RF Grouping problem WLC 5508
Hi,
We have a problem regarding RF Grouping between two WLC 5508.
The two controllers have the same RF Group name,RF Grouping is enabled,they belong to the same mobility group,their management IP
address is on the same subnet, they ping each other but they don't elect a Group Leader. Each one
elects itself as the Group Leader.
We have tried to place 2 APs,each belonging to different controller, close one to the other but nothing changed.
Any help would be much appreciated.
Hi Nicolas,
Because we have an almost live network, we wouldn't like to go public with our configurations. Is there any other way we can send them to you?
Thanks in advance,
Theofilos
Similar Messages
-
Windows Sharing problem from WLC 5508 to wired LAN
Dear All,
I'm having problem with windows sharing (file/printer sharing) from Wireless lan client which is connected to AP3500 and
WLC 5508 then to Nexus 7010. It's already using ip command, for example \\192.168.84.65
WLC os version 7.0.116.0 (using AP groups)
Nexus os version 4.2(6)
The weird thing is i can connect using windows sharing from wired LAN to wireless user however not vice versa.
for better explanation, here are the scenarios
1. Wireless lan to wired LAN using windows sharing - failed
1. Wired LAN to Wireless lan using windows sharing - success.
I've been analyzing by making sure that all the to end, there would be no firewall within source pc(s) and destination pc(s) and also
the ACL inside Nexus.
Been dying here to find solution for this, due to the customer is using it for file and printer sharing service.
Anyone has idea to solve this problem, i'm looking forward for any suggestion coming.
Arrai.Peer to peer within wlc is using default setting which is allowed and as you may know, peer to peer permission only related between wireless client not wired one. CMIIW.
-
WLC 5508 - wlan stability problems
Hi.
I have a WLC 5508 with half a dozen LAPs (AIR-CAP3502I-E-K9).
They have been working but sometimes clients detect conectivity problems with the wlan.
Here is the message log I can obtain from the controller:
Nov 09 12:16:31.886: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32Previous message occurred 7 times.Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!*apfReceiveTask: Nov 09 11:51:30.788: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *spamApTask2: Nov 09 11:51:20.144: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 10.23.1.118*dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67*apfReceiveTask: Nov 09 11:50:40.672: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:38.625: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:35.531: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:31.068: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:29.257: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:28.707: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg *apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
Can somebody help me to understand these messages?
1)
*apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
2)
Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
3)
*dot1xMsgTask: Nov 09 11:50:44.878: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client e0:ca:94:93:be:67
Thanks1)
*apfReceiveTask: Nov 09 11:50:24.065: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg
//APs are rebooting. don't panic, check the up time of AP. This message seen when AP rebooted/freshly joined and waiting for wlc to assign channel.
2)
Nov 09 11:55:24.682: [ERROR] pemTimers.c 330: invalid interface name (john_doe) in mscb!!!
//It is cosmetic and can be ignored.
3)
*dot1xMsgTask: Nov 09 12:16:10.286: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 00:26:c6:12:e8:32
//Keys M1-M5 used for wireless auth, here client having struggle completing the auth process.
get output of, WLC>debug client -
What I am trying to configure is Mobility Groups.
My understanding is that this will allow AP to successfully register and fail over over seamlessly if any of the WLC had to fail ?
It could be I am confusing two things into one :( & I am totally confused and not understanding the benefits of mobility group mentioned above.
Also when a AP starts up and registers with the WLC ......I click on a registered AP > High Availability ( Primary / Sec / Tertiary ) all fields are blank...
Initially I also thought that once my SSO is all setup and working than those options "AP > High Availability" will get populated automatically but clearly not unless something is not working.
My current config is as follows:-
WLC 5508 * 2
WLC 1 - Primary
WLC 2 - HA SKU (Secondary )
Redundancy = SSO (Both AP and Client SSO)
=============
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.130.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
System Name...................................... WLC5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. SSO (Both AP and Client SSO)
IP Address....................................... 10.31.66.21
Last Reset....................................... Software reset
System Up Time................................... 0 days 22 hrs 39 mins 57 secs
System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... GB - United Kingdom
Operating Environment............................ Commercial (0 to 40 C)
--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
External Temperature............................. +21 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 0
Burned-in MAC Address............................ F8:72:EA:EE:5B:B2
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 500
============================================
TATA,
Mobility and mobility groups are used for the wireless users roaming. What we know that a wireless users can roam between different APs within the same WLC, but when the SSID is used within multiple WLCs, and the client wanted to roam to an AP joined to another WLC, you would need to configure WLC mobility to maintain seamless roaming. For more info:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001101.html
Now, I understand that your purpose is to have high availability for your APs. No this is done traditionally from the AP page, under HA tab, where you configure the WLCs names and IPs there. This can be done manually on each AP (you can use CLI to make it easier) or you can push a configuration template using a management server (WCS/NCS/CPI).
