Radius Nac
Hi,
I try to mount a NAC lab with the following architecture :
- 802.1x on switch ports
- ACSv5 with an external database (windows) for machine and user authentification
- ACS v5 do vlan assignement and it works great.
- Nac Manager
- Nac agent on workstations : tried with CTA or CAA
I try to add a posture validation to check for the presence of an antivirus.
So I insalled a NAC Manager and add a "External Policy Check" on my ACS policy rule.
The Endpoint has CTA or CCA for posture validation.
It seems ACS doen't even try to make the request to the manager. I get the following error in ACS :
STEP_79=15038 Skipping External Policy because of missing or malformed required attributes
My question is : What do I need to do external posture validation with acs5 to a Nac Manager.
The guide reference I used is : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/common_scenarios.html#wp1053461
Thanks for your answer
Regards
I think with radius the vlan select and dynamic vlan assignment are two different topics. You can have ISE set users on different vlans within the same WLAN as long as the interface is present on the controller. I have tested this and works just fine.
The vlan select maybe a topic that the wireless folks can shed some light on.
Thanks
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Can ISE 1.1 act as a RADIUS for WGB through WLC?
thank youTarik,
Thanks for your answer, here is the problem !!!
In order to do PROFILING/POSTURING and all that for wireless clients here is what's needed:
Need to go to WLC (wireless controller) and choose RADIUS/NAC for the SSID.
So SSID = test RADIUS/NAC - then all normal clients go through ISE and get postured and profiled and all that works fine except...
WGBs cannot connect to SSID=test at all and they do not appear on ISE as an attempt at all.
As soon as I remove option RADIUS/NAC from WLC wgb connects and shows up on ISE fine and get authenticated ---> you would say well there you go that's ur problem , well yeah but if i DISABLE Radius/Nac option from WLC I lose the ability to control normal users that connect to SSID=test so it would just be PERMIT/DENY ACCESS based on username and the whole point of ISE would be ACS or Simple Radius Server.
Do you get my point?
Thank you.
P.s so for me to POSTURE/PROFILE wireless clients I need to use RADIUS/NAC option and for WGBs I have to setup a NEW SSID and leave that SSID without RADIUS/NAC option so it can only authenticate through ISE and not posture/profile clients, and I do not need to posture/profile clients behind WGB (it would be great but I don't necessarily need to, and I know they don't support CoA Change of Access attribute in RADIUS) -
FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC
Hi Chaps,
I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, theses are called up using the Airespace fields in the ISE policies dependant on what rule is hit.
ACL-WEBAUTH-REDIRECT
ACL-PERMIT-CORP-TRAFFIC
ACL-PERMIT-GUEST-TRAFFIC
Will FlexConnect APs call up the ACLs in the same way as a local mode as the WLAN will be AAA Override/RADIUS NAC or will FC ACLs be required.
Cheers,
NI believe you need to create Flex ACLs on the fWLC. These Flex ACLs can be called the same as regular ACLs so in ISE you wouldnt have to change the auth profile.
-
Radius NAC VLAN select support
Hi all,
I have digged through the WLC documentation for 7.3 and in the chapter about Radius NAC I read that the VLAN select feature is not supported.
Does anyone know if this will change?
VLAN select is actually a useful feature and I wouldn't understand if NAC support over the ISE won't be possible.
Hope someone can shed some light on this.
Regards,
PatrickI think with radius the vlan select and dynamic vlan assignment are two different topics. You can have ISE set users on different vlans within the same WLAN as long as the interface is present on the controller. I have tested this and works just fine.
The vlan select maybe a topic that the wireless folks can shed some light on.
Thanks
Tarik Admani
*Please rate helpful posts* -
ISE 1.3 not receiving Radius requests from WLC 5508 ver 8.0.110.0
Hello all. I just implemented ISE 1.3 at a customer site. added a WLC running 8.0.110.0 using its mgmt address with a RADIUS preshared key. On the WLC, I created to SSIDs, corp and guest.
For corp I configured WPA2 and AES and forwarded Radius requests to my 2 ISE node PSN interfaces
For the guest I configured MAC filter with advanced features AAA overide and Radius NAC - per Cisco's documents
The corp forwards Radius requests to ISE, the guest does not. I get nothing from the guest.
I configured the WLC step by step from the Cisco document. I have completed over 10 ISE implementations in the last year using ISE 1.2 and WLC 7.x and have never run into this issue before.
Any help will be much appreciated.This issue has been resolved. The issue was that for the guest SSID MAC filtering was enabled as required, but they had the test PCs on a mac filter bypass list for that SSID in the WLC. This was automatically authenticating the PC, and therefore not forwarding the RADIUS to ISE.
Once we removed the PC from the MAC filter list in the WLC, the authentications were forwarded to ISE as desired. -
WLC Applying cached RADIUS Override values for mobile
Hello!
We have a WiSM2 (version 7.4.110.0) with approx 200 APs. We are doing RADIUS authentication via a PacketFence backend. Everything usually works fine, but we are having an intermittent issue...
The WiSM2 gets its VLAN assignment for a client from the PacketFence server and does AAA override. If a client has not registered their device, go on one VLAN. Once they register, PacketFence disconnects them via RADIUS to the WiSM2, and then they should get their new VLAN assignment. This works fine in the majority of cases, but occasionally, after registering, the client disconnects and reconnects but is still put back on registration VLAN.
debug client mac shows this in the logs:
Applying cached RADIUS Override values for mobile 00:25:56:3d:f6:7b (caller pem_api.c:2210)
And I do not see the WiSM2 asking the PacketFence server for a VLAN assignment in the PacketFence logs.
Eventually, if the client stays disconnected long enough (5+ minutes), they can reconnect and get the proper VLAN assignment. I had previously opened a TAC about this, and they suggested a WiSM2 software upgrade and setting the Session Timeout on the WLAN to 900 seconds, which I did. This issue then disappeared for several weeks, but it has started happening again today (we saw it happen to about 15 clients throughout the day).
Anyone have any ideas on why this is happening, and how to stop the caching? Any thoughts would be greatly appreciated.
Here is the output from a show wlan of one of our WLANs we have seen this on:
WLAN Identifier.................................. 2
Profile Name..................................... BlitzNet
Network Name (SSID).............................. BlitzNet
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 538
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 900 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... WISM2_SDC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ blitznet
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ ipofradiusserver 1812
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Disabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. DisabledThere is nothing in the RADIUS server logs. It is as if the WiSM2 does not talk to it for the 2nd request. The flow for a problem client is like this:
1. New client associates
2. WiSM asks RADIUS server for VLAN
3. RADIUS Server hasn't seen it, so it puts it on VLAN 84 (our registration VLAN)
4. Client goes through captive portal
5. RADIUS server sends disconnect client message to WiSM
6. Client disconnects, reconnects
7. WiSM2 puts it back on VLAN 84, when it should put it on a VLAN determined by the SSID. The WiSM2 never asks the RADIUS server for the VLAN again, until the client has stayed disconnected for 5+ minutes, and I see the message in the wism2 log that I wrote above.
In the vast majority of cases, step 7 works properly. That is, when the client reconnects, it asks the RADIUS server what VLAN to put it on (I see it in the RADIUS server logs). I see the second request come in, and the RADIUS server replies with appropriate VLAN for the SSID.
After they get their proper VLAN, this doesn't occur again. It is as if the RADIUS server caches the client's VLAN override attribute somewhere and uses that, rather than asking the RADIUS server. -
WLC with ISE as radius and also external web server
Hi friends,
I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
any suggestions would be higly appreciated guys!
Regards,
MohitHi mohit,
Please make sure the below steps for guest auth thru ISE,
1)Add the WLC in your ISE as netork devices.
2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
a. any to ISE
b.ISE to any
c.any to dns server
d.dns to any
3)The external redirect url will be
https://ip address:8443/guestportal/Login.action
4)AAA server for that SSId would be your ISE ip with port number 1812.
5)In advanced tab please choose the AAA override. No need of radius nac.
6)Create appropriate authorization profile in ISE for guest.Example is below , -
WLC 5508 Release 7.4.100.0 RADIUS PROBLEM
Hi,
Previously I was using 7.0.116.0 and there was no problem on Radius Authentication.
