Wireless Anchor SSID for CWA ISE 1.3

Hello Team,
Trying to follow this guide: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
We are trying to enable this for guest access with an anchored WLC.
However, when we create the SSID with MAC filtering, the local WLC is putting the MAC address of the client into the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor.
I have created the SSID with correct anchors.
Any ideas? Maybe this option doesn't actually work with anchor?

"However, when we create the SSID with MAC filtering, the local WLC is putting the MAC address of the client into the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor."
In the anchoring scenario, the AAA authentication comes from the foreign, not the anchor, as it is Layer 2 authentication.
Make sure your local WLC is able to authenticate the user.
Steve

Similar Messages

  • Is it supported Anchor Controller for CWA??

    Hi all.
    I'm working on a CWA solution to be implemented at our customer, but all the information I found always talks about CWA on a shared WLC, not on dedicated WLCs in which one of them is a Foreign WLC and the other is the Anchor WLC.
    I didn't find any information about the support of this feature or any note about its configuration.
    Can anyone help me?
    Thanks in advance.
    Best Regards.

    Well in CWA, the ISE is hosting the portal page. You can always have an anchor WLC in the dmz, but you would have to open ports back up to ISE. When using an anchor WLC you basically are placing guest traffic directly in the dmz by tunneling all the traffic to that dmz WLC. That dmz WLC would have a portal page and a 3rd party certificate (optional) and can authenticate local or clients from radius.

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to be borne out in packet captures of the process, where both parts of the auth seem to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
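
An added example (not part of the original post, and not Cisco tooling): this Python script reduces controller client debug output like the FOREIGN capture above to the client's policy-manager state path, mobility role, and RADIUS redirect events, so the same summary can be produced from the anchor's debug and the two compared. The sample lines are copied from the post; the names `summarize` and `redirect_window` are hypothetical.

```python
import re
from datetime import datetime

# A subset of lines copied verbatim from the FOREIGN debug in the post above.
SAMPLE_FOREIGN_DEBUG = """\
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
  type = Airespace AP Client
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
"""

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>"
HEADER = re.compile(
    r"^\*(?P<task>[^:]+): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
STATE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)")
ROLE = re.compile(r"mobility role=(\w+)")


def parse_ts(ts):
    # The debug carries no year; only differences between stamps are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def summarize(debug_text):
    """Return {mac: {"path", "final_state", "mobility_role", "redirects"}}."""
    clients = {}
    for raw in debug_text.splitlines():
        m = HEADER.match(raw.strip())
        if not m:
            continue  # continuation lines ("type = ...", "MAC: ...") carry no header
        c = clients.setdefault(
            m["mac"],
            {"path": [], "final_state": None, "mobility_role": None, "redirects": []},
        )
        msg, when = m["msg"], parse_ts(m["ts"])

        st = STATE.search(msg)
        if st:
            new, old = st.group(1), st.group(2)
            if new != old:  # ignore no-op "RUN -> RUN" re-plumbs
                if not c["path"] or c["path"][-1] != old:
                    c["path"].append(old)
                c["path"].append(new)
                c["final_state"] = new

        role = ROLE.search(msg)
        if role:
            c["mobility_role"] = role.group(1)

        # Access-Accept carrying the CWA redirect vs. the post-login update without it.
        if "Redirect URL received for client from RADIUS" in msg:
            c["redirects"].append((when, "pushed"))
        elif "AAA redirect is NULL" in msg:
            c["redirects"].append((when, "cleared"))
    return clients


def redirect_window(client):
    """Seconds between the first redirect push and the next clear, else None."""
    pushed = None
    for when, kind in client["redirects"]:
        if kind == "pushed" and pushed is None:
            pushed = when
        elif kind == "cleared" and pushed is not None:
            return (when - pushed).total_seconds()
    return None


if __name__ == "__main__":
    for mac, c in summarize(SAMPLE_FOREIGN_DEBUG).items():
        print(mac, c["mobility_role"], " -> ".join(c["path"]), redirect_window(c))
```

Run against the anchor's debug for the same client, a missing "cleared" event or a final state other than RUN shows where the two controllers disagree.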

  • CWA/ISE/WLC - client timeout when redirected to portal.

    Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
    but the link times out.
    I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
    Any thoughts or suggestions are appreciated.
    Info: ISE 1.1.1 and vWLC 7.3.101.0 is installed on vmware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enable, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.
    Topology:
    Win7/iPad -  -  - AP----labswitch-----switch-----switch-----VMware
    (Traffic does not pass through FW and there are no ACL on the switches.)
    ACL on WLC:
    Client on WLC

    Hi all.
    In line with this behaviour, I have a similar problem with the renewal of the IP address. In a similar scenario (ISE 1.1.2 + vWLC 7.3.101. + CWA + DVLAN assignment), for test purposes I need to use the AP in FlexConnect mode with central control and data traffic, because vWLC does not support APs in local mode.
    I am applying CWA in an SSID with a "non-routed" interface and two interfaces for the two different profiles. The client passes the CWA profile in the "non-routed" subnet when redirected; after a successful web authentication ISE sends the WLC the new attributes, including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.
    I use two rules for authentication
    First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
    Second (this rule is above the first): Guest Traffic; condition "Network access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes the new role-based VLAN assignment - new ACL assignment - Termination-Action=0)
    The WLC shows me the data correctly: it changes the interface and the ACL and changes the client status to RUN, but keeps the IP address belonging to the old VLAN (non-routed VLAN)
    Could it be possible that this bug is hitting me?
    Is there any RADIUS attribute to force a DHCP IP process for these devices?
    Thanks in advance.
    Best Regards.

  • Best Practice "One SSID for everything"

    Hello Guys,
    we switched from ACS to ISE and now we want to have just two SSIDs for all business needs:
    I'm not sure if this is the right or best way to do it.
    One SSID is for Guest Network and also for BYOD Registration.
    The second SSID is for BYOD and company devices (laptop, iPad, iPhone...). But we also have Cisco 7925G phones, which should get a client cert and then also connect to that SSID. In the old setup it was a separate SSID with CCKM enabled. Now, because of compatibility, I had to disable CCKM. Also, the new SSID would have client band select enabled, which should be good for voice, right?
    In your experience, is it a good idea to put all clients in 1 SSID?
    Is Wireless Voice working fine without cckm ?
    What is your recommendation for that setup regarding ssid and voice/video configuration specially 802.11 settings and CAC
    Thanks for help
    Kind regards
    Philip

    A lot of vendors will also suggest having one SSID if possible, but the rule of thumb is 3-4 max.  The main issue is the differences required for specific WLANs, which isn't just for Data and Voice, but you also have to look at mDNS, multicast, 802.11r, DTIMs, MFP, etc.  You can combine all devices to use one, but all the features/settings will be the same, which isn't ideal all the time.  There are attributes which you can set from ISE to push out to the WLC(s), but it's the other unique values that you need to research and understand.

  • Wireless Connection Problems for Home Hub 3 and Vi...

    We have upgraded from BT Home Hub 2 to version 3 and had a BT man (engineer) visit to set it up. He did so with no problems on our PC (wired, running XP) and installed all relevant software on the PC and this is connected which so far has been fast (enough - as expected) and reliable. Once the 'main' computer in the house was connected we then tried to connect other things to the internet using this BT Hub 3.
    However when attempting to connect our family laptop (running Vista) we hit trouble. Initially I tried to use the icon in the tray (bottom right of the screen) by clicking on connect to a network, then selecting our hub, then inputting the wireless key and going through the menus correctly. It would only connect 'locally' and not recognise the hub. It says identifying then says unidentified (public network BT Hub 3) and only 'local' access which I then change to private network. With my previous internet I was able to set it up as Home network - now I can only choose between public or private BUT NOT Home, Work or Public.
    So I then tried the BT disc that comes with the hub in the laptop. I go through the menus - it asks is the broadband light steady blue? Yes. Click next to continue wireless set up. So I press continue. It then asks for the wireless network/SSID BTHub3- numbers and letters and the wireless key. So I put that in correctly (double checking) and click next. It then says Connecting to your Hub which then gets ticked but then the checking wireless key doesn't tick - it crosses, and says failed. It asks me to check I typed the numbers and letters correctly (I am sure of that) and it goes to manual set up, where I select my hub and again type in the wireless key and click next. But the same thing happens - connecting to your hub gets ticked but checking wireless key fails.
    I then get a message that says i should do a wired set up, which I can do and works but on the laptop wired solutions is just not satisfactory - laptops need wireless connectivity. Is this a problem with my laptop, Vista or the hub/modem or a combination.
    I also have been able to connect other things to the internet such as a netbook (running Windows 7) and a games console. Please comment if anything needs explaining or more detail. Your help will be much appreciated. Thank you in advance.

    John46: I uninstalled the Hub programmes you said to. I then tried to connect to a network (wirelessly - accessed either by going to Start - Connect to or from the icon in the tray (bottom right). I selected my hub and clicked connect. It does its thing and says 'successfully connected to...' I close that and go onto Network and Sharing Center and it shows its trying to identify the network and wait a few seconds it then shows 'unidentified network (public network)...' and that I have only got local access and so cannot surf the web.
    As I mentioned in my earlier post:
    With my previous Internet I was able to set it up as Home network - now I can only choose between public or private BUT not got the choice between Home, Work or Public.
    Hope I've explained myself.

  • Using exisiting wireless network SSID name and settings

    I want to use an existing wireless network SSID and settings as I set up my new AirPort Time Capsule.  I plan to turn off the wireless network at the Westell modem/router that now establishes the network.  What setting do I pick in AirPort Utility: extend a wireless network or set up a new wireless network?
    When should I turn off the wireless at the Westell router?  Before or after running AirPort Utility?

    Establish a permanent Ethernet cable connection from one of the LAN <-> ports on the Westell router to the WAN "O" port on the Time Capsule.
    Configure the Time Capsule to "create a wireless network" using the same settings for the Time Capsule network as the Westell.
    Make sure that the Time Capsule has been configured to operate in Bridge Mode to work correctly with the Westell router.
    Once you have the Time Capsule set up and working, you can turn off the wireless function on the Westell router.

  • Round trip time is more with wireless phone SSID

    Hi,
    We have separate SSID for data and voip in our wireless network.
    I have connected my laptop to wi-phone SSID and gave a ping to other laptop IP on same SSID. The round trip time is around 707ms. Sometimes it is reaching more than 1000 ms.
    When I connect to my data SSID, the round trip time is much lower, around 3 to 4 ms.
    When I try to ping to a phone which is on call, the round trip time is around 50 ms.
    Please suggest on how to resolve this issue. Please let me know, if any configuration related information is required.
    Regards,
    Madhan kumar G

    it could be due to power-save enabled on those laptops. Disable it and try.
    disable/enable wmm on laptop and try.
    Try pinging the phone at off call you may experience high RTT when it is not on call.
    ping on WLC is handled as best effort. try file transfer or iperf/jperf.
    what's the client(s) rssi and snr when you test.
    If the above didn't help check config between the WLANs in question.

  • Touchsmart Computer not recognizing Wireless N SSID at 5GHz

    I have two HP Touchsmart 600-1105xt computers running Windows 7 x64. I have a 802.11n wireless LAN card with Bluetooth and according to system information it is Ethernet 802.3 PCI and the manufacturer is Rankin Technologies. I recently bought a Netgear WNDR 3300 dual band high performance router. The router setup was easy and I set SSID for 5GHz and 2.4GHz. So far, I can only see the 2.4GHz SSID on either computer and can connect just fine, but I cannot see the 5GHz SSID on either computer. I have gone through the Netgear manual and adjusted settings with no solution.
    I checked Device Manager and the Network Adapter properties. The Advanced Tab has the following settings:
    Adhoc Support 802.11n: disable
    Country Region 2.4GHz: #0 (1-11)
    Country Region 5GHz: #7 (36-165)
    IEEE802.11H: Disable
    Multimedia/Gaming Environment: Disable
    Power Saving Mode: Max_PSP
    Radio ON/OFF: Enable
    This indicates to me that my wireless N adapters are capable of both 2.4 and 5GHz on wireless N.
    Anything I can do to be able to see both the 5GHz and 2.4 GHz SSIDs?

    I have the same exact problem , same wireless card and settings and have been trying to solve it. My PC is 3 weeks old and HP technical support said they can fix it but because it is a "network specialty" problem they want to charge me for their service. No way will I pay, 1. I have a 2 year warranty and 2. brand new out of the box should be 100% operable. Anyway if you find a solution, please email me at [email protected] and I will reciprocate if you forward me your email. 
    For now trying to get HP to honor their responsibility has been unsuccessful.
    Freddy

  • Cisco WLC 's Anchored SSID multiple subnets

    Hi,
    I have a requirement to land an SSID on an anchor controller but depending on which AP the client connects I need them to receive certain IP address.
    So...
    I have an LWAP known as AP1 connecting to WLC1, WLC1 uses WLC2 as the Anchor controller for the ssid SSID1. When a user connects I want that user to get an address out of SUBNET1. If a user connects to AP2 which is also connected to WLC1 I want that user to get an address out of SUBNET2
    Now, if the APs were located directly on WLC2 I could use AP groups to provide this functionality. Does anyone know if it's possible to combine this with anchoring?
    Thanks
    RG

    As of right now, you can't specify where the anchor controller traffic will go to (if you have multiple anchor controllers).  The only way is to assign only one anchor to a foreign WLC, and all those APs will anchor to the assigned anchor controller.
    When you anchor SSIDs, the anchor places the user on the interface that is specified on the anchor controller SSID.  So AP groups will not work for any APs that are on any foreign WLCs.  AP groups will work for APs that are joined to the anchor, but not the other way around.

  • WRT610N SSID for 5mhz not broadcasting.

    I have a WRT610n v1.0 router with firmware version 1.00.03 B15 and for some reason when I set the router to N and to auto channel width it does not broadcast the SSID. On my windows xp machine it only shows the b/g SSID for the 2.4 mhz. Even when I shut off the 2.4mhz and only turn on the 5mhz it still does not broadcast the SSID for it. 
    Wondering if there is something I need to do to overcome this or?
    Thanks!
    Firmware Version: 1.00.03 B15  

    mcraul wrote:
    it's an RAlink wireless usb 802.11 b/g/n
    If that's the exact model then that is the reason why it does not work: the adapter is not 802.11a compatible, i.e. it does not support 5 GHz. Only an adapter which supports 802.11a is able to use the 5 GHz band.
    Of course your adapter will pick up the 2.4 GHz band regardless of its mode.
    Thus again: try to set the 5 GHz band to Wireless-A only and check if you can see the SSID now. With an 802.11b/g/n adapter you won't pick it up. Your adapter simply does not support the 5 GHz band...

  • How can I use my iPhone as wireless internet receiver for my MacBook Pro?

    Can anyone tell me how to use my iPhone 4 as a wireless internet receiver for my MacBook Pro? Thanks & greetings from the Netherlands! Matthijs

    Apple!!!! Please listen to your customers!!!!
    http://finance.yahoo.com/news/Smartphone-Fans-Want-FM-iw-1184795842.html?x=0&.v=1
    Give us or make us pay for FM app already!!!!!
    http://www.tomsguide.com/us/Apple-iPhone-iPod-FM-Receiver,news-4855.html

  • A s d f g keys not working on a wireless Apple keyboard for Imac

    a s d f g keys not working on a wireless Apple keyboard for Imac.
    When I type they on't work.
    *Exmple o complete entence.
    Plee help! Thi i very rutrtin. I on't wnt to ue cut n pte or ome letter.
    Thnk you in vnce.

    Make a Service appointment for the keyboard at your local AASP.
    Apple - Find Locations
    I'm not sure how old it is, but it is covered for 1 full year as long as it didn't take that 19 story dive.

  • How do I make my HP P2055dn printer into a wireless network printer for 5 computers

    How do I make my HP P2055dn printer into a wireless network printer for 5 computers? Windows versions on computers used are  XP,Vista & 7.
    Thanks
    Leon

    Unplug the USB cable from the printer.  Plug your printer into your wireless router with an Ethernet cable.
    Next, on each computer, get the latest software for your printer from the "Support & Drivers" link at the top of this page.  Install it and select "Network" installation when it asks.
    Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
    I am employed by HP

  • HP B500 Wireless Bluetooth Adapter for HP Printer Not Working With Windows 8.1

    I have been using the HP BT500 bluetooth Wireless adapter to print wirelessly to my HP Officejet Pro 8500 printer.  I have been using Windows Vista, but recently upgraded to Windows 8.1.  I learned after the upgrade that the HP B500 wireless bluetooth adapter is not compatible with Windows 8.1.  I have attempted to find a driver upgrade for the B500, but there does not appear to be one available.  I have also searched the HP site and other sites in an attempt to locate an alternate wireless bluetooth adapter to replace the B500, but have again been unable to locate one.
    Is there a wireless bluetooth adapter that will allow me to print wirelessly to my HP Office Pro 8500 from my laptop?

    Hi @Raider83,
    Welcome to the HP Forums!
    I noticed that your HP B500 wireless bluetooth adapter for your HP Officejet 8500 is not working with Windows 8.1. I am sorry to hear this but happy to look into this for you!
    I am not sure if you are using a 32-bit or 64-bit Operating System. But sometimes with Windows 8.1 you can use compatibility mode to install an older version of the driver. Which might help the situation. Here is a link to some other Windows drivers, HP bt500 Bluetooth USB 2.0 Wireless Adapter Drivers.
    Once you got a driver downloaded, follow this guide, Make older programs compatible with this version of Windows, on how to install it using compatibility mode.  It is not guaranteed to work, but it is worth a try!
    If you still need me to look for other bluetooth adapters, please respond with your printer's Product/Model Number. To find your printer's Product/Model Number follow instructions in this link. Finding Your HP Product Model Number. As there are multiple HP Officejet 8500 printers.
    Thank you for posting, and have a nice day!
    RnRMusicMan
    I work on behalf of HP
    Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos Thumbs Up" to say “Thanks” for helping!