Configuring HA on the AP:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110000.html
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110001.html
Using CPI to push AP configuration templates:
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/2-0/configuration/guide/pi_20_cg/temp.html
Now mobility may play a role in this, as if you have already configured mobility for your WLCs, then you won't need to configure a "name" for the WLCs when you add them under the HA tab in AP configuration page. That's it.
BR, Ala -
WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR
Hi all,
I have WLC 5508 with version 7.4.110.0 and with 13 AccessPoints.So 12 of this AP are AIR-LAP1142N-E-K9 and 1 is AIR-CAP3602I-E-K9.
Logs of my WLC are:
*Dot1x_NW_MsgTask_1: Jan 11 01:15:05.167: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 90:c1:15:c6:c3:49 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_4: Jan 11 01:09:41.015: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 5c:0a:5b:c1:16:34 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.269: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_3: Jan 11 01:03:32.266: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 40:b3:95:13:da:cb - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Jan 11 01:03:31.648: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 24:77:03:67:01:48 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_5: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:da:c1:cd - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_2: Jan 11 01:03:31.638: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client cc:78:5f:29:cc:82 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_4: Jan 11 01:03:31.633: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 08:11:96:55:81:c4 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Jan 11 01:03:31.631: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 84:3a:4b:56:36:50 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_1: Jan 11 01:03:31.630: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:e2:d4:91 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Jan 11 00:59:52.593: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client a0:88:b4:60:20:f8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*apfRogueTask_3: Jan 11 00:59:32.168: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 2, Requested containment level 4
*apfRogueTask_3: Jan 11 00:58:38.635: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 1, Requested containment level 4
*Dot1x_NW_MsgTask_0: Jan 11 00:50:06.885: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_0: Jan 11 00:50:06.883: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 10:68:3f:46:4e:e8 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 02
*dot1xMsgTask: Jan 11 00:49:05.842: #DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:618 Client c8:e0:eb:19:2a:97 may be using an incorrect PSK
*apfRogueTask_3: Jan 11 00:40:42.576: #APF-1-UNABLE_TO_CONTAIN_ROGUE: apf_rogue.c:4414 Unable to contain rogue 40:01:C6:11:F9:F1 - Not enough Container AP(s). Number of Container AP(s) 3, Requested containment level 4
*Dot1x_NW_MsgTask_3: Jan 11 00:40:17.471: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client c4:43:8f:f1:8c:8b - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
*Dot1x_NW_MsgTask_4: Jan 11 00:40:03.368: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client f0:d1:a9:8e:1a:dc - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_1: Jan 11 00:39:30.528: #DOT1X-3-INVALID_REPLAY_CTR: 1x_eapkey.c:360 Invalid replay counter from client 14:10:9f:d8:84:09 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02
I already go to this link to check the Description of errors-
http://www.cisco.com/en/US/docs/wireless/controller/message/guide/msgs4.html#wp1000139
Appreciate all feedback. Thank you.Hi Ruben,
a) After successful dot1x authentication, session keys are derived from pairwise master key.
b) When the AP transmits a key to a station by default, it expects a response back within a set timeframe.
c) If the station does not respond, the AP increments the counter and retransmits the key.
d) If the AP receives a response to first message just after the retransmission of the key, a mismatch occurs in the counter.
This in most of the cases will be a client driver problem.
Solution :
1) try to increase the EAPOL-Key Timeout ( config advanced eap ).
2) Upgrade the client driver.
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
WLC 5508 HA Problem Soft.ver 7.4.100
Dear Support,
we are using two WLC 5508 software ver.7.4.100 with first 50AP license and in the next day we add 50AP license again to the primary WLC. when we activate HA base in the following guiden http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html but when we doing test the failover we found a couple log message on the Secondary WLC like below and not for long time all AP on the Secondary WLC was drop off.