Client uses secure V2
After upgrading 7.4.100.0 Radius Authentication Successfull,
but Secure V2 continuously opens login page
Thanks(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... Eduroam
Network Name (SSID).............................. eduroam
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 48
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ eduroam_1
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... 10.0.15.1
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 193.140.164.5 1812
--More-- or (q)uit
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
--More-- or (q)uit
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status -
Cannot authenticate Radius via WLC
Trying to configure RADIUS client on Server 2012 using a 5508 series WLC. Getting the following debug on the WLC:
(Cisco Controller) >*dot1xMsgTask: Dec 13 12:43:19.695: 74:e5:43:5d:48:78 Not sending EAP-Failure for STA 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:b8:60:47
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0 cur: 9
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Deleting client immediately since WLAN has changed
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Scheduling deletion of Mobile Station: (callerId: 50) in 1 seconds
*Dot1x_NW_MsgTask_0: Dec 13 12:43:25.550: 74:e5:43:5d:48:78 Ignoring any event(1), since client is marked for deletion
*osapiBsnTimer: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5827) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Disassociated
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsAssoStateDec
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5959) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Disassociated to Idle
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [0c:68:03:b8:60:40]
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 Deleting mobile on AP 0c:68:03:b8:60:40(0)
*apfMsConnTask_7: Dec 13 12:43:31.820: 74:e5:43:5d:48:78 Adding mobile on LWAPP AP 0c:68:03:d7:c7:90(0)
*apfMsConnTask_7: Dec 13 12:43:31.820: 74:e5:43:5d:48:78 Reassociation received from mobile on BSSID 0c:68:03:d7:c7:97
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0 cur: 3
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Re-applying interface policy for client
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 8 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 8, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:d7:c7:90 vapId 8 apVapId 8 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfMsAssoStateInc
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Idle to Associated
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:d7:c7:97 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Associated to Associated
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Updating AID for REAP AP Client 0c:68:03:d7:c7:90 - AID ===> 3
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 Station 74:e5:43:5d:48:78 setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Received Identity Response (count=2) from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 EAP State update from Connecting to Authenticating for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Authenticating state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=3) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=4) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 4)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=5) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 5)
*apfMsConnTask_7: Dec 13 12:43:42.724: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.724: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:42.725: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.725: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:42.726: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.726: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:42.727: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:d7:c7:90
*apfMsConnTask_7: Dec 13 12:43:42.727: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0 cur: 4
*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Deleting client immediately since WLAN has changed
*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Scheduling deletion of Mobile Station: (callerId: 50) in 1 seconds
*apfMsConnTask_7: Dec 13 12:43:42.731: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.731: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:42.744: 74:e5:43:5d:48:78 Ignoring any event(1), since client is marked for deletion
*osapiBsnTimer: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5827) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Associated to Disassociated
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsAssoStateDec
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5959) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Disassociated to Idle
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Dec 13 12:43:43.695: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [0c:68:03:d7:c7:90]
*apfReceiveTask: Dec 13 12:43:43.695: 74:e5:43:5d:48:78 Deleting mobile on AP 0c:68:03:d7:c7:90(0)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Adding mobile on LWAPP AP 0c:68:03:b8:60:40(0)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Reassociation received from mobile on BSSID 0c:68:03:b8:60:40
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0 cur: 9
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Re-applying interface policy for client
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:b8:60:40 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfMsAssoStateInc
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Idle to Associated
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:b8:60:40 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated
*apfMsConnTask_7: Dec 13 12:43:49.067: 74:e5:43:5d:48:78 Updating AID for REAP AP Client 0c:68:03:b8:60:40 - AID ===> 1
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 Station 74:e5:43:5d:48:78 setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.075: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.076: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
debug client 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.076: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Received Identity Response (count=2) from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 EAP State update from Connecting to Authenticating for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Authenticating state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=3) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=4) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 4)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=5) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 5)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.069: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.070: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.070: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=6) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Processing Access-Reject for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Removing PMK cache due to EAP-Failure for mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Sending EAP-Failure to mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Entering Backend Auth Failure state (id=6) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Setting quiet timer for 5 seconds for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Unknown state
*apfMsConnTask_7: Dec 13 12:44:00.651: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956640, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:44:00.651: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.659: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956640, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:b8:60:40
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0 cur: 10
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 219
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Re-applying interface policy for client
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:b8:60:40 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:b8:60:40 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated
*dot1xMsgTask: Dec 13 12:44:00.664: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:44:00.664: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)
I setup wireshark to capture on all interfaces and am getting absolutely 0 packet data when I attempt to authenticate as well.
Thanks in advance,
-BThanks for the reply Scott...so sorry for the spammy post!
The radius server where the client is deployed is not displaying any sort of logs in any of the NPS log files.
Show WLAN 1 is as follows:
WLAN Identifier.................................. 1
Profile Name..................................... GHI
Network Name (SSID).............................. GHI
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Enabled
DHCP ......................................... Enabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... GHI_WLC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
--More-- or (q)uit
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 172.18.0.44 1812
Accounting.................................... Global Servers
Interim Update............................. 600 Seconds
Dynamic Interface............................. Enabled
Dynamic Interface Priority.................... wlan
--More-- or (q)uit
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Hope this helps and thanks again!
/r
B -
CSS Script for checking RADIUS Service
Hi,
We are using CSS 11501 boxes for load-sharing RADIUS (NAC) requests between different ACS Servers.
How can I configure a keepalive method for checking the RADIUS service on the ACS Servers ?
If this needs to be a script then Can anyone provide some hints\tips ?
Thanks,
NamanThis needs to be a script.
The best way would be to sniff a request/response from a known user [or fake user], then extract the udp header + payload in hex format, then create a CSS script to send the hex formatted query and to verify that the hex formatted response matches the server response.
I believe the ap-kal-dns script uses a similar approach so you can look at it to get an idea of what you have to do.
Gilles. -
Problem with roamingin in VoIP SSID...
Hi guys,
My client has a WLC 5508 with a two dosens of 1262s. I set SSID for the VoIP but when the client roams there is a loss of packest. The client is using Cisco phones. Any help will be appreciated.
Pete
(Cisco Controller) >show wlan 144
WLAN Identifier.................................. 144
Profile Name..................................... VoIP_Network
Network Name (SSID).............................. Inside_144
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 10
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ 144_v
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Platinum
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout................... 20
FT Over-The-Air mode....................... Enabled
FT Over-The-Ds mode........................ Enabled
GTK Randomization.......................... Enabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
Access Network type............................ Not configured
Network Authentication type.................... Not configured
Internet service............................... Disabled
HESSID......................................... 00:00:00:00:00:00
Hotspot 2.0.................................... Disabled
WAN Metrics configuration
Link status.................................. 0
Link symmetry................................ 0
Downlink speed............................... 0
Uplink speed................................. 0
Mobility Services Advertisement Protocol....... Disabled
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >debug client 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Nov 30 17:02:25.463: 2c:54:2d:ea:d4:0e Association received from mobile on AP 34:bd:c8:b2:b1:10
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 144, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 144, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e Processing WPA IE type 221, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e apfMsRunStateDec
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e apfMs1xStateDec
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Initializing policy
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Change state to AUTHCHECK (2) last state RUN (20)
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
*pemReceiveTask: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 Removed NPU entry.
