Repeated wlc 5508 client web authentication

I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface.  the session timeout is set to 4 hours, however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
I do have a TAC case opened up, but was wondering if anyone has experienced this before?
Sorry for the rambling...

Rene,
I did several things and at least one of them seemed to resolve the issue:
These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
1.       Upgrade WLC to 7.0.98.218 [self explanatory]
2.       Upgrade WCS to 7.0.172.0 [current version, as of this note]
3.       Increase DHCP scope time on ASA from default (30 minutes) to 4
days [DHCP running external from the WLC]
4.       Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
5.       Increased session timeout from 14400 seconds to 64800 seconds
(4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
Good Luck,
Rob.

Similar Messages

  • WLC 5508 - Clients disconnecting

    I am running WLC 5508 7.2.111.3 with some 2602i AP.
    Last week one user reported his new macbook pro 2013 was encountering connectivity issues.His older macbook pro 2009 was working perfectly.
    The user is sitting in the middle of 2nd floor having equal distance from second's floor access points.
    The problem is that his Macbook pro 2013 was persistently trying to associate with 3rd's floor Access Points. Whatever i tried to do (deauthenticate user,rebooting 2nd & 3rd floor APs) the connection was persistent to 3rd floor Access Point. Even when i tried to install an Access Point in the user's office his Macbook Pro 2013 refused (!!!) to leave 3rd's floor Access Points.However his Macbook pro 2009 was always connected to the nearest Access Point (either to 2nd floor Access Points or to the newly installed access point in his office).
    This week i had two visitors in 4th floor reporting that their Laptops (Sony Vaio) were doing very slow with the wireless.
    When i tried to troubleshoot i found in the controller that their laptops were associating with 4th floor Access Points and after a minute they were disconnected and trying to associate to Ground Floor (!) Access Points. Of course they couldn't establish a connection and then associated again with 4th floor access points and after a while disconnected and trying to associate to Ground Floor Access Points
    I tried to debug client with Sony Vaio and saw in the controller the following message
    *apfMsConnTask_7: Mar 24 10:42:15.473: %APF-4-INVALID_ACTION_CATEGORY: apf_wme_utils.c:5481 Could not process 802.11 Action. Received Action frame with invalid category field(not supported by controller) from client. Mobile:*********, Category:7.
    I also see a lot of these messages for other clients.
    *apfMsConnTask_3: Mar 19 12:03:54.243: %APF-4-ASSOCREQ_PROC_FAILED: apf_80211.c:5275 Failed to process an association request from c8:6f:1d:24:0e:7d. WLAN:5, SSID:************. mobile in database timed out.
    Am i hitting any bug similar or equal to CSCue53980?

    have you tried with open authentication ( no security ) ? Check if client is able to associate then

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, im having problems in a wireless network, the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client makes a roaming from one AP to another one or when he has a idle time, he needs to re authenticate in the web login page. Somebody knows a solution to avoid this behavior?. Or somebody has a troubleshooting way to determine why the clients have this problems??

    A few things I can share that might help .. Your actually feet on the ground will be importnat to see this issue for yourself.
    I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If youre client isnt romaing cleanly this can be a problem.
    Another problem is your using EAP. Are you using CCK or a device that supports OKC. What does your radius server say when a client roams ?
    You could also simply your config and then reapply your security and see where it breaks. By this I mean. For testing, create a SSID turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC-adresse is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If MAC-adress is not known, the client will be redirect to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
    The two WLC's have abount 100-170 clients connected.
    Question:
    - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information wolud be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    > Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • WLC 5508 - Client Intermittent Drop Out

