WLC 5508 Problem with #DOT1X-3-INVALID_REPLAY_CTR

Similar Messages

• WLC 5508 problem

  Hi
  I have one 5508 and about 70 Cisco1140 AP and spred around in to about 5 sites.
  We use a Microsoft IAS server as radius server with auth from the AD with dot1x and certificate in the clinents to verify the clientents
  The clients are IBM and Dell laptops
  Some clients loses the connection to the network time to time
  I have some errors in the WLC logg
  dot1xMsgTask: Jan 18 11:23:34.254: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions
  exceeded for client 00:24:d7:22:0e:e0
  *apfMsConnTask_3: Jan 18 11:21:13.118: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:273 Could not che
  ck supported rates. Missing Supported Rate. Length :0. Mobile MAC: b8:ff:61:8f:df:25.
  *Dot1x_NW_MsgTask_0: Jan 18 11:15:31.521: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:708 Receiv
  ed invalid EAPOL-key M2 msg in START state - invalid secure bit; len 40, key type 1, client 00:21:6a
  :50:21:80
  *spamApTask0: Jan 18 11:14:34.630: %LWAPP-3-VALIDATE_ERR: spam_lrad.c:9090 Validation of SPAM Vendor
  Specific Payload failed - AP  30:37:a6:c9:53:20
  *dot1xMsgTask: Jan 18 11:14:19.850: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity re
  quest retries (14) exceeded for client 00:1f:3b:16:aa:ef
  Decrypt error occurred for clienten 00:24:d7:69:fb:7c using WPA2 key on 802.11a interface of AP e8:04:62:60:a0:10
  Any sugestions ?

  Looking at the error messages, they don't point to a singlular fault with the WLC, more like a client issue.  Below I'll explain the messages you are seeing.
  dot1xMsgTask: Jan 18 11:23:34.254: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions
  exceeded for client 00:24:d7:22:0e:e0
        This means, the WLC has sent an EAP request to the client, and has not received a response.  This could be because either the cleint didn't hear the request, or the AP didn't hear the response.  It could also be the client ignored the request.  You may want to take a look at the following document and see if you want to change the EAP timer values
  .   https://supportforums.cisco.com/docs/DOC-12110
  *apfMsConnTask_3: Jan 18 11:21:13.118: %APF-3-CHECK_SUPP_RATES_FAILED: apf_utils.c:273 Could not che
  ck supported rates. Missing Supported Rate. Length :0. Mobile MAC: b8:ff:61:8f:df:25.
     The WLC was reading a message from the client, and the client did not tell the WLC what rates it could support.  This could happen because the packet from the client wasn't heard fully.  As well, some clients will see the WLC that they are associated to, and not the individual AP.  In this case, it is possible that the client didnt' send the supported rates, as it didn't see a change in BSSID>
  *Dot1x_NW_MsgTask_0: Jan 18 11:15:31.521: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:708 Receiv
  ed invalid EAPOL-key M2 msg in START state - invalid secure bit; len 40, key type 1, client 00:21:6a
  :50:21:80
     The client tried to send a key, when the PEM state on the WLC was START.  More than likely the client thought it could roam, but the WLC thought differently
  *spamApTask0: Jan 18 11:14:34.630: %LWAPP-3-VALIDATE_ERR: spam_lrad.c:9090 Validation of SPAM Vendor
  Specific Payload failed - AP  30:37:a6:c9:53:20
     Bad packet.
  *dot1xMsgTask: Jan 18 11:14:19.850: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (14) exceeded for client 00:1f:3b:16:aa:ef
     WLC is sending EAP Identity request to the client, and it is not repsonding. 
  Decrypt error occurred for clienten 00:24:d7:69:fb:7c using WPA2 key on 802.11a interface of AP e8:04:62:60:a0:10
  Couldn't decrypt the packet.  Could be a bad key, or could be we didnt' get the full packet, thus making the decrypt fail.
      For the most part, these are commonly seen issues.  Could be the result of RF issues, so you may want to take a look and make sure the coverage at the site is clean.   Some of these can also be caused by WZC, which likes to ignore EAP messages, and has a tendancy to use the login credentials that get cached.  Which if these are not domain credentials can cause issues as well.
  Cheers,
  Steve
  If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