*apfMsConnTask_2: Nov 30 17:02:25.464: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) DHCP required on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2for this client
*apfMsConnTask_2: Nov 30 17:02:25.465: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2
*apfMsConnTask_2: Nov 30 17:02:25.465: 2c:54:2d:ea:d4:0e apfPemAddUser2 (apf_policy.c:268) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Associated to Associated
*apfMsConnTask_2: Nov 30 17:02:25.465: 2c:54:2d:ea:d4:0e Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_2: Nov 30 17:02:25.465: 2c:54:2d:ea:d4:0e Sending Assoc Response to station on BSSID 34:bd:c8:b2:b1:10 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_2: Nov 30 17:02:25.465: 2c:54:2d:ea:d4:0e apfProcessAssocReq (apf_80211.c:6290) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Associated to Associated
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Creating a PKC PMKID Cache entry for station 2c:54:2d:ea:d4:0e (RSN 0)
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Setting active key cache index 0 ---> 8
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 0
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Initiating WPA PSK to mobile 2c:54:2d:ea:d4:0e
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Force Auth state
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Skipping EAP-Success to mobile 2c:54:2d:ea:d4:0e
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Starting key exchange to mobile 2c:54:2d:ea:d4:0e, data packets will be dropped
*dot1xMsgTask: Nov 30 17:02:25.466: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Nov 30 17:02:25.990: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:25.990: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTK_START state (message 2) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:25.990: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:25.990: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.015: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.015: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) DHCP required on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2for this client
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e apfMsRunStateInc
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.016: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Reached PLUMBFASTPATH: from line 5362
*Dot1x: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 34:bd:c8:b2:b1:10, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255, IPv6 ACL ID = 2
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e Key exchange done, data packets from mobile 2c:54:2d:ea:d4:0e should be forwarded shortly
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*spamApTask5: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e Sent EAPOL-Key M5 for mobile 2c:54:2d:ea:d4:0e
*pemReceiveTask: Nov 30 17:02:26.017: 2c:54:2d:ea:d4:0e 10.123.201.4 Added NPU entry of type 1, dtlFlags 0x0
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.036: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.036: 2c:54:2d:ea:d4:0e Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:02:26.036: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e Association received from mobile on AP 34:bd:c8:b2:b1:10
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 144, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 144, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_2: Nov 30 17:03:17.385: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e Processing WPA IE type 221, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e apfMsRunStateDec
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e apfMs1xStateDec
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Initializing policy
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Change state to AUTHCHECK (2) last state RUN (20)
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
*pemReceiveTask: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 Removed NPU entry.
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) DHCP required on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2for this client
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e apfPemAddUser2 (apf_policy.c:268) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Associated to Associated
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e Sending Assoc Response to station on BSSID 34:bd:c8:b2:b1:10 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_2: Nov 30 17:03:17.386: 2c:54:2d:ea:d4:0e apfProcessAssocReq (apf_80211.c:6290) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Associated to Associated
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Creating a PKC PMKID Cache entry for station 2c:54:2d:ea:d4:0e (RSN 0)
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Setting active key cache index 0 ---> 8
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 0
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Initiating WPA PSK to mobile 2c:54:2d:ea:d4:0e
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Force Auth state
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Skipping EAP-Success to mobile 2c:54:2d:ea:d4:0e
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Starting key exchange to mobile 2c:54:2d:ea:d4:0e, data packets will be dropped
*dot1xMsgTask: Nov 30 17:03:17.389: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.422: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.422: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTK_START state (message 2) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.422: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.423: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) DHCP required on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2for this client
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 34:bd:c8:b2:b1:10 vapId 144 apVapId 2
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e apfMsRunStateInc
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.433: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Reached PLUMBFASTPATH: from line 5362
*Dot1x: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 34:bd:c8:b2:b1:10, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255, IPv6 ACL ID = 2
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e Key exchange done, data packets from mobile 2c:54:2d:ea:d4:0e should be forwarded shortly
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*spamApTask5: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e Sent EAPOL-Key M5 for mobile 2c:54:2d:ea:d4:0e
*pemReceiveTask: Nov 30 17:03:17.435: 2c:54:2d:ea:d4:0e 10.123.201.4 Added NPU entry of type 1, dtlFlags 0x0
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.447: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.447: 2c:54:2d:ea:d4:0e Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Nov 30 17:03:17.447: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*emWeb: Nov 30 17:03:46.162: Configuring IPv6 ACL for WLAN:144, aclName passed is NULL
*apfReceiveTask: Nov 30 17:03:46.173: 2c:54:2d:ea:d4:0e apfSendDisAssocMsgDebug (apf_80211.c:2162) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Associated to Disassociated
*apfReceiveTask: Nov 30 17:03:46.178: 2c:54:2d:ea:d4:0e Sent Disassociate to mobile on AP 34:bd:c8:b2:b1:10-0 (reason 1, caller apf_ms.c:5558)
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e Sent Deauthenticate to mobile on BSSID 34:bd:c8:b2:b1:10 slot 0(caller apf_ms.c:5678)
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e apfMsAssoStateDec
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e apfMsExpireMobileStation (apf_ms.c:5716) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b2:b1:10 from Disassociated to Idle
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Deleted mobile LWAPP rule on AP [34:bd:c8:b2:b1:10]
*pemReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e 10.123.201.4 Removed NPU entry.
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e apfMsRunStateDec
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e apfMs1xStateDec
*apfReceiveTask: Nov 30 17:03:46.183: 2c:54:2d:ea:d4:0e Deleting mobile on AP 34:bd:c8:b2:b1:10(0)Hi guys and Saravanan thank for the ideas....
the qualituy is getting better, not satisfactory for the customer though...
I have upgraded the firware as advised to 1.4.3 - I forgot to mention I have 7925g wifi phonee
I set the 802.1x + cckm with eap-fast and WPA2 and definately the quality of the calls got a huge improvement but still not enough. What can be the reason for the confinuing problems during roaming?
Guys, is it possible to set the CCKM without ACS (or WDS - i think that was the second option)
here is some output:
(Cisco Controller) show>wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... test_wifi_144
Network Name (SSID).............................. test144
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 1
Exclusionlist.................................... Disabled
Session Timeout.................................. 65535 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ 144_v
--More-- or (q)uit
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Platinum
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Required
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... ap-cac-limit
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 2
DTIM period for 802.11b radio.................... 2
Radius Servers
--More-- or (q)uit
Authentication................................ 172.16.106.53 1645
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT(802.11r)............................. Disabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout................... 20
FT Over-The-Air mode....................... Enabled
FT Over-The-Ds mode........................ Enabled
--More-- or (q)uit
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
--More-- or (q)uit
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
Access Network type............................ Not configured
Network Authentication type.................... Not configured
Internet service............................... Disabled
HESSID......................................... 00:00:00:00:00:00
Hotspot 2.0.................................... Disabled
WAN Metrics configuration
Link status.................................. 0
Link symmetry................................ 0
Downlink speed............................... 0
Uplink speed................................. 0
Mobility Services Advertisement Protocol....... Disabled
(Cisco Controller) >debug client 2C542DEAD40E
*apfMsConnTask_3: Dec 07 13:55:49.522: 2c:54:2d:ea:d4:0e Adding mobile on LWAPP AP 34:bd:c8:b3:d9:f0(0)
*apfMsConnTask_3: Dec 07 13:55:49.522: 2c:54:2d:ea:d4:0e Association received from mobile on AP 34:bd:c8:b3:d9:f0
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Processing RSN IE type 48, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e CCKM: Mobile is using CCKM
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Received RSN IE with 0 PMKIDs from mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_3: Dec 07 13:55:49.523: 2c:54:2d:ea:d4:0e 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1for this client
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e apfMsAssoStateInc
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e apfPemAddUser2 (apf_policy.c:268) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b3:d9:f0 from Idle to Associated
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e Sending Assoc Response to station on BSSID 34:bd:c8:b3:d9:f0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_3: Dec 07 13:55:49.524: 2c:54:2d:ea:d4:0e apfProcessAssocReq (apf_80211.c:6290) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b3:d9:f0 from Associated to Associated
*dot1xMsgTask: Dec 07 13:55:49.525: 2c:54:2d:ea:d4:0e Disable re-auth, use PMK lifetime.