    We have an intermittent issue where clients seeem to drop their connectivity intermittently and I wondered if anyone else have seen this.
    When the client drops out it is associated to the AP at good signal strength -45 -> -49 dbm. All our clients are running Win7. Once the issue occurs a yellow exclamation mark appear across the system tray wireless icon and a message appears in the "Network and Sharing Centre" that either says “no internet connection” or “DNS server not responding". The association with the AP appears to be intact. This seems to be confirmed as the client can ping its default gateway and can be pinged from another device but no connectivity above layer 3 appear to be working. Really the best way to describe it is that all communication above layer 3 stops. This behaviour is extremely intermittent.
    The wireless clients are a small cross section of HP business laptops. HP8460p, HP6930p and a few other models. The laptops are all running the latest wireless drivers available (that was the first thing we tried). We have two 5508 wireless controllers operating 60 APs between them. Most of the APs in the area where we are seeing the issue are AIR-LAP1242 we do run the AIR-CAP3502 also but not in this area. We only have 2.4GHz enabled but with the extended data rates (to 130mbps). We have multiple WLANs but the one that seems to be causing the issue is the only one running WPA2.
    The only way to restore full connectivity to the client is to hard reset the wireless adapter.
    We have run debugs on the client and ran a sniffer trace between the controller and the authentication server but so far this has not turned up anything. The wireless controller is showing the client still associated but a link test from the controller to the client failed.
    Any ideas would be welcome. I can provide further information if required.

    Hi
    What EAP type do you have deployed, as I guess you are using 802.1X?
    Does this problem occur during client roaming?
    Is the problem specific to only HP devices or are other laptop vendors in the mix?
    I would suggest that you perform a packet capture on one of the wireless clients when the problem happens. You could use wireshark. Perform the following tests during the capture:
    1. Ping a remote device on a different subnet.
    2. Perform a layer 4 and above activity such as opening a web page or FTP.
    In the interim, you could try the following:
    1. Disable Aironet IE on the WLAN SSID Advanced tab
    2. Increase the packet max-retries timeout value on the dot11radio interface.

  • Cisco 5508 external web authentication

    Hi all,
    Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
    I am running with a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server, I won't go into the specifics but it is a secure service will a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2) which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this or do I just have to have the user accept the cert error?
    Thanks

    I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
    Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed same steps for secondary controller. Shutdown primary controller to test failover to secondary. APs did not failover. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508's.
    I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available.

  • Internal Web Authentication + Local Net User

    Hi all,
    I'm trying to setup the WLC with internal web authentication + local net user account. I've setup a WLAN for this local net user configure the user profile map to this WLAN.
    When the laptop get associated with the designated WLAN, and user tried to browse to the internet, the internal web authentication page doesn't appear on the browser.
    I'm just curious is there any DNS server require in order to direct the user entered URL request to the virtual interface?
    regards.

    Well if you are using webauth for guest users, you really want to have an open ssid and wither have a username and password on the wlc or use a passthrough webauth where the guest users just have to click submit or accept. If you are using this for internal users, then you really shouldn't use webauth since this will not be single sign on. Again, you can if you want your internal users to sign on again. There is wpa/wpa2 PSK and then there is wpa/wpa2 8021.x in which this will require either using local EAP or a Radius Server. Ther radius server will either have the local user accounts or you can point this to AD. Depending on if you use EAP-PEAP (certificate on the radius server only) or EAP-TLS (certificate on both the radius and clinet) you will need a certificate.
    For webauth only, you do not need a certificate on the user or radius server, a certificate will be required on the wlc if you don't want users to be promted with a certifcate error message. 5.1 supports unchained certificates, but I always use RapiddSSL for a root ca cert just to make deployment mush simpler for the client. So webauth and EAP will require certifcates with webauth being optional.

  • External Web authentication server for Guest access

    I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
    Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
    I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
    Hotels do this type of web authentication for example.
    Any help would be great.

    Hi Patrick,
    I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
    thanks!
    Claudio

  • SNMP web authenticated users wlc 5508

    Hello everyone,
    I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
    I am using an external web server and my client are authenticated with ldap.
    I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
    Can anyone help me ?
    Thanks a lot for your answers.