• WLC 2504 problems with one IP address range

  I am having an interesting issue configuring a new 2504.
  How it is setup:
  Port 1 management with vlan tagging on vlan 111
  Port 2 trunking with ap-manager2 on vlan 3, 102 on vlan 102 (Not ap-manager), and 1001 on vlan 1001.
  All of the vlans have distinctive and unique IP ranges. Vlan 111 is running 172.16.128 /20, 102 is 172.19.252 /23 and vlan 1001 should be running 172.17 /16.
  Here is my problem. I can setup all of the dynamic interfaces on the appropriate ip ranges, but for some reason when I configure the 1001 vlan dynamic interface with the /16 address space, I lose connectivity to the GUI managment interface. I have to go in through the CLI and remove the interface or change the IP range. I have tried other /16 address space on that vlan and do not have a problem with them. the 172.17 space appears to be the only one that will not work.
  I have attached the config from the controller (Minus some site specific stuff like the SNMP community and wpa stuff.) The config is using a 172.20 /16 right now on the 1001 interface so that I could get into the controller and download the config. It should be 172.17 /16. The acutal IP info should be 172.17.4.253 255.255.0.0 172.17.0.254
  My computer is on the 1001 vlan and I have verified the IP is not in use and am using the same subnet, gateway etc as I am trying to configure the wlc with.
  Switch config:
  Port 1 is plugged into g0/2 with the following config
  interface GigabitEthernet0/2
  switchport trunk allowed vlan 1,3,102,111,1001
  switchport mode trunk
  spanning-tree portfast
  Port 2 is plugged into fa0/47 and just has switchport mode trunk.
  How can I get the interface to work with the proper IP range for vlan 1001?

  I finally had a chance to fiddle around with this issue again and have some more information on the problem. It appears to not be an issue with the IP address, but rather with the VLAN. The 172.17.0.0/16 subnet is on VLAN 1001 which it appears the WLC does not care for. This problem is repeatable on the following versions of code that I have tried:
  7.0.220.0
  7.1.91.0
  7.4.110.0 (Not in use for production until we upgrade from WCS to Prime.)
  Any thoughts? Moving the 1001 VLAN to another number would be a HUGE undertaking so if there is not an answer within the firmware on the WLC, I will have to bridge two VLANs with bpdufilter enabled... Not my first choice for sure...

• WLC 5508 issue with 4 ports in portchannel

  Hi,
  We have one WLC 5508 and LAG is enabled on it but when we connect 4 cables to a distribution switch only 3 links are sending and receiving traffic and the 4th one is up with outgoing traffic from the distribution switch to WLC but nothing incoming.
  Some APs went down and refuse to be registered back to the WLC. when we shut down the 4th port everything is back to normal.
  the etherchannel config is identical and I can see all ports are active and not suspended :
  interface GigabitEthernet2/2/1
  description PortChannel-WLC1-Port1
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 60-67,2808,2922,2923,2932
   switchport mode trunk
   channel-group 99 mode on
  interface GigabitEthernet2/2/2
  description PortChannel-WLC1-Port2
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 60-67,2808,2922,2923,2932
   switchport mode trunk
   channel-group 99 mode on
  interface GigabitEthernet2/2/3
  description PortChannel-WLC1-Port3
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 60-67,2808,2922,2923,2932
   switchport mode trunk
   channel-group 99 mode on
  interface GigabitEthernet2/2/4
  description PortChannel-WLC1-Port4
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 60-67,2808,2922,2923,2932
   switchport mode trunk
   channel-group 99 mode on

  sh etherchannel 99 sum
  Flags:  D - down        P - bundled in port-channel
          I - stand-alone s - suspended
          H - Hot-standby (LACP only)
          R - Layer3      S - Layer2
          U - in use      N - not in use, no aggregation
          f - failed to allocate aggregator
          M - not in use, no aggregation due to minimum links not met
          m - not in use, port not aggregated due to minimum links not met
          u - unsuitable for bundling
          d - default port
          w - waiting to be aggregated
  Number of channel-groups in use: 38
  Number of aggregators:           38
  Group  Port-channel  Protocol    Ports
  ------+-------------+-----------+-----------------------------------------------
  99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                   Gi2/2/4(P)     
  Last applied Hash Distribution Algorithm: Fixed
  Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

• WLC 5508 integration with fortigate and Guest Vlan

  Hi
  I have 5508 Cisco WLC and i want to connect my wlc one port to fortigate (FW) for direct internet.
  And other port in WLC i will connect on Cisco Core Switch for other SSID's and for management. Now the question is how to divide port in WLC 5508, how to point layer 3 traffic if don't configure switch port as trunk.
  Kindly what will be best solution.