*dot1xMsgTask: Dec 07 13:55:49.525: 2c:54:2d:ea:d4:0e Station 2c:54:2d:ea:d4:0e setting dot1x reauth timeout = 65535
*dot1xMsgTask: Dec 07 13:55:49.525: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Connecting state
*dot1xMsgTask: Dec 07 13:55:49.525: 2c:54:2d:ea:d4:0e Sending EAP-Request/Identity to mobile 2c:54:2d:ea:d4:0e (EAP Id 1)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.574: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.574: 2c:54:2d:ea:d4:0e Received Identity Response (count=1) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.574: 2c:54:2d:ea:d4:0e EAP State update from Connecting to Authenticating for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.574: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Authenticating state
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.574: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.583: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.583: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=85) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.583: 2c:54:2d:ea:d4:0e WARNING: updated EAP-Identifier 1 ===> 85 for STA 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.583: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 85)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.591: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.591: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 85, EAP Type 3)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.591: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.602: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.602: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=86) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.602: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 86)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.621: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.621: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 86, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.621: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.625: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.625: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=87) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.625: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 87)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.653: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.653: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 87, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.653: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.655: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.655: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=89) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.655: 2c:54:2d:ea:d4:0e WARNING: updated EAP-Identifier 87 ===> 89 for STA 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.655: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 89)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.671: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.671: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 89, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.671: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.676: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.676: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=90) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.676: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 90)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.691: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.691: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 90, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.691: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.702: 2c:54:2d:ea:d4:0e Processing Access-Accept for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Username entry (test960) created for mobile, length = 253
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Username entry (test960) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Setting re-auth timeout to 65535 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Station 2c:54:2d:ea:d4:0e setting dot1x reauth timeout = 65535
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Creating a PKC PMKID Cache entry for station 2c:54:2d:ea:d4:0e (RSN 2)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Resetting MSCB PMK Cache Entry 0 for station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Adding BSSID 34:bd:c8:b3:d9:f0 to PMKID cache at index 0 for station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: New PMKID: (16)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: [0000] ab 8f b5 75 ad c5 8e af 50 0d ce 4a f1 7b 16 9e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e CCKM: Create a global PMK cache entry
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Sending EAP-Success to mobile 2c:54:2d:ea:d4:0e (EAP Id 90)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: [0000] ab 8f b5 75 ad c5 8e af 50 0d ce 4a f1 7b 16 9e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Starting key exchange to mobile 2c:54:2d:ea:d4:0e, data packets will be dropped
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Entering Backend Auth Success state (id=90) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.703: 2c:54:2d:ea:d4:0e Received Auth Success while in Authenticating state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.704: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Authenticated state
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTK_START state (message 2) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: 2c:54:2d:ea:d4:0e CCKM: Sending cache add
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: CCKM: Sending CCKM PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.721: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1for this client
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5253, Adding TMP rule
*Dot1x_NW_MsgTask_: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 34:bd:c8:b3:d9:f0, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_6: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*apfReceiveTask: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Dec 07 13:55:49.741: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4891, Adding TMP rule
*apfReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 34:bd:c8:b3:d9:f0, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255,
*apfReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*apfReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*pemReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e Sent an XID frame
*pemReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Dec 07 13:55:49.742: 2c:54:2d:ea:d4:0e Sent an XID frame
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP received op BOOTREQUEST (1) (len 556,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP selected relay 1 - 172.16.100.121 (local address 10.123.200.15, gateway 10.123.200.1, VLAN 144, port 1)
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Dec 07 13:55:50.513: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 10.123.200.15
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP requested ip: 10.123.205.33
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP ARPing for 10.123.200.1 (SPA 10.123.200.15, vlanId 144)
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.123.200.15 VLAN: 144
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP selected relay 2 - 172.16.100.122 (local address 10.123.200.15, gateway 10.123.200.1, VLAN 144, port 1)
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 10.123.200.15
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP requested ip: 10.123.205.33
*DHCP Socket Task: Dec 07 13:55:50.514: 2c:54:2d:ea:d4:0e DHCP ARPing for 10.123.200.1 (SPA 10.123.200.15, vlanId 144)
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP received op BOOTREQUEST (1) (len 556,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.123.200.15 VLAN: 144
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP selected relay 1 - 172.16.100.121 (local address 10.123.200.15, gateway 10.123.200.1, VLAN 144, port 1)
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 10.123.200.15
*DHCP Socket Task: Dec 07 13:55:52.512: 2c:54:2d:ea:d4:0e DHCP requested ip: 10.123.205.33
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP sending REQUEST to 10.123.200.1 (len 374, port 1, vlan 144)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.123.200.15 VLAN: 144
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP selected relay 2 - 172.16.100.122 (local address 10.123.200.15, gateway 10.123.200.1, VLAN 144, port 1)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 10.123.200.15
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP requested ip: 10.123.205.33
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP sending REQUEST to 10.123.200.1 (len 374, port 1, vlan 144)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP received op BOOTREPLY (2) (len 322,vlan 144, port 1, encap 0xec00)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP setting server from OFFER (server 172.16.100.121, yiaddr 10.123.201.4)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP sending REPLY to STA (len 430, port 1, vlan 0)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP OFFER (2)
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 10.123.201.4
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:52.513: 2c:54:2d:ea:d4:0e DHCP server id: 1.1.1.1 rcvd server id: 172.16.100.121
*DHCP Socket Task: Dec 07 13:55:52.514: 2c:54:2d:ea:d4:0e DHCP received op BOOTREPLY (2) (len 322,vlan 144, port 1, encap 0xec00)
*DHCP Socket Task: Dec 07 13:55:52.514: 2c:54:2d:ea:d4:0e DHCP dropping OFFER from 172.16.100.122 (yiaddr 10.123.205.33)
*DHCP Socket Task: Dec 07 13:55:52.523: 2c:54:2d:ea:d4:0e DHCP received op BOOTREQUEST (1) (len 556,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Dec 07 13:55:52.523: 2c:54:2d:ea:d4:0e DHCP selecting relay 1 - control block settings:
dhcpServer: 172.16.100.121, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.123.200.15 VLAN: 144
*DHCP Socket Task: Dec 07 13:55:52.523: 2c:54:2d:ea:d4:0e DHCP selected relay 1 - 172.16.100.121 (local address 10.123.200.15, gateway 10.123.200.1, VLAN 144, port 1)
*DHCP Socket Task: Dec 07 13:55:52.523: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 10.123.200.15
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP requested ip: 10.123.201.4
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP server id: 172.16.100.121 rcvd server id: 1.1.1.1
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP sending REQUEST to 10.123.200.1 (len 382, port 1, vlan 144)
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP selecting relay 2 - control block settings:
dhcpServer: 172.16.100.121, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 10.123.200.15 VLAN: 144
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP selected relay 2 - NONE
*DHCP Socket Task: Dec 07 13:55:52.524: 2c:54:2d:ea:d4:0e DHCP received op BOOTREPLY (2) (len 322,vlan 144, port 1, encap 0xec00)
*DHCP Socket Task: Dec 07 13:55:52.525: 2c:54:2d:ea:d4:0e Static IP client associated to interface 144_v which can support client subnet.
*DHCP Socket Task: Dec 07 13:55:52.525: 2c:54:2d:ea:d4:0e apfMsRunStateInc
*DHCP Socket Task: Dec 07 13:55:52.525: 2c:54:2d:ea:d4:0e 10.123.201.4 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Reached PLUMBFASTPATH: from line 5776
*DHCP Soc: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 34:bd:c8:b3:d9:f0, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255, IPv6 ACL ID
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e Assigning Address 10.123.201.4 to mobile
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP success event for client. Clearing dhcp failure count for interface 144_v.