1. DP Critical Error
2. *RRM-DCLNT-2_4: May 23 07:43:53.204: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG: Could not retrieve RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
*RRM-DCLNT-2_4: May 23 07:43:53.164: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG: Could not retrieve RRM Coverage Measurement DataKey BSSID:34:db:fd:dd:3e:20,Key SlotId:0
*RRM-DCLNT-2_4: May 23 07:43:52.854: #RRM-3-RRM_LOGMSG: rrmTables.c:682 RRM LOG: Could not retrieve RRM Coverage Measurement DataKey BSSID:2c:36:f8:72:fc:c0,Key SlotId:0
I also send a complete log for both problem above and enclose it with pdf file. need you advice and assistance,
regard, afriansyahI agree go to version 7.4.121.0 I has some strange issues on prior releases. Personally I am running 7.6.120.0 right now but that's mainly due to support for the 3702 access points.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-74573
that's a good guide just to double check yourself just in case. - -
Upgrade WLC 5508 to 7.4.121.0 problem
After I upgraded WLC 5508 from 7.2.111.3 to 7.4.121.0, all 3602i APs don't associate with the controller. All APs were working/associating with controller on 7.2.111.3 at same setting. IP address of APs are setup as DHCP.
The error message is "AP couldn't get IP address".
Any one has this type of problem when you upgrade WLC 5508 from 7.2.111.3 to 7.4.121.0.
Thanks,Hi,
This doesn't look like software issue.
You have to check why the APs are not able to get ip address. Try connecting a PC to a swtich port where one of these APs are connected and see if you are able to get IP on PC.
Also check if the DHCP server is reachable and if there are IP address in the pool assigned for APs.
HTH,
Thanks & Regards,
Ishant
*** Please rate the post if you find it useful *** -
WLC 5508 LDAP Windows 2008 Server - auth based on AD groups
hi NG,
i'm trying to web-authenticate my Wifi user of an WLC 5508 against LDAP.
Thereby i'm trying to autenticate all users within a GROUP, not an OU within the MS Active Directory based upon an Windows 2008 Server.
I can authenticate against a user, witch is beeing put into an OU, according to examples based here: https://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
Checking based upon Users within OUs works fine.
But i have not got all of those users wihin one single OU!
Need help for following: LDAP-Auth based on AD Groups:
Using:
MS-Domain: MY-DOMAIN.CH
AD-GROUP: VPN-USERS
AD-Structure:
MY-DOMAIN.CH
|
GROUPS
|
Administrative Groups
|
VPN-USERS
(-> Member of this Groups (Wireless1, Wirless2, ...)
Server Adress: IP.IP.IP.IP
Port: 389
Enable Server Stats YES
Simple Bind Authenticated
Bind Username LDAP-USER
Bind Password supersecret
Bind Passw. confirm supersecret
User Base DN: ?-1-?
User Attribute: ?-2-?
User Object Type: Person
Server Timeout 2
What happens for instance, if i put a GROUP within a GROUP regarding the LDAP Authentication.
I guess i have to authenticate against the "upper" GROUP, or do i have to create an entry on the WLC for every GROUP i'm questoning?
Could some one provide my with an example, since i have not found documentation regarding this topic.
Thank you.Hi,
User Base DN : this is in case you want to restrict the search area. If you put "dc=mydomain,dc=CH", you will search your whole AD. Depending on the size, it can be slow ...
Remember that the User Base DN is also used for the admin user.
In conclusion, User Base DN should be the most restrictive path that leads to both the admins and the users you want to authenticate.
Example :
OU=Employees,OU=Humans,DC=Mydomain,DC=CH
This would prevent to search in machines or any assets. This implies that the admin you bind with is an employee and you are only authenticating employees. You can have any number of OUs under employees, it doesn't matter
Attribute : This is the object attribute that the WLC uses to compare with the user name. In general, you would go with sAMAccountName in AD. CN would be another common example for LDAP databases.
If what you are looking for is to restrict access and only authenticate people who belong to a certain group. Then you need a radius server like ACS.
That server will be able to make selections and check the "memberOf" attribute to make sure it is in a certain group.
Nicolas
===
Don't forget to rate answers that you find useful -
Hi,
We are using 2 WLC 5508 running 7.0.98.0 sw (AP's are 1142) at our primary site. They are hosting 3 different WLAN/SSID's, one for guest and the
other 2 are for corporate access. We have put the WLC's in a mobility group, say "AAAA".