  sh etherchannel 99 sum
  Flags:  D - down        P - bundled in port-channel
          I - stand-alone s - suspended
          H - Hot-standby (LACP only)
          R - Layer3      S - Layer2
          U - in use      N - not in use, no aggregation
          f - failed to allocate aggregator
          M - not in use, no aggregation due to minimum links not met
          m - not in use, port not aggregated due to minimum links not met
          u - unsuitable for bundling
          d - default port
          w - waiting to be aggregated
  Number of channel-groups in use: 38
  Number of aggregators:           38
  Group  Port-channel  Protocol    Ports
  ------+-------------+-----------+-----------------------------------------------
  99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                   Gi2/2/4(P)     
  Last applied Hash Distribution Algorithm: Fixed
  Gi2/2/3 is down becasue we had to shut down the interface because when it is up many APs refuse to register.

• Config RADIUS on WLC 5508 - Problems comunication with NPS Server

  Hi,
  I'm facing some problems when configuring RADIUS auth with a NPS Windows Server.
  My WLAN interface is in a different vlan than the management interface, is that a problem?
  I want this wlan to be on a different vlan from the management. When i use wlan interface in the same vlan the RADIUS works without problems. But in different vlans is not working.
  The NPS server as 2 NICs, 1 for the wireless vlan, and another for the management vlan.
  the logs from the WLC shows this, but i have difficulties interpreting all this data:
  *apfMsConnTask_0: Dec 29 12:49:14.636: Association request from the P2P Client Process P2P Ie and Upadte CB
  *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Adding mobile on LWAPP AP d4:d7:48:45:fb:20(0)
  *apfMsConnTask_5: Dec 29 12:49:36.607: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_5: Dec 29 12:49:36.608: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
  *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfMsAssoStateInc
  *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Idle to Associated
  *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
  *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
  *apfMsConnTask_5: Dec 29 12:49:36.609: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
  *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
  *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
  *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
  *dot1xMsgTask: Dec 29 12:49:36.611: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.684: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received EAPOL EAPPKT from mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Received Identity Response (count=2) from mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc EAP State update from Connecting to Authenticating for mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:36.761: 3c:c2:43:94:3e:bc Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.794: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 4)
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Reached Max EAP-Identity Request retries (3) for STA 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Sent Deauthenticate to mobile on BSSID d4:d7:48:45:fb:20 slot 0(caller 1x_auth_pae.c:3165)
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Disconnected state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:54.795: 3c:c2:43:94:3e:bc Not sending EAP-Failure for STA 3c:c2:43:94:3e:bc
  *apfMsConnTask_5: Dec 29 12:49:55.518: 3c:c2:43:94:3e:bc Association received from mobile on AP d4:d7:48:45:fb:20
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific Local Bridging override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying Local Bridging Interface Policy for station 3c:c2:43:94:3e:bc - vlan 900, interface id 16, interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Applying site-specific override for station 3c:c2:43:94:3e:bc - vapId 9, site 'XXX', interface 'wlan'
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  statusCode is 0 and status is 0
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc processSsidIE  ssid_done_flag is 0 finish_flag is 0
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc suppRates  statusCode is 0 and gotSuppRatesElement is 1
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Processing RSN IE type 48, length 20 for mobile 3c:c2:43:94:3e:bc
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Received RSN IE with 0 PMKIDs from mobile 3c:c2:43:94:3e:bc
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Setting active key cache index 8 ---> 8
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc unsetting PmkIdValidatedByAp
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Initializing policy
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) DHCP required on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8for this client
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_5: Dec 29 12:49:55.519: 3c:c2:43:94:3e:bc 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP d4:d7:48:45:fb:20 vapId 9 apVapId 8 flex-acl-name:
  *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
  *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Stopping deletion of Mobile Station: (callerId: 48)
  *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc Sending Assoc Response to station on BSSID d4:d7:48:45:fb:20 (status 0) ApVapId 8 Slot 0
  *apfMsConnTask_5: Dec 29 12:49:55.520: 3c:c2:43:94:3e:bc apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 3c:c2:43:94:3e:bc on AP d4:d7:48:45:fb:20 from Associated to Associated
  *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Station 3c:c2:43:94:3e:bc setting dot1x reauth timeout = 0
  *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Stopping reauth timeout for 3c:c2:43:94:3e:bc
  *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
  *dot1xMsgTask: Dec 29 12:49:55.521: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 1)
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Received EAPOL START from mobile 3c:c2:43:94:3e:bc
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc dot1x - moving mobile 3c:c2:43:94:3e:bc into Connecting state
  *Dot1x_NW_MsgTask_4: Dec 29 12:49:55.592: 3c:c2:43:94:3e:bc Sending EAP-Request/Identity to mobile 3c:c2:43:94:3e:bc (EAP Id 2)

