interface configuration mode, and enter the type and number of the switchport interface to configure, such as gigabitethernet0/1.
Step 3 | switchport protected | Configure the interface to be a protected port.
Step 4 | end | Return to privileged EXEC mode.
Step 5 | show interfaces interface-id switchport | Verify your entries.
Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
To disable protected port, use the no switchport protected interface configuration command.
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15rf.html#wp1038494
Hope this helps!
Rob -
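A configuration check for the protected-port procedure above, added here as an example (it is not part of Rob's post or of Cisco's documentation): it parses IOS-style running-config text and lists the access ports in the AP user VLAN that lack switchport protected. The sample config, interface names and VLAN 20 are constructed.

```python
# Constructed running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description AP-lobby
 switchport access vlan 20
 switchport mode access
 switchport protected
!
interface GigabitEthernet0/2
 description AP-floor2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/3
 description printer
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet0/24
 description uplink
 switchport mode trunk
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            # Indented lines belong to the interface stanza being read.
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces


def unprotected_ports(config_text, vlan):
    """Access ports in `vlan` that lack `switchport protected`."""
    missing = []
    for name, cmds in parse_interfaces(config_text).items():
        in_vlan = f"switchport access vlan {vlan}" in cmds
        protected = "switchport protected" in cmds
        if in_vlan and not protected:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for port in unprotected_ports(SAMPLE_CONFIG, 20):
        print(f"{port}: in user VLAN 20 but not a protected port")
```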
Clarification on Blocked Process Report behavior
We have team members who are at odds over how this event is handled and its coverage.
After enabling this in sp_configure, and for the sake of argument keeping the threshold = 5 (default), and no other trace filters are applied - which of the following is true, false, or misunderstood:
1. All-inclusive. The report will be generated for ANY transaction that is blocked for more than 5 seconds, meaning all transactions are contrasted against this threshold and no such transactions would be missed.
2. "ad-hoc query-like" ; point-in-time only. The threshold is only contrasted against at a point-in-time only, in that at a set interval active transactions are reported against. This would mean blocked transactions that occur between this interval would not be reported against.
Reading the MSDN/BOL articles, the language used is terse and somewhat left open to interpretation.
The general discussion that started this is around whether or not running an external query (such as in SSMS) to report on blocking (which only reports on transactions at that point in time) is basically the same thing as running the blocked process report trace event, except in the trace event the "query" is run at "some interval" automatically.
I am pretty sure I will win a beer if I am right on my answer to this - but I need expert arbitration. Please help me, I'm thirsty!
Thanks very much for the assist!
It's number 2: every 5 seconds the "LOCK MONITOR" checks for blocked processes and depending on the threshold will accumulate the sessions which are "still standing" after the threshold time, let's say 30 seconds.
There is no Event involved until that point of the threshold being exceeded - that then is the event (which one can trace via SQL Trace or Extended Events), not before that.
Andreas Wolter (Blog | Twitter)
MCSM: Microsoft Certified Solutions Master Data Platform, MCM, MVP
www.SarpedonQualityLab.com | www.SQL-Server-Master-Class.com -
Moving a bookmarks to a different folder -- block 'spring-open' behavior?
When I'm doing a cleanup of my bookmarks window, I often want to quickly move numerous recently captured bookmarks collected in a " • New bookmarks" folder at the top of the window to one or another of the many topical folders further down in the window.
Each time I drag a recently captured link down to one of these folders, no matter how quickly I try to drop it on the folder, the folder almost always seems to snap open -- which in turn can push all the other lower folders down and off the bottom of the window.
Any way to drag a link (or folder) onto another folder and have it be moved to that folder **without the target folder opening**?
[This problem didn't occur in Netscape because there was a substantial delay before the target folder would open (although it would eventually open if you wanted it to)]
Thanks . . .
Hi
Welcome to Apple Discussions
Target folder will always open. That's the way it was designed. To completely avoid it, save the link via the Bookmarks menu.
Otherwise, the "trick" to avoid the rapid spring-action occurring with folders other than the target is to drag the URL over the left side (collections) of the Bookmarks Manager until you arrive at the target folder. If a folder inadvertently opens, then move the URL a bit more to the left until the folder closes. -
Allow client to client traffic
Hi all,
I have two clients trying to connect to each other with no success.
I have a 5760 controller and a pretty plain wlan config...
The only way they managed to ping one another is by activating the command:
peer-blocking forward-upstream
But I think this throws the traffic to the uplink switch and lets it deal with it... but that will allow unicast traffic, but nothing else.
Any idea?
Naor.
Hi Naor,
The peer-blocking forward-upstream command causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.
Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-Peer enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the controller, dropped by the controller, or forwarded to the upstream VLAN.
NOTE:
To enable peer-to-peer blocking on a WLAN configured for FlexConnect local switching, select Drop from the P2P Blocking drop-down list and select the FlexConnect Local Switching check box.
Please do go through the link below to understand the Peer to Peer blocking behaviour.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/config_guide/b_cg75/b_cg75_chapter_01001011.pdf
Regards
Salma -
Peer-to-Peer Traffic Flow on Same AP
Hi Valued Professionals,
Can someone please verify the traffic data path for traffic on a non-FlexConnect SSID that is sent from a client of AP1 to another client of AP1 on the same SSID?
1. Is it bridged locally by AP1 to the receiving client on the same SSID on the same AP1?
2. Is it forwarded to the WLC to be tromboned (i.e. sent back) to the same AP1 for transmission to the receiving client?
I have seen a few posts on this and nothing really conclusively believable, so please provide some more concrete insight.
To re-iterate, this is about traffic between two clients connected to the same SSID on the same AP.
HREAP is NOT in use (i.e. no FlexConnect as Cisco now call HREAP).
Peer-to-Peer blocking is also NOT in use.
Kindest Regards,
J
In the case of Wireless controller + Switch + AP scenario.
Go to WLC admin page, click on NEW to create WLAN SSID. 2106 can support up to 8 SSIDs IIRC.
Say you created SSID WLAN1; click on edit and select Management as interface. This SSID would be associated with your internal VLAN.
Before you create the 2nd WLAN SSID, go to CONTROLLER->INTERFACES-> give your dynamic interface a name and a VLAN ID. This VLAN ID must be the same as your switch port (switchport mode access, switchport access VLAN ID). This dynamic interface is for your DSL VLAN.
Repeat the same SSID creation as WLAN SSID1 and name it SSID2 or etc.
Also at your DSL router, assign it to be DHCP server. Under the new WLAN SSID2 click edit and change the interface name to be the dynamic interface name that you created, and make sure admin status is enabled. Clients that connect to SSID2 will get the IP from your DSL DHCP.
just my 0.002 cent worth -
Howto block p2p traffic of clients connected to the same ssid on different wlc
Hi all,
I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
===
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
===
Does anybody know what the best practice is to prevent this inter-WLC client traffic? I already read about using ACLs on the WLC dynamic interfaces, or private VLANs on the L2 switch VLANs where the dynamic interfaces are connected to. Is it allowed to completely isolate the WLCs from each other on these dynamic interfaces with ACLs or private VLANs, or do the WLCs need to see each other on these interfaces (e.g. heartbeat)?
Many thanks in advance,
Thorsten
Hi Sasha, Thorsten,
The bug is Junked and I believe that is what you are running into with your tests:
CSCtr60787 WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
To answer your original query :
An ACL is the only solution to block client communication on the same SSID between 2 WLCs. The 5508 works better with ACLs than the 44xx platform.
ARP requests will be forwarded to the upstream router just like any other traffic. The WLC won't proxy ARP for clients on the same VLAN.
Gateway ARPs I believe should be handled by the WLC. (Don't quote me on this but I am pretty sure it is.) If it was not, then how would the client know about the gateway?
Multicast traffic is not applicable for p2p.
Your ACL can be as simple as this for the scenario :
WLC 1 - clientvlan = 10
WLC 2 - clientvlan = 10
and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
Basically in that case the ACL should look like on both WLCs :
1. Permit statement to talk to gateway.
2. Deny to subnet.
3. Permit all.
4. If DHCP/DNS other services are on same subnet then you would need to add a permit statement before the deny.
5. Attach the ACL to SSID or dynamic interface.
Thanks,
Salil
CSCtr60787 WLC P2P Blocking Set to Forward-UpStream Doesn't Work. -
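The rule order Salil describes can be checked before the ACL is applied. The following is an added example, not part of the original post and not WLC syntax: it models a destination-only, first-match ACL and flags a same-subnet service permit that has been placed after the subnet deny. The 10.0.10.0/24 addressing and the host addresses are constructed; the post gives only the VLAN ID.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for client VLAN 10 (the post gives only the VLAN ID).
SUBNET = "10.0.10.0/24"
GATEWAY = "10.0.10.1/32"
DNS_DHCP = "10.0.10.5/32"    # service host that lives on the client subnet

# Rules are (action, destination network), evaluated top-down, first match wins.
ORDERED_ACL = [
    ("permit", GATEWAY),      # step 1: talk to the gateway
    ("permit", DNS_DHCP),     # step 4: same-subnet services, before the deny
    ("deny", SUBNET),         # step 2: block the rest of the client subnet
    ("permit", "0.0.0.0/0"),  # step 3: everything else
]

# Same rules, but the service permit was appended after the subnet deny.
MISORDERED_ACL = [
    ("permit", GATEWAY),
    ("deny", SUBNET),
    ("permit", DNS_DHCP),
    ("permit", "0.0.0.0/0"),
]

# Intended policy, expressed as destination -> expected action.
INTENT = {
    "10.0.10.1": "permit",    # gateway
    "10.0.10.5": "permit",    # DNS/DHCP host
    "10.0.10.77": "deny",     # another wireless client
    "192.0.2.10": "permit",   # off-subnet destination
}


def evaluate(acl, dst):
    """Return the action of the first rule whose network contains dst."""
    addr = ip_address(dst)
    for action, net in acl:
        if addr in ip_network(net):
            return action
    return "deny"  # implicit deny when no rule matches


def shadowed_rules(acl):
    """1-based positions of rules that can never match because an earlier
    rule already covers their whole destination range."""
    nets = [ip_network(net) for _, net in acl]
    hits = []
    for j in range(1, len(nets)):
        if any(nets[j].subnet_of(nets[i]) for i in range(j)):
            hits.append(j + 1)
    return hits


def audit(acl, intent):
    """Return (dst, wanted, got) for every destination handled differently
    from the intended policy."""
    results = []
    for dst, wanted in intent.items():
        got = evaluate(acl, dst)
        if got != wanted:
            results.append((dst, wanted, got))
    return results


if __name__ == "__main__":
    for name, acl in (("ordered", ORDERED_ACL), ("misordered", MISORDERED_ACL)):
        print(name, "shadowed rules:", shadowed_rules(acl))
        print(name, "policy mismatches:", audit(acl, INTENT))
```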
Block clients from individual wlan
I have a 5508 with 2 WLANs (corp, guest). I would like to be able to block certain users via MAC address from CORP but not guest.
Can this be done?
CORP is using WPA2+AES
GUEST is using Web Auth (guest is not set up as a "guest vlan" in the config, just a regular WLAN).
TIA
Hello,
Like Viren said mac-address filtering is not the most secure way as they can be easily spoofed.
Why don't you try Peer-to-peer blocking.
Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-Peer enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the controller, dropped by the controller, or forwarded to the upstream VLAN.
For more on this you can check the following short Cisco doc:
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/wlan/config_wlan_chapter_01010.html -
Manage WLAN autoreconnection behavior in iOS
Hello there
I'm currently developing an iPhone/iPad application to control UAVs (Unmanned Aerial Vehicles). Those UAVs are equipped with WLAN mesh nodes and they build a flying ad-hoc WLAN network. The iPhone or iPad is connected to this network. Now as the UAVs are flying, they can lose the connection to the controlling device. In this case the iPhone/iPad would automatically reconnect to another WLAN network in range if the device was connected to this network once before. The UAV detects that it has lost its connection to the controlling device and will fly back as long as it has no connection.
Now the problem arises since the iPhone/iPad will NOT automatically reconnect to the UAV's WLAN when it comes in range again, because the controlling device has already connected to another known WLAN.
I need a kind of mechanism to either:
- automatically switch back to the UAVs WLAN from the app
- block the autoreconnection behavior of the device except for the UAVs WLAN SSID as long as the app is running
- or another solution which solves this problem
Ideally this should be achieved without leaving the app and without violation of Apple's coding conventions. The description of the project you can find here: http://rvs.unibe.ch/teaching/projects/projectiPad_UAVFrontend.html
Any advice? Your help would be highly appreciated.
Hello
I'm encountering a similar problem. I develop an app for iPad / iPhone, which connects to mesh nodes (in an IPv6 ad-hoc net). It would be great if the iOS SDK would provide a possibility to programmatically connect to such a network or reconnect, if connection was lost. However I did not yet find any possibility, which would work without private APIs.
Any guess how this could be achieved in a "legal" way?
Some help would be really great... -
No valid PMKID found in the MSCB
I'm having issues roaming on the 2.4 802.11b/g/n network... It works some of the time but then my mobile client gets disconnected.
5508 Code 7.4.100.0
30 APs - AIR-CAP3602I-A-K9
Any ideas?
error log:
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Reassociation received from mobile on BSSID f8:4f:57:e3:00:a2
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Global 200 Clients are allowed to AP radio
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Max Client Trap Threshold: 0 cur: 24
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Rf profile 200 Clients are allowed to AP wlan
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 In processSsidIE:4256 setting Central switched to FALSE
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific Local Bridging override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Local Bridging Interface Policy for station 00:90:4c:52:0e:a0 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (8): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (10): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Processing RSN IE type 48, length 38 for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Received RSN IE with 1 PMKIDs from mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: Received PMKID: (16)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMKID in MSCB PMKID cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 No valid PMKID found in the MSCB PMKID cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Trying to compute a PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: BSSID = (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: realAA = (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: PMKID = (16)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: SPA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] 00 90 4c 52 0e a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMK in global PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Found an entry in the global PMK cache for station 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.934: CCKM: SPA (6)
*apfMsConnTask_3: Jan 28 14:22:53.934: [0000] 00 90 4c 52 0e a0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from global PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Setting active key cache index 0 ---> 8
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 unsetting PmkIdValidatedByAp
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Deleted mobile LWAPP rule on AP [dc:a5:f4:64:63:90]
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Updated location for station old AP dc:a5:f4:64:63:90-0, new AP f8:4f:57:e3:00:a0-0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMsRunStateDec
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMs1xStateDec
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Initializing policy
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) DHCP required on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2for this client
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) Plumbed mobile LWAPP rule on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2 flex-acl-name:
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2:session timeout forstation 00:90:4c:52:0e:a0 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 Sending Assoc Response to station on BSSID f8:4f:57:e3:00:a1 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 apfProcessAssocReq (apf_80211.c:7391) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated
*apfMsConnTask_3: Jan 28 14:22:53.937: 00:90:4c:52:0e:a0 Updating AID for REAP AP Client f8:4f:57:e3:00:a0 - AID ===> 103
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Disable re-auth, use PMK lifetime.
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 dot1x - moving mobile 00:90:4c:52:0e:a0 into Connecting state
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Sending EAP-Request/Identity to mobile 00:90:4c:52:0e:a0 (EAP Id 1)
*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value
*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value
WLAN config
WLAN Identifier.................................. 3
Profile Name..................................... Employee
Network Name (SSID).............................. Employee
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 166
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 28800 seconds
User Idle Threshold.............................. 100 Bytes
NAS-identifier................................... BLUE-5508-01
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.0.12.72 1812
Accounting.................................... 10.0.12.72 1813
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
--More-- or (q)uit
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
I am having the same problem. 5508 running 7.0.240. System works fine for data users, but we are testing Jabber clients for the first time and see a lot of lost calls while roaming between APs. My debug client output looks just like Bryant's. It shows a reassociation request with a PMKID provided by the client. Then No valid PMKID found in the MSCB PMKID cache for mobile, Unable to compute a valid PMKID from MSCB PMK cache for mobile, Found an entry in the global PMK cache for station, then Unable to compute a valid PMKID from global PMK cache for mobile. The client is then successfully reauthenticated, but the delay impacts voice calls. What would cause this behavior? Debug below:
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Received RSN IE with 1 PMKIDs from mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: Received PMKID: (16)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Searching for PMKID in MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f No valid PMKID found in the MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Trying to compute a PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: CCKM: Find PMK in cache: BSSID = (6)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 6c 50 4d 2a b7 40
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: realAA = (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 6c 50 4d 2a b7 4e
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: PMKID = (16)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Searching for PMK in global PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Found an entry in the global PMK cache for station 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: AA (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 6c 50 4d 2a b7 4e
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: SPA (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 88 53 95 42 e9 4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from global PMK cache for mobile 88:53:95:42:e9:4f
-
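The cache-miss sequence in the debug output above can be picked out of a long `debug client` capture automatically, which helps when counting how many roams fall back to full authentication. This is an added example, not part of the original post or any Cisco tooling; it matches only the message strings visible in that output, the sample lines are copied from the post, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Debug lines copied from the post above.
SAMPLE = """\
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Received RSN IE with 1 PMKIDs from mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: Received PMKID: (16)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Searching for PMKID in MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f No valid PMKID found in the MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Trying to compute a PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: CCKM: Find PMK in cache: BSSID = (6)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 6c 50 4d 2a b7 40
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: PMKID = (16)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Searching for PMK in global PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Found an entry in the global PMK cache for station 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from global PMK cache for mobile 88:53:95:42:e9:4f
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <message>"
LINE = re.compile(r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
MAC = re.compile(r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<rest>.*)$", re.I)
HEXDUMP = re.compile(r"^\[[0-9a-f]{4}\] (?P<hex>(?:[0-9a-f]{2} ?)+)$", re.I)
START = re.compile(r"Received RSN IE with (\d+) PMKIDs? from mobile")

# Message fragments seen in the post, mapped to the cache stage that missed.
MISS_MARKERS = {
    "No valid PMKID found in the MSCB PMKID cache": "mscb_pmkid_cache",
    "Unable to compute a valid PMKID from MSCB PMK cache": "mscb_pmk_cache",
    "Unable to compute a valid PMKID from global PMK cache": "global_pmk_cache",
}


@dataclass
class RoamAttempt:
    client: str
    timestamp: str
    pmkid_count: int
    offered_pmkids: list = field(default_factory=list)
    misses: list = field(default_factory=list)
    global_entry_found: bool = False

    @property
    def verdict(self):
        if self.pmkid_count == 0:
            return "no_pmkid_offered"
        if all(stage in self.misses for stage in MISS_MARKERS.values()):
            return "pmkid_not_matched"  # every cache stage logged a miss
        return "undetermined"


def parse_roam_attempts(text):
    """Group debug lines into one RoamAttempt per received RSN IE."""
    attempts = []
    current = {}          # task name -> attempt being built on that task
    expect_pmkid = set()  # tasks whose next hexdump line is an offered PMKID
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        task, ts, msg = m["task"], m["ts"], m["msg"]
        dump = HEXDUMP.match(msg)
        if dump:
            # Hexdump lines carry no MAC; attribute them via the task name.
            if task in expect_pmkid and task in current:
                current[task].offered_pmkids.append(dump["hex"].replace(" ", "").lower())
            expect_pmkid.discard(task)
            continue
        if msg.startswith("Received PMKID:"):
            expect_pmkid.add(task)
            continue
        expect_pmkid.discard(task)
        cm = MAC.match(msg)
        if not cm:
            continue
        mac, rest = cm["mac"].lower(), cm["rest"]
        start = START.search(rest)
        if start:
            attempt = RoamAttempt(mac, ts, int(start.group(1)))
            attempts.append(attempt)
            current[task] = attempt
            continue
        attempt = current.get(task)
        if attempt is None or attempt.client != mac:
            continue
        for marker, stage in MISS_MARKERS.items():
            if marker in rest:
                attempt.misses.append(stage)
        if "Found an entry in the global PMK cache" in rest:
            attempt.global_entry_found = True
    return attempts


def clients_with_rejected_pmkid(attempts):
    """Count, per client MAC, the attempts where no cache stage matched."""
    counts = {}
    for a in attempts:
        if a.verdict == "pmkid_not_matched":
            counts[a.client] = counts.get(a.client, 0) + 1
    return counts


if __name__ == "__main__":
    for a in parse_roam_attempts(SAMPLE):
        print(a.timestamp, a.client, a.offered_pmkids, a.misses, a.verdict)
```

An attempt that ends as `pmkid_not_matched` while `global_entry_found` is true corresponds to the situation in the post: the controller holds a PMK for the station but cannot derive the PMKID the client presented.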
How to restrict AP client-to-client traffic in same SSID
Dear all,
Please kindly advise how wireless client-to-client traffic can be restricted? The AP is controlled by WLC.
Thanks.
Eric
Hi Eric,
Great question! Here is the related info, note the nice change in WLC Version 4.2.x.x;
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or the mode that performs the similar function of PSPF in Lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP.
If this mode is disabled on the controller, which is by default, it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller.
It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
Configuring Peer-to-Peer Blocking
In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received.
In controller software release 4.2, peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated.
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1084832
Hope this helps!
Rob
-
Clients disconnect because of Capabilities change
Hi all,
recently we migrated AIR-LAP1131AG APs from a 4402 WLC running 4.1.185.0 release to a 5508 running 7.6.130.0. After we did that some clients constantly disconnected and reconnected. I strongly assume it has something to do with the additional features that were introduced between the releases.
During debugging I saw that after the client entered the RUN state that it got disconnected with the following error:
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Association Failed on REAP AP BSSID yy:yy:yy:yy:yy:yy (slot 0), status 1 0 Capabilities changed
Here is the whole debug output (X is the client, Y is the AP, Z are other APs for the group key)
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Adding mobile on LWAPP AP yy:yy:yy:yy:yy:yy(0)
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Association received from mobile on BSSID yy:yy:yy:yy:yy:yy
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Global 200 Clients are allowed to AP radio
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx override for default ap group, marking intgrp NULL
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Re-applying interface policy for client
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Applying site-specific Local Bridging override for station xx:xx:xx:xx:xx:xx - vapId 5, site 'default-group', interface 'irglbxv'
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Applying Local Bridging Interface Policy for station xx:xx:xx:xx:xx:xx - vlan 14, interface id 14, interface 'irglbxv'
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx STA - rates (12): 2 4 11 22 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Processing RSN IE type 48, length 20 for mobile xx:xx:xx:xx:xx:xx
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Updating AID for REAP AP Client yy:yy:yy:yy:yy:yy - AID ===> 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Encryption policy is set to 0x80000001
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Central switch is FALSE
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Sending Local Switch flag = 1
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) DHCP required on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5for this client
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Not Using WMM Compliance code qosCap 00
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5 flex-acl-name:
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfMsAssoStateInc
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfPemAddUser2 (apf_policy.c:333) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Idle to Associated
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfPemAddUser2:session timeout forstation xx:xx:xx:xx:xx:xx - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Sending Assoc Response to station on BSSID zz:zz:zz:zz:zz:zz (status 0) ApVapId 5 Slot 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Associated to Associated
*spamApTask0: Mar 31 01:57:17.708: xx:xx:xx:xx:xx:xx Sent 1x initiate message to multi thread task for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.708: xx:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station xx:xx:xx:xx:xx:xx (RSN 2)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Resetting MSCB PMK Cache Entry 0 for station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Adding BSSID yy:yy:yy:yy:yy:yy to PMKID cache at index 0 for station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: New PMKID: (16)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: [0000] 95 e5 c8 10 ba cc 57 e5 1d 4c ab ae c3 eb 0c f5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Initiating RSN PSK to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx EAP-PARAM Debug - eap-params for Wlan-Id :5 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx dot1x - moving mobile xx:xx:xx:xx:xx:xx into Force Auth state
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Skipping EAP-Success to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx EAPOL Header:
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: 00000000: 02 03 00 5f ..._
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: [0000] 95 e5 c8 10 ba cc 57 e5 1d 4c ab ae c3 eb 0c f5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Starting key exchange to mobile xx:xx:xx:xx:xx:xx, data packets will be dropped
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Allocating EAP Pkt for retransmission to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:01 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx mscb->apfMsBssid = yy:yy:yy:yy:yy:yy mscb->apfMsAddress = xx:xx:xx:xx:xx:xx mscb->apfMsApVapId = 5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = 171969037
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 173667675 mscb->apfMsLwappLradPort = 23341
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Received EAPOL-Key from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Received EAPOL-key in PTK_START state (message 2) from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Stopping retransmission timer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx EAPOL Header:
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: 00000000: 02 03 00 5f ..._
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Reusing allocated memory for EAP Pkt for retransmission to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:01 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx mscb->apfMsBssid = yy:yy:yy:yy:yy:yy mscb->apfMsAddress = xx:xx:xx:xx:xx:xx mscb->apfMsApVapId = 5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.793: xx:xx:xx:xx:xx:xx dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = 171969037
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.793: xx:xx:xx:xx:xx:xx mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 173667675 mscb->apfMsLwappLradPort = 23341
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Received EAPOL-Key from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Stopping retransmission timer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Freeing EAP Retransmit Bufer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx apfMs1xStateInc
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Central switch is FALSE
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Sending the Central Auth Info
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Sending Local Switch flag = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5for this client
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5 flex-acl-name:
*spamApTask0: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6178, Adding TMP rule
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP yy:yy:yy:yy:yy:yy, slot 0, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 14, Local Bridging intf id = 14
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Mar 31 01:57:17.900: xx:xx:xx:xx:xx:xx 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx Orphan Packet from STA - IP 10.89.246.63
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx apfMsRunStateInc
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx 10.89.246.63 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx Assigning Address 10.89.246.63 to mobile
*pemReceiveTask: Mar 31 01:57:18.905: xx:xx:xx:xx:xx:xx 10.89.246.63 Removed NPU entry.
*dot1xMsgTask: Mar 31 01:57:19.863: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 0 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:19.863: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 1
*dot1xMsgTask: Mar 31 01:57:19.863: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:19.863: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.863: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 2
*dot1xMsgTask: Mar 31 01:57:19.863: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 3
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 4
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 5
*dot1xMsgTask: Mar 31 01:57:19.865: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*mmMaListen: Mar 31 01:57:20.863: xx:xx:xx:xx:xx:xx 10.89.246.63 RUN (20) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Mar 31 01:57:20.863: xx:xx:xx:xx:xx:xx 10.89.246.63 RUN (20) Reached PLUMBFASTPATH: from line 5850
*dot1xMsgTask: Mar 31 01:57:21.263: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 0 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 1
*dot1xMsgTask: Mar 31 01:57:21.263: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 2
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 3
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 4
*dot1xMsgTask: Mar 31 01:57:21.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 5
*dot1xMsgTask: Mar 31 01:57:21.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Association Failed on REAP AP BSSID yy:yy:yy:yy:yy:yy (slot 0), status 1 0 Capabilities changed
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 8, reasonCode 1
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Associated to Disassociated
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Sent Deauthenticate to mobile on BSSID yy:yy:yy:yy:yy:yy slot 0(caller apf_ms.c:6749)
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Removing BSSID yy:yy:yy:yy:yy:yy from PMKID cache of station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Resetting MSCB PMK Cache Entry 0 for station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Setting active key cache index 0 ---> 8
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Deleting the PMK cache when de-authenticating the client.
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Global PMK Cache deletion failed.
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsAssoStateDec
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireMobileStation (apf_ms.c:6787) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Disassociated to Idle
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Mar 31 01:57:28.464: xx:xx:xx:xx:xx:xx 10.89.246.63 START (0) Deleted mobile LWAPP rule on AP [yy:yy:yy:yy:yy:yy]
*apfReceiveTask: Mar 31 01:57:28.464: xx:xx:xx:xx:xx:xx Deleting mobile on AP yy:yy:yy:yy:yy:yy(0)
*dot1xMsgTask: Mar 31 01:57:30.263: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 1 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 1
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 2
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 3
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 4
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 5
*dot1xMsgTask: Mar 31 01:57:30.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
Here is the configuration of the SSID on the 4402 and 5508 for comparison.
4402
WLAN Identifier.................................. 2
Profile Name..................................... xxxxx
Network Name (SSID).............................. xxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ xxxxxx
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... All
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Auto Anchor................................... Disabled
Cranite Passthru.............................. Disabled
Fortress Passthru............................. Disabled
H-REAP Local Switching........................ Disabled
Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID IP Address Status
5508
WLAN Identifier.................................. 5
Profile Name..................................... xxxxx
Network Name (SSID).............................. xxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 3
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... xxxxxxxx
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Does anybody have an idea where else I could look at?
Regards,
Patrick
I thought the same, that those devices simply are too old. However, I would like to know what causes this capabilities change. We want to get rid of the old H/W, but at the moment it looks as if we would need to revert back to the 4402 in order to get those things working again.
I have not enough information, but those devices are some kind of handhelds. Their MAC OUI belongs to Newport Electronics.
Regards,
Patrick -
Cisco Flex 7500 controller with client disconnects
Hey All,
There will be a lot of info in this post, hopefully all helpful; more info the better, right! If you require any more info to help me out, do not hesitate to request it.
We have been having some issues with clients connecting and disconnecting several times a day and having to manually reconnect from the icon on their taskbar. We have about 380 APs, and 200+ more to deploy that we have and are licensed for but are having some issues that we want to resolve first obviously.
At some locations our setup is a bit more complex than this with multiple SSIDs and VLANs, but this issue is everywhere so I will keep it to our simple setup for now:
AP Models: AIR-LAP1042N-A-K9, AIR-CAP1602I-A-K9 (Most locations do not have a mix of both, most have 1042s)
Running a single SSID - WPA/WPA2 with: WPA - TKIP and WPA2 - AES on the same SSID.
They talk back to a Cisco Flex 7500 Series through a tunnel (should not be any port blocking preventing communication)
We are running, from what I understand, a bad firmware version (7.6.100.0) and during our next maintenance window I am going to try and get them to change to a more stable firmware version.
Data Rates of 1,2,5.5,11 Mbps are disabled
TPCv1 coverage running
Automatic Power Assignment
I will not focus on the a/n/ac network as most of our devices are connecting to WPA due to the config they already have.
Ideally I would like to get rid of WPA altogether but I am not 100% in control of the decisions to get that started and people here like to delay things lol.
It is hard to say if the issue is specific to a model as we have so few 1602Is, and it is just at our main office. I have not heard many complaints but I have noticed I will now and then get a limited or no connectivity setting on my wireless icon on my PC. I use hard-wired so I don't really notice if it is not working.
In most locations it looks like the controller is doing a decent job at selecting channels to use. I did find one spot where it had on 11 APs down a long hallway, and did not use channel 6 once. I statically set that location to stagger the channels to see what kind of results we had and am still waiting to hear on that as they complained the most out of all of our locations. In some cases 3 APs in a row were on channel 1 in the hallway, in a lot of cases 1 was 2 times in a row as well as 11 so there was a lot of overlap.
I am attaching my show sysinfo and show wlan 17 for that information; some of the other settings I have changed today that were previously enabled/set different are:
Disabled Cisco Aironet IE
Set channel automatic rescan from 10 minutes to 12 hours, as I can imagine if it is changing the channels a lot it can lead to disconnects.
Some of the main things we get in our message log are:
*dot1xMsgTask: Oct 16 15:17:36.943: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M5 retransmissions exceeded for client 84:85:06:0b:a6:33
- Not sure why we get this as we have a PSK and do not have local eap enabled.....
*apfMsConnTask_6: Oct 16 15:19:01.753: #APF-3-AID_UPDATE_FAILED: apf_80211.c:6570 Error updating Association ID for REAP AP Clientc8:f9:f9:2b:fd:50 - AID 4
*apfMsConnTask_6: Oct 16 15:19:01.753: #LWAPP-3-INVALID_AID2: spam_api.c:1462 Association identifier 4 for client 18:9e:fc:4d:9e:87 is already in use by 8c:2d:aa:b7:70:5e
- There is a bug for this log, but according to the bug our 7.6.100.0 is not affected
Here is my show sysinfo:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.100.0
RTOS Version..................................... 7.6.100.0
Bootloader Version............................... 7.6.101.2
Emergency Image Version.......................... 7.6.101.2
Build Type....................................... DATA + WPS
System Name...................................... Cisco_cf:17:26
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1295
Redundancy Mode.................................. Disabled
IP Address....................................... 10.156.50.100
System Up Time................................... 52 days 5 hrs 54 mins 25 secs
System Timezone Location......................... (GMT -4:00) Altantic Time (Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... CA - Canada
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +22 C
Fan Status....................................... OK
RAID Volume Status............................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 13
Number of Active Clients......................... 1584
Burned-in MAC Address............................ 70:81:05:CF:17:20
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 600
Here is my Show wlan 17
WLAN Identifier.................................. 17
Profile Name..................................... AirCCRSB
Network Name (SSID).............................. AirCCRSB
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 1768
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Cisco_cf:17:26
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy Name
As long as you take the configuration backup, downgrading from 7.6.100.0 to 7.4.121.0 should be fine. Because this is a FlexConnect deployment, make sure you review the release notes thoroughly, as config like VLAN mapping is impacted and it is painful to reconfigure.
I still think moving to 7.6MR3 and, once 8.x gets stable, going for that code is a good plan. Though 7.4.121.0 is AssureWave, it does not mean it has no bugs (remember that prior to this 7.4.110.0 was AssureWave and it was deferred in quick time). I would say 8.x is going to be the code staying for a long time period, so ultimately you have to be there.
In 8.x there are a few FlexConnect improvements, one being that the AP won't reload when you change from local mode to FlexConnect.
HTH
Rasika
**** Pls rate all useful responses ***
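An added example (not code from the thread or from Cisco): a small Python audit of the `show wlan` output posted above. It works out which TKIP/AES row belongs to WPA and which to WPA2 even though the indentation is lost, then flags the legacy settings visible in both dumps. The function names and finding IDs are assumptions made for illustration.

```python
import re

# "Key......... Value" rows as printed by `show wlan <id>`.
ROW = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")

# Trimmed excerpts of the two dumps posted in this thread. Indentation is
# already lost, so "TKIP Cipher" / "AES Cipher" repeat with no visible parent.
WPA_ONLY_WLAN = """\
Peer-to-Peer Blocking Action..................... Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
PMF........................................... Disabled
"""
MIXED_WLAN_17 = """\
Peer-to-Peer Blocking Action..................... Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
PMF........................................... Disabled
"""


def parse_show_wlan(text):
    """Map each key to its value, prefixing cipher rows with WPA or WPA2."""
    settings, parent = {}, None
    for line in text.splitlines():
        row = ROW.match(line)
        if row is None:  # bare header such as "Auth Key Management"
            parent = None
            continue
        key, value = row["key"].rstrip(":"), row["value"].strip()
        if key in ("WPA (SSN IE)", "WPA2 (RSN IE)"):
            parent = key.split()[0]
        elif key.endswith(" Cipher") and parent:
            key = f"{parent} {key}"
        settings[key] = value
    return settings


def audit(settings):
    """Return the IDs of the hardening findings that apply to one WLAN."""
    def enabled(key):
        return settings.get(key, "").lower() == "enabled"

    findings = []
    if enabled("WPA (SSN IE)"):
        findings.append("legacy-wpa")        # WPA1 information element advertised
    if enabled("WPA TKIP Cipher") or enabled("WPA2 TKIP Cipher"):
        findings.append("tkip")              # deprecated cipher still negotiable
    if not (enabled("WPA2 (RSN IE)") and enabled("WPA2 AES Cipher")):
        findings.append("no-wpa2-aes")       # no WPA2/AES path offered at all
    if settings.get("PMF") == "Disabled":
        findings.append("pmf-off")           # management frames unprotected
    if settings.get("Peer-to-Peer Blocking Action") == "Disabled":
        findings.append("p2p-blocking-off")  # no client isolation on this WLAN
    return findings


if __name__ == "__main__":
    for name, dump in (("WPA-only WLAN", WPA_ONLY_WLAN), ("WLAN 17", MIXED_WLAN_17)):
        print(name, audit(parse_show_wlan(dump)))
```

Findings are only raised for rows that are present, so a dump truncated by the pager under-reports rather than guessing.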