    Hello Julien,
    Thank you for the info. +5 for solving your own problem.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network as the customers security are not accepting notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • WLC 5508, SW 6.0.199.4, 1142 AP: Clients getting dropped intermittently

    We have deployed a WLC 5508 w/ SW version 6.0.199.4, 1142 AP's & open authentication w/ MAC filtering. Clients are randomly getting dropped with "Limited Access" shown in Win 7. In this state, the client machine is unable to ping the gateway and sometimes lose their DHCP assigned IP as well. A manual disconnect/re-connect to the SSID is required everytime.
    I ran a debug on one the clients stuck in the "Limited Access" state (debug client xx:xx:xx:xx):
    *Apr 15 16:59:23.205: e0:91:53:60:1f:e4 Adding mobile on LWAPP AP 3c:ce:73:c5:1e:b0(0)
    *Apr 15 16:59:23.205: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Apr 15 16:59:23.205: e0:91:53:60:1f:e4 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile e0:91:53:60:1f:e4 on AP 3c:ce:73:c5:1e:b0 from Idle to Probe
    *Apr 15 16:59:23.205: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.225: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.225: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.646: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.646: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.666: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:23.666: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Apr 15 16:59:28.553: e0:91:53:60:1f:e4 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
    *Apr 15 16:59:28.554: e0:91:53:60:1f:e4 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [3c:ce:73:c5:1e:b0]
    *Apr 15 16:59:28.554: e0:91:53:60:1f:e4 Deleting mobile on AP 3c:ce:73:c5:1e:b0(0)
    On doing a manual re-connect, got the following logs:
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 Association received from mobile on AP b8:62:1f:e9:9f:30
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 Applying site-specific IPv6 override for station e0:91:53:60:1f:e4 - vapId 7, site 'Academy', interface 'students'
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 Applying IPv6 Interface Policy for station e0:91:53:60:1f:e4 - vlan 15, interface id 14, interface 'students'
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 Applying site-specific override for station e0:91:53:60:1f:e4 - vapId 7, site 'Academy', interface 'students'
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1276)
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *Apr 15 17:01:38.143: e0:91:53:60:1f:e4 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [b8:62:1f:e5:6a:90]
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 Updated location for station old AP b8:62:1f:e5:6a:90-0, new AP b8:62:1f:e9:9f:30-0
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 apfProcessAssocReq (apf_80211.c:4268) Changing state for mobile e0:91:53:60:1f:e4 on AP b8:62:1f:e9:9f:30 from Probe to AAA Pending
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 0.0.0.0 START (0) Initializing policy
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP b8:62:1f:e9:9f:30 vapId 7 apVapId 2
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Apr 15 17:01:38.144: e0:91:53:60:1f:e4 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile e0:91:53:60:1f:e4 on AP b8:62:1f:e9:9f:30 from AAA Pending to Associated
    *Apr 15 17:01:38.145: e0:91:53:60:1f:e4 Scheduling deletion of Mobile Station:  (callerId: 49) in 65535 seconds
    *Apr 15 17:01:38.145: e0:91:53:60:1f:e4 Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *Apr 15 17:01:38.145: e0:91:53:60:1f:e4 Sending Assoc Response to station on BSSID b8:62:1f:e9:9f:30 (status 0) Vap Id 2 Slot 0
    *Apr 15 17:01:38.145: e0:91:53:60:1f:e4 apfProcessRadiusAssocResp (apf_80211.c:1957) Changing state for mobile e0:91:53:60:1f:e4 on AP b8:62:1f:e9:9f:30 from Associated to Associated
    *Apr 15 17:01:38.189: e0:91:53:60:1f:e4 DHCP received op BOOTREQUEST (1) (len 308, port 13, encap 0xec03)
    *Apr 15 17:01:38.189: e0:91:53:60:1f:e4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Apr 15 17:01:39.953: e0:91:53:60:1f:e4 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Apr 15 17:01:39.954: e0:91:53:60:1f:e4 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4166, Adding TMP rule
    *Apr 15 17:01:39.954: e0:91:53:60:1f:e4 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP b8:62:1f:e9:9f:30, slot 0, interface = 13, QOS = 0
      ACL Id = 255, Jumbo F
    *Apr 15 17:01:39.954: e0:91:53:60:1f:e4 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Apr 15 17:01:39.954: e0:91:53:60:1f:e4 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Apr 15 17:01:39.954: e0:91:53:60:1f:e4 Sent an XID frame
    *Apr 15 17:01:40.807: e0:91:53:60:1f:e4 Orphan Packet from STA - IP 169.254.201.128
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP received op BOOTREQUEST (1) (len 308, port 13, encap 0xec03)
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP processing DHCP DISCOVER (1)
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   xid: 0x9b24c896 (2602879126), secs: 1280, flags: 0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP successfully bridged packet to DS
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP received op BOOTREPLY (2) (len 308, port 13, encap 0xec00)
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP processing DHCP OFFER (2)
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   xid: 0x9b24c896 (2602879126), secs: 0, flags: 0
    *Apr 15 17:01:43.234: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:43.235: e0:91:53:60:1f:e4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.6.2.160
    *Apr 15 17:01:43.235: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:43.235: e0:91:53:60:1f:e4 DHCP   server id: 10.6.15.254  rcvd server id: 10.6.15.254
    *Apr 15 17:01:43.235: e0:91:53:60:1f:e4 DHCP successfully bridged packet to STA
    *Apr 15 17:01:43.240: e0:91:53:60:1f:e4 DHCP received op BOOTREQUEST (1) (len 316, port 13, encap 0xec03)
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP processing DHCP REQUEST (3)
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   xid: 0x9b24c896 (2602879126), secs: 1280, flags: 0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   requested ip: 10.6.2.160
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   server id: 10.6.15.254  rcvd server id: 10.6.15.254
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP successfully bridged packet to DS
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP received op BOOTREPLY (2) (len 308, port 13, encap 0xec00)
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP processing DHCP ACK (5)