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP sending REPLY to STA (len 430, port 1, vlan 0)
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP transmitting DHCP ACK (5)
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP xid: 0xf12d461 (252892257), secs: 0, flags: 0
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP chaddr: 2c:54:2d:ea:d4:0e
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP ciaddr: 0.0.0.0, yiaddr: 10.123.201.4
*DHCP Socket Task: Dec 07 13:55:52.526: 2c:54:2d:ea:d4:0e DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Dec 07 13:55:52.527: 2c:54:2d:ea:d4:0e DHCP server id: 1.1.1.1 rcvd server id: 172.16.100.121
*pemReceiveTask: Dec 07 13:55:52.527: 2c:54:2d:ea:d4:0e 10.123.201.4 Added NPU entry of type 1, dtlFlags 0x10
*pemReceiveTask: Dec 07 13:55:52.527: 2c:54:2d:ea:d4:0e Sending a gratuitous ARP for 10.123.201.4, VLAN Id 144
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Association received from mobile on AP 34:bd:c8:b3:d9:f0
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Processing RSN IE type 48, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e CCKM: Mobile is using CCKM
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Received RSN IE with 0 PMKIDs from mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Removing BSSID 34:bd:c8:b3:d9:f0 from PMKID cache of station 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Resetting MSCB PMK Cache Entry 0 for station 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:01.509: 2c:54:2d:ea:d4:0e Setting active key cache index 0 ---> 8
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e apfMsRunStateDec
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e apfMs1xStateDec
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Initializing policy
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 START (0) Change state to AUTHCHECK (2) last state RUN (20)
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) DHCP required on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1for this client
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e apfPemAddUser2 (apf_policy.c:268) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b3:d9:f0 from Associated to Associated
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e Sending Assoc Response to station on BSSID 34:bd:c8:b3:d9:f0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_3: Dec 07 13:57:01.510: 2c:54:2d:ea:d4:0e apfProcessAssocReq (apf_80211.c:6290) Changing state for mobile 2c:54:2d:ea:d4:0e on AP 34:bd:c8:b3:d9:f0 from Associated to Associated
*dot1xMsgTask: Dec 07 13:57:01.512: 2c:54:2d:ea:d4:0e Disable re-auth, use PMK lifetime.
*dot1xMsgTask: Dec 07 13:57:01.512: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Connecting state
*dot1xMsgTask: Dec 07 13:57:01.512: 2c:54:2d:ea:d4:0e Sending EAP-Request/Identity to mobile 2c:54:2d:ea:d4:0e (EAP Id 1)
*pemReceiveTask: Dec 07 13:57:01.513: 2c:54:2d:ea:d4:0e 10.123.201.4 Removed NPU entry.
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.654: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.654: 2c:54:2d:ea:d4:0e Received Identity Response (count=1) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.654: 2c:54:2d:ea:d4:0e EAP State update from Connecting to Authenticating for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.654: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Authenticating state
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.654: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.684: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.684: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=86) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.684: 2c:54:2d:ea:d4:0e WARNING: updated EAP-Identifier 1 ===> 86 for STA 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.684: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 86)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.695: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.695: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 86, EAP Type 3)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.695: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.699: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.699: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=87) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.699: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 87)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.806: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.806: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 87, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.806: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.809: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.809: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=88) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.809: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 88)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.874: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.874: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 88, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.874: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.880: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.880: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=90) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.880: 2c:54:2d:ea:d4:0e WARNING: updated EAP-Identifier 88 ===> 90 for STA 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.880: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 90)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.903: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.903: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 90, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.903: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.909: 2c:54:2d:ea:d4:0e Processing Access-Challenge for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.909: 2c:54:2d:ea:d4:0e Entering Backend Auth Req state (id=91) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:01.909: 2c:54:2d:ea:d4:0e Sending EAP Request from AAA to mobile 2c:54:2d:ea:d4:0e (EAP Id 91)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.061: 2c:54:2d:ea:d4:0e Received EAPOL EAPPKT from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.061: 2c:54:2d:ea:d4:0e Received EAP Response from mobile 2c:54:2d:ea:d4:0e (EAP Id 91, EAP Type 43)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.061: 2c:54:2d:ea:d4:0e Entering Backend Auth Response state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.076: 2c:54:2d:ea:d4:0e Processing Access-Accept for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.076: 2c:54:2d:ea:d4:0e Resetting web IPv4 acl from 255 to 255
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.076: 2c:54:2d:ea:d4:0e Setting re-auth timeout to 65535 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Station 2c:54:2d:ea:d4:0e setting dot1x reauth timeout = 65535
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Creating a PKC PMKID Cache entry for station 2c:54:2d:ea:d4:0e (RSN 2)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Resetting MSCB PMK Cache Entry 0 for station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Adding BSSID 34:bd:c8:b3:d9:f0 to PMKID cache at index 0 for station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: New PMKID: (16)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: [0000] 16 bf c0 3e 07 00 79 b1 51 ca d3 47 44 69 1b a1
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e CCKM: Create a global PMK cache entry
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Sending EAP-Success to mobile 2c:54:2d:ea:d4:0e (EAP Id 91)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: [0000] 16 bf c0 3e 07 00 79 b1 51 ca d3 47 44 69 1b a1
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Starting key exchange to mobile 2c:54:2d:ea:d4:0e, data packets will be dropped
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Entering Backend Auth Success state (id=91) for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e Received Auth Success while in Authenticating state for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.077: 2c:54:2d:ea:d4:0e dot1x - moving mobile 2c:54:2d:ea:d4:0e into Authenticated state
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTK_START state (message 2) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: 2c:54:2d:ea:d4:0e CCKM: Sending cache add
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: CCKM: Sending CCKM PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.113: 2c:54:2d:ea:d4:0e Sending EAPOL-Key Message to mobile 2c:54:2d:ea:d4:0e
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e Received EAPOL-Key from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 2c:54:2d:ea:d4:0e
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e apfMs1xStateInc
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e 10.123.201.4 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) DHCP required on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1for this client
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 34:bd:c8:b3:d9:f0 vapId 3 apVapId 1
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e apfMsRunStateInc
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.164: 2c:54:2d:ea:d4:0e 10.123.201.4 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Reached PLUMBFASTPATH: from line 5362
*Dot1x: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 34:bd:c8:b3:d9:f0, slot 0, interface = 1, QOS = 2
IPv4 ACL ID = 255, IPv6 ACL ID = 2
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006 Local Bridging Vlan = 144, Local Bridging intf id = 12
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_6: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e Stopping retransmission timer for mobile 2c:54:2d:ea:d4:0e
*pemReceiveTask: Dec 07 13:57:02.166: 2c:54:2d:ea:d4:0e 10.123.201.4 Added NPU entry of type 1, dtlFlags 0x0
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e CCKM: Received REASSOC REQ IE
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e Reassociation received from mobile on AP 34:bd:c8:b2:b1:10
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_2: Dec 07 13:57:03.265: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Processing RSN IE type 48, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e CCKM: Mobile is using CCKM
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Received RSN IE with 0 PMKIDs from mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Found an cache entry for BSSID 34:bd:c8:b3:d9:f0 in PMKID cache at index 0 of station 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Removing BSSID 34:bd:c8:b3:d9:f0 from PMKID cache of station 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Resetting MSCB PMK Cache Entry 0 for station 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e Setting active key cache index 0 ---> 8
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e CCKM: Processing REASSOC REQ IE
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e CCKM: using HMAC SHA1 to compute MIC
*apfMsConnTask_2: Dec 07 13:57:03.266: 2c:54:2d:ea:d4:0e CCKM: Received a valid REASSOC REQ IE
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e CCKM: Initializing PMK cache entry with a new PTK
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Resetting MSCB PMK Cache Entry 0 for station 2c:54:2d:ea:d4:0e
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 0
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Creating a PKC PMKID Cache entry for station 2c:54:2d:ea:d4:0e (RSN 2) on BSSID 34:bd:c8:b3:d9:f0
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Setting active key cache index 0 ---> 8
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e CCKM: using HMAC SHA1 to compute MIC
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Including CCKM Response IE (length 54) in Assoc Resp to mobile
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Sending Assoc Response to station on BSSID 34:bd:c8:b2:b1:10 (status 202) ApVapId 1 Slot 0
*apfMsConnTask_2: Dec 07 13:57:03.267: 2c:54:2d:ea:d4:0e Scheduling deletion of Mobile Station: (callerId: 22) in 3 seconds
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Association received from mobile on AP 34:bd:c8:b3:d9:f0
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Applying site-specific Local Bridging override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Applying Local Bridging Interface Policy for station 2c:54:2d:ea:d4:0e - vlan 144, interface id 12, interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Applying site-specific override for station 2c:54:2d:ea:d4:0e - vapId 3, site 'Floor_1', interface '144_v'
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1697)
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1864)
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Processing RSN IE type 48, length 22 for mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e CCKM: Mobile is using CCKM
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Received RSN IE with 0 PMKIDs from mobile 2c:54:2d:ea:d4:0e
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e Setting active key cache index 8 ---> 8
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e unsetting PmkIdValidatedByAp
*apfMsConnTask_3: Dec 07 13:57:04.925: 2c:54:2d:ea:d4:0e apfMsRunStateDec
*apfMsConnTask_3: Dec 07 13:57:04.926: 2c:54:2d:ea:d4:0e apfMs1xStateDec
*apfMsConnTask_3: Dec 07 13:57:04.926: 2c:54:2d:ea:d4:0e 10.123.201.4 RUN (20) Change state to START (0) last state RUN (20) -
Clients disconnect because of Capabilites change
Hi all,
recently we migrated AIR-LAP1131AG APs from a 4402 WLC running 4.1.185.0 release to a 5508 running 7.6.130.0. After we did that some clients constantly disconnected and reconnected. I strongly assume it has something to do with the additional features that were introduced between the releases.