Now we have the need for our UK peer site to publish a corp WLAN that exists in UK - at our site, and when trying to configure for that (following the c70cg.pdf) - I put the WLC's for UK in a new mobility group, say "BBBB". But i can't add our WLC's into that mobilty group
(i get a duplicate mac address message).
What's the correct way of configuring this, does all WLCs need to be in the same mobility group?
Is there some reason why we can't have 2 mobility groups? Is there any upside/downside to configuring 2 mob. groups?
Any clearification would be greatly appreciated
BR
//MikaelI think you are misunderstanding , so far what you did on your local swedish site is correct. Your two swedish WLCs have to be in their own same mobility group so you can give seamless roaming to your wireless users across your swedish area without interruption.
On a WLC mobility group config page, you can have only one entry per WLC, this is why you are getting the duplicate error message.
WEBGUI - CONTROLLER - MOBILITY MANAGEMENT - MOBILITY GROUPS
If you want to put your 4 WLCs so they exchange mobility messages, the following has to happen on all 4 WLCs.
xx:xx:xx:xx:xx:xx 192.168.1.1 uk
yy:yy:yy:yy:yy:yy 192.168.1.2 uk
zz:zz:zz:zz:zz:zz 172.17.1.1 sweden
aa:aa:aa:aa:aa:aa 172.17.1.2 sweden
Note when you add WLC on the mobility section, the WLC start sending messages to each like, hey i have this client and you have that client and so on. But this has nothing to do with what you are trying to achieve.
With regards to the execs that are coming, yes, replicate the SSID and point it to the Radius Server they have in UK, add your swedish WLC(s) as a NAS on the Radius Server and it should work as if they were in UK. that should be enough and i advise you to do the following for mobility groups config.
on the two UK WLCs
xx:xx:xx:xx:xx:xx 192.168.1.1 uk
yy:yy:yy:yy:yy:yy 192.168.1.2 uk
on the two Swedish WLCs
zz:zz:zz:zz:zz:zz 172.17.1.1 sweden
aa:aa:aa:aa:aa:aa 172.17.1.2 sweden
hope i cleared it out for you. greeting from cold Belgium tonight :-) and hope the execs will enjoy Sweden! -
WLC 5508, DHCP Problem after Update Cisco ASA(DHCP-Server)
Hello,
our Problem is, our Apple Devices get no ip adress from our Cisco ASA Cluster(ASA 9.1.2) over Wireless(Cisco WLC 5508). All other devices(Windows, Android,...) work correct, without problems. Our WLC is in HA-Mode.
Does anybody have an Idea?
Thank you very much and Best regards,
StefanHello again,
I hope this case is the solution.
https://supportforums.cisco.com/message/3942112#3942112
I will let you know after downgrade.
Best regards,
Stefan -
WLC 5508 WPA Authentication Problems
Hello,
We have a WLC 5508 with 7.4.100.0 Firmware.
We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES autentication. The clients receive in her laptop a password error, and we receive the following log in wlc:
Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
The strange thing is that the problem is solved restarting the Access-points.
Anyone had this problem previusly?
Thanks in advance.I made the configuration using the Cisco Recommended settings, the strange thing its that the users connect normally, until they starts with authentication problems. I restart the access points and the problem its solved.
Cisco Recommended and not recommended Authentication Settings
Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
These images provide examples of incompatible settings for TKIP and AES:
Note: Be aware that security settings permit unsupported features.
These images provide examples of compatible settings: -
Problem uploading SSL certificat on a WLC 5508
Hello,
I'm trying to upload a SSL-certificate (RSA:2048) on a WLC 5508 via the "Management->HTTP-HTTPS" - Tab and get the following problem :
*TransferTask: Jul 18 16:36:14.487: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1
*TransferTask: Jul 18 16:36:14.487: %SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4028 Cannot PEM decode private key
I've generated it using the following commands:
# openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.ca-bundle -out CA.pfx
# openssl pkcs12 -in CA.pfx -nodes -out CA.pem
But it doesn't work...
Does anyone have an idea?
Best regards,
EricHello Eric,
I'm facing the same problem, when trying to upload a chained SSL certificate (2048bits) to the wlc version 7.0.116.0
Did you use an unchained certificate and what size is your cert?