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   xid: 0x9b24c896 (2602879126), secs: 0, flags: 0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.6.2.160
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:43.241: e0:91:53:60:1f:e4 DHCP   server id: 10.6.15.254  rcvd server id: 10.6.15.254
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 10.6.2.160 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 10.6.2.160 RUN (20) Reached PLUMBFASTPATH: from line 4972
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 10.6.2.160 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP b8:62:1f:e9:9f:30, slot 0, interface = 13, QOS = 0
      ACL Id = 255, Jumbo Frames = NO,
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 10.6.2.160 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 Assigning Address 10.6.2.160 to mobile
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 DHCP successfully bridged packet to STA
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 10.6.2.160 Added NPU entry of type 1, dtlFlags 0x0
    *Apr 15 17:01:43.242: e0:91:53:60:1f:e4 Sending a gratuitous ARP for 10.6.2.160, VLAN Id 15
    *Apr 15 17:01:46.428: e0:91:53:60:1f:e4 DHCP received op BOOTREQUEST (1) (len 308, port 13, encap 0xec03)
    *Apr 15 17:01:46.428: e0:91:53:60:1f:e4 DHCP processing DHCP INFORM (8)
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   xid: 0xbb0d5d87 (3138215303), secs: 0, flags: 0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   ciaddr: 10.6.2.160,  yiaddr: 0.0.0.0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP successfully bridged packet to DS
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP received op BOOTREPLY (2) (len 308, port 13, encap 0xec00)
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP processing DHCP ACK (5)
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   xid: 0xbb0d5d87 (3138215303), secs: 0, flags: 0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   chaddr: e0:91:53:60:1f:e4
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   ciaddr: 10.6.2.160,  yiaddr: 0.0.0.0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Apr 15 17:01:46.429: e0:91:53:60:1f:e4 DHCP   server id: 10.6.15.254  rcvd server id: 10.6.15.254
    show client e0:91:53:60:1f:e4 (after re-connect)
    (Cisco Controller) >show client detail e0:91:53:60:1f:e4
    Client MAC Address............................... e0:91:53:60:1f:e4
    Client Username ................................. N/A
    AP MAC Address................................... b8:62:1f:e9:9f:30
    Client State..................................... Associated    
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 7 
    BSSID............................................ b8:62:1f:e9:9f:31 
    Connected For ................................... 105 secs
    Channel.......................................... 11
    IP Address....................................... 10.6.2.160
    Association Id................................... 8 
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1 
    Status Code...................................... 0 
    Session Timeout.................................. 65535
    Client CCX version............................... No CCX support
    QoS Level........................................ Silver
    Diff Serv Code Point (DSCP)...................... disabled
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    U-APSD Support................................... Disabled
    Power Save....................................... OFF
    Current Rate..................................... m7
    Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
        ............................................. 12.0,18.0,24.0,36.0,48.0,
        ............................................. 54.0
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    Interface........................................ students
    VLAN............................................. 15
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 15
    Client Capabilities:
          CF Pollable................................ Not implemented
          CF Poll Request............................ Not implemented
          Short Preamble............................. Implemented
          PBCC....................................... Not implemented
          Channel Agility............................ Not implemented
          Listen Interval............................ 1
          Fast BSS Transition........................ Not implemented
    Fast BSS Transition Details:
    Client Statistics:
          Number of Bytes Received................... 36509
          Number of Bytes Sent....................... 32902
          Number of Packets Received................. 300
          Number of Packets Sent..................... 66
          Number of EAP Id Request Msg Timeouts...... 0
          Number of EAP Request Msg Timeouts......... 0
          Number of EAP Key Msg Timeouts............. 0
          Number of Data Retries..................... 95
          Number of RTS Retries...................... 0
          Number of Duplicate Received Packets....... 1
          Number of Decrypt Failed Packets........... 0
          Number of Mic Failured Packets............. 0
          Number of Mic Missing Packets.............. 0
          Number of Policy Errors.................... 0
          Radio Signal Strength Indicator............ -66 dBm
          Signal to Noise Ratio...................... 29 dB
    Nearby AP Statistics:
          APSOEBFF_COR3(slot 0) .....................
    antenna0: 50 seconds ago -91 dBm................. antenna1: 50 seconds ago -76 dBm
          APSOEAFF_FAC(slot 0) ......................
    antenna0: 108 seconds ago -89 dBm................ antenna1: 108 seconds ago -87 dBm
          APSOEBGF_FAC(slot 0) ......................
    antenna0: 50 seconds ago -82 dBm................. antenna1: 50 seconds ago -71 dBm
          APSOEBGF_STAFF(slot 0) ....................
    antenna0: 49 seconds ago -74 dBm................. antenna1: 49 seconds ago -58 dBm
    WLAN config
    WLAN Identifier.................................. 9
    Profile Name..................................... STAFF
    Network Name (SSID).............................. STAFF
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      NAC-State...................................... Disabled
      Quarantine VLAN................................ 0
    Number of Active Clients......................... 32
    Exclusionlist.................................... Disabled
    Session Timeout.................................. Infinity
    CHD per WLAN..................................... Disabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ staff
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Learn IP Address....................... Enabled
       Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    HELPPPP!