  yes, I thought of that. But if i use a simple password authentication on the wireless, i can reach the server with the same subnet interface. But i don't want to allow this subnet to acess the management subnet of the wireless controller.
  One question i have is: The WLC uses whitch subnet on radius? Uses the subnet of the wireless interface or uses always the management interface?
  Could you help me understand how the radius auth works with this wireless controller? Did you see anything strange in the logs that I posted above? It seems to run ok until:
  dot1x - moving mobile 3c:c2:43:94:3e:bc into Authenticating state
  Entering Backend Auth Response state for mobile 3c:c2:43:94:3e:bc
  Received EAPOL START from mobile 3c:c2:43:94:3e:bc
  dot1x - moving mobile 3c:c2:43:94:3e:bc into Aborting state
  I also note this: "Applying Local Bridging Interface Policy for station "
  What does this means?

• WLC - Geting Problem with Web Portal

  Hi,
  When enable the SSID that associate with web portal for guest user, the WLC found difficult to process and the system halt.Unable to get into the management ip for the WLC.
  However after disable that particular SSID, the system operates in well condition.
  FYI, we are running under version 5.0. Controller model -Wism.
  Please advice.

  I'm not sure if this is it or not, but it's in the release notes.
  CSCsm98250-After you upgrade the controller to software release 5.0, web authentication stops working, and you can no longer access the controller through HTTP or a Telnet or SSH session

• WLC 5508: LAG with not stacked switches

  Hello!
  We are planning to implement the redundant physical connection from 5508 WLC to not stacked 3750 switches.
  The sheme is attached.
  Is there any way to implement such variant of the topology?

  When you don't have LAG enabled, you can choose a primary port and a backup port.
  Do you mean to choose primary and backup for managment interface?
  As it is mentioned in documentation about AP-managment: "You cannot map the AP-manager interface to a backup port"
  http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_011.html#ID345

• Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

  Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
  I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially upto 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
  We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
  I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
  Cisco ISE looks a very expansive (and expensive) product but I don't think we need all it's capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
  I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
  We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
  Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
  Any suggestions would be gratefully appreciated from the knowledgeable community.
  Cheers,
  Mike

  Hi Rasika,
  We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
  Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
  currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
  any suggestions,
  Thank you,
  Arjun

• WLC 5508 software version working with ISE1.1.2

  Hi,
  My understanding is that for fully WLC 5508 integration with ISE 1.1.2, it needs Version 7.2.103.0.  Question is if customer has 5508 with either 7.0.230 or 7.0.98, and ISE 1.1.2, can AAA part work?  what part will not work, any potential issue if they don't upgrade 5508 to 7.2.103?
  Thanks in advance!
  Tina

  Please check the below Table:
  Table 1 Supported Network Access Devices
  Device
  Minimum OS Version
  MAB
  802.1X
  Web Auth
  Session CoA
  VLAN
  DACL
  SGA
  IOS Sensor
  CWA
  LWA
  Wireless LAN Controller (WLC) 2500, 5500
  7.2.103.0
  No6
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  Yes
  No
  Ref. Link: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp55038