According to a Cisco document, for controllers version 5.1.151.0 and later, only unchained certificates are supported for the management certificate.
I'm just wondering, if this limitation still applies to the newer versions.
Regards,
Oliver -
Problem Concurent client WLC 5508
Hi All support,
i have running cisco wlc 5508 with software upgrade 7-4-100-0.aes and 24 cisco 1552 AP with mode mesh, concurent client only show 185 clients but if we using dual load wlc ( Whitout mobility group, if using mobility group clients still stuck concurent) clients can get online 150 on wlc01 and 130 on wlc02 ,total client we have is 300 client.for more information we using feature passive client on this network. any body can help ??
regards,
Sigit H.Wthis is debug iapp :
*iappSocketTask: Mar 18 11:13:09.419: [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.419: [0496] 00 00 00 00 00 27 22 16 13 f9 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0512] 00 00 00 02 00 00 00 00 00 00 01 46 b8 17 01 00
*iappSocketTask: Mar 18 11:13:09.420: [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0688] 00 00 27 22 40 a8 81 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0704] 01 00 00 00 00 00 00 00 a8 b9 19 01 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0720] 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:09.420: [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.785: IAPP Rx Frame (1633)
*iappSocketTask: Mar 18 11:13:10.785: [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 e6 80 81 00 00 0b
*iappSocketTask: Mar 18 11:13:10.785: [0016] 08 00 45 00 05 cc d3 da 40 00 ff 11 28 8a 0a 9d
*iappSocketTask: Mar 18 11:13:10.785: [0032] 32 6d 0a 9d 32 15 3e 69 14 7f 05 b8 00 00 00 20
*iappSocketTask: Mar 18 11:13:10.785: [0048] 03 20 bb 9f 00 00 01 04 00 00 00 00 00 00 01 08
*iappSocketTask: Mar 18 11:13:10.785: [0064] 00 00 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 2c 36
*iappSocketTask: Mar 18 11:13:10.785: [0080] f8 73 e6 80 00 00 aa aa 03 00 40 96 00 00 06 03
*iappSocketTask: Mar 18 11:13:10.785: [0096] 32 8b 2c 36 f8 73 e6 80 2c 36 f8 73 e6 80 00 00
*iappSocketTask: Mar 18 11:13:10.785: [0112] 39 00 05 ed e1 cf 0a 30 08 00 00 27 22 40 a4 df
*iappSocketTask: Mar 18 11:13:10.785: [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0144] 00 00 a0 05 00 00 00 00 00 0c 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0304] 00 00 00 00 00 00 00 00 27 22 84 89 30 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a3
*iappSocketTask: Mar 18 11:13:10.786: [0336] 06 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0496] 00 00 00 00 00 27 22 40 a8 57 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0512] 00 00 00 00 00 00 00 00 00 00 00 00 aa 0d 01 00
*iappSocketTask: Mar 18 11:13:10.786: [0528] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0688] 00 00 27 22 2c a9 c6 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0704] 00 00 00 00 00 00 00 00 00 a2 06 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0720] 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:10.786: [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: IAPP Rx Frame (1633)
*iappSocketTask: Mar 18 11:13:12.554: [0000] d0 c2 82 e3 ae c4 2c 36 f8 73 04 20 81 00 00 0b
*iappSocketTask: Mar 18 11:13:12.554: [0016] 08 00 45 00 05 cc 00 50 40 00 ff 11 fc 17 0a 9d
*iappSocketTask: Mar 18 11:13:12.554: [0032] 32 6a 0a 9d 32 15 30 44 14 7f 05 b8 00 00 00 20
*iappSocketTask: Mar 18 11:13:12.554: [0048] 03 20 bb fa 00 00 01 04 00 00 00 00 00 00 01 08
*iappSocketTask: Mar 18 11:13:12.554: [0064] 00 00 2c 36 f8 73 04 20 2c 36 f8 73 04 20 2c 36
*iappSocketTask: Mar 18 11:13:12.554: [0080] f8 73 04 20 00 00 aa aa 03 00 40 96 00 00 06 03
*iappSocketTask: Mar 18 11:13:12.554: [0096] 32 8b 2c 36 f8 73 04 20 2c 36 f8 73 04 20 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0112] 39 00 05 ed 00 00 0a 30 08 00 00 27 22 40 a8 f0
*iappSocketTask: Mar 18 11:13:12.554: [0128] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0144] 00 00 b0 14 01 00 00 00 00 12 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0160] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0176] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0192] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0208] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0224] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0240] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0256] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0272] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0288] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0304] 00 00 00 00 00 00 00 00 27 22 16 a3 f7 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0320] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ad