    We have 75 evenly distributed AP's servicing the 500 odd users. Found the below traps on WLC. I was making some changes in the WLAN settings at the time:
    Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:8c:a9:82:5d:d2:dc Base Radio MAC :3c:ce:73:c6:fe:00 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    106          Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:58:94:6b:f2:24:c8 Base Radio MAC :c8:f9:f9:4c:01:30 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    107          Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:bc:77:37:72:dc:0b Base Radio MAC :3c:ce:73:c6:53:10 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    108          Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:00:26:c7:7d:12:76 Base Radio MAC :3c:ce:73:c4:79:80 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    109          Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:bc:77:37:75:1f:93 Base Radio MAC :c8:f9:f9:2b:85:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    110          Tue Apr 16 00:03:45 2013          Client Excluded: MACAddress:ac:72:89:58:8e:b9 Base Radio MAC :3c:ce:73:c6:53:10 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    111          Tue Apr 16 00:03:44 2013          Client Excluded: MACAddress:bc:77:37:26:cd:e3 Base Radio MAC :3c:ce:73:c5:1f:10 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    112          Tue Apr 16 00:03:44 2013          Client Excluded: MACAddress:ac:72:89:25:ea:e0 Base Radio MAC :3c:ce:73:c6:77:70 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    113          Tue Apr 16 00:03:44 2013          Client Excluded: MACAddress:00:24:2c:6a:85:3d Base Radio MAC :3c:ce:73:c6:6a:50 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    114          Tue Apr 16 00:03:44 2013          Client Excluded: MACAddress:68:5d:43:61:16:51 Base Radio MAC :3c:ce:73:f6:0c:20 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2
    115          Tue Apr 16 00:03:44 2013          Client Excluded: MACAddress:7c:d1:c3:8a:64:f6 Base Radio MAC :3c:ce:73:c4:74:20 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.11 Association failed repeatedly. ReasonCode: 2