During debugging I saw that after the client entered the RUN state that it got disconnected with the following error:
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Association Failed on REAP AP BSSID yy:yy:yy:yy:yy:yy (slot 0), status 1 0 Capabilities changed
Here is the whole debug output (X is the client, Y is the AP, Z are other APs for the group key)
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Adding mobile on LWAPP AP yy:yy:yy:yy:yy:yy(0)
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Association received from mobile on BSSID yy:yy:yy:yy:yy:yy
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Global 200 Clients are allowed to AP radio
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx override for default ap group, marking intgrp NULL
*apfMsConnTask_3: Mar 31 01:57:17.623: xx:xx:xx:xx:xx:xx Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Re-applying interface policy for client
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Applying site-specific Local Bridging override for station xx:xx:xx:xx:xx:xx - vapId 5, site 'default-group', interface 'irglbxv'
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Applying Local Bridging Interface Policy for station xx:xx:xx:xx:xx:xx - vlan 14, interface id 14, interface 'irglbxv'
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx STA - rates (4): 2 4 11 22 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx STA - rates (12): 2 4 11 22 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Processing RSN IE type 48, length 20 for mobile xx:xx:xx:xx:xx:xx
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Updating AID for REAP AP Client yy:yy:yy:yy:yy:yy - AID ===> 1
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Encryption policy is set to 0x80000001
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Central switch is FALSE
*apfMsConnTask_3: Mar 31 01:57:17.624: xx:xx:xx:xx:xx:xx Sending Local Switch flag = 1
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) DHCP required on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5for this client
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Not Using WMM Compliance code qosCap 00
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5 flex-acl-name:
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfMsAssoStateInc
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfPemAddUser2 (apf_policy.c:333) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Idle to Associated
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfPemAddUser2:session timeout forstation xx:xx:xx:xx:xx:xx - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx Sending Assoc Response to station on BSSID zz:zz:zz:zz:zz:zz (status 0) ApVapId 5 Slot 0
*apfMsConnTask_3: Mar 31 01:57:17.625: xx:xx:xx:xx:xx:xx apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Associated to Associated
*spamApTask0: Mar 31 01:57:17.708: xx:xx:xx:xx:xx:xx Sent 1x initiate message to multi thread task for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.708: xx:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station xx:xx:xx:xx:xx:xx (RSN 2)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Resetting MSCB PMK Cache Entry 0 for station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Adding BSSID yy:yy:yy:yy:yy:yy to PMKID cache at index 0 for station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: New PMKID: (16)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: [0000] 95 e5 c8 10 ba cc 57 e5 1d 4c ab ae c3 eb 0c f5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Initiating RSN PSK to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx EAP-PARAM Debug - eap-params for Wlan-Id :5 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx dot1x - moving mobile xx:xx:xx:xx:xx:xx into Force Auth state
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Skipping EAP-Success to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx EAPOL Header:
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: 00000000: 02 03 00 5f ..._
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: [0000] 95 e5 c8 10 ba cc 57 e5 1d 4c ab ae c3 eb 0c f5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Starting key exchange to mobile xx:xx:xx:xx:xx:xx, data packets will be dropped
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx Allocating EAP Pkt for retransmission to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.709: xx:xx:xx:xx:xx:xx mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:01 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx mscb->apfMsBssid = yy:yy:yy:yy:yy:yy mscb->apfMsAddress = xx:xx:xx:xx:xx:xx mscb->apfMsApVapId = 5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = 171969037
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.710: xx:xx:xx:xx:xx:xx mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 173667675 mscb->apfMsLwappLradPort = 23341
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Received EAPOL-Key from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Received EAPOL-key in PTK_START state (message 2) from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Stopping retransmission timer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx EAPOL Header:
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: 00000000: 02 03 00 5f ..._
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Sending EAPOL-Key Message to mobile zz:zz:zz:zz:zz:zz
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx Reusing allocated memory for EAP Pkt for retransmission to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx mscb->apfMsLwappLradNhMac = 00:00:0c:07:ac:01 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 1
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.792: xx:xx:xx:xx:xx:xx mscb->apfMsBssid = yy:yy:yy:yy:yy:yy mscb->apfMsAddress = xx:xx:xx:xx:xx:xx mscb->apfMsApVapId = 5
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.793: xx:xx:xx:xx:xx:xx dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = 171969037
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.793: xx:xx:xx:xx:xx:xx mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = 173667675 mscb->apfMsLwappLradPort = 23341
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Received EAPOL-Key from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Stopping retransmission timer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx Freeing EAP Retransmit Bufer for mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx apfMs1xStateInc
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.897: xx:xx:xx:xx:xx:xx 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Central switch is FALSE
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Sending the Central Auth Info
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Central Auth Info Allocated PMKLen = 32
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx PMK: pmkActiveIndex = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 apfMsEapType = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Sending Local Switch flag = 0
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5for this client
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP yy:yy:yy:yy:yy:yy vapId 5 apVapId 5 flex-acl-name:
*spamApTask0: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 2
apfMsEntryType = 0 pmkLen = 32
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6178, Adding TMP rule
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP yy:yy:yy:yy:yy:yy, slot 0, interface = 1, QOS = 0
IPv4 ACL ID = 255, IPv
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 14, Local Bridging intf id = 14
*Dot1x_NW_MsgTask_7: Mar 31 01:57:17.898: xx:xx:xx:xx:xx:xx 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Mar 31 01:57:17.900: xx:xx:xx:xx:xx:xx 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx Orphan Packet from STA - IP 10.89.246.63
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx apfMsRunStateInc
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx 10.89.246.63 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*apfOrphanSocketTask: Mar 31 01:57:18.904: xx:xx:xx:xx:xx:xx Assigning Address 10.89.246.63 to mobile
*pemReceiveTask: Mar 31 01:57:18.905: xx:xx:xx:xx:xx:xx 10.89.246.63 Removed NPU entry.
*dot1xMsgTask: Mar 31 01:57:19.863: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 0 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:19.863: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 1
*dot1xMsgTask: Mar 31 01:57:19.863: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:19.863: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.863: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 2
*dot1xMsgTask: Mar 31 01:57:19.863: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 3
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 4
*dot1xMsgTask: Mar 31 01:57:19.864: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:19.864: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 5
*dot1xMsgTask: Mar 31 01:57:19.865: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*mmMaListen: Mar 31 01:57:20.863: xx:xx:xx:xx:xx:xx 10.89.246.63 RUN (20) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Mar 31 01:57:20.863: xx:xx:xx:xx:xx:xx 10.89.246.63 RUN (20) Reached PLUMBFASTPATH: from line 5850
*dot1xMsgTask: Mar 31 01:57:21.263: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 0 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 1
*dot1xMsgTask: Mar 31 01:57:21.263: GTK rotation for zz:zz:zz:zz:zz:zz
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 2
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 3
*dot1xMsgTask: Mar 31 01:57:21.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 4
*dot1xMsgTask: Mar 31 01:57:21.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:21.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(0) - vap 5
*dot1xMsgTask: Mar 31 01:57:21.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Association Failed on REAP AP BSSID yy:yy:yy:yy:yy:yy (slot 0), status 1 0 Capabilities changed
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 8, reasonCode 1
*spamApTask0: Mar 31 01:57:27.649: xx:xx:xx:xx:xx:xx Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*osapiBsnTimer: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Associated to Disassociated
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Sent Deauthenticate to mobile on BSSID yy:yy:yy:yy:yy:yy slot 0(caller apf_ms.c:6749)
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Found an cache entry for BSSID yy:yy:yy:yy:yy:yy in PMKID cache at index 0 of station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Removing BSSID yy:yy:yy:yy:yy:yy from PMKID cache of station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Resetting MSCB PMK Cache Entry 0 for station xx:xx:xx:xx:xx:xx
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Setting active key cache index 0 ---> 8
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Deleting the PMK cache when de-authenticating the client.
