WLC 5508 RADIUS authentication fail

I am trying to set up a wireless LAN for the first time using a 5508. All is working to a point, until I try to set up client authentication using the following settings.
Layer WLAN settings:
Layer 2 security: WPA+WPA2
AES
Auth key mgmt: 802.1x
We have the authentication server enabled:
IP and port are correct
AAA override not enabled
Order for authentication: RADIUS only
Advanced: default settings
RADIUS authentication servers:
Call Station ID Type: IP address
MAC Delimiter: Colon
*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
*radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
Radius server occasionally sees attempts from user "XXZZYY"

Osvaldo,
Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
Quote:
Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
AAA server defined on WLAN takes precedence over global.
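
Added example, not part of the original thread and not Cisco tooling: a small Python triage over the failure messages quoted in the question, separating the client-to-controller leg (no reply to EAP identity requests) from the controller-to-RADIUS leg (no reply from the server). The sample lines are constructed with documentation-range addresses, and the function and verdict names are assumptions; it also accepts the trap-log wording of the same RADIUS message, which goes beyond the lines quoted in the question.

```python
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Controller -> RADIUS leg: the server never answered an Access-Request.
# Accepts the message-log wording ("request(ID n) for STA ...") and the
# trap-log wording ("request  (ID n) for client ...").
RADIUS_TIMEOUT = re.compile(
    r"RADIUS server (?P<server>\S+?:\d+) failed to respond to request\s*"
    r"\(ID \d+\) for (?:STA|client) (?P<mac>" + MAC + r") / user '(?P<user>[^']*)'",
    re.IGNORECASE,
)
# Client -> controller leg: the supplicant never answered the identity request.
EAP_IDENTITY_TIMEOUT = re.compile(
    r"Max EAP identity request retries \(\d+\) exceeded for client (?P<mac>" + MAC + r")",
    re.IGNORECASE,
)
AUTH_ABORTED = re.compile(
    r"Authentication aborted for client (?P<mac>" + MAC + r")", re.IGNORECASE
)

# Constructed sample: addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 192.0.2.10:1812 failed to respond to request(ID 115) for STA 00:00:5e:00:53:01 / user 'unknownUser'
*radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 192.0.2.10:1812 failed to respond to request(ID 114) for STA 00:00:5e:00:53:01 / user 'unknownUser'
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:00:5e:00:53:01
*Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:00:5e:00:53:01
*Dot1x_NW_MsgTask_2: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:00:5E:00:53:02
RADIUS server 192.0.2.10:1812 failed to respond to request  (ID 78) for client 00:00:5e:00:53:03 / user 'unknown'
"""


def triage(log_text):
    """Return {client_mac: summary} for every client named in a failure line."""
    seen = defaultdict(lambda: {"radius": Counter(), "eap_identity": 0, "aborted": 0})
    for line in log_text.splitlines():
        if m := RADIUS_TIMEOUT.search(line):
            seen[m["mac"].lower()]["radius"][m["server"]] += 1
        elif m := EAP_IDENTITY_TIMEOUT.search(line):
            seen[m["mac"].lower()]["eap_identity"] += 1
        elif m := AUTH_ABORTED.search(line):
            seen[m["mac"].lower()]["aborted"] += 1

    report = {}
    for mac, c in seen.items():
        server_leg = sum(c["radius"].values()) > 0
        client_leg = c["eap_identity"] > 0
        if server_leg and client_leg:
            verdict = "both_legs_stalled"
        elif server_leg:
            verdict = "radius_server_silent"
        elif client_leg:
            verdict = "client_silent"
        else:
            verdict = "aborted_only"
        report[mac] = {
            "radius_timeouts": dict(c["radius"]),
            "eap_identity_timeouts": c["eap_identity"],
            "aborted": c["aborted"],
            "verdict": verdict,
        }
    return report


def clients_per_server(report):
    """Count distinct clients with at least one unanswered request per server."""
    impact = Counter()
    for summary in report.values():
        for server in summary["radius_timeouts"]:
            impact[server] += 1
    return dict(impact)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for mac, summary in sorted(result.items()):
        print(mac, summary)
    print(clients_per_server(result))
```

A server that shows unanswered requests for many distinct clients points the investigation at the RADIUS side (its own logs, as suggested elsewhere on this page), while a client that only ever exhausts identity retries never reached the server at all.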

Similar Messages

  • WLC 5508 WPA Authentication Problems

    Hello,
    We have a WLC 5508 with 7.4.100.0 Firmware.
    We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES authentication. The clients receive a password error on their laptops, and we receive the following log on the WLC:
    Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    The strange thing is that the problem is solved by restarting the access points.
    Has anyone had this problem previously?
    Thanks in advance.

    I made the configuration using the Cisco recommended settings. The strange thing is that the users connect normally until they start having authentication problems. I restart the access points and the problem is solved.
    Cisco Recommended  and not recommended Authentication Settings
    Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:
    These images provide examples of incompatible settings for TKIP and AES:
    Note: Be aware that security settings permit unsupported features.
    These images provide examples of compatible settings:

  • WLC 5508 Radius Server

    What is the authentication list precedence for RADIUS authentication?
    global list       network user checkbox
    per wlan        aaa server add
    global list       network user uncheck
    I have 3 RADIUS servers, 2 of which are used for global authentication (all APs are HREAP) and a 3rd one used only for 1 site. When the first 2 RADIUS servers fail, the WLC uses the 3rd one, but the 3rd only has a database for 1 site's users.
    Do I need to uncheck the network user checkbox on the 3rd RADIUS server, create an HREAP group and then associate the 3rd one? I don't want the global list to be able to take the 3rd RADIUS server as a normal global RADIUS server. Any comments?

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • Local Radius Authentication - Fails

    Hello all,
    Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
    Client Adapter ABG (PCI)
    I am new to wireless LAN configuration with Aironet products (first project). I am configuring an access point for a small LAN and I cannot get local RADIUS authentication working. The password always fails if I try:
    test aaa group radius xxxxx port 1812 new-code
    although the password is matching.
    Another thing is that in the configuration, it always defaults to 'nthash' mode. Is this normal? In other words, if I type:
    radius-server local
    user dgarnett password xxxx
    when i do a 'show run' it displays as
    user xxxx
    I also get the following during a debug:
    There is no RADIUS DB Some Radius attributes may not be stored
    Any help greatly appreciated.
    ap#test aaa group radius dgarnett 123456789 port 1812 new-code
    Trying to authenticate with Servergroup radius
    User rejected
    ap#
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
    Feb 19 20:57:44.535: RADIUS(00000000): sending
    Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
    Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
    Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
    Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
    Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
    Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
    Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
    Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
    Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
    Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
    Feb 19 20:57:44.538: RADIUS: State [24] 50
    Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
    Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
    Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
    Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
    Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
    Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

    Just as an update: I set this up authenticating to an external (ACSNT) RADIUS server and it authenticates successfully. But it still will not for the local dbase. My goal is to use the corporate ACS as primary and the local as backup. I think my problem has to do with the RADIUS attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise, as I am not new to security practices and wireless, but I am new to Cisco wireless networking.

  • WLC 5508 Local Authentication- need guidance

    Hi formers'
    I have the combo of WLC 5508 (ver 7.0) and AP1041n, and just want to ask how I can do local authentication.
    The environment doesn't have ACS or directory services (AD or LDAP).
    Requirement:
    Say I have one WLAN named "admin". Whenever a user wants to connect to this SSID, they need to be prompted for username/password.
    The user's entry is stored at the WLC.
    I create the user at local net user, and map it to the appropriate WLAN.
    At the WLAN, I enable local EAP and select the profile that I created.
    PROBLEM STATEMENT:
    The moment I test, it always prompts to input EAP-TTLS domain\username, password (token).
    Question
    a. Has anything gone wrong with my settings? How does local authentication really work with no ACS and directory services running at the back?
    b. Can you please post any useful document URL or any supportive info? It will be very helpful.
    Thanks
    Noel

    Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
    You could also follow the WLC config guide in the "Local eap" chapter.
    The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

  • WLC 4402 RADIUS Authentication with IAS

    Hello
    I configured a WLAN with PEAP (CHAP v2) and RADIUS authentication to a Win 2003 IAS RADIUS server.
    On the 4402 controller the layer 2 security is set to WPA1+WPA2 with 802.1x authentication.
    The IAS server doesn't use the configured policy when an authentication request arrives.
    Is there an issue with special RADIUS attributes or configuration items on the IAS server?
    The following event appear in the windows logs:
    User STANS\kaesmr was denied access.
    Fully-Qualified-User-Name = STANS\kaesmr
    NAS-IP-Address = 172.17.25.6
    NAS-Identifier = keynet-01
    Called-Station-Identifier = 00-18-74-FB-CA-20:keynet
    Calling-Station-Identifier = 00-16-CE-52-C8-EB
    Client-Friendly-Name = Wireless-Controller
    Client-IP-Address = 172.17.25.6
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Windows-Authentifizierung für alle Benutzer verwenden
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = Extension
    EAP-Type = <undetermined>
    Reason-Code = 21
    Reason = The request was rejected by a third-party extension DLL file.

    What I understand from your post is that the authentication is not handled by your IAS server. If I am correct, the problem might be with the "Allow AAA override" option disabled in your WLAN. If it is enabled, then the AAA server or your IAS server will override the security parameters set locally on the controller.
    So, first ensure whether "Allow AAA override" is enabled under Controller--->WLAN field.
    Also, check out the logs of the IAS server for obtaining more info on this.

  • WLC log RADIUS server failed to respond to request

    I keep getting the same couple of MACs failing. I was hoping somebody has more insight about this. The RADIUS server is pingable from the WLC. People are authenticating. Please let me know what log I should provide. Thank you in advance.
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'
    Thu Feb 20 16:22:06 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'
    Thu Feb 20 16:22:00 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 75) for client 24:77:03:26:86:7c / user 'unknown'
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    Thu Feb 20 16:21:59 2014
    RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'

    You should look at the ACS logs as that will give you a better idea of the failure.
    Sent from Cisco Technical Support iPhone App

  • WLC 5508 AD authentication for management

    Hi,
    I was wondering if it is possible to set up a 5508 to authenticate to AD for management.  Currently, all of our Cisco devices authenticate to AD through NPS running on a windows 2008 server and if the server is unavailable, they failover to local authentication.  I'd like to do this on our new controller but I can't seem to find the correct info on how to do this, if it can.  All my searches result in instructions on how to authenticate wireless users.
    Thanks

    Yes, you can via NPS (RADIUS), which then ties into AD. Here is a Cisco example document:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml
    I hope this helps...

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
    Sent from Cisco Technical Support iPhone App

  • WLC 5508 DNS discovery fails. After a ping it works!

    Hello guys,
    I have a deployment with a 5508 HA cluster. The APs (2702) should be discovered with DNS. I get only the message:
    %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP
    When I ping the controller:
    ping cisco-capwap-controller
    The AP gets discovered. I tried this with 3 APs. Every time the same behavior.
    Does anybody know that?
    Regards Stefan

    Hi Stefan,
    I would configure DHCP option 43, in that way AP will get WLC info as part of DHCP assignment,
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC 5508 and Microsoft Radius Server 2008

    Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
    I have couple of questions:
    1, Does WLC 5508 support MS NPS on Server 2008 R2?
    2, Are there any good documents showing how to configure this?
    Thanks

    Hadisharifi,
    There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
    Configure the WLC for RADIUS Authentication through an External RADIUS Server
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
    For the NPS side configuration, you may consider the attached document.
    Regds,
    JK
    Do rate helpful posts-

  • WLC 5508 do not Join CAP2602E

    Dear All,
    My WLC, a 5508 version 8.0.100.0, does not join a CAP2602E; it is the first time that I connect this model of AP to the WLC.
    I have enabled some debugs and I see that on the controller I got the "Unknown AP type. Using Controller Version!!!" error on the WLC.
    Following the troubleshooting guidelines about the join issue, I have also checked this:
    (Cisco Controller) >show ap join stats detailed 84:80:2d:c2:9c:90  <-----This is the 2602E Mac
    Sync phase statistics
    - Time at sync request received............................ Not applicable
    - Time at sync completed................................... Not applicable
    Discovery phase statistics
    - Discovery requests received.............................. 75
    - Successful discovery responses sent...................... 75
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Dec 02 16:43:17.470
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 0
    - Successful join responses sent........................... 0
    - Unsuccessful join request processing..................... 0
    - Reason for last unsuccessful join attempt................ Not applicable
    - Time at last successful join attempt..................... Not applicable
    - Time at last unsuccessful join attempt................... Not applicable
    Configuration phase statistics
    --More-- or (q)uit
    - Configuration requests received.......................... 0
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    - Last AP disconnect reason................................ Not applicable
    Last join error summary
    - Type of error that occurred last......................... None
    - Reason for error that occurred last...................... Not applicable
    - Time at which the last join error occurred............... Not applicable
    AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    WLC Policy config is:  Can someone help, please?

    Dear All,
    I have done other tests, and I hope this time I will be more precise.
    The APs are on the same VLAN where the WLC is located.
    I found a way to work around the problem.
    If I take an out-of-the-box AP and connect it on the same VLAN as the WLC, and after the boot I configure on the AP:
    capwap ap ip address 172.xx.xx.xx mask
    capwap ap ip default-gateway 172.xx.xx.xx
    capwap ap controller ip address ip_addressxx.xx.xx.xx
    capwap ap primary-base controller_name controller_ip_address
    The AP tries to join the WLC but with no success:
    User Access Verification
    Username: cisco
    Password:
    AP1c6a.7ae2.ab11>en
    Password:
    % Access denied
    AP1c6a.7ae2.ab11>en
    Password:
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#capwap
    AP1c6a.7ae2.ab11#capwap ap
    AP1c6a.7ae2.ab11#capwap ap controll
    AP1c6a.7ae2.ab11#capwap ap controller ip address 172.26.110.4
    AP1c6a.7ae2.ab11#capwap ap controller ip address 172.26.110.4                                  prima
    AP1c6a.7ae2.ab11#capwap ap primary-base wlc01 172.26.110.4
    AP1c6a.7ae2.ab11#capwap ap primary-base wlc01 172.26.110.4controller ip address 172.26.110.4                                  ip addess
    AP1c6a.7ae2.ab11#capwap ap ip addess      
    AP1c6a.7ae2.ab11#capwap ap ip
    *Mar  1 00:03:56.479: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
    *Mar  1 00:03:56.479: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
    *Mar  1 00:03:56.479: %MESH-6-LINK_UPDOWN: Mesh station 1c6a.7ae2.ab11 link Down
    *Mar  1 00:03:58.479: %LINK-6-UPDOWN: Interface BVI1, changed state to down
    *Mar  1 00:03:59.479: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
    % Incomplete command.
    AP1c6a.7ae2.ab11#capwap ap ip ?
      address          Configure ap static IP address
      default-gateway  Configure Default-gateway IP address
    AP1c6a.7ae2.ab11#capwap ap ip defa
    AP1c6a.7ae2.ab11#capwap ap ip default-gateway 172.26.110.1
    AP1c6a.7ae2.ab11#capwap ap ip default-gateway 172.26.110.1                            address\
    AP1c6a.7ae2.ab11#capwap ap ip address 172.26.110.
    *Mar  1 00:04:39.891: %IP-4-CLASS: Bad IP address and mask 0.0.0.0/0 in class_resolve()
    *Mar  1 00:04:40.391: %MESH-6-CAPWAP_RESTART: Mesh Capwap re-started
    *Mar  1 00:04:41.555: %CAPWAP-3-ERRORLOG: Invalid event 29 & state 4 combination.
    *Mar  1 00:04:41.555: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 29, state 4
    *Mar  1 00:04:41.555: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Mar  1 00:04:41.555: %CAPWAP-3-ERRORLOG: Failed to process timer message.
    *Mar  1 00:04:42.391: %LINK-6-UPDOWN: Interface BVI1, changed state to up
    *Mar  1 00:04:43.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    *Mar  1 00:04:45.439: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar  1 00:04:45.447: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:04:45.467: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:04:46.439: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:04:46.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:04:46.479: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:04:47.499: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:04:48.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up?
    A.B.C.D  
    AP1c6a.7ae2.ab11#capwap ap ip address 172.26.110.30 255.255.254.0
    You should configure Domain and Name Server from controller CLI/GUI.
    AP1c6a.7ae2.ab11#
    *Mar  1 00:05:16.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to downsh
    *Mar  1 00:05:16.507: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:05:17.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:05:17.527: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:05:18.527: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    % Type "show ?" for a list of subcommands
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#sh cap
    AP1c6a.7ae2.ab11#sh cap
    *Mar  1 00:05:26.467: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Mar  1 00:05:26.467: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:46:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to downw
    AP1c6a.7ae2.ab11#sh capwap
    *Dec  4 07:46:23.011: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:46:23.707: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.707: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:46:23.711: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:46:23.711: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:46:23.711: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:46:23.711: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:46:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:23.319: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:23.723: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.723: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:46:23.727: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:46:23.727: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:46:23.727: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:46:23.727: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:46:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.627: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:23.635: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:23.719: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.719: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:46:23.723: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:46:23.723: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:46:23.723: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:46:23.723: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:46:23.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.723: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:46:23.727: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:46:24.327: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:24.335: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:24.343: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:46:24.467: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.9 peer_port: 5246
    *Dec  4 07:46:24.467: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.9
    *Dec  4 07:46:24.467: %CAPWAP-3-ERRORLOG: Invalid event 10 & state 5 combination.
    *Dec  4 07:46:24.467: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 10 state 5.
    *Dec  4 07:46:24.467: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Dec  4 07:46:24.467: %CAPWAP-3-ERRORLOG: Failed to process encrypted capwap packet from 172.26.110.9
    *Dec  4 07:46:25.363: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:25.371: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:25.379: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:46:26.399: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:27.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:29.467: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.9
    *Dec  4 07:46:29.471: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:29.479: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:46:30.471: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Dec  4 07:46:30.499: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:46:31.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    % Incomplete command.
    AP1c6a.7ae2.ab11#sh capwap
    AP1c6a.7ae2.ab11#sh capwap ip
    AP1c6a.7ae2.ab11#sh capwap ip ?
      config  CAPWAP IP static configuration
    AP1c6a.7ae2.ab11#sh capwap ip con
    AP1c6a.7ae2.ab11#sh capwap ip config
    LWAPP Static IP Configuration
    IP Address         172.26.110.30  
    IP netmask         255.255.254.0  
    Default Gateway    172.26.110.1   
    Primary Controller 172.26.110.4   
    AP1c6a.7ae2.ab11#
    *Dec  4 07:47:22.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.9:5246
    *Dec  4 07:47:23.035: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led state 255
    *Dec  4 07:47:23.047: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Dec  4 07:47:23.071: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:47:24.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Dec  4 07:47:24.079: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:47:24.087: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:47:25.107: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:47:26.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Dec  4 07:47:33.071: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:47:33.071: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:47:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.003: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:47:36.011: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Dec  4 07:47:36.711: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.715: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:47:36.715: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:47:36.715: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:47:36.715: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:47:36.715: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:47:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.287: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Dec  4 07:47:36.315: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:47:36.719: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.719: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:47:36.723: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:47:36.723: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:47:36.723: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Dec  4 07:47:36.723: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:47:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.627: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Dec  4 07:47:36.635: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Dec  4 07:47:36.719: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:47:36.719: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4
    *Dec  4 07:47:36.723: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.26.110.4
    *Dec  4 07:47:36.723: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.26.110.4:5246
    *Dec  4 07:47:36.723: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    On the WLC side at the same time:
    *spamApTask0: Dec 04 08:46:34.619: ðcIÝ
    *spamApTask0: Dec 04 08:46:34.619: f0:9e:63:49:dd:a0 Radius Authentication failed. Closing dtls Connection.
    *spamApTask0: Dec 04 08:46:34.627: Unable to find deleted AP f0:9e:63:49:dd:a0
    *spamApTask0: Dec 04 08:46:34.628: 1c:6a:7a:e2:ab:11 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.26.110.30:10930)since DTLS session is not established
    *spamApTask0: Dec 04 08:46:35.345: f0:9e:63:49:dd:a0 State machine handler: Failed to process  msg type = 3 state = 0 from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:35.346: 1c:6a:7a:e2:ab:11 Failed to parse CAPWAP packet from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:35.346: ðcIÝ
    *spamApTask0: Dec 04 08:46:35.346: f0:9e:63:49:dd:a0 Radius Authentication failed. Closing dtls Connection.
    *spamApTask0: Dec 04 08:46:35.354: Unable to find deleted AP f0:9e:63:49:dd:a0
    *spamApTask0: Dec 04 08:46:35.354: 1c:6a:7a:e2:ab:11 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.26.110.30:10930)since DTLS session is not established
    *spamApTask0: Dec 04 08:46:36.070: f0:9e:63:49:dd:a0 State machine handler: Failed to process  msg type = 3 state = 0 from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:36.070: 1c:6a:7a:e2:ab:11 Failed to parse CAPWAP packet from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:36.071: ðcIÝ
    *spamApTask0: Dec 04 08:46:36.071: f0:9e:63:49:dd:a0 Radius Authentication failed. Closing dtls Connection.
    *spamApTask0: Dec 04 08:46:36.079: Unable to find deleted AP f0:9e:63:49:dd:a0
    *spamApTask0: Dec 04 08:46:36.080: 1c:6a:7a:e2:ab:11 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.26.110.30:10930)since DTLS session is not established
    *spamApTask0: Dec 04 08:46:36.799: f0:9e:63:49:dd:a0 State machine handler: Failed to process  msg type = 3 state = 0 from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:36.799: 1c:6a:7a:e2:ab:11 Failed to parse CAPWAP packet from 172.26.110.30:10930
    *spamApTask0: Dec 04 08:46:36.799: ðcIÝ
    *spamApTask0: Dec 04 08:46:36.799: f0:9e:63:49:dd:a0 Radius Authentication failed. Closing dtls Connection.
    *spamApTask0: Dec 04 08:46:36.807: Unable to find deleted AP f0:9e:63:49:dd:a0
    *spamApTask0: Dec 04 08:46:36.808: 1c:6a:7a:e2:ab:11 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  172.26.110.30:10930)since DTLS session is not established
    *spamApTask1: Dec 04 08:47:36.875: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Dec 04 08:47:36.876: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Dec 04 08:47:36.876: Unknown AP type. Using Controller Version!!!
    *spamApTask1: Dec 04 08:47:36.876: Unknown AP type. Using Controller Version!!!
    But if I take the same AP, unplug the power cord, and press the MODE button, then I go into Rommode, I run the boot command, the AP restarts, I configure the same capwap ap commands again, and the AP joins the WLC! Can someone explain to me why?
    AP1c6a.7ae2.ab11#
    IOS Bootloader - Starting system.
    flash is writable
    FLASH CHIP:  Macronix Mirrorbit (00C2)
    Xmodem file system is available.
    flashfs[0]: 42 files, 8 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 31997952
    flashfs[0]: Bytes used: 11515904
    flashfs[0]: Bytes available: 20482048
    flashfs[0]: flashfs fsck took 16 seconds.
    Reading cookie from SEEPROM
    Base Ethernet MAC address: 1c:6a:7a:e2:ab:11
    Ethernet speed is 100 Mb - FULL Duplex
    button is pressed, wait for button to be released...
    button pressed for 24 seconds
    process_config_recovery: set IP address and config to default 10.0.0.1
    process_config_recovery: image recovery
    image_recovery: Download default IOS tar image tftp://255.255.255.255/ap3g2-k9w7-tar.default
    examining image...
    DPAA Set for Independent Mode
    DPAA_INIT = 0x0
    %Error opening tftp://255.255.255.255/ap3g2-k9w7-tar.default (connection timed out)ap:
    ap:
    ap:
    ap:
    ap:
    ap:
    ap: boot
    Rebooting system to reset DPAA...
    IOS Bootloader - Starting system.
    flash is writable
    FLASH CHIP:  Macronix Mirrorbit (00C2)
    Xmodem file system is available.
    flashfs[0]: 42 files, 8 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 31997952
    flashfs[0]: Bytes used: 11515904
    flashfs[0]: Bytes available: 20482048
    flashfs[0]: flashfs fsck took 15 seconds.
    Reading cookie from SEEPROM
    Base Ethernet MAC address: 1c:6a:7a:e2:ab:11
    Ethernet speed is 100 Mb - FULL Duplex
    Loading "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-mx.152-4.JA1"...###########################
    File "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-mx.152-4.JA1" uncompressed and installed, entry point: 0x2003000
    executing...
    Secondary Bootloader - Starting system.
    Xmodem file system is available.
    flashfs[0]: 42 files, 8 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 31997952
    flashfs[0]: Bytes used: 11515904
    flashfs[0]: Bytes available: 20482048
    flashfs[0]: flashfs fsck took 8 seconds.
    Base Ethernet MAC address: 1c:6a:7a:e2:ab:11
    Boot CMD: 'boot  flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1'
    Loading "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1"...###############################
    File "flash:/ap3g2-k9w8-mx.152-4.JA1/ap3g2-k9w8-xx.152-4.JA1" uncompressed and installed, entry point: 0x2003000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 22:57 by prod_rel_team
    Initializing flashfs...
    flashfs[3]: 42 files, 8 directories
    flashfs[3]: 0 orphaned files, 0 orphaned directories
    flashfs[3]: Total bytes: 31739904
    flashfs[3]: Bytes used: 11515904
    flashfs[3]: Bytes available: 20224000
    flashfs[3]: flashfs fsck took 8 seconds.
    flashfs[3]: Initialization complete.
    flashfs[4]: 0 files, 1 directories
    flashfs[4]: 0 orphaned files, 0 orphaned directories
    flashfs[4]: Total bytes: 11999232
    flashfs[4]: Bytes used: 1024
    flashfs[4]: Bytes available: 11998208
    flashfs[4]: flashfs fsck took 0 seconds.
    flashfs[4]: Initialization complete.
    Copying radio files from flash: to ram:
    Copy in progress...CCCCC
    Copy in progress...CCC
    Copy in progress...CCCC
    Copy in progress...CCCC
    Copy in progress...CC
    Uncompressing radio files...
    ...done Initializing flashfs.
    Radio0  present 8764 8000 0 A8000000 A8010000 0
    Rate table has 244 entries (64 SGI/104 BF variants)
    Radio1  present 8764 8000 0 88000000 88010000 4
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    %Error opening flash:/ap3g2-rcvk9w8-mx/info (No such file or directory)cisco AIR-CAP2602E-E-K9 (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
    Processor board ID FCZ1843Q0WD
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.5.1.73
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 1C:6A:7A:E2:AB:11
    Part Number                          : 73-14511-03
    PCA Assembly Number                  : 800-37898-01
    PCA Revision Number                  : B0
    PCB Serial Number                    : FOC18403PBM
    Top Assembly Part Number             : 800-38357-02
    Top Assembly Serial Number           : FCZ1843Q0WD
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602E-E-K9   
    % Please define a domain-name first.
    Press RETURN to get started!
    *Mar  1 00:00:11.299: FIPS IOS test Image Checksum successful
    *Mar  1 00:00:11.299: FIPS IOS test Crypto RNG DEK Key Test successful
    *Mar  1 00:00:11.299: FIPS IOS test SHA-1 successful
    *Mar  1 00:00:11.299: FIPS IOS test HMAC-SHA1 successful
    *Mar  1 00:00:11.299: FIPS IOS test AES CBC 128-bit Encrypt successful
    *Mar  1 00:00:11.299: FIPS IOS test AES CBC 128-bit Decrypt successful
    *Mar  1 00:00:11.299: FIPS IOS test IOS AES CMAC Encrypt successful
    *Mar  1 00:00:11.299: FIPS IOS test IOS CCM Encrypt successful
    *Mar  1 00:00:11.299: FIPS IOS test IOS CCM Decrypt successful
    *Mar  1 00:00:11.331: FIPS IOS test RSA Signature Generation successful
    *Mar  1 00:00:11.335: FIPS IOS test RSA Signature Verification successful
    *Mar  1 00:00:11.335: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:11.335: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such file or directory
    *Mar  1 00:00:11.791: Registering HW DTLS
    *Mar  1 00:00:14.591: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:18.271: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 0 successful
    *Mar  1 00:00:18.271: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.271: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.271: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 0 successful
    *Mar  1 00:00:18.271: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:24.399: FIPS RADIO test AES 128-bit encrypt for TX on Dot11Radio 1 successful
    *Mar  1 00:00:24.399: FIPS RADIO test AES 128-bit CCM encrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.399: FIPS RADIO test AES 128-bit CCM decrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.399: FIPS RADIO test AMAC AES 128-bit CMAC encrypt on Dot11Radio 1 successful
    *Mar  1 00:00:24.399: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:24.483: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
    *Mar  1 00:00:26.831: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Mar  1 00:00:26.859: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C2600 Software (AP3G2-K9W8-M), Version 15.2(4)JA1, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Tue 30-Jul-13 22:57 by prod_rel_team
    *Mar  1 00:00:26.859: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
    *Mar  1 00:00:26.915: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:26.923: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg
    *Mar  1 00:00:26.923: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default config
    *Mar  1 00:00:26.927: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:00:26.939: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
    *Mar  1 00:00:27.031: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:00:27.031: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:27.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    *Mar  1 00:00:27.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:28.035: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:00:28.083: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:29.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:29.159: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:29.167: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:29.175: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:30.063: FIPS HW test SHA-1 successful
    *Mar  1 00:00:30.063: FIPS HW test HMAC-SHA1 successful
    *Mar  1 00:00:30.063: FIPS HW test AES CBC 128-bit Encrypt successful
    *Mar  1 00:00:30.063: FIPS HW test AES CBC 128-bit Decrypt successful
    *Mar  1 00:00:30.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:30.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:30.195: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:30.563: FIPS HW test SHA-1 successful
    *Mar  1 00:00:30.563: FIPS HW test HMAC-SHA1 successful
    *Mar  1 00:00:30.563: FIPS HW test AES CBC 128-bit Encrypt successful
    *Mar  1 00:00:30.563: FIPS HW test AES CBC 128-bit Decrypt successful
    *Mar  1 00:00:30.563: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
    *Mar  1 00:00:30.563: DPAA Initialization Complete
    *Mar  1 00:00:30.563: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
    *Mar  1 00:00:31.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:31.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up%Default route without gateway, if not a point-to-point interface, may impact performance
    *Mar  1 00:00:55.703: Logging LWAPP message to 255.255.255.255.
    Not in Bound state.
    *Mar  1 00:01:55.707: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    User Access Verification
    Username: cisco
    Password:
    AP1c6a.7ae2.ab11>en
    Password:
    AP1c6a.7ae2.ab11#sh capwap
    AP1c6a.7ae2.ab11#sh capwap ip
    AP1c6a.7ae2.ab11#sh capwap ip con
    AP1c6a.7ae2.ab11#sh capwap ip config
    LWAPP Static IP Configuration
    AP1c6a.7ae2.ab11#
    Not in Bound state.
    *Mar  1 00:02:45.707: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#cap
    AP1c6a.7ae2.ab11#capwap ap
    AP1c6a.7ae2.ab11#capwap ap co
    AP1c6a.7ae2.ab11#capwap ap controller 172.26.110.4
                                          ^
    % Invalid input detected at '^' marker.
    AP1c6a.7ae2.ab11#capwap ap controller 172.26.110.4i172.26.110.4p172.26.110.4 172.26.110.4a172.26.110.4d172.26.110.4d172.26.110.4r172.26.110.4e172.26.110.4s172.26.110.4s172.26.110.4 172.26.110.4
    AP1c6a.7ae2.ab11#capwap ap controller ip address 172.26.110.4                                    prim
    AP1c6a.7ae2.ab11#capwap ap prima
    AP1c6a.7ae2.ab11#capwap ap primary-base wlc01 172.2
    Not in Bound state.6.
    *Mar  1 00:03:35.707: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.110.4 ?
      <cr>
    AP1c6a.7ae2.ab11#capwap ap primary-base wlc01 172.26.110.4
    AP1c6a.7ae2.ab11#capwap ap primary-base wlc01 172.26.110.4                                 ip def
    AP1c6a.7ae2.ab11#capwap ap ip default-gateway 172.26.110.4 1
    AP1c6a.7ae2.ab11#capwap ap ip default-gateway 172.26.110.1                            add
    AP1c6a.7ae2.ab11#capwap ap ip address 172.26.110.30 255.255.254.0
    Not in Bound state.
    *Mar  1 00:04:25.707: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
    You should configure Domain and Name Server from controller CLI/GUI.
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#
    AP1c6a.7ae2.ab11#sh cap
    AP1c6a.7ae2.ab11#sh capw
    AP1c6a.7ae2.ab11#sh capwap ip
    AP1c6a.7ae2.ab11#sh capwap ip con
    Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
    AP1c6a.7ae2.ab11#sh capwap ip config
    LWAPP Static IP Configuration
    IP Address         172.26.110.30  
    IP netmask         255.255.254.0  
    Default Gateway    172.26.110.1   
    Primary Controller 172.26.110.4   
    AP1c6a.7ae2.ab11#
    *Mar  1 00:04:47.067: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    examining image...!
    extracting info (283 bytes)
    Image info:
        Version Suffix: k9w8-.153-3.JA
        Image Name: ap3g2-k9w8-mx.153-3.JA
        Version Directory: ap3g2-k9w8-mx.153-3.JA
        Ios Image Size: 225792
        Total Image Size: 13455872
        Image Feature: WIRELESS LAN|LWAPP
        Image Family: AP3G2
        Wireless Switch Management Version: 8.0.100.0
    Extracting files...
    *Mar  1 00:04:57.067: %CAPWAP-3-ERRORLOG: Selected MWAR 'wlc01'(index 0).
    *Mar  1 00:04:57.067: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Dec  4 07:57:47.000: %CAPWAP-5-DTLSREQSEND: DT
    ap3g2-k9w8-mx.153-3.JA/ (directory) 0 (bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/V2.bin (12826 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/Y2.bin (5830 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/file_hashes (7254 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/8004.img (561134 bytes)!!!LS connection request sent peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:57:47.707: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.26.110.4 peer_port: 5246
    *Dec  4 07:57:47.707: %CAPWAP-5-SENDJOIN: sending Join Request to 172.26.110.4perform archive download capwap:/ap3g2 tar file
    *Dec  4 07:57:47.751: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
    *Dec  4 07:57:47.751: Loading file /ap3g2...
    extracting ap3g2-k9w8-mx.153-3.JA/U2.bin (6996 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/X5.bin (1566 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/final_hash.sig (513 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/R5.bin (3423 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/ap3g2-k9w8-tx.153-3.JA (73 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/R2.bin (13992 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/img_sign_rel_sha2.cert (1371 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/B2.bin (9328 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/info (283 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/F5.bin (3662 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/8006.img (563979 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ap3g2-k9w8-mx.153-3.JA/html/ (directory) 0 (bytes)
    ap3g2-k9w8-mx.153-3.JA/html/level/ (directory) 0 (bytes)
    ap3g2-k9w8-mx.153-3.JA/html/level/1/ (directory) 0 (bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/forms.js (20125 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/appsui.js (563 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/ap_home.shtml.gz (1370 bytes)!
    ap3g2-k9w8-mx.153-3.JA/html/level/1/images/ (directory) 0 (bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/images/info.gif (399 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/images/cisco-logo-2007.gif (1648 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/images/background_web41.jpg (732 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/images/login_homeap.gif (19671 bytes)!!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/images/itp-logo.png (2822 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/config.js (27254 bytes)!!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/sitewide.js (17250 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/officeExtendap.css (41801 bytes)!!!!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/back.shtml (512 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/1/config-oeap.js (779 bytes)
    ap3g2-k9w8-mx.153-3.JA/html/level/15/ (directory) 0 (bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapBanner.htm (7514 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapConfig.shtml.gz (2864 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapSummary.htm (985 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapHelp.htm (5721 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapMain.shtml.gz (3350 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/B5.bin (1963 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/E5.bin (1846 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/Y5.bin (1511 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/C2.bin (19822 bytes)!!
    extracting ap3g2-k9w8-mx.153-3.JA/final_hash (141 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/ap3g2-k9w8-xx.153-3.JA (11381713 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    *Dec  4 07:59:47.723: %CAPWAP-3-ERRORLOG: Invalid event 48 & state 10 combination.
    *Dec  4 07:59:47.723: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 48, state 10
    *Dec  4 07:59:47.723: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
    *Dec  4 07:59:47.723: %CAPWAP-3-ERRORLOG: Failed to process timer message.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    extracting ap3g2-k9w8-mx.153-3.JA/C5.bin (6936 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/ap3g2-k9w8-mx.153-3.JA (215867 bytes)!!!!!!!!!!!!!!!!!
    extracting ap3g2-k9w8-mx.153-3.JA/U5.bin (3048 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/img_sign_rel.cert (1375 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/Q5.bin (2806 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/X2.bin (16324 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/E2.bin (19822 bytes)!!
    extracting ap3g2-k9w8-mx.153-3.JA/Q2.bin (6996 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/ap3g2-bl-2600 (190140 bytes)!!!!!!!!!!!!!!
    extracting ap3g2-k9w8-mx.153-3.JA/V5.bin (512 bytes)
    extracting ap3g2-k9w8-mx.153-3.JA/F2.bin (13992 bytes)!
    extracting ap3g2-k9w8-mx.153-3.JA/ap3g2-bl-3600 (189183 bytes)!!!!!!!!!!!!!!!
    extracting info.ver (283 bytes)
    Deleting current version: flash:/ap3g2-k9w8-mx.152-4.JA1...
    Set booting path to recovery image: ''...done.
    New software image installed in flash:/ap3g2-k9w8-mx.153-3.JA
    Configuring system to use
    n
    e
    wW riimtaigneg. .o.udto nteh.e
    eavrecnhti vleo gd otwon lfolaads:h :t/aekveesn t1.5l1o gs e.c.o.n
    d
    s

  • WLC 5508- GUI Cert Error

    I tried installing a chained certificate for HTTPS access on the WLC 5508. It failed, and later I came to know it will only accept an unchained cert for management access. But now the problem is I could not get GUI access. It shows an error like "This server security certificate is revoked".
    What should I do now?

    Amjad,
    Do you mean this link for unchained certs?
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • EAP-TLS on WLC 5508 against IAS RADIUS

    Hi, has anyone experienced an issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS RADIUS server.
    I got an “Access-Accept” debug message received from the RADIUS server.
    However, the wireless client failed to connect.
    Below is part of the debug output from the WLC.
    Any feedback is welcome.
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, but the client still won't connect.
    Below is the output for the EAP advanced config:
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?
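The debug output above shows an Access-Accept followed by the same EAPOL-Key frame sent three times with replay counter 0, 1, 2 and no reply from the client. The Python sketch below is an added example, not part of the original post: it reassembles the hex dumps and flags that pattern. The sample lines, MAC address and function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the debug output above (MAC and nonce bytes are made up).
SAMPLE = """\
*Oct 07 15:08:24.405: 02:00:00:00:00:01 Sending 802.11 EAPOL message  to mobile 02:00:00:00:00:01 WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
*Oct 07 15:08:24.405: 00000010: 00 de ad be                                       ....
*Oct 07 15:08:25.316: 02:00:00:00:00:01 Sending 802.11 EAPOL message  to mobile 02:00:00:00:00:01 WLAN 1, AP WLAN 1
*Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
*Oct 07 15:08:25.317: 00000010: 01 de ad be                                       ....
*Oct 07 15:08:26.317: 02:00:00:00:00:01 Sending 802.11 EAPOL message  to mobile 02:00:00:00:00:01 WLAN 1, AP WLAN 1
*Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
*Oct 07 15:08:26.317: 00000010: 02 de ad be                                       ....
*Oct 07 15:08:27.760: 02:00:00:00:00:01 Received 802.11 EAPOL message (len 5) from mobile 02:00:00:00:00:01
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
"""

HDR = re.compile(r"(Sending|Received) 802\.11 EAPOL message.*?mobile ([0-9a-f:]{17})")
DUMP = re.compile(r": [0-9a-f]{8}: ((?:[0-9a-f]{2}(?: +|$)){1,16})")

def frames(log):
    """Yield (direction, mac, payload) for each EAPOL hex dump in the debug text."""
    cur = None
    for line in log.splitlines():
        hdr, dump = HDR.search(line), DUMP.search(line)
        if hdr or not dump:                      # a new message, or the dump has ended
            if cur and cur[2]:
                yield cur[0], cur[1], bytes(cur[2])
            cur = (hdr.group(1), hdr.group(2), bytearray()) if hdr else None
        elif cur:
            cur[2].extend(bytes.fromhex(dump.group(1)))
    if cur and cur[2]:
        yield cur[0], cur[1], bytes(cur[2])

def stalled_handshakes(log, threshold=3):
    """Map client MAC -> replay counters of consecutive unanswered 4-way message 1 sends."""
    run, flagged = {}, {}
    for direction, mac, raw in frames(log):
        # EAPOL-Key is packet type 3 (offset 1); Key Information sits at offsets 5-6.
        info = int.from_bytes(raw[5:7], "big") if len(raw) >= 17 and raw[1] == 3 else 0
        if direction == "Sending" and info & 0x0080 and not info & 0x0100:  # Ack set, MIC clear
            run.setdefault(mac, []).append(int.from_bytes(raw[9:17], "big"))  # replay counter
            if len(run[mac]) >= threshold:
                flagged[mac] = list(run[mac])
        else:
            run[mac] = []  # any other frame to or from the client ends the run
    return flagged
```

A flagged client here means RADIUS authentication already succeeded and the stall is in the key exchange between controller and client.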

  • Does WLC 5508 (7.2) support PEAP to MS radius?

    Hi,
    I'm running version 7.2.111.3 on my WLC 5508 and I'm trying to figure out how I can set PEAP towards my configured RADIUS servers.
    On my Local EAP profile I can specify PEAP, but how is it configured by default when you just specify the RADIUS servers on the "WLANs > Edit Test > Security > AAA Servers" tab?
    The MS RADIUS logs tell me that it is EAP and not PEAP, so the question is: does the WLC support Microsoft: Protected EAP?
    Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ???
    *Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
    *Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius  EAP/Local WLAN 3.
    Thanks in advance,
    Michel

    You're right, +5. Looks like it sort of gives more granular selection/priority; if we don't want to use any AAA from global when all the configured AAA on the WLAN have failed, then it will be useful.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html
    Step 16: Select the Network User check box to enable network user authentication (or accounting), or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.