  • WLC 5508 And Third Party SSL for Web Authenticaiton

    Hello,
    We are using WLC 5508 and currently the authentication process is via Customized WebAuth. As you know that with the WebAuth the authentication process won't work unless you launch Web Browser and you will be redirected to the Authentication Page where you type your username and password. This is a bit fuzzy for most of the users and what I'm thinking is to use different authentication mechanism where the user will automatically be prompted upon connecting to any SSID. I have read that Public/Thrid Party certificate will do this and any client can accept the public certificate.
    Anyone can elaborate on this approach?
    Regards, 

    With machines that are not part of the domain, typicall if you still want to secure them usin 802.1x, you would leverage a radius server and users would be told of the SSID to connect to and enter their AD credentials.  Of course, if you use AD credentials, users will now join all their other devices to that SSID. This is where ISE comes in and you can profile devices. Even though the WLC with v7.6 can profile, it's not a full fledge profiler.  Depending on how well you know radius, you can leverage a portal page also and depending on the AD group a user is a member of, you can out them is a specific Vlan or if you leverage interface groups.  You can do many things, but you need to really know radius and client types to figure out what can and work well in your environment. Radius alone to someone who hasn't played with it, can take days to setup without help. 
    Every client I setup radius for is different and it comes down to how their users are setup in AD, what devices they have and the requirements. 
    Scott

  • Web authentication different user same client

    Hi,
    We are currently building a guest WLAN. The authentication works with LDAP via web authentication. Users can log on via smartphones and Windows laptops. Now we have a little problem with the Windows laptops, discovered in the testing phase. When user A is successful logon to the laptop through web authentication and then log off the laptop. User B can simply work under the same credentials of user A, without problems. This is not desirable, another user must then log in to the laptop with own credentials.
    The WLC 5508 remember the client MAC address, not the user.
    Any tips?
    Thank you!

    When the user logs off the session remains active on the WLC.
    We have the "User Idle Timeout" set on 100000 sec. Unchecked the "Enable Session Timeout". This to logout users after a certain time via a time trigger. Guests 24 hours, students half year, staff 1 year. (If the WLC not often need to restart).
    For non domain devices this is not a problem, since users are not dependent on the Windows domain then.
    How can we debug users, lets say user A en B on one laptop?

  • Delayed Web Authentication on 5500 WLC

    Hi
    I have setup a Guest WLAN on 5508 WLC with web authentication, I noticed during tests that it takes about 2 to 3 minutes to complete authentication process and providing access to the client machine. My WLC is running version 7.3.101.0.
    Has anyone came across similar situation or can suggest a solution to this issue?
    Feel free to ask if you need more details.
    Thanks
    Sunil

    Well what I would do for testing is the following:
    Remove WebAuth to see if there is an issue with connectivity on that subnet
    Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
    If your using a custom WebAuth, try using the default internal WebAuth page to see if there is any difference
    If your authenticating Guest using radius, check the radius logs for errors
    Is it all devices or is it an issue with few or a certain model
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to  login on web authentication on HTTP instead of HTTPS.
    If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
    I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

Maybe you are looking for

  • Printing in TUMBLE mode not working

    hello, I have the problem that the TUMBLE mode does not work in my program. I have tested the printer with MS Word to be sure it works with my hardware and it succeeded. I use a DocPrint Object and specified the PrintRequestAttributeSet attributes Or

  • MS Word doc to PDF containing Signature

    Hi, I am using Vista and Adobe Acrobat Professional 8.1.2. I scanned a signature and converted it to a TIFF file with the background transparent. For those that are interested, my process to convert a scanned signature using Photoshop to a TIFF file

  • Trying to print on envelope...

    Hi Canon Community! I am trying to use my PIXMA MG5422 to print on A7 envelopes (5 x 7). I have them loaded in the top tray per the instructions on the printer but every time I try to actually print, they jam. Any ideas?

  • My Yahoo toobar changes my apps when I reboot my computer. Why.?

    When I start up and open Firefox I notice that my Yahoo toolbar has changed to apps that I do not want. The toolbar has been the same for several months and all of a sudden it changes daily on me.

  • App store keeps crashing when i try to see all my purchases

    I've alredy reset it and it's still the same way as before