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx Global PMK Cache deletion failed.
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsAssoStateDec
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx apfMsExpireMobileStation (apf_ms.c:6787) Changing state for mobile xx:xx:xx:xx:xx:xx on AP yy:yy:yy:yy:yy:yy from Disassociated to Idle
*apfReceiveTask: Mar 31 01:57:28.463: xx:xx:xx:xx:xx:xx pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Mar 31 01:57:28.464: xx:xx:xx:xx:xx:xx 10.89.246.63 START (0) Deleted mobile LWAPP rule on AP [yy:yy:yy:yy:yy:yy]
*apfReceiveTask: Mar 31 01:57:28.464: xx:xx:xx:xx:xx:xx Deleting mobile on AP yy:yy:yy:yy:yy:yy(0)
*dot1xMsgTask: Mar 31 01:57:30.263: GTK Rotation Kicked in for AP: zz:zz:zz:zz:zz:zz SlotId = 1 - (0x3ff07bf8)
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 1
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 2
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 3
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.263: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 4
*dot1xMsgTask: Mar 31 01:57:30.263: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
*dot1xMsgTask: Mar 31 01:57:30.264: Generated a new group key for AP zz:zz:zz:zz:zz:zz(1) - vap 5
*dot1xMsgTask: Mar 31 01:57:30.264: Sending of M5 for zz:zz:zz:zz:zz:zz is Skipped, rc = 1
Here is the configuration of the SSID on the 4402 and 5508 for comparison.
4402
WLAN Identifier.................................. 2
Profile Name..................................... xxxxx
Network Name (SSID).............................. xxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Interface........................................ xxxxxx
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Radio Policy..................................... All
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Auto Anchor................................... Disabled
Cranite Passthru.............................. Disabled
Fortress Passthru............................. Disabled
H-REAP Local Switching........................ Disabled
Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID IP Address Status
5508
WLAN Identifier.................................. 5
Profile Name..................................... xxxxx
Network Name (SSID).............................. xxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 3
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... xxxxxxxx
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Does anybody have an idea where else I could look at?
Regards,
PatrickI thought the same that those devices simply are too old. However I would like to know what causes this capabilities change. We want to get rid of the old H/W, but at the moment it looks as if we would need to revert back to the 4402 in order to get those things working again.
I have not enough information, but those devices are some kind of handhelds. Their MAC OUI belongs to Newport Electronics.
Regards,
Patrick -
Cisco Flex 7500 controller with client disconnects
Hey All,
There will be alot of info in this post, hopefully all helpful, more info the better right! If you require anymore info to help me out to not hesistate to request it.
We have been having some issues with clients connecting and disconnecting several times a day and having to manually reconnect from the icon on their taskbar. We have about 380 APs, and 200+ more to deploy that we have and are licensed for but are having some issues that we want to resolve first obviously.
Some locations our setup is a bit more complex than this with multiple SSIDs and vlans, but this issue is everywhere so i will keep it to our simple setup for now:
AP Models: AIR-LAP1042N-A-K9, AIR-CAP1602I-A-K9 (Most locations do not have a mix of both, most have 1042s)
Running a single SSID - WPA/WPA2 with: WPA - TKIP and WPA2 - AES on the same SSID.
They talk back to a Cisco Flex 7500 Series through a tunnel (should not be any port blocking preventing communication)
We are running from what i understand a bad firmware version (7.6.100.0) and during our next maintenance window i am going to try and get them to change to a more stable firmware version.
Data Rates of 1,2,5.5,11 Mbps are disabled
TPCv1 coverage running
Automatic Power Assignment
I will not focus on the a/n/ac network as most of our devices are connecting to WPA due to the config they already have.
Ideally i would like to get rid of WPA all together but i am not 100% in control of the decisions to get the started and people here like to delay things lol.
It is hard to say if the issue is specific to a model as we have so few 1602Is, and it is just at our main office. I have not heard many complaints but i have noticed i will now and then get a limited or no connectivity settings on my wireless icon on my PC. I use hard-wired so i don't really notice if it is not working.
In most locations it looks like the controller is doing a decent job at selection channels to use. I did find one spot where it had on 11 APs down a long hallway, and did not use channel 6 once. I statically set that location to stagger the channels to see what kind results we had and am still waiting to hear on that as they complained the most out of all of our locations. In some cases 3 APs in a row were on channel 1 in the hallway, in alot of casses 1 was 2 times in a row as well as 11 so there was alot of overlap.
I am attaching my show sysinfo and show wlan 17 for that informtion, some of the other settings i have changed today that were previously enabled/set different are:
Disabled Cisco Aironet IE
Set channel automatic rescan from 10 mintues to 12 hours as i can image if it is changing the channels alot it can lead to disconnects.
Some of the main things we get in our message log are:
*dot1xMsgTask: Oct 16 15:17:36.943: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M5 retransmissions exceeded for client 84:85:06:0b:a6:33
- Not sure why we get this as we have a PSK and do not have local eap enabled.....
*apfMsConnTask_6: Oct 16 15:19:01.753: #APF-3-AID_UPDATE_FAILED: apf_80211.c:6570 Error updating Association ID for REAP AP Clientc8:f9:f9:2b:fd:50 - AID 4
*apfMsConnTask_6: Oct 16 15:19:01.753: #LWAPP-3-INVALID_AID2: spam_api.c:1462 Association identifier 4 for client 18:9e:fc:4d:9e:87 is already in use by 8c:2d:aa:b7:70:5e
- There is a bug for this log, but according to the bug our 7.6.100.0 is not effected
Here is my show sysinfo:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.100.0
RTOS Version..................................... 7.6.100.0
Bootloader Version............................... 7.6.101.2
Emergency Image Version.......................... 7.6.101.2
Build Type....................................... DATA + WPS
System Name...................................... Cisco_cf:17:26
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1295
Redundancy Mode.................................. Disabled
IP Address....................................... 10.156.50.100
System Up Time................................... 52 days 5 hrs 54 mins 25 secs
System Timezone Location......................... (GMT -4:00) Altantic Time (Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... CA - Canada
--More-- or (q)uit
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +22 C
Fan Status....................................... OK
RAID Volume Status............................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 13
Number of Active Clients......................... 1584
Burned-in MAC Address............................ 70:81:05:CF:17:20
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 600
Here is my Show wlan 17
WLAN Identifier.................................. 17
Profile Name..................................... AirCCRSB
Network Name (SSID).............................. AirCCRSB
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 1768
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Cisco_cf:17:26
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy NameAs long as you take the configuration backup downgrading from 7.6.100.0 to 7.4.121.0 should be fine. Because this is Flexconnect deployment, make sure you review the release notes thoroughly as config like vlan mapping is impacted it is painful to reconfigure.
I still think moving to 7.6MR3 & once 8.x get stable going for that code is a good plan. Though 7.4.121.0 is assure wave it does not mean it has no bugs.(remember that prior to this 7.4.110.0 was assure wave & it deferred in quick time) . I would say 8.x going to be the code staying for long time period, so ultimately you have to be there.
In 8.x there are few FlexConnect improvements,one being AP won't reload when you change from local mode to FlexConnect.
HTH
Rasika
**** Pls rate all useful responses *** -
No valid PMKID found in the MSCB
Im having issues Roaming on the 2.4 802.11b/g/n network.....It works some of the time but then my mobile client get dissconnected..
