WLC 2106 problem

Hello,
I have a problem with a new WLC 2106 controller. I made this basic configuration (after reset):
(Cisco Controller) >show interface summary
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
ap-manager                       1    10       10.10.10.21     Static  Yes    No
management                       1    10       10.10.10.20     Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
At this point, everything works OK. The controller is accessible via HTTPS, and the AP (one 1130) is connected too. But next I need to create a new WLAN and another VLAN interface, named ak-lan:
config interface create ak-lan
config interface port ak-lan 1
HTTPS access is still working, but when I configure the IP address:
config interface address dynamic-interface ak-lan 10.10.11.10 255.255.255.0 10.10.11.1
HTTPS access stops. In fact, it seems like HTTPS starts on the new interface - it's accessible via 10.10.11.10, but (after a certificate warning) it shows only an empty page (Page is not accessible..)
I don't have any idea why. I tried downgrading the software (it originally came with 7.0.98.0) to 6.0.196.0, which I use on another identical controller, but the behavior is the same. Now I use software 6.0.199.4. Again the same behavior.
"show interface summary" says:
(Cisco Controller) >show interface summary
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
ak-lan                           1    11       10.10.11.10     Dynamic No     No
ap-manager                       1    10       10.10.10.21     Static  Yes    No
management                       1    10       10.10.10.20     Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
(Cisco Controller) >
All interfaces (excluding virtual) respond to ping. All interfaces have netmask 255.255.255.0.
There was another strange thing - "show sysinfo" says that I use sw 6.0.199.4 and emergency is 7.0.98.0, but "show boot" says:
(Cisco Controller) >show boot
Primary Boot Image............................... 6.0.199.4 (active)
Backup Boot Image................................ 6.0.196.0
(Cisco Controller) >
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version............................... 4.0.191.0
Emergency Image Version.......................... 7.0.98.0
Build Type....................................... DATA + WPS
System Name...................................... ak-wlc
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.828
IP Address....................................... 10.10.10.20
System Up Time................................... 0 days 0 hrs 46 mins 35 secs
System Timezone Location.........................
Configured Country............................... DE  - Germany
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +55 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 0
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ E0:5F:B9:63:7B:00

Switch is C2960, port Gi0/2:
Gi0/2     T wlc              connected    trunk      a-full  a-100 10/100/1000BaseTX
interface GigabitEthernet0/2
description T wlc
switchport trunk allowed vlan 10,11,100
switchport mode trunk
end
VLANs are set properly. The router is an ASA 5510, and routing is fine. Moreover, the interfaces on the WLC are accessible via ping (I didn't try telnet or ssh).

Similar Messages

  • Wlc 2106 problem ( cant connect to 2 lwapp ( 1242 & 1131 ) need advice

    Dear All,
    could you give me some advice on configuring the WLC with 2 LWAPP APs?
    I tried using 1 LWAPP AP (1242 AG) and it works, but when I try to connect 2 LWAPP APs (1242 & 1131), I can't associate with the LWAPP 1131 AG. I used the same configuration for both.
    I need your advice and a reference guide for this issue.
    thanks and regards

    Hi Heru,
    If both are LWAPP APs then they should be able to join the 2106 controller. Can you confirm if the 1130 is also connected to the same subnet where the 1242 is connected? Is the management subnet/VLAN different from the VLAN you are connecting your LWAPP APs to?
    Hope this link should help
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42lwap.html#wp1104685
    HTH
    Ankur
    *Pls rate all helpful posts

  • WLC-2106 and multiple interfaces on the same network

    Hi there,
    I recently created a TAC request to the Cisco support regarding our WLC-2106, but they could not help me. Basically I just learned that you can create new interfaces for the wireless LAN controller and then dedicate them to a given wireless network (SSID). This way I could more effectively utilize network bandwidth also. Problem is that all of the interfaces have to be in a different network segment in order to work, which is not what I want. I specifically want to have several interfaces on the same network segment.
    Has anyone tried to accomplish the same?

    Basically what I've misunderstood is that all the traffic generated by our wireless clients have been going through the single 100Mbit/s ethernet port on the wireless LAN controller (management interface), and to mitigate this I thought I could create new interfaces (ports) and dedicate those to given WLAN networks.. I see now that this is not supported. Not inside the same network at least.
    So, by reading further and consulting my best friend Google I learned about a setting called "AP Mode". Changing that from Local (the default) to H-REAP the APs should not route their traffic anymore through the management interface on the wireless controller, but instead route all the client traffic directly to the local LAN. This way you effectively remove the 100Mbit/s bottle-neck when all the APs were using the management interface both for configuration and client data traffic.
    It seems you also have to enable H-REAP Local switching from a given WLAN network in addition to changing the AP Mode of your access points to H-REAP. I'm still in the testing phase here so should anyone have any insight to this, I'd be grateful to hear more.

  • WLC 2106 and Linksys Bridge WET610N works with 7.0.116.0 release?

    Hi all,
    I'm having trouble with a WLC 2106 controller and several wireless bridges, so I'd like to know if I can fix it in some way.
    My environment is as follows:
    1 WLC 2106 with 2 Aironet 1240G
    I have a production appliance that needs an ethernet port to work, so I bought a Linksys Bridge WET610N to make it work via wireless.
    The Linksys bridge connects to the 1240G as a client and works well, but the appliance connected to the ethernet port of the bridge is unreachable.
    Searching for the problem, I found that the WLC acts as a proxy ARP for the wireless clients and, the ethernet appliance being a "passive" client, the controller isn't aware of it.
    My WLC is running the 7.0.98.0 firmware. The release notes for 7.0.116.0, under "Non-Cisco WGB Support", seem to state that now non-Cisco bridges can also work using the passive client feature. I've already enabled it on my controller but this didn't solve my problem.
    Can anyone tell me if the upgrade to the 7.0.116.0 can fix it?
    Thanks in advance
    Riccardo Coppola

    I'm not sure what (cheap) devices can do the wgb feature that is inter-brand compatible.
    The thing is that the WLC enforces the rule "1 wireless client = 1 client". Meaning you can't bridge multiple clients behind a wireless client, that just screws up roaming mechanisms etc ...
    Cisco WGBs have the IAPP protocol to tell the WLC "listen, I'm a WGB wireless client and those are the wired clients connected to me, allow them on the network".
    What the "universal WGB" feature does is that the WGB forwards the traffic of the client (only 1 client supported in this case!) to the infrastructure AP, but the WGB never sends anything with its own MAC address. It uses the client MAC address as source.
    This means that the WLC has no way of knowing that there is more than 1 device. It just thinks that your wired client is a wireless client.
    So it's more than MAC cloning, since the WGB has to be the one authenticating to the infrastructure (WPA/WPA2 whatsoever) by spoofing the client MAC. The WGB is still in charge of roaming decisions and so on and so on...
    I hope it clarifies the situation ?

  • AP 1140 and WLC 2106

    Does someone know if the WLC 2106 supports the AP 1140? I read that the AP 1140 is CAPWAP only and I don't know if the WLC 2106 supports CAPWAP.
    Thanks

    Yes it does, you may have to upgrade your controller software to get 802.11n and CAPWAP, use the latest code 6.0.182.
    CAPWAP was supported from code 5.2.157
    The max throughput on the 2106 though is only 100 Mbps, so you won't see the highest speeds

  • AP1522 with WLC 2106

    Hi.
    I want to know how to join the AP1522 to a WLC 2106.
    The Controller and the AP are in the network, but the AP can't be joined to the controller. What is missing?

    First of all make sure that the APs can communicate and get IP address from DHCP server (it might be an external DHCP or internal pool running on WLC).
    Are your APs on the same subnet as controller?

  • Want to configure wpa2 enterprise in wlc 2106

    Hi,
    I want to configure the WLC 2106 with WPA2 Enterprise .... I reckon that I need an ACS server (RADIUS server) with a server certificate as well as a client certificate.
    How do I configure the RADIUS server to get access through WPA2 Enterprise? If I am wrong, what are all the things required to enable WPA2 Enterprise with AES encryption?
    Is it possible to get an evaluation copy of the ACS server with a certificate?
    How do I go ahead with the same?
    It would be a great help to get the proper answer for configuring WPA2 Enterprise with AES ...

    The below link may help you..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008095382f.shtml
    Regards
    Surendra

  • WLC 2106 and iPhones

    Just recently I have been having issues with my WLC 2106 WiFi network and iPhones.  For the past week, the iPhones have been locking up the network much like it was described with the ARP issues, with the exception that, from what I have been reading, this issue did not affect the 2100 series.
    I've done searches but have not found anything applicable to what is happening now.
    Any help will be GREATLY appreciated.

    It's running on v. 4.0.217.0.  Right now I'm controlling who is accessing the wifi via MAC filter to prevent anyone with an iphone to log on but that just doesn't cut it since there's a lot of visitors coming in to use the wifi.
    I won't be able to go in and do more testing for a week or two to get that debug log.
    But this seems to be a common issue with at least the 2106s.  As soon as anyone logs in with an iphone, the controller locks up and the only thing to do is reboot.  It only fairly recently started happening so maybe it's only with the newer iphones?

  • WLC 2106 question

    Hello,
    What is the recomended way to connect  5 APs 1242 to a wlc 2106?
    Connect directly the 5 APs to the wlc and use one port for the management interface and connection to the switch or to connect the APs to a switch and use one connection for the wlc?
    Thanks in advance.

    Depends on the AP.
    One FastEthernet connection to the switch doesn't "really" create a bottleneck.  Your AP might.  If, say, you have a 1130 or older then I'd say no significant bottleneck because the APs are also FastEthernet.
    If you use the newer ones, like the 1250 and newer, which have GigEthernet and/or higher throughput (if you enable 802.11n), then yes.  The switch AND the WLC 2100 are both the bottleneck.

  • WLC 2106 Configuration steps

    I have a WLC 2106, 5 LWAPs and 3 Cat3560 switches, and my 2851 CME router is providing DHCP for Data VLAN 1 and Voice VLAN 100.
    Can anyone please help me with how to do the basic configuration?
    When I configure Management and AP manager on the WLC 2106 on untagged VLAN 0 I am able to ping, but when I changed the VLAN to 1 I am not able to communicate with the WLC from the switch or any port from the WLC.
    Please help me to configure the WLC.
    Thanks & Regards
    PRajoth

    The software guide states "A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged.
    The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a non-zero value), the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
    Cisco recommends that only tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch's 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller.
    Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic"
    Can you supply a screen shot of the interfaces page from your WLC and supply the WLC switch port configuration also? Just to sanity check what you have so far?

  • Microsoft Server 2003 / PEAP / WLC 2106

    Has anyone ever had a certificate vanishing issue on an M$ Server 2003?  For some strange reason the certificate under my IAS RAS policy keeps disappearing after an undetermined amount of time?  The server is the only DC / CA root / IAS in the forest.  I'm not sure why the self-signed cert. will not remain in the cert. store?
    Current config.:
    (2) WLC 2106 (both RADIUS clients on DC/IAS)
    (5) 1141 LAPs
    Authentication: PEAP/MS-CHAPv2
    Encryption: TKIP/AES
    Any ideas?  Thanks.

    In 4.1, disabling DHCP proxy did just that, it disabled the "proxy". If you ever look at your dhcp lease of a wireless client, it comes from a dhcp server of 1.1.1.1 (virtual IP of the controller). With proxy disabled, the address will no longer be masked.
    In 4.2 and beyond, disabling dhcp proxy actually disables the DHCP Relay that is the process of the controller sending the dhcp requests to a specified server.
    So if in 4.1, you had "dhcp proxy" disabled, in 4.2 and beyond, you are actually disabling the relay as well.
    If this is indeed the case, enable DHCP proxy, or add an IP helper address to your router for this VLAN, just like you would normally do for wired clients.

  • Wlc 2106 mDns bonjour AirPlay AirTunes apple??? help

    Hi guys,
    Long time reader, first time poster.. I'm after some advice.
    I'm failing dismally trying to configure a 2106 Wlc to allow apple device (iPhone, iPads) to stream AirPlay to an apple tv 2.
    Now, I have this working perfectly with a 5508 WLC.
    I understand that the apple devices all need to be on the same subnet (they are), that multicast needs to be enabled, and I've tried a variety of multicast addresses as mentioned in many posts.. Also the wired infrastructure is not the problem (as connecting net gear access points into the same wired infrastructure works fine).
    I've also read posts where some people say the 2100series doesn't support AirPlay/bonjour/mDns and others saying they have had it work.
    But I can't find a definitive answer.
    Can anyone confirm or deny which WLC support AirPlay, as if I need to switch I want to make sure they do.
    The 5508 works fine.
    Anybody able to shed some wisdom?
    Thanks Wayne.
    Sent from Cisco Technical Support iPad App

    I have a 2106 in the lab and it works fine. Here are a few screen shots and a link that may help..
    http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfmulti.html

  • WLC 2504 problems with one IP address range

    I am having an interesting issue configuring a new 2504.
    How it is setup:
    Port 1 management with vlan tagging on vlan 111
    Port 2 trunking with ap-manager2 on vlan 3, 102 on vlan 102 (Not ap-manager), and 1001 on vlan 1001.
    All of the vlans have distinctive and unique IP ranges. Vlan 111 is running 172.16.128 /20, 102 is 172.19.252 /23 and vlan 1001 should be running 172.17 /16.
    Here is my problem. I can set up all of the dynamic interfaces on the appropriate IP ranges, but for some reason when I configure the 1001 VLAN dynamic interface with the /16 address space, I lose connectivity to the GUI management interface. I have to go in through the CLI and remove the interface or change the IP range. I have tried other /16 address spaces on that VLAN and do not have a problem with them. The 172.17 space appears to be the only one that will not work.
    I have attached the config from the controller (minus some site-specific stuff like the SNMP community and WPA stuff). The config is using a 172.20 /16 right now on the 1001 interface so that I could get into the controller and download the config. It should be 172.17 /16. The actual IP info should be 172.17.4.253 255.255.0.0 172.17.0.254
    My computer is on the 1001 vlan and I have verified the IP is not in use and am using the same subnet, gateway etc as I am trying to configure the wlc with.
    Switch config:
    Port 1 is plugged into g0/2 with the following config
    interface GigabitEthernet0/2
    switchport trunk allowed vlan 1,3,102,111,1001
    switchport mode trunk
    spanning-tree portfast
    Port 2 is plugged into fa0/47 and just has switchport mode trunk.
    How can I get the interface to work with the proper IP range for vlan 1001?

    I finally had a chance to fiddle around with this issue again and have some more information on the problem. It appears to not be an issue with the IP address, but rather with the VLAN. The 172.17.0.0/16 subnet is on VLAN 1001 which it appears the WLC does not care for. This problem is repeatable on the following versions of code that I have tried:
    7.0.220.0
    7.1.91.0
    7.4.110.0 (Not in use for production until we upgrade from WCS to Prime.)
    Any thoughts? Moving the 1001 VLAN to another number would be a HUGE undertaking so if there is not an answer within the firmware on the WLC, I will have to bridge two VLANs with bpdufilter enabled... Not my first choice for sure...

  • WLC ACL Problem

    Hi all,
    I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller, the only problem is they don't seem to work!
    Ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works and the current ACL is below:
         1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
         4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
         6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
     DenyCounter : 0
    Each WLAN is sat on its own separate dynamic interface and own unique subnet.
    Any suggestions would be most appreciated.
    Thanks.

    Hi,
    Keep in mind the direction of the ACL.
    In means from client destined  to WLC
    Out means from WLC destined to client.
    It should look like this:
    Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
         1  In     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2 Out     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
    Don't forget to apply the ACL on interface or on WLAN.
    Regards,
    Christos.
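
A simplified first-match model of the direction rule in the reply above, added here as an example (it is not code from the thread or from Cisco). It assumes the ACL is evaluated on the interface serving the WLAN1 client, that direction is relative to that client, and that the corrected list keeps the original permit-any rule at the end.

```python
import ipaddress
from dataclasses import dataclass

# Rule text copied from the thread (whitespace collapsed).
ORIGINAL = """
1 Out 10.201.32.0/255.255.252.0 10.201.24.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
2 In 10.201.24.0/255.255.252.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
3 Out 10.201.32.0/255.255.252.0 10.201.28.0/255.255.255.0 Any 0-65535 0-65535 Any Deny 0
4 In 10.201.28.0/255.255.255.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
5 Out 10.201.32.0/255.255.252.0 192.168.200.0/255.255.255.224 Any 0-65535 0-65535 Any Deny 0
6 In 192.168.200.0/255.255.255.224 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
7 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 69
"""
# Rules 1 and 2 are the reply's correction; rule 7 is carried over (assumption).
CORRECTED = """
1 In 10.201.32.0/255.255.252.0 10.201.24.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
2 Out 10.201.24.0/255.255.252.0 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny 0
7 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 0
"""
WLAN1_NET = ipaddress.ip_network("10.201.32.0/255.255.252.0")  # the client's subnet


@dataclass(frozen=True)
class Rule:
    index: int
    direction: str  # "In" (client -> WLC), "Out" (WLC -> client) or "Any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str     # "Deny" or "Permit"


def parse_rules(text):
    """Columns: index, dir, src/mask, dst/mask, proto, sport, dport, dscp, action, counter."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        rules.append(Rule(int(f[0]), f[1], ipaddress.ip_network(f[2]),
                          ipaddress.ip_network(f[3]), f[8]))
    return rules


def evaluate(rules, direction, src, dst):
    """Return (action, rule index) of the first rule matching direction and addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction in ("Any", direction) and s in r.src and d in r.dst:
            return r.action, r.index
    return "Deny", None  # nothing matched: treated as an implicit deny


def misdirected(rules, client_net):
    """Indexes of rules whose direction can never match traffic of client_net:
    an In rule whose source is not the client subnet, or an Out rule whose
    destination is not the client subnet."""
    bad = []
    for r in rules:
        if r.direction == "In" and not r.src.overlaps(client_net) and r.dst.overlaps(client_net):
            bad.append(r.index)
        elif r.direction == "Out" and not r.dst.overlaps(client_net) and r.src.overlaps(client_net):
            bad.append(r.index)
    return bad


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("corrected", CORRECTED)):
        rules = parse_rules(text)
        # Echo request leaves the WLAN1 client: direction In.
        print(name, "request:", evaluate(rules, "In", "10.201.32.11", "10.201.27.41"))
        # Echo reply is delivered to the WLAN1 client: direction Out.
        print(name, "reply:  ", evaluate(rules, "Out", "10.201.27.41", "10.201.32.11"))
        print(name, "misdirected rules:", misdirected(rules, WLAN1_NET))
```

In this model every deny rule of the original list is skipped because its direction is reversed, so the ping falls through to rule 7, which matches the zero deny counter and the non-zero permit counter shown in the question.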

  • Config RADIUS on WLC 5508 - Problems comunication with NPS Server

    Hi,
    I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
    My WLAN interface is in a different vlan than the management interface, is that a problem?
    I want this WLAN to be on a different VLAN from the management. When I use the WLAN interface in the same VLAN, RADIUS works without problems. But in different VLANs it is not working.
    The NPS server has 2 NICs, 1 for the wireless VLAN, and another for the management VLAN.
    The logs from the WLC show this, but I have difficulties interpreting all this data:
    *apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
    *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
    *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)

    Yes, I thought of that. But if I use simple password authentication on the wireless, I can reach the server with the same subnet interface. But I don't want to allow this subnet to access the management subnet of the wireless controller.
    One question I have is: which subnet does the WLC use for RADIUS? Does it use the subnet of the wireless interface or does it always use the management interface?
    Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
    Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
    Received EAPOL START from mobile 3c:c2:43:94:3e:bc
    dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
    I also note this: "Applying Local Bridging Interface Policy for station "
    What does this mean?
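
The point where the poster's log stops making progress (Backend Auth Response state, then nothing for that client until it sends a new EAPOL START) can be picked out of a debug capture mechanically. This is an added example, not from the thread: it uses four lines copied from the log above plus one constructed control client, and the year 2000 is a placeholder because the log lines carry no year.

```python
import re
from datetime import datetime

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)

# Message prefixes as they appear in the log on this page.
# Backend Auth Response is the 802.1X authenticator state in which the
# client's response has been handed to the authentication server and a
# reply is awaited.
BACKEND_WAIT = "Entering Backend Auth Response state"
CLIENT_RESTART = "Received EAPOL START"

PLACEHOLDER_YEAR = "2000"  # assumption: the log has no year, any fixed one works

SAMPLE = """\
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
*Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_1: Dec 29 12:49:40.000: 02:00:00:00:00:01 Entering Backend Auth Response state for mobile 02:00:00:00:00:01
*Dot1x_NW_MsgTask_1: Dec 29 12:49:40.050: 02:00:00:00:00:01 (constructed control line) authentication continues
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
*Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
"""


def parse_ts(ts):
    """Parse the log timestamp, prefixing a placeholder year."""
    return datetime.strptime(f"{PLACEHOLDER_YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")


def find_stalls(lines):
    """Return [(client_mac, seconds_waited)] for every client whose next logged
    event after entering Backend Auth Response is its own EAPOL START, i.e. the
    client restarted before the controller logged any further authentication step."""
    waiting = {}  # client MAC -> time the wait began
    stalls = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a client MAC are not tracked
        mac, msg = m["mac"], m["msg"]
        ts = parse_ts(m["ts"])
        if msg.startswith(BACKEND_WAIT):
            waiting[mac] = ts
        elif mac in waiting:
            since = waiting.pop(mac)
            if msg.startswith(CLIENT_RESTART):
                stalls.append((mac, (ts - since).total_seconds()))
    return stalls


if __name__ == "__main__":
    for mac, waited in find_stalls(SAMPLE.splitlines()):
        print(f"{mac}: no progress for {waited:.3f}s after Backend Auth Response")
```

On the copied lines this reports one stall of about 18 seconds for 3c:c2:43:94:3e:bc and nothing for the control client.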