• WLC 5508 -7.4.100 mDNS Bonjour snooping

  Hello
  Have 7.4 installed and configured for Bonjour Snooping. All is working, but working too well. We have a large campus that house 2 schools and each school is complaining that they can see the other schools AppleTV devices.
  I have played around with a few different scenarios to see if I can localize the bonjour traffic.
  I guess I am looking to create a logical split for bonjour devices amoung the schools.
  Apple came to the school and informed us that the IPAD has a limit of 64 devices that can be seen via the bonjour. At some point we will have over 100 AppleTV added.
  so we have 3 wlc 5508's with 7.4.100
  we have 2 SSIDs that span the whole campus
  using AP groups to segment the floors in buildings
  So the schools are logically split with AP groups
  Here is what I have tried
  I created few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2
  I assign the mDNS profiles to the interfaces dedicated each school
  enable snooping on the WLAN with profile of none
  The end result is that devices from both schools can be seen.
  I tried to create new ssid for apple TVs and a new ssid for 1 schools teachers
  I followed the vlan select example
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
  end result is that devices from both schools can be seen
  I have tried the mDNS without multicast enabled just like the video shows to no avail - I assume maybe my AP groups might be more complicated then the example of just 2 vlans
  https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2013/01/01/wireless-lan-controller-wlc-release-74--bonjour-gateway-configuration-example
  I have tried combinations of things, but I must be missing something
  In the webinar, Cisco said it will use filtering to restrict which  clients can see which services (Apple TV's, etc). What will Cisco use to  filter Bonjour requests?
  according to this article
  http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SIDqFH49
  The filtering options are: · Per WLAN/SSID · Per VLAN or AP  Group · Per Interface Group (which is a group of VLANs pooled together).
  A Bonjour service policy can be created and applied on any one of  the above criteria. In the future, we will support per-user Bonjour  service policies which will come as a RADIUS attribute from the AAA server.
  Read more: http://www.pcadvisor.co.uk/news/network-wifi/3376119/cisco-answers-user-questions-about-upcoming-apple-bonjour-gateway/#ixzz2SZqMYpdh
  Cheers
  Any insight would be appreciated

  Here are the ACLs for the controller
  acl create BlockBonjour
  acl apply BlockBonjour
  acl counter start
  acl rule add BlockBonjour 1
  acl rule add BlockBonjour 2
  acl rule action BlockBonjour 1 deny
  acl rule action BlockBonjour 2 permit
  acl rule destination address BlockBonjour 1 224.0.0.251 255.255.255.255
  acl rule destination address BlockBonjour 2 0.0.0.0 0.0.0.0
  acl rule destination port range BlockBonjour 1 0 65535
  acl rule destination port range BlockBonjour 2 0 65535
  acl rule source address BlockBonjour 1 0.0.0.0 0.0.0.0
  acl rule source address BlockBonjour 2 0.0.0.0 0.0.0.0
  acl rule source port range BlockBonjour 1 0 65535
  acl rule source port range BlockBonjour 2 0 65535
  acl rule direction BlockBonjour 1  In 
  acl rule direction BlockBonjour 2 Any 
  acl rule dscp BlockBonjour 1  Any 
  acl rule dscp BlockBonjour 2  Any 
  acl rule protocol BlockBonjour 1  Any 
  acl rule protocol BlockBonjour 2  Any 
  acl apply BlockBonjour ipv6 acl create BlockAllIPv6
  ipv6 acl apply BlockAllIPv6
  ipv6 acl rule add BlockAllIPv6 1
  ipv6 acl rule action BlockAllIPv6 1 deny
  ipv6 acl rule destination address BlockAllIPv6 1 :: 0
  ipv6 acl rule destination port range BlockAllIPv6 1 0 65535
  ipv6 acl rule source address BlockAllIPv6 1 :: 0
  ipv6 acl rule source port range BlockAllIPv6 1 0 65535
  ipv6 acl rule direction BlockAllIPv6 1 Any 
  ipv6 acl rule dscp BlockAllIPv6 1  Any 
  ipv6 acl rule protocol BlockAllIPv6 1 Any
  ipv6 acl apply BlockAllIPv6
  Apply to wlan:  The wlan index is used in this case, the first wlan created on controller
  wlan acl 1 BlockBonjour
  wlan ipv6 acl 1 BlockAllIPv6

• One WLC 5508, Multiple Sites/Networks

  So I'm trying to think this design out in my head.  Here is what I have:
  Corp Office with a WLC 5508 configured with a management port and a guest WLAN port for guest wireless etc to the corp Layer 3 switch in a wireless VLAN, using 802.1q trunk of course.  The WLC is configured to be a DHCP server for the Guest WLAN.
  (Side note:  the sites are connected using WAN routers at each location configured with bundled T3's and all routes are setup and each network successfully traverses to the other)
  First phase will be to install 30 APs.  5 at the corporate office and 25 and two other sites.  I'm using a class A network but have subnetted the networks so to speak to make each site have multiple VLANs using class C networks.  I want to be able to implement the WLC 5508 at the corporate office and manage the APs centrally at all locations.  The APs are already configured for lightweight mode and I have successfully configured 5 of them and connected. 
  My question is if I install the other 25 APs at the other 2 offsite locations and connect them to the network, will it automatically contact the WLC and get a DHCP address from the Corporate WLAN DHCP even though it is at another site?  Am I overlooking a step or configuration method for this type of implementation?
  Thanks for all contributions!