5508 Code 7.4.100.0
30 APs - AIR-CAP3602I-A-K9
any ideas?
error log:
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Reassociation received from mobile on BSSID f8:4f:57:e3:00:a2
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Global 200 Clients are allowed to AP radio
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Max Client Trap Threshold: 0 cur: 24
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Rf profile 200 Clients are allowed to AP wlan
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 In processSsidIE:4256 setting Central switched to FALSE
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific Local Bridging override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Local Bridging Interface Policy for station 00:90:4c:52:0e:a0 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying site-specific override for station 00:90:4c:52:0e:a0 - vapId 3, site 'HQ-01', interface 'management'
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 Re-applying interface policy for client
*apfMsConnTask_3: Jan 28 14:22:53.932: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (8): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 STA - rates (10): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Processing RSN IE type 48, length 38 for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Received RSN IE with 1 PMKIDs from mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: Received PMKID: (16)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMKID in MSCB PMKID cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 No valid PMKID found in the MSCB PMKID cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Trying to compute a PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: BSSID = (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: realAA = (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: Find PMK in cache: PMKID = (16)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] fa 18 3d af eb a4 7a 7e 9d e9 5c 80 b4 fd f1 f1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: SPA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] 00 90 4c 52 0e a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from MSCB PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Searching for PMK in global PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: 00:90:4c:52:0e:a0 Found an entry in the global PMK cache for station 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.933: CCKM: AA (6)
*apfMsConnTask_3: Jan 28 14:22:53.933: [0000] f8 4f 57 e3 00 a1
*apfMsConnTask_3: Jan 28 14:22:53.934: CCKM: SPA (6)
*apfMsConnTask_3: Jan 28 14:22:53.934: [0000] 00 90 4c 52 0e a0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Unable to compute a valid PMKID from global PMK cache for mobile 00:90:4c:52:0e:a0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Setting active key cache index 0 ---> 8
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 unsetting PmkIdValidatedByAp
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Deleted mobile LWAPP rule on AP [dc:a5:f4:64:63:90]
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Updated location for station old AP dc:a5:f4:64:63:90-0, new AP f8:4f:57:e3:00:a0-0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMsRunStateDec
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfMs1xStateDec
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Initializing policy
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) DHCP required on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2for this client
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 10.1.35.195 8021X_REQD (3) Plumbed mobile LWAPP rule on AP f8:4f:57:e3:00:a0 vapId 3 apVapId 2 flex-acl-name:
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 apfPemAddUser2:session timeout forstation 00:90:4c:52:0e:a0 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_3: Jan 28 14:22:53.934: 00:90:4c:52:0e:a0 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 Sending Assoc Response to station on BSSID f8:4f:57:e3:00:a1 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_3: Jan 28 14:22:53.935: 00:90:4c:52:0e:a0 apfProcessAssocReq (apf_80211.c:7391) Changing state for mobile 00:90:4c:52:0e:a0 on AP f8:4f:57:e3:00:a0 from Associated to Associated
*apfMsConnTask_3: Jan 28 14:22:53.937: 00:90:4c:52:0e:a0 Updating AID for REAP AP Client f8:4f:57:e3:00:a0 - AID ===> 103
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Disable re-auth, use PMK lifetime.
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 dot1x - moving mobile 00:90:4c:52:0e:a0 into Connecting state
*dot1xMsgTask: Jan 28 14:22:53.940: 00:90:4c:52:0e:a0 Sending EAP-Request/Identity to mobile 00:90:4c:52:0e:a0 (EAP Id 1)
*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value
*apfMsConnTask_2: Jan 28 14:22:53.942: Stats update: Non Zero value
WLAN config
WLAN Identifier.................................. 3
Profile Name..................................... Employee
Network Name (SSID).............................. Employee
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 166
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 28800 seconds
--More-- or (q)uit
User Idle Threshold.............................. 100 Bytes
NAS-identifier................................... BLUE-5508-01
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
--More-- or (q)uit
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.0.12.72 1812
Accounting.................................... 10.0.12.72 1813
Interim Update............................. Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
--More-- or (q)uit
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
--More-- or (q)uit
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
--More-- or (q)uit
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. DisabledI am having the same problem. 5508 running 7.0.240. System works fine for data users, but we are testing Jabber clients for the first time and see alot of lost calls while roaming between APs. My debug client output looks just like Bryant's. It shows a reassociation request with a PMKID provided by the client. Then No valid PMKID found in the MSCB PMKID cache for mobile, Unable to compute a valid PMKID from MSCB PMK cache for mobile, Found an entry in the global PMK cache for station, then Unable to compute a valid PMKID from global PMK cache for mobile. The client is then successfully reauthenticated, but the delay impacts voice calls. What would cause this behavior? Debug below:
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Received RSN IE with 1 PMKIDs from mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: Received PMKID: (16)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Searching for PMKID in MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f No valid PMKID found in the MSCB PMKID cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: 88:53:95:42:e9:4f Trying to compute a PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.910: CCKM: Find PMK in cache: BSSID = (6)
*apfMsConnTask_4: Feb 10 13:35:48.910: [0000] 6c 50 4d 2a b7 40
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: realAA = (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 6c 50 4d 2a b7 4e
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: Find PMK in cache: PMKID = (16)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 20 0f 15 45 60 e7 b3 04 57 61 19 55 ac 9c 81 36
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from MSCB PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Searching for PMK in global PMK cache for mobile 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Found an entry in the global PMK cache for station 88:53:95:42:e9:4f
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: AA (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 6c 50 4d 2a b7 4e
*apfMsConnTask_4: Feb 10 13:35:48.911: CCKM: SPA (6)
*apfMsConnTask_4: Feb 10 13:35:48.911: [0000] 88 53 95 42 e9 4f
*apfMsConnTask_4: Feb 10 13:35:48.911: 88:53:95:42:e9:4f Unable to compute a valid PMKID from global PMK cache for mobile 88:53:95:42:e9:4f -
ISE 1.2 Guest Access for EAP(Dot1x) Authentication
Hi.
I want to use encryption for guest access.
In order to use the "RADIUS-NAC" in the WLC, you can not use or "Open + MAC" only "WPA + dot1".
(Specification of the WLC)
When the "Open + MAC", return from the ISE at the time of the "Web Authentication" in the "Session-Timeout Attribute", I was able to forcibly disconnect the radio.
(Attribute is the same value as the (ISE TimeProfile) time the guest user can use)
If you connect to a wireless terminal to forced disconnect after screen of Web authentication is displayed, you can not login.
(Because the account has been revoked)
I want to make even dot1x this environment.
However, because it becomes the "re-authentication time" If dot1x, as long as the terminal is connected to the radio, it is not cut.
In addition, even in the setting of "Attribute Termination-Action = Default", does not return until the Web authentication.
(Status of the WLC remains "Auth Yes")
(Session of the ISE remains "Started")
Use the (EAP) Dot1x, Can I "is allowed to forcibly disconnected," "to match the time of TimeProfile" in the same way as "Open + MAC" thing?
Thank you.Note:
Cisco ISE:Version1.2.0.899-8
Cisco WLC(5508):Version 7.6.120
Maybe you are looking for
-
Satellite A205: Dynadock - How to connect to LCD TV with HDMI to DVI cable
I recently purchased this product and had a problem when connecting it to my LCD TV. I used a HDMI to DVI cable to connect it to the TV. Only a small portion of the full display shows on the TV. I have adjusted all setting on the laptop (Satellite A2
-
Can any other phone be used with a 6210 car kit?
Hi, I have just purchased a car and it has a nokia 6210 hands free kit fited into the car. It works as I have hecked it with a friends mobile phone, however, will this kit work with any other nokia mobile phones? Any help would be appreciated. Thanks
-
Hi Gurus, Need your assistance on our issue. 1. Have updated the cost center assignment relationship in OM 2. Ran RHINTE30 to reflect to PA 3. When checking in PA20 the record is somewhat ruined, the position ID is still reflected but the Org Unit an
-
I don't have permission to view content on hard drive in mac pro???
I no longer wanted to use my macbook anymore, it's a 2008 model if I remember correctly the white plastic version. However, I wanted to put the hard drive I have in it into my mac pro since I have two more available slots for storage. But after I put
-
How to use CWD4ALL with SQLDeveloper?
Could someone giv me an insight on how to use the trail version of this tool reverse engineer an existing schema mentioned as a connection in SQL Developer?