*iappSocketTask: Mar 18 11:13:12.554: [0336] 10 01 00 00 00 00 24 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0352] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0368] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0384] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0400] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0416] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0432] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0448] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0464] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0480] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0496] 00 00 00 00 00 27 22 40 a9 37 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0512] 00 00 00 00 00 00 00 00 00 00 00 00 b1 13 01 00
*iappSocketTask: Mar 18 11:13:12.554: [0528] 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0544] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0560] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0576] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0592] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0608] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0624] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0640] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0656] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0672] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0688] 00 00 27 22 40 a9 fd 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0704] 00 00 00 00 00 00 00 00 00 b2 16 01 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0720] 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0736] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0752] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*iappSocketTask: Mar 18 11:13:12.554: [0768] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(Cisco Controller) >debug iapp all disable -
WLC 5508 7.0.98.0 problem with locpRxServerTask missed software watchdog
Hi
today my wlc 5508 crash. after trying to get access via sp. i doesnt reponds. so i rebooted. in the sh tech i saw this message which i gues indicates the RC of the failure. ANY IDEAS...
* Start Cisco Crash Handler Serv *
Sys Name: usa-5354-wlc-02
Model: AIR-CT5508-K9
Version: 7.0.98.0
Timestamp: Thu Jan 5 05:43:13 2012
SystemUpTime: 254 days 4 hrs 46 mins 24 secs
pid: 1225
TID: 944042816
Task Name: locpRxServerTask
Reason: Reaper Reset
timer tcb: 0x2572
timer cb: 0x10354e28 ('rrmTimerInit+600')
timer arg1: 0x19b11010
timer arg2: 0x0
Long time taken timer call back inforamtion:
--More-- or (q)uit
Time Stamp: Thu Sep 22 15:56:24 2011
timer cb: 0x100d6f48 ('apfRldpScheduleSet+656')
Duration : 103753 usecs, cbCount= 15
Analysis of Failure:
Software was stopped by the reaper for the following reason:
Reaper Reset: Task "locpRxServerTask" missed software watchdogMay be here is the bug that u r hitting..
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti21343
Upgrade the image to the latest that we have (7.0.220)
Please dont forget to rate the useful posts!!
Regards
Surendra -
WLC 5508 + NPS MS-CHAP v2 Auth problems
Hi,
I am having a lot of trouble trying to set up a Cisco WLC 5508 to use NPS on Windows Server 2008 as it's authentication.
When a client attempts to connect to the WLAN, the authentication is denied on Windows 7/Vista/XP, however, on Mac/iOS clients, it asks to accept the certificate (this is a public cert, issued by Entrust - however, it is a wildcard cert..), but then it will connect.
So I have two questions:
1/ Why won't the windows clients authenticate? If I set up the WLAN profile on the windows machine, and I deselect "Validate server certificate", then they connect just fine....
2/ Is it possible to make it so the user is not prompted to accept the certificate? Why can't this certificate be validated locally by the client?
Thanks,
JoshLooks like it might have been an issue with that certificate, I don't know.
Either it didn't like the wildcard, or it didn't like the intermediate/root CA.
I downloaded a Comodo Trial SSL and plugged that in - works like a charm now!
Maybe you are looking for
-
How do I create an Apple ID for my kids which are linked to my Apple ID so that they can make purchases without me having to tell them my user/password?
-
I currently use iCloud on a MacBook Pro. I opened my iBook G4 that hasn't been used in years. I have many email messages that i would like to transfer to the MacBook Pro, but every password I use to access MobileMe is not accepted. Any suggestions on
-
Consuming a Web Service with PasswordDigest Authentication in ABAP
Hello, I need to consume a web service in ABAP from a non-SAP application. The web service uses wsse:UsernameToken with PasswordDigest in the SOAP Header for authentication. However, I havent seen any documentation for using Password Digest in ABAP.
-
Updating with Adobe Application Manager will not work
I get an error as I am trying to update my Adobe Suite software. How do I get this to work properly? I have never had issues with this until now. Any help is appreciated.
-
can anyone suggest a great music scan and organize app?