  Ok so I have configured my environment as suggested.  I can see the new IP Address lease to the AP at my remote site on
  the DHCP Server (Windows Server DHCP at the remote site).  I can ping that IP from the Central office to the remote site however the WIreless Controller is not associating the AP at all.  Although I can ping the AP from the WLC.  I checked the logs and I dont see any association attempt from that IP or MACt.  So here is what I have:
  Central Site-
       WLC 5508 With Internal DHCP for local APs
       APs associating successfully
  Remote Site
       Windows DHCP with Option 43 Configured per Cisco AP Option 43 Whitepaper
       AP 1142-Light-Weight attached to switchport (Wireless Vlan configured) and reachable via ping through all of network.
       AP obtained IP from Windows DHCP from Wireless Scope I configured successfully.
  So it doesn't seem the CAPWAP tunnel was built successfully.  I do have an ASA 5520 in the environment but all traffic to remote sites is wide open as I do not block any ports so CAPWAP traffic should flow well.
  Mission a step?
  Dee

• WLC 5508 webauth_bundle

  Hi
  I'm trying to upload webauth_bundle-1.0.2.zip file on WLC 5508 controller with software version 7.0.220.0 via tftp server.
  First the controller says that "Unknown bundle type. Valid bundle is a tar file." so I unzip file and create a tar file and now WLC says
  "Error: Webauth Bundle file transfer failed - File is too big".
  Could someone help me
  thanks

  Antonello,
  What you need to do is extract the webauth_bundle-1.0.2.zip file. This zip files has all the different types of webauth or pasthrough examples and login.tar files. Take a look at the readme.html file inside of the zip and that will explain the different bundles. When you decide on one, you can upload the login.tar file.
  These examples allowyou to customize them. Hope this helps.

• WLC 5508 AP authorization

                     Hello Forum Team!
  Wich is the best way to filter out unwanted ap's to join a specific WLC? For example, I have a WLC 5508 cluster with four ap's already joined and registered but other surrounding ap's from other WLC clusters are starting to register with this new cluster. Which is the best way to prevent these ap's to register with this new WLC cluster? MAC address filter list or ap authorization list?
  Thanks in advanced for your great support!

  Hi Nephtali,
  1. You can use the Authorize AP's against AAA function to make sure that all the AP's registering to your WLC are authorized AP's of the network.  By enabling this feature, only those AP's whose mac-addresses are present in the authorization list, will be able to register to the WLC.
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#backinfo
  2. AP priming and Rouge Rules.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a00808e2d27.shtml
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70rrm.html#wp1180349
  Regards
  Dont forget to rate helpful posts

• WLC 5508 7.0.98.0 problem with locpRxServerTask missed software watchdog

  Hi
  today my wlc 5508 crash. after trying to get access via sp. i doesnt reponds. so i rebooted. in the sh tech i saw this message which i gues indicates the RC of the failure.    ANY IDEAS...
  *             Start Cisco Crash Handler Serv               *
  Sys Name:       usa-5354-wlc-02
  Model:          AIR-CT5508-K9
  Version:        7.0.98.0
  Timestamp:      Thu Jan  5 05:43:13 2012
  SystemUpTime:   254 days 4 hrs 46 mins 24 secs
  pid:            1225
  TID:            944042816
  Task Name:      locpRxServerTask
  Reason:         Reaper Reset
  timer tcb:      0x2572
  timer cb:       0x10354e28 ('rrmTimerInit+600')
  timer arg1:     0x19b11010
  timer arg2:     0x0
  Long time taken timer call back inforamtion:
  --More-- or (q)uit
  Time Stamp:     Thu Sep 22 15:56:24 2011
  timer cb:       0x100d6f48 ('apfRldpScheduleSet+656')
  Duration  : 103753 usecs, cbCount= 15
  Analysis of Failure:
    Software was stopped by the reaper for the following reason:
       Reaper Reset: Task "locpRxServerTask" missed software watchdog

  May be here is the bug that u r hitting..
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti21343
  Upgrade the image to the latest that we have (7.0.220)
  Please dont forget to rate the useful posts!!
  Regards
  Surendra