Wlc issue

 I cleared the AP stats. How do I get the AP join status again in the WLC?

I would suggest you check the link below:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/99948-lap-notjoin-wlc-tshoot.html#req
Please let me know if the solution is helpful.

Similar Messages

  • Joining WLC Issues

    Hi,
    I'm having difficulty with a lwapp joining our WLC.  The error message is:
    *Mar  1 00:00:44.284: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar  1 00:00:50.285: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response
    *Mar  1 00:00:50.285: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
    *Mar  1 00:00:50.285: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
    *Mar  1 00:00:50.285: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
    I searched and found out that this would be related to the AP not being authorized.  So I went ahead and added the AP MAC and the SSC key via the GUI.
    It shows up in the GUI and in the command line. 
    However it still does not join.  I have applied the changes.  The AP keeps rebooting with the same error message.  I just don't know why it will not join the WLC.  Is there something else I'm missing?
    I've enabled the following debugging:
    debug mac addr <ap-mac-address>
        (in xx:xx:xx:xx:xx format)
    debug client <ap-mac-address>
    debug lwapp events enable
    debug lwapp errors enable
    debug pm pki enable
    And the debug:
    *Feb 10 16:50:15.890: 00:12:7f:25:58:16 DHCP received op BOOTREQUEST (1) (len 584, port 29, encap 0xec00)
    *Feb 10 16:50:15.890: 00:12:7f:25:58:16 DHCP received a REQUEST on 'management' interface from AP -- bouncing to local DHCP server.
    *Feb 10 16:50:15.890: 00:12:7f:25:58:16 DHCP sending to local dhcp server (0.0.0.0:68 -> 10.0.200.7:1067, len 301)
    *Feb 10 16:50:15.890: 00:12:7f:25:58:16 DHCP received op BOOTREPLY (2) (len 308, port 29, encap 0xec00)
    *Feb 10 16:50:15.890: 00:12:7f:25:58:16 DHCP dropping packet (no mscb) found - (giaddr 0.0.0.0, pktInfo->srcPort 67, op: 'BOOTREPLY')
    *Feb 10 16:50:15.891: 00:12:7f:25:58:16 DHCP received op BOOTREQUEST (1) (len 584, port 29, encap 0xec00)
    *Feb 10 16:50:15.891: 00:12:7f:25:58:16 DHCP received a REQUEST on 'management' interface from AP -- bouncing to local DHCP server.
    *Feb 10 16:50:15.891: 00:12:7f:25:58:16 DHCP sending to local dhcp server (0.0.0.0:68 -> 10.0.200.7:1067, len 319)
    *Feb 10 16:50:15.892: 00:12:7f:25:58:16 DHCP received op BOOTREPLY (2) (len 308, port 29, encap 0xec00)
    *Feb 10 16:50:15.892: 00:12:7f:25:58:16 DHCP dropping packet (no mscb) found - (giaddr 0.0.0.0, pktInfo->srcPort 67, op: 'BOOTREPLY')
    *Feb 10 16:50:15.892: 00:12:7f:25:58:16 DHCP received op BOOTREPLY (2) (len 548, port 0, encap 0x0)
    *Feb 10 16:50:15.893: 00:12:7f:25:58:16 DHCP received a REPLY from the local server -- forwarding to 'management' interface
    *Feb 10 16:50:15.893: 00:12:7f:25:58:16 DHCP received op BOOTREPLY (2) (len 548, port 0, encap 0x0)
    *Feb 10 16:50:15.893: 00:12:7f:25:58:16 DHCP received a REPLY from the local server -- forwarding to 'management' interface
    *Feb 10 16:50:17.895: 00:12:7f:25:58:16 DHCP received op BOOTREPLY (2) (len 308, port 29, encap 0xec00)
    *Feb 10 16:50:17.895: 00:12:7f:25:58:16 DHCP dropping packet (no mscb) found - (giaddr 10.0.200.1, pktInfo->srcPort 67, op: 'BOOTREPLY')
    *Feb 10 16:50:21.571: 00:12:7f:25:58:16 Received LWAPP DISCOVERY REQUEST to ff:ff:ff:ff:ff:ff on port '29'
    *Feb 10 16:50:21.571: 00:12:7f:25:58:16 Join Priority Processing status = 0, Incoming Ap's Priority 0, MaxLrads = 50,joined Aps =32
    *Feb 10 16:50:21.572: 00:12:7f:25:58:16 Successful transmission of LWAPP Discovery Response to AP 00:12:7f:25:58:16 on port 29
    *Feb 10 16:51:24.636: sshpmLscTask: LSC Task received a message 4
    The first part is the dhcp and it gets an IP address.  After that it doesn't give me any errors.  However on the AP it just gives the same error message:
    *Mar  1 00:00:50.285: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.
    Please help.
    Thank you.

    What is the hardware platform of this WLC and what version of code?  Is this a 2100 or 4400 series?
    -Cisco 4400
    Also, what discovery method are you using for this AP to find the WLC  management interface?  Option 43, DNS, IP-Helper/IP Port Forwarding? 
    -The AP is on the same subnet as WLC
    Is the AP L2 adjacent to the management or on another VLAN?  What VLAN is AP in and what VLAN is management/ap-manager in?
    -Same VLAN
    Here is the output
    (Cisco Controller) >show ap join stats detailed 00:12:7f:25:58:16
    Discovery phase statistics
    - Discovery requests received.............................. 4
    - Successful discovery responses sent...................... 4
    - Unsuccessful discovery request processing................ 0
    - Reason for last unsuccessful discovery attempt........... Not applicable
    - Time at last successful discovery attempt................ Feb 10 17:16:23.844
    - Time at last unsuccessful discovery attempt.............. Not applicable
    Join phase statistics
    - Join requests received................................... 0
    - Successful join responses sent........................... 0
    - Unsuccessful join request processing..................... 0
    - Reason for last unsuccessful join attempt................ Not applicable
    - Time at last successful join attempt..................... Not applicable
    - Time at last unsuccessful join attempt................... Not applicable
    Configuration phase statistics
    - Configuration requests received.......................... 0
    - Successful configuration responses sent.................. 0
    - Unsuccessful configuration request processing............ 0
    - Reason for last unsuccessful configuration attempt....... Not applicable
    --More-- or (q)uit
    - Time at last successful configuration attempt............ Not applicable
    - Time at last unsuccessful configuration attempt.......... Not applicable
    Last AP message decryption failure details
    - Reason for last message decryption failure............... Not applicable
    Last AP disconnect details
    - Reason for last AP connection failure.................... Not applicable
    Last join error summary
    - Type of error that occurred last......................... None
    - Reason for error that occurred last...................... Not applicable
    - Time at which the last join error occurred............... Not applicable
    Ethernet Mac : 00:00:00:00:00:00  Ip Address : 10.0.200.120
    It's weird there's no join errors ....
    Thank you.

  • ACL on WLC issue

    I'm setting up a RADIUS server so it can authenticate a guest server.
    The guest server is acting as a RADIUS server (192.168.128.154).
    I managed to redirect guest users to the WLC logon page. I then enter a username and password, log on without a problem, and get an IP address. I can ping everywhere including the Internet, but browsing the web doesn't work.
    The strange thing is I can ping google.com but I cannot browse using the web browser.
    When I remove the 3 ACLs, it bypasses the logon window and goes straight to the Internet.
    What I want is for the user to first get authenticated (WLC redirects to the RADIUS server - 192.168.128.154), and then the user can browse the Internet.
    Attached are the ACLs.
    Any input is appreciated.

    Even though it's on a WLC, the ACL still has that implicit deny at the end of it.
    So you are specifically allowing anyone to access that server, that server to get to anyone and ICMP, but after that you are not allowing any other connections out.
    Basically you would want to add some entries that deny "guest" to "internal" then do a permit any any any.  That way you stop them from getting to internal resources but they can still get to the interwebs.
    Cheers,
    Steve
    If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.
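
The first-match behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of an ACL with its implicit deny. Only 192.168.128.154 comes from the post; the guest subnet, internal range and sample packets are constructed assumptions (the attached ACLs are not on the page), and WLC rule direction is not modelled. It goes one step beyond the reply by showing that the position of the new deny relative to the ICMP permit matters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"
GUEST_SERVER = "192.168.128.154/32"  # guest/RADIUS server address from the post
GUEST_NET = "172.16.50.0/24"         # assumption: guest client subnet (constructed)
INTERNAL_NET = "192.168.0.0/16"      # assumption: internal address range (constructed)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    proto: str = "any"   # "any", "icmp", "tcp" or "udp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside the rule's source, destination and protocol."""
    return (
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", pkt.proto)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number); a rule number of None is the implicit deny."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", None


# Rules as the reply describes them, plus the two entries it recommends adding.
TO_SERVER = Rule("permit", ANY, GUEST_SERVER)
FROM_SERVER = Rule("permit", GUEST_SERVER, ANY)
ICMP = Rule("permit", ANY, ANY, "icmp")
BLOCK_INTERNAL = Rule("deny", GUEST_NET, INTERNAL_NET)
PERMIT_REST = Rule("permit", ANY, ANY)

ORIGINAL_ACL = [TO_SERVER, FROM_SERVER, ICMP]
APPENDED_ACL = ORIGINAL_ACL + [BLOCK_INTERNAL, PERMIT_REST]
# Same rules, but the deny sits ahead of the broad ICMP permit.
REORDERED_ACL = [TO_SERVER, FROM_SERVER, BLOCK_INTERNAL, ICMP, PERMIT_REST]

CLIENT = "172.16.50.25"  # constructed guest client address
SAMPLES: Dict[str, Packet] = {
    "web to internet": Packet(CLIENT, "203.0.113.10", "tcp"),
    "ping to internet": Packet(CLIENT, "203.0.113.10", "icmp"),
    "login to guest server": Packet(CLIENT, "192.168.128.154", "tcp"),
    "tcp to internal host": Packet(CLIENT, "192.168.10.5", "tcp"),
    "ping to internal host": Packet(CLIENT, "192.168.10.5", "icmp"),
}


def audit(acl: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every sample packet against one ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL),
                       ("deny + permit appended", APPENDED_ACL),
                       ("deny before ICMP permit", REORDERED_ACL)):
        print(label)
        for name, (action, number) in audit(acl).items():
            hit = "implicit deny" if number is None else "rule %d" % number
            print("  %-22s %-6s (%s)" % (name, action, hit))
```

With the original three rules, ping succeeds and web traffic falls through to the implicit deny, which is the symptom reported. Appending the deny after the ICMP permit still lets guests ping internal hosts; placing it ahead of that permit closes the gap.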

  • TACACS on Cisco WLC Issue

    I just installed a Cisco 5508 WLC on our network.  I have the Management IP in the management VLAN and on the controller I set it up "untagged".  WLC has two ports connected to a Cisco 4507 switch in the port-channel config.
    I can ping the controller from the network fine, I can ping the TACACS server from the controller.  I have the priority setup as "TACACS+, LOCAL".  However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it. For some reason authorization traffic is not passing.  Using Wireshark I have confirmed that the request is coming from the Management IP Interface.
    I have followed the instructions from this link:
    http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html
    Any ideas?

    It's running on Windows, Cisco Secure ACS 3.3
    Here is the debug:
    (Cisco Controller) >*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
    *aaaQueueReader: Nov 22 23:43:15.157:   Callback.....................................0x108a6808
    *aaaQueueReader: Nov 22 23:43:15.157:   protocolType.................................0x00020030
    *aaaQueueReader: Nov 22 23:43:15.157:   proxyState...................................00:00:00:7E:00:00-00:00
    *aaaQueueReader: Nov 22 23:43:15.157:   Packet contains 5 AVPs (not shown)
    *aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
    *tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4    .............`2.
    *tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f  9f f8 58 60              .(..X.....X`
    *tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
    *tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
    *tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
    *tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
    *tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4  .......... ............d...
    *tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51                                             .Q
    *tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
    *tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
    *tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
    *tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
    *tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
    *tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
    *tplusTransportThread: Nov 22 23:43:16.356:
    User has the following mgmtRole 0
    *tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
    *tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
    *tplusTransportThread: Nov 22 23:43:16.356:     structureSize................................74
    *tplusTransportThread: Nov 22 23:43:16.356:     resultCode...................................0
    *tplusTransportThread: Nov 22 23:43:16.356:     protocolUsed.................................0x00000010
    *tplusTransportThread: Nov 22 23:43:16.356:     proxyState...................................00:00:00:7E:00:00-00:00
    *tplusTransportThread: Nov 22 23:43:16.356:     Packet contains 2 AVPs:
    *tplusTransportThread: Nov 22 23:43:16.356:         AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
    *tplusTransportThread: Nov 22 23:43:16.356:         AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)
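
The authorization response in the debug above can be decoded by hand. As an added example (not part of the original thread), this Python parser reads the 12-byte TACACS+ header, following the RFC 8907 layout, from the two hex-dump lines of that response, and also decodes a cleartext authorization reply body. The class and function names and the `attr=value` reply are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 12
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
FLAG_UNENCRYPTED = 0x01
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
# Fixed part of an authorization reply: status, arg_cnt, server_msg_len, data_len.
AUTHOR_REPLY_FIXED = 6

# Bytes copied from the authorization response hex dump in the debug above.
PAGE_DUMP = "c0 02 02 00 18 d3 91 67 00 00 00 06 cc e5 c2 af 32 69"


@dataclass(frozen=True)
class Header:
    major: int
    minor: int
    ptype: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, "unknown")

    @property
    def from_server(self) -> bool:
        # Clients send odd sequence numbers, servers send even ones.
        return self.seq_no % 2 == 0

    @property
    def body_obfuscated(self) -> bool:
        # The body is obfuscated unless the unencrypted flag bit is set.
        return not (self.flags & FLAG_UNENCRYPTED)


def parse_packet(raw: bytes) -> Tuple[Header, bytes]:
    """Split a TACACS+ packet into its header and body, checking the length field."""
    if len(raw) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", raw[:HEADER_LEN])
    body = raw[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("header says %d body bytes, got %d" % (length, len(body)))
    return Header(version >> 4, version & 0x0F, ptype, seq_no, flags,
                  session_id, length), body


def author_reply_variable_bytes(hdr: Header) -> int:
    """Bytes left for argument lengths, server_msg, data and arguments."""
    if hdr.ptype != 2 or not hdr.from_server:
        raise ValueError("not an authorization reply")
    if hdr.length < AUTHOR_REPLY_FIXED:
        raise ValueError("authorization reply shorter than its fixed fields")
    return hdr.length - AUTHOR_REPLY_FIXED


@dataclass(frozen=True)
class AuthorReply:
    status: str
    server_msg: str
    data: bytes
    args: List[str]


def parse_author_reply(body: bytes) -> AuthorReply:
    """Decode a cleartext (already de-obfuscated) authorization reply body."""
    if len(body) < AUTHOR_REPLY_FIXED:
        raise ValueError("body shorter than the fixed fields")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:AUTHOR_REPLY_FIXED])
    arg_lens = body[AUTHOR_REPLY_FIXED:AUTHOR_REPLY_FIXED + arg_cnt]
    pos = AUTHOR_REPLY_FIXED + arg_cnt
    if len(arg_lens) != arg_cnt or pos + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("length fields do not add up to the body size")
    server_msg = body[pos:pos + msg_len].decode("ascii", "replace")
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return AuthorReply(AUTHOR_STATUS.get(status, hex(status)), server_msg, data, args)


# Constructed cleartext reply carrying one argument, to exercise the body decoder.
CONSTRUCTED_REPLY = struct.pack("!BBHHB", 0x01, 1, 0, 0, 10) + b"attr=value"

if __name__ == "__main__":
    hdr, body = parse_packet(bytes.fromhex(PAGE_DUMP))
    print(hdr.type_name, "seq", hdr.seq_no, "session %08x" % hdr.session_id,
          "length", hdr.length, "obfuscated" if hdr.body_obfuscated else "cleartext")
    print("bytes available for arguments:", author_reply_variable_bytes(hdr))
    print(parse_author_reply(CONSTRUCTED_REPLY))
```

A length of 6 is exactly the fixed part of an authorization reply, so this packet has no room for arguments, which agrees with the `arg_cnt=0` the controller logged.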

  • Guest Nac & WLC issues

    Hello,
    I have Guest Nac Appliance & WLC 5508, but I want to know,
    1. Can I use the same username and password authenticated in Guest NAC on 3 devices? Example: laptop, Mac, iPhone.
    2. How many usernames can be stored in Guest NAC: NAC3310-GUEST-K9?
    Thanks a lot

    Hi,
    1. Don't see a problem with that, or perhaps I'm not understanding the question right?
    2. No limit in the software, so as many as you like, until your database fills up your hard drive.
    Faisal

  • WLC issue with RADIUS

    Hello,
    I have the following strange behavior:
    My WLCs connect to the RADIUS server using the IP address of a dynamic interface instead of using the management interface's IP address.
    The dynamic interface is on the same subnet/VLAN as the RADIUS server.
    Which is the best interface to use for RADIUS authentications?
    And how can I decide which interface should be the RADIUS source interface for connecting to my RADIUS servers?
    Thanks everybody
    Johnny

    If you have the Radius server on a subnet in which you have any interface on the wlc on, you will see the wlc using that interface ip address. The AAA client ip address you should use is the dynamic interface ip address. The only time you will see the wlc use its management interface is when your wired and wireless (dynamic interfaces) are on different subnets.

  • Cisco NCS configuration backup and restore of WLC issues found

    Hi,
    I recently tested the process for a customer of defaulting a Cisco WLC to factory configuration and then restoring the configuration from Cisco NCS.  It was not seamless to say the least and I wonder if I have just gone about it the wrong way. 
    I have set the NCS platform to configuration sync with the 5508 controllers at 04:00 every day, and prior to defaulting the controller I ensured that NCS also reported that the config was in sync.
    I have also set NCS to complete a TFTP backup of the controller every night at 23:00 - interestingly though I have no idea where this is stored on the NCS platform (a VM appliance) or what its filename is.
    Anyway, my experiences were as follows:
    1.  defaulted WLC and via serial CLI ended up at the configuration wizard.
    2.  Set the correct LAG, management IP, hostname that NCS knew this controller by.
    3.  To test things just created a dummy WLAN ( SSID ) as I assumed this would be overwritten ( big mistake ! ).
    At this point I connected the controller to the network and tried to restore the configuration from the config sync version.
    First problem - you have to remember to set up the SNMP community string you were using as it is needed by the configuration sync process.  After adding this to the controller I could push the configuration to the controller.
    Second problem - failed to add the first WLAN from the backup as I have added the temporary dummy WLAN via the wizard and NCS reported a conflict.  So had to delete WLAN ID 1 from the WLC GUI directly and then the config push no longer reported this error.
    Third problem - for some reason did not add the TACACS server details - reported the error that it could not added them.  I manually added these via a template via NCS and all was well.
    Fourth problem - all but the first WLAN was in the disabled state - had to re-enable all of the WLANs
    Fifth problem - any default items I had disabled or removed have not been saved - therefore I have removed the public and private SNMP communities - but these were still on the WLC after the restore.  I have disabled unused ports not in the LAG as they show an error in NCS - these were not disabled after the restore.
    So all in all not a very satisfactory restore process from NCS to a defaulted WLC (meant to simulate to the customer what would be needed if they had to replace a controller due to hardware failure).
    So - anybody like to comment on what I did wrong - is there a different / better way of achieving this?
    Regards
    Robert

    Hello Robert,
    all the tasks you did seem to be fine for me.
    I was also wondering about the process of restoring from NCS controller configuration backups ...
    If anyone else could give another method with fewer drawbacks, that would be appreciated, but I doubt it.
    regards,
    Guillaume.

  • Top Memory utilization

    Dears,
    I have an issue with my wireless LAN controller (WiSM2) installed in a 6509-E. Today I found memory utilization went from 43% to 72% without my doing anything,
    but I see the CPU in 6509 was 70% also this related to WLC issue.
    I attached sh process memory from the WLC, sh logg from the 6509, sh process cpu history from the 6509 and a snapshot from NCS. I await any feedback.
    Thanks

    It is recommended to... Here are the release notes so you know what is being upgraded depending on the WLC platform:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/fus_rn_OL-31390-01.html#wp43702
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Issue with 2504 WLC and 2602 AP. need help please.

    Somehow the AP does not associate with the 2504 controller.
    What could possibly be the issue?
    Thanks in advance.
    Anyway,  Here is the log from the AP.
    AP log
    ===========================================================
    *Mar  1 00:30:35.551: %CAPWAP-5-DHCP_OPTION_43: Controller address 192.168.120.4 obtained through DHCP
    *Mar  1 00:30:35.551: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Discovery response from MWAR 'SNGNY-WLC1'running version 7.0.220.0 is rejected.
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to decode discovery response.
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: CAPWAP SM handler: Failed to process message type 2 state 2.
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
    *Mar  1 00:30:44.551: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 192.168.120.4
    ===========================================================
    show version output from the Access Point
    =========================================================
    AP0006.f6ec.be2a#show ver
    Cisco IOS Software, C2600 Software (AP3G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 11-Dec-12 00:07 by prod_rel_team
    ROM: Bootstrap program is C2600 boot loader
    BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    AP0006.f6ec.be2a uptime is 33 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-xx"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    --More--
    *Mar  1 00:33:46.071: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
    *Mar  1 00:33:46.171: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.120.98, mask 255.255.255.0, hostname AP0006.f6ec.be2a
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-CAP2602I-A-K9    (PowerPC) processor (revision A0) with 180214K/81920K bytes of memory.
    Processor board ID FGL1704ZC0Q
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    LWAPP image version 7.4.1.37
    1 Gigabit Ethernet interface
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:06:F6:EC:BE:2A
    Part Number                          : 73-14588-02
    PCA Assembly Number                  : 800-37899-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC165188Y4
    Top Assembly Part Number             : 800-38356-01
    Top Assembly Serial Number           : FGL1704ZC0Q
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602I-A-K9  
    Configuration register is 0xF
    ========================================================

    Blake's right.  Your WLC is running 7.0.X code which does not support the AP2600.  Check the Release Notes and look under Software Release Support for Access Points to determine what suitable firmware your WLC can support your AP.

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ISE and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,

  • Device issue with WLC (excluded client)

    I have a single client that is having issues staying connected to my WLC running code 7.0.220.0
    Here are the debugs, it just keeps on looping:
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a Adding mobile on LWAPP AP 10:8c:cf:78:93:80(0)
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a Association received from mobile on AP 10:8c:cf:78:93:80
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a Applying site-specific IPv6 override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a Applying IPv6 Interface Policy for station 00:40:96:b8:78:7a - vlan 274, interface id 12, interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a Applying site-specific override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:06.352: 00:40:96:b8:78:7a 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a STA - rates (6): 24 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a Processing RSN IE type 48, length 38 for mobile 00:40:96:b8:78:7a
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8for this client
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a apfMsAssoStateInc
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Idle to Associated
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a Sending Assoc Response to station on BSSID 10:8c:cf:78:93:80 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_0: Jul 18 10:41:06.353: 00:40:96:b8:78:7a apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *dot1xMsgTask: Jul 18 10:41:06.354: 00:40:96:b8:78:7a Creating a PKC PMKID Cache entry for station 00:40:96:b8:78:7a (RSN 2)
    *dot1xMsgTask: Jul 18 10:41:06.354: 00:40:96:b8:78:7a Adding BSSID 10:8c:cf:78:93:87 to PMKID cache for station 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:06.355: New PMKID: (16)
    *dot1xMsgTask: Jul 18 10:41:06.355:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:06.355: 00:40:96:b8:78:7a Initiating RSN PSK to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:06.355: 00:40:96:b8:78:7a dot1x - moving mobile 00:40:96:b8:78:7a into Force Auth state
    *dot1xMsgTask: Jul 18 10:41:06.355: 00:40:96:b8:78:7a Skipping EAP-Success to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:06.355: Including PMKID in M1  (16)
    *dot1xMsgTask: Jul 18 10:41:06.355:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:06.355: 00:40:96:b8:78:7a Starting key exchange to mobile 00:40:96:b8:78:7a, data packets will be dropped
    *dot1xMsgTask: Jul 18 10:41:06.355: 00:40:96:b8:78:7a Sending EAPOL-Key Message to mobile 00:40:96:b8:78:7a
                                  state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *osapiBsnTimer: Jul 18 10:41:07.362: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:07.362: 00:40:96:b8:78:7a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy AP LOCP - mode:0 slotId:0, apMac 0x10:8c:cf:78:93:80
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy WLAN LOCP EssIndex:11 aid:1 ssid:RUMCWireless-S
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x2 statuscode 0, reasoncode 1, status 3
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy CCX LOCP 5
    *apfLbsTask: Jul 18 10:41:07.762: 00:40:96:b8:78:7a Copy MobilityData LOCP status:0, anchorip:0x0
    *osapiBsnTimer: Jul 18 10:41:08.361: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:08.361: 00:40:96:b8:78:7a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:09.361: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:09.362: 00:40:96:b8:78:7a Retransmit failure for EAPOL-Key M1 to mobile 00:40:96:b8:78:7a, retransmit count 3, mscb deauth count 0
    *dot1xMsgTask: Jul 18 10:41:09.363: 00:40:96:b8:78:7a Sent Deauthenticate to mobile on BSSID 10:8c:cf:78:93:80 slot 0(caller 1x_ptsm.c:534)
    *dot1xMsgTask: Jul 18 10:41:09.363: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Association received from mobile on AP 10:8c:cf:78:93:80
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Applying site-specific IPv6 override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Applying IPv6 Interface Policy for station 00:40:96:b8:78:7a - vlan 274, interface id 12, interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Applying site-specific override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a STA - rates (6): 24 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Processing RSN IE type 48, length 38 for mobile 00:40:96:b8:78:7a
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8for this client
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *apfMsConnTask_0: Jul 18 10:41:12.953: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_0: Jul 18 10:41:12.954: 00:40:96:b8:78:7a Sending Assoc Response to station on BSSID 10:8c:cf:78:93:80 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_0: Jul 18 10:41:12.954: 00:40:96:b8:78:7a apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *dot1xMsgTask: Jul 18 10:41:12.955: 00:40:96:b8:78:7a Creating a PKC PMKID Cache entry for station 00:40:96:b8:78:7a (RSN 2)
    *dot1xMsgTask: Jul 18 10:41:12.955: 00:40:96:b8:78:7a Adding BSSID 10:8c:cf:78:93:87 to PMKID cache for station 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:12.955: New PMKID: (16)
    *dot1xMsgTask: Jul 18 10:41:12.956:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:12.956: 00:40:96:b8:78:7a Initiating RSN PSK to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:12.956: 00:40:96:b8:78:7a dot1x - moving mobile 00:40:96:b8:78:7a into Force Auth state
    *dot1xMsgTask: Jul 18 10:41:12.956: 00:40:96:b8:78:7a Skipping EAP-Success to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:12.956: Including PMKID in M1  (16)
    *dot1xMsgTask: Jul 18 10:41:12.956:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:12.956: 00:40:96:b8:78:7a Starting key exchange to mobile 00:40:96:b8:78:7a, data packets will be dropped
    *dot1xMsgTask: Jul 18 10:41:12.956: 00:40:96:b8:78:7a Sending EAPOL-Key Message to mobile 00:40:96:b8:78:7a
                                  state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *osapiBsnTimer: Jul 18 10:41:13.961: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:13.965: 00:40:96:b8:78:7a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:14.961: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:14.962: 00:40:96:b8:78:7a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy AP LOCP - mode:0 slotId:0, apMac 0x10:8c:cf:78:93:80
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy WLAN LOCP EssIndex:11 aid:1 ssid:RUMCWireless-S
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x2 statuscode 0, reasoncode 1, status 3
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy CCX LOCP 5
    *apfLbsTask: Jul 18 10:41:15.762: 00:40:96:b8:78:7a Copy MobilityData LOCP status:0, anchorip:0x0
    *osapiBsnTimer: Jul 18 10:41:15.961: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:15.965: 00:40:96:b8:78:7a Retransmit failure for EAPOL-Key M1 to mobile 00:40:96:b8:78:7a, retransmit count 3, mscb deauth count 1
    *dot1xMsgTask: Jul 18 10:41:15.967: 00:40:96:b8:78:7a Sent Deauthenticate to mobile on BSSID 10:8c:cf:78:93:80 slot 0(caller 1x_ptsm.c:534)
    *dot1xMsgTask: Jul 18 10:41:15.967: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
    *apfMsConnTask_0: Jul 18 10:41:19.491: 00:40:96:b8:78:7a Association received from mobile on AP 10:8c:cf:78:93:80
    *apfMsConnTask_0: Jul 18 10:41:19.491: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Applying site-specific IPv6 override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Applying IPv6 Interface Policy for station 00:40:96:b8:78:7a - vlan 274, interface id 12, interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Applying site-specific override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a STA - rates (6): 24 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Processing RSN IE type 48, length 38 for mobile 00:40:96:b8:78:7a
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8for this client
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a Sending Assoc Response to station on BSSID 10:8c:cf:78:93:80 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_0: Jul 18 10:41:19.492: 00:40:96:b8:78:7a apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Creating a PKC PMKID Cache entry for station 00:40:96:b8:78:7a (RSN 2)
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Adding BSSID 10:8c:cf:78:93:87 to PMKID cache for station 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:19.494: New PMKID: (16)
    *dot1xMsgTask: Jul 18 10:41:19.494:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Initiating RSN PSK to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a dot1x - moving mobile 00:40:96:b8:78:7a into Force Auth state
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Skipping EAP-Success to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:19.494: Including PMKID in M1  (16)
    *dot1xMsgTask: Jul 18 10:41:19.494:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Starting key exchange to mobile 00:40:96:b8:78:7a, data packets will be dropped
    *dot1xMsgTask: Jul 18 10:41:19.494: 00:40:96:b8:78:7a Sending EAPOL-Key Message to mobile 00:40:96:b8:78:7a
                                  state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *osapiBsnTimer: Jul 18 10:41:20.561: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:20.561: 00:40:96:b8:78:7a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:21.561: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:21.561: 00:40:96:b8:78:7a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:22.561: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:22.562: 00:40:96:b8:78:7a Retransmit failure for EAPOL-Key M1 to mobile 00:40:96:b8:78:7a, retransmit count 3, mscb deauth count 2
    *dot1xMsgTask: Jul 18 10:41:22.563: 00:40:96:b8:78:7a Sent Deauthenticate to mobile on BSSID 10:8c:cf:78:93:80 slot 0(caller 1x_ptsm.c:534)
    *dot1xMsgTask: Jul 18 10:41:22.563: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy AP LOCP - mode:0 slotId:0, apMac 0x10:8c:cf:78:93:80
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy WLAN LOCP EssIndex:11 aid:1 ssid:RUMCWireless-S
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x2 statuscode 0, reasoncode 1, status 3
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy CCX LOCP 5
    *apfLbsTask: Jul 18 10:41:23.762: 00:40:96:b8:78:7a Copy MobilityData LOCP status:0, anchorip:0x0
    *apfMsConnTask_0: Jul 18 10:41:26.116: 00:40:96:b8:78:7a Association received from mobile on AP 10:8c:cf:78:93:80
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Applying site-specific IPv6 override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Applying IPv6 Interface Policy for station 00:40:96:b8:78:7a - vlan 274, interface id 12, interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Applying site-specific override for station 00:40:96:b8:78:7a - vapId 11, site 'TWR-5', interface 'pharmwireless'
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a STA - rates (6): 24 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Processing RSN IE type 48, length 38 for mobile 00:40:96:b8:78:7a
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8for this client
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 10:8c:cf:78:93:80 vapId 11 apVapId 8
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a Sending Assoc Response to station on BSSID 10:8c:cf:78:93:80 (status 0) ApVapId 8 Slot 0
    *apfMsConnTask_0: Jul 18 10:41:26.117: 00:40:96:b8:78:7a apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Associated
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Creating a PKC PMKID Cache entry for station 00:40:96:b8:78:7a (RSN 2)
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Adding BSSID 10:8c:cf:78:93:87 to PMKID cache for station 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:26.120: New PMKID: (16)
    *dot1xMsgTask: Jul 18 10:41:26.120:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Initiating RSN PSK to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a dot1x - moving mobile 00:40:96:b8:78:7a into Force Auth state
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Skipping EAP-Success to mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:26.120: Including PMKID in M1  (16)
    *dot1xMsgTask: Jul 18 10:41:26.120:      [0000] 4a 0c ea 60 5c 8c 76 2a ee 47 50 bd ad 58 e0 d9
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Starting key exchange to mobile 00:40:96:b8:78:7a, data packets will be dropped
    *dot1xMsgTask: Jul 18 10:41:26.120: 00:40:96:b8:78:7a Sending EAPOL-Key Message to mobile 00:40:96:b8:78:7a
                                  state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *osapiBsnTimer: Jul 18 10:41:27.161: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:27.162: 00:40:96:b8:78:7a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:28.161: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:28.162: 00:40:96:b8:78:7a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:40:96:b8:78:7a
    *osapiBsnTimer: Jul 18 10:41:29.161: 00:40:96:b8:78:7a 802.1x 'timeoutEvt' Timer expired for station 00:40:96:b8:78:7a and for message = M2
    *dot1xMsgTask: Jul 18 10:41:29.162: 00:40:96:b8:78:7a Retransmit failure for EAPOL-Key M1 to mobile 00:40:96:b8:78:7a, retransmit count 3, mscb deauth count 3
    *dot1xMsgTask: Jul 18 10:41:29.162: 00:40:96:b8:78:7a Blacklisting (if enabled) mobile 00:40:96:b8:78:7a
    *dot1xMsgTask: Jul 18 10:41:29.162: 00:40:96:b8:78:7a apfBlacklistMobileStationEntry2 (apf_ms.c:4294) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Associated to Exclusion-list (1)
    *dot1xMsgTask: Jul 18 10:41:29.162: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 44) in 10 seconds
    *dot1xMsgTask: Jul 18 10:41:29.163: 00:40:96:b8:78:7a 0.0.0.0 8021X_REQD (3) Change state to START (0) last state 8021X_REQD (3)
    *dot1xMsgTask: Jul 18 10:41:29.163: 00:40:96:b8:78:7a 0.0.0.0 START (0) Reached FAILURE: from line 4025
    *dot1xMsgTask: Jul 18 10:41:29.164: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy AP LOCP - mode:0 slotId:0, apMac 0x10:8c:cf:78:93:80
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy WLAN LOCP EssIndex:11 aid:1 ssid:RUMCWireless-S
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState:      START
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x2 statuscode 0, reasoncode 1, status 8
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy CCX LOCP 5
    *apfLbsTask: Jul 18 10:41:31.766: 00:40:96:b8:78:7a Copy MobilityData LOCP status:0, anchorip:0x0
    *osapiBsnTimer: Jul 18 10:41:39.165: 00:40:96:b8:78:7a apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Jul 18 10:41:39.166: 00:40:96:b8:78:7a Scheduling deletion of Mobile Station:  (callerId: 46) in 60 seconds
    *apfReceiveTask: Jul 18 10:41:39.166: 00:40:96:b8:78:7a apfMsExpireMobileStation (apf_ms.c:5131) Changing state for mobile 00:40:96:b8:78:7a on AP 10:8c:cf:78:93:80 from Exclusion-list (1) to Exclusion-list (2)
    *apfReceiveTask: Jul 18 10:41:39.166: 00:40:96:b8:78:7a 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [10:8c:cf:78:93:80]
    *apfMsConnTask_0: Jul 18 10:41:51.799: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:41:52.313: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:41:53.316: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:41:54.320: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:41:55.323: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:41:56.326: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:41:59.292: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:41:59.339: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:42:00.342: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:42:01.346: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:42:02.349: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_6: Jul 18 10:42:03.352: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *spamApTask0: Jul 18 10:42:07.907: 00:40:96:b8:78:7a Received Idle-Timeout from AP 10:8c:cf:78:93:80, slot 0 for STA 00:40:96:b8:78:7a
    *spamApTask0: Jul 18 10:42:07.907: 00:40:96:b8:78:7a Ignoring delete request from AP due to mobile in exclusion list or marked for deletion already
    *apfMsConnTask_0: Jul 18 10:42:08.127: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:42:08.370: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:42:09.373: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:42:10.377: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:42:11.380: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_0: Jul 18 10:42:12.383: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_5: Jul 18 10:42:27.323: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_5: Jul 18 10:42:28.438: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_5: Jul 18 10:42:29.441: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_5: Jul 18 10:42:30.445: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_5: Jul 18 10:42:31.448: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_4: Jul 18 10:42:36.045: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_4: Jul 18 10:42:36.467: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_4: Jul 18 10:42:37.470: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *apfMsConnTask_4: Jul 18 10:42:38.474: 00:40:96:b8:78:7a Ignoring assoc request due to mobile in exclusion list or marked for deletion
    *osapiBsnTimer: Jul 18 10:42:39.169: 00:40:96:b8:78:7a apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Jul 18 10:42:39.170: 00:40:96:b8:78:7a apfMsAssoStateDec
    *apfReceiveTask: Jul 18 10:42:39.170: 00:40:96:b8:78:7a Deleting mobile on AP 10:8c:cf:78:93:80(0)
    Can anyone tell me why this is happening?
    Thank You

    Auth succeeded from AAA server side but there is a problem with the 4-way handshake. It is obvious the problem is with the client because it does not reply to message 2 of the handshake.
    What is this client?
    Try upgrading the driver or the firmware. That sorts it out.
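The pattern in the debug output above (EAPOL-Key M1 sent, no M2 before the timer expires, retransmit failure, then exclusion) can be picked out of a long `debug client` capture mechanically. The following is an added example, not part of the original posts: the log lines are constructed and abbreviated from the format shown above, the MAC addresses are made up, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the WLC `debug client` output above.
# MAC addresses are made up; 02:00:00:aa:bb:02 is a client that is not failing.
SAMPLE_LOG = """\
*apfMsConnTask_0: Jul 18 10:41:06.353: 02:00:00:aa:bb:01 Association received from mobile on AP 02:00:00:00:10:80
*dot1xMsgTask: Jul 18 10:41:06.355: 02:00:00:aa:bb:01 Sending EAPOL-Key Message to mobile 02:00:00:aa:bb:01
                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*osapiBsnTimer: Jul 18 10:41:07.362: 02:00:00:aa:bb:01 802.1x 'timeoutEvt' Timer expired for station 02:00:00:aa:bb:01 and for message = M2
*dot1xMsgTask: Jul 18 10:41:07.362: 02:00:00:aa:bb:01 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 02:00:00:aa:bb:01
*dot1xMsgTask: Jul 18 10:41:08.361: 02:00:00:aa:bb:01 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 02:00:00:aa:bb:01
*dot1xMsgTask: Jul 18 10:41:09.362: 02:00:00:aa:bb:01 Retransmit failure for EAPOL-Key M1 to mobile 02:00:00:aa:bb:01, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jul 18 10:41:12.955: New PMKID: (16)
*dot1xMsgTask: Jul 18 10:41:12.956: 02:00:00:aa:bb:01 Sending EAPOL-Key Message to mobile 02:00:00:aa:bb:01
                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*dot1xMsgTask: Jul 18 10:41:13.965: 02:00:00:aa:bb:01 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 02:00:00:aa:bb:01
*dot1xMsgTask: Jul 18 10:41:14.962: 02:00:00:aa:bb:01 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 02:00:00:aa:bb:01
*dot1xMsgTask: Jul 18 10:41:15.965: 02:00:00:aa:bb:01 Retransmit failure for EAPOL-Key M1 to mobile 02:00:00:aa:bb:01, retransmit count 3, mscb deauth count 1
*dot1xMsgTask: Jul 18 10:41:15.966: 02:00:00:aa:bb:01 apfBlacklistMobileStationEntry2 (apf_ms.c:4294) Changing state for mobile 02:00:00:aa:bb:01 on AP 02:00:00:00:10:80 from Associated to Exclusion-list (1)
*apfMsConnTask_0: Jul 18 10:41:51.799: 02:00:00:aa:bb:01 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*apfMsConnTask_0: Jul 18 10:41:52.313: 02:00:00:aa:bb:01 Ignoring assoc request due to mobile in exclusion list or marked for deletion
*dot1xMsgTask: Jul 18 10:42:01.100: 02:00:00:aa:bb:02 Sending EAPOL-Key Message to mobile 02:00:00:aa:bb:02
                              state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*dot1xMsgTask: Jul 18 10:42:02.105: 02:00:00:aa:bb:02 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 02:00:00:aa:bb:02
"""

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>"
LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)


def records(text):
    """Yield (timestamp, mac, message), folding wrapped continuation lines
    (such as the 'state INITPMK (message 1)' line) into the record before them."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("*"):
            if current:
                yield tuple(current)
            m = LINE.match(line)
            # Lines with no client MAC (e.g. the PMKID hex dump) are skipped.
            current = [m["ts"], m["mac"], m["msg"]] if m else None
        elif current:
            current[2] += " " + line
    if current:
        yield tuple(current)


def summarise(text):
    """Per client MAC: every M1 that was sent, how often it was retransmitted,
    whether it went unanswered, and what the controller did afterwards."""
    clients = defaultdict(
        lambda: {"attempts": [], "excluded": False, "ignored_assoc": 0}
    )
    for ts, mac, msg in records(text):
        c = clients[mac]
        if "Sending EAPOL-Key Message" in msg and "(message 1)" in msg:
            c["attempts"].append(
                {"started": ts, "retransmits": 0, "m1_unanswered": False}
            )
        elif c["attempts"] and re.search(r"Retransmit \d+ of EAPOL-Key M1", msg):
            c["attempts"][-1]["retransmits"] += 1
        elif c["attempts"] and "Retransmit failure for EAPOL-Key M1" in msg:
            c["attempts"][-1]["m1_unanswered"] = True
        elif "to Exclusion-list (1)" in msg:
            c["excluded"] = True
        elif "Ignoring assoc request due to mobile in exclusion list" in msg:
            c["ignored_assoc"] += 1
    return dict(clients)


def stalled_before_m2(client):
    """True when every handshake attempt ended with M1 never being answered."""
    attempts = client["attempts"]
    return bool(attempts) and all(a["m1_unanswered"] for a in attempts)


if __name__ == "__main__":
    for mac, info in summarise(SAMPLE_LOG).items():
        print(mac, "stalled before M2:", stalled_before_m2(info),
              "| attempts:", len(info["attempts"]),
              "| excluded:", info["excluded"],
              "| assoc requests ignored:", info["ignored_assoc"])
```

A client flagged here that is also excluded will keep producing "Ignoring assoc request" lines until the exclusion expires, so those lines are a consequence of the stalled handshake rather than a separate fault.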

  • 5760 WLC & ISE 1.2 PEAP Issues

    I have the following setup:
    WLC 5508 (7.4.100)
    WLC 5760 (03.03.02)   (I'm replacing the 5508 with the 5760)
    ISE 1.2
    I'm currently running 802.1x PEAP with external AD authentication on the 5508, and everything is working 100%.
    As soon as I switch the users over to the 5760 I get the following errors on the ISE:
    Event
    5440 Endpoint abandoned EAP session and started new
    Failure Reason
    5440 Endpoint abandoned EAP session and started new
    Resolution
    Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
    Root cause
    Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
    I took the config of a working 5760, why would this one give the above errors?
    Jaco

    Hello!
    Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
    Thanks, Irina

  • AP - WLC joining issue

    We have 3 WLCs (5500) in our network and about 150 APs. Only 4 APs register to 1 controller, over 70 to the 2nd and about 50 to the 3rd. On checking and comparing a few of the APs, this is what I concluded.
    1. The 4 APs that registered to the first WLC did not have that AP in the primary, secondary or tertiary list. If it was there, then it was either secondary or tertiary, or the device name entered is not resolvable by DNS but the device name is correct. Management IP was not configured on any of the 4 APs for any of the WLCs.
    2. APs registered to the second and third WLCs have similar config: first WLC as primary, second as secondary and third as tertiary, with correct DNS name in the field but wrong device name. Also, all have management IPs entered as well.
    CAPWAP Join Taken Time for the 4 APs varies from 6 to 10 mins, while for other APs it's a few seconds. DNS for cisco-capwap-controller points to the WLC with 4 APs. I do not see any use of option in DNS for WAPs.
    How can I make APs join this WLC?
    Should I get the DNS and device name discrepancy corrected?
    What is the selection process for APs to choose a WLC, as I see APs not joining the WLC in their building but joining a WLC in another adjacent building? Is there a way for me to influence this decision?

    What is the selection process for APs to choose a WLC, as I see APs not joining the WLC in their building but joining a WLC in another adjacent building? Is there a way for me to influence this decision?
    The best way to do this is to configure AP High Availability on the APs with primary, secondary, tertiary WLC name & IP (both fields required). This takes precedence over any other methods.
    http://mrncciew.com/2013/04/07/ap-failover/
    If you have an AP join issue, try to configure DHCP option 43 & see if that helps
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-00.html
    If this is a one-off case, you can try static or broadcast forwarding as an interim solution
    http://mrncciew.com/2013/03/17/ap-registration/
    http://mrncciew.com/2013/05/04/wlc-discovery-via-broadcast/
    HTH
    Rasika
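Added example, not part of the original reply: a check of a DHCP option 43 value against the controller list you intend APs to discover, using the TLV layout from the linked Cisco document (sub-option type 0xf1, a length of 4 bytes per controller, then the management IPs). The IP addresses and function names are assumptions made for illustration.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type carrying the controller address list


def encode_option43(controllers):
    """Build the option 43 payload for a list of WLC management IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    if len(set(addrs)) != len(addrs):
        raise ValueError("duplicate controller address")
    value = b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION, len(value)]) + value


def decode_option43(hex_value):
    """Parse a configured value (plain or dotted/colon-separated hex) and
    return the controller IPs, rejecting a wrong type or inconsistent length."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("payload does not start with sub-option 0xf1")
    length = raw[1]
    if length == 0 or length % 4 or length != len(raw) - 2:
        raise ValueError("length byte does not match the address list")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, len(raw), 4)]


def matches_intended(hex_value, intended):
    """True when the configured value advertises exactly the intended WLCs."""
    return decode_option43(hex_value) == [str(ipaddress.IPv4Address(i)) for i in intended]


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.20"]  # constructed addresses
    payload = encode_option43(wlcs).hex()
    print(payload, decode_option43(payload))
```

A length byte that disagrees with the number of addresses is a common reason an otherwise correct-looking value is ignored, which is why `decode_option43` rejects it instead of parsing what it can.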

  • Deployment of WLC-5508 with 2702i-D have performance issue.

    Hi Team,
    We have centrally deployed WLC-5508 with 50 AP licence along with HA scenario. We have 3 locations.
    1. HQ has 26 APs with POWINJ5.
    2. Branch location A has 8 APs with POWINJ5.
    3. Branch location B has 8 APs with POWINJ4.
    My expectation is to achieve a single SSID with dynamic VLAN from group policy (NPS). My HO has 26 APs and those are working in local mode,
    and branches are connected through FlexConnect mode, and all are working with different NPS.
    The problems I am facing with this deployment are the following.
    1. Branch A has a performance issue.
    2. HQ has a performance issue.
    3. I don't want to go with a dedicated NPS for every location.
    In order to achieve this deployment I want only a single SSID with primary and secondary NPS at my HQ, with dynamic VLAN for the respective departmental users' VLANs.
    The above is my problem and concern. Otherwise I am successfully achieving this solution with dedicated NPS with a single group policy, but when I go forward to achieve my expectation I face an authentication issue at my HQ and sometimes I am not able to get proper VLAN IPs at my HQ.
    Kindly help me understand where I am going wrong in achieving my expectation.
    Thanks.
    Nalin

    I am facing 2 different problems.
    1st issue - in the existing setup we have a throughput issue (while downloading or uploading any data from the Internet or intranet, wireless clients face slow speed, and at the same time when I try from the LAN I do not face any issue).
    2nd issue - I want to achieve only a single SSID with primary and secondary NPS (AD group is bound with VLAN attributes) with dynamic VLAN for the respective departmental users.
    For issue no. 2 I have created an SSID to achieve the single SSID parameter for every location. In order to achieve this I changed all access points from local mode to FlexConnect mode, after that I created AP groups location-wise and then created FlexConnect groups where I mapped all the VLANs through AAA VLAN-ACL mapping. I created an interface group and mapped all the VLANs in that group.
    For more understanding please go through the CLI view below.
    (Cisco Controller) >show wlan apgroups
    Total Number of AP Groups........................ 4
    Site Name........................................ GURGAON-AP-GROUP
    Site Description................................. GURGAON-AP-GROUP
    Venue Group Code................................. Unspecified
    Venue Type Code.................................. Unspecified
    NAS-identifier................................... Fractal-WLC1
    Client Traffic QinQ Enable....................... FALSE
    DHCPv4 QinQ Enable............................... FALSE
    AP Operating Class............................... Not-configured
    Capwap Prefer Mode............................... Not-configured
    RF Profile
    2.4 GHz band..................................... <none>
    5 GHz band....................................... <none>
    WLAN ID          Interface          Network Admission Control          Radio Policy
     3               gurgaon-interface    Disabled                          None
     4               gurgaon-guest        Disabled                          None
    *AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
    AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
    GUR-AP-01            2     AIR-CAP2702I-D-K9    f4:4e:05:78:ae:e4  default location  1     IN       1
    GUR-AP-05            2     AIR-CAP2702I-D-K9    f4:4e:05:80:b5:18  default location  1     IN       1
    GUR-AP-03            2     AIR-CAP2702I-D-K9    bc:16:65:13:71:00  default location  1     IN       1
    GUR-AP-07            2     AIR-CAP2702I-D-K9    f4:4e:05:80:b3:f8  default location  1     IN       1
    GUR-AP-06            2     AIR-CAP2702I-D-K9    f4:4e:05:80:b3:e0  default location  1     IN       1
    GUR-AP-08            2     AIR-CAP2702I-D-K9    f4:4e:05:45:78:98  default location  1     IN       1
    GUR-AP-02            2     AIR-CAP2702I-D-K9    f4:4e:05:80:b3:2c  default location  1     IN       1
    GUR-AP-04            2     AIR-CAP2702I-D-K9    f4:4e:05:78:ae:64  default location  1     IN       1
    GUR-AP-09            2     AIR-CAP2702I-D-K9    f4:4e:05:80:b4:44  default location  1     IN       1
    Site Name........................................ MUMBAI-AP-GROUP
    Site Description................................. MUMBAI-AP-GROUP
    Venue Group Code................................. Unspecified
    Venue Type Code.................................. Unspecified
    --More-- or (q)uit
    NAS-identifier................................... Fractal-WLC1
    Client Traffic QinQ Enable....................... FALSE
    DHCPv4 QinQ Enable............................... FALSE
    AP Operating Class............................... Not-configured
    Capwap Prefer Mode............................... Not-configured
    RF Profile
    2.4 GHz band..................................... <none>
    5 GHz band....................................... <none>
    WLAN ID          Interface          Network Admission Control          Radio Policy
     1               group for mumbai     Disabled                          None
     2               guest wifi           Disabled                          None
    *AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
    AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
    FAL-7-AP08           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:24:d8         7th Floor  1     IN       3
    --More-- or (q)uit
    FAL-7-AP10           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:18         7th Floor  1     IN       1
    FAL-7-AP14           2     AIR-CAP2702I-D-K9    f0:7f:06:bf:ad:e8         7th Floor  1     IN       1
    FAL-7-AP01           2     AIR-CAP2702I-D-K9    f0:7f:06:bf:b0:4c         7th Floor  1     IN       1
    FAL-7-AP07           2     AIR-CAP2702I-D-K9    f0:7f:06:30:92:bc         7th Floor  1     IN       1
    FAL-7-AP13           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:80         7th Floor  1     IN       1
    FAL-7-AP02           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:94         7th Floor  1     IN       1
    FAL-7-AP05           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:e8         7th Floor  1     IN       1
    FAL-7-AP12           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:f0         7th Floor  1     IN       3
    FAL-7-AP03           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:e4         7th Floor  1     IN       1
    FAL-7-AP06           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:84         7th Floor  1     IN       3
    FAL-7-AP04           2     AIR-CAP2702I-D-K9    f0:7f:06:bf:b0:14         7th Floor  1     IN       1
    FAL-7-AP09           2     AIR-CAP2702I-D-K9    f0:7f:06:92:b4:c8         7th Floor  1     IN       3
    FAL-7-AP11           2     AIR-CAP2702I-D-K9    f0:7f:06:30:93:08         7th Floor  1     IN       1
    Site Name........................................ MUMBAI-THIRD-FLOOR-AP
    Site Description................................. MUMBAI-THIRD-FLOOR-AP
    Venue Group Code................................. Unspecified
    Venue Type Code.................................. Unspecified
    NAS-identifier................................... Fractal-WLC1
    Client Traffic QinQ Enable....................... FALSE
    --More-- or (q)uit
    DHCPv4 QinQ Enable............................... FALSE
    AP Operating Class............................... Not-configured
    Capwap Prefer Mode............................... Not-configured
    RF Profile
    2.4 GHz band..................................... <none>
    5 GHz band....................................... <none>
    WLAN ID          Interface          Network Admission Control          Radio Policy
     1               group for mumbai     Disabled                          None
     2               guest wifi           Disabled                          None
    *AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
    AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
    FAL-3-AP07           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:a4         3rd Floor  1     IN       3
    FAL-3-AP09           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:94         3rd Floor  1     IN       3
    FAL-3-AP11           2     AIR-CAP2702I-D-K9    f4:0f:1b:73:00:74  3rd Floor- Eurek  1     IN       3
    FAL-3-AP06           2     AIR-CAP2702I-D-K9    f0:7f:06:bf:ae:d0         3rd Floor  1     IN       3
    --More-- or (q)uit
    FAL-3-AP10           2     AIR-CAP2702I-D-K9    f0:7f:06:92:b5:88         3rd Floor  1     IN       3
    FAL-3-AP08           2     AIR-CAP2702I-D-K9    f0:7f:06:92:b4:9c         3rd Floor  1     IN       3
    FAL-3-AP03           2     AIR-CAP2702I-D-K9    f0:7f:06:bf:af:a0         3rd Floor  1     IN       1
    FAL-3-AP12           2     AIR-CAP2702I-D-K9    f0:7f:06:92:b3:fc  3rd Floor- Eurek  1     IN       3
    FAL-3-AP02           2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:28         3rd Floor  1     IN       3
    FAL-3-AP01           2     AIR-CAP2702I-D-K9    f0:7f:06:92:b4:f4         3rd Floor  1     IN       3
    FAL-3-AP04           2     AIR-CAP2702I-D-K9    f0:7f:06:30:92:8c         3rd Floor  1     IN       2
    FAL-3-AP05           2     AIR-CAP2702I-D-K9    f0:7f:06:30:91:f4         3rd Floor  1     IN       3
    Site Name........................................ RAHEJA-AP-GROUP
    Site Description................................. RAHEJA-AP-GROUP
    Venue Group Code................................. Unspecified
    Venue Type Code.................................. Unspecified
    NAS-identifier................................... Fractal-WLC1
    Client Traffic QinQ Enable....................... FALSE
    DHCPv4 QinQ Enable............................... FALSE
    AP Operating Class............................... Not-configured
    Capwap Prefer Mode............................... Not-configured
    RF Profile
    --More-- or (q)uit
    2.4 GHz band..................................... <none>
    5 GHz band....................................... <none>
    WLAN ID          Interface          Network Admission Control          Radio Policy
     5               raheja-interface     Disabled                          None
     2               raheja-guest         Disabled                          None
    *AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz radios.
    AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country  Priority
    FAL-RAHEJA-AP04      2     AIR-CAP2702I-D-K9    f0:7f:06:8d:24:1c  Near Meeting Roo  1     IN       3
    FAL-RAHEJA-AP02      2     AIR-CAP2702I-D-K9    f0:7f:06:8d:37:3c   Confrennce Room  1     IN       3
    FAL-RAHEJA-AP03      2     AIR-CAP2702I-D-K9    f0:7f:06:30:93:48  Near Confrence R  1     IN       3
    FAL-RAHEJA-AP05      2     AIR-CAP2702I-D-K9    f0:7f:06:bf:ae:c0  Near Meeting Roo  1     IN       3
    FAL-RAHEJA-AP06      2     AIR-CAP2702I-D-K9    f0:7f:06:92:b3:a0  Near Server Room  1     IN       3
    FAL-RAHEJA-AP01      2     AIR-CAP2702I-D-K9    f0:7f:06:92:b3:20    Reception Area  1     IN       3
    FAL-RAHEJA-AP08      2     AIR-CAP2702I-D-K9    f0:7f:06:8d:25:68  USER BAY ROAD si  1     IN       1
    FAL-RAHEJA-AP09      2     AIR-CAP2702I-D-K9    f0:7f:06:92:b4:d4     Training Room  1     IN       1
    --More-- or (q)uit
    Site Name........................................ default-group
    Site Description................................. <none>
    NAS-identifier................................... Fractal-WLC1
    Client Traffic QinQ Enable....................... FALSE
    DHCPv4 QinQ Enable............................... FALSE
    AP Operating Class............................... Not-configured
    Capwap Prefer Mode............................... Not-configured
    RF Profile
    2.4 GHz band..................................... <none>
    5 GHz band....................................... <none>
    WLAN ID          Interface          Network Admission Control          Radio Policy
     1               group for mumbai     Disabled                          None
     2               guest wifi           Disabled                          None
     3               gurgaon-interface    Disabled                          None
     4               gurgaon-guest        Disabled                          None
     5               raheja-interface     Disabled                          None
     6               test                 Disabled                          None
    (Cisco Controller) >show flexconnect group summary
    FlexConnect Group Summary: Count: 4
    Group Name                # Aps
    Gurgaon-AP                         9
    HQ-3RD-FLR-AP-GROUP                        12
    HQ-7THFLR-AP-GROUP                         14
    Raheja-AP-Group                            8
    (Cisco Controller) >show flexconnect group detail Gurgaon-AP
    Number of AP's in Group: 9
    bc:16:65:13:71:00    GUR-AP-03     Joined    Flexconnect
    f4:4e:05:45:78:98    GUR-AP-08     Joined    Flexconnect
    f4:4e:05:78:ae:64    GUR-AP-04     Joined    Flexconnect
    f4:4e:05:78:ae:e4    GUR-AP-01     Joined    Flexconnect
    f4:4e:05:80:b3:2c    GUR-AP-02     Joined    Flexconnect
    f4:4e:05:80:b3:e0    GUR-AP-06     Joined    Flexconnect
    f4:4e:05:80:b3:f8    GUR-AP-07     Joined    Flexconnect
    f4:4e:05:80:b4:44    GUR-AP-09     Joined    Flexconnect
    f4:4e:05:80:b5:18    GUR-AP-05     Joined    Flexconnect
    Efficient AP Image Upgrade ..... Disabled
    Master-AP-Mac     Master-AP-Name                    Model      Manual
    Group Radius Servers Settings:
    Type           Server Address    Port
    Primary        Unconfigured      Unconfigured
    Secondary      Unconfigured      Unconfigured
    --More-- or (q)uit
    Group Radius AP Settings:
    AP RADIUS server............ Disabled
    EAP-FAST Auth............... Disabled
    LEAP Auth................... Disabled
    EAP-TLS Auth................ Disabled
    EAP-TLS CERT Download....... Disabled
    PEAP Auth................... Disabled
    Server Key Auto Generated... No
    Server Key..................     <hidden>
    Authority ID................ 436973636f0000000000000000000000
    Authority Info.............. Cisco A_ID
    PAC Timeout................. 0
    Multicast on Overridden interface config: Disabled
    DHCP Broadcast Overridden interface config: Disabled
    Number of User's in Group: 0
    Vlan :........................................... 203
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 205
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 204
    --More-- or (q)uit
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 206
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 207
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 208
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 209
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 210
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 211
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 212
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    --More-- or (q)uit
    Vlan :........................................... 216
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 217
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Vlan :........................................... 218
            Ingress ACL :................................... None
            Egress ACL :.................................... None
    Group-Specific FlexConnect Wlan-Vlan Mapping:
    WLAN ID     Vlan ID
    WLAN ID   SSID                            Central-Dhcp  Dns-Override  Nat-Pat
    (Cisco Controller) >
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 6
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name        PMIPv6 Mobility
    1        FRACTAL-EMP-MUMBAI / FRACTAL           Enabled   group for mumbai      none
    2        FRACTAL-GUEST / FRACTAL-GUEST          Enabled   guest wifi            none
    3        FRACTAL-EMP-GURGAON / FRACTAL-GURGAON  Enabled   gurgaon-interface     none
    4        GURGAON-GUEST / FRACTAL-GUEST-GURGAON  Enabled   gurgaon-guest         none
    5        RAHEJA-EMP-WIRELESS / FRACTAL-R        Enabled   raheja-interface      none
    6        TEST-SSID / TEST-SSID                  Enabled   test                  none
    Hope this will give you a proper understanding.

  • Issue installing a SSL certificate on WLC

    I have a certificate obtained from Verisign for logging in to a wireless campus network, and I'm installing it via TFTP to the WLC. At the end of the transfer, the following message appears:
    "TFTP WPS Signature file transfer starting.
    TFTP receive complete... updating WPS signatures.
    Error in signature file. Please check message log"
    In the WLC log files the following errors appear:
    Thu Mar 12 15:39:55 2009 [ERROR] sig.c 758: ERROR reading revision number from new signature file
    Thu Mar 12 15:39:55 2009 [ERROR] sig.c 531: ERROR parsing revision number
    Thu Mar 12 15:39:55 2009 [ERROR] sig.c 459: ERROR: No value specified for token Bag Attributes
    But I don't know what exactly that means, or how I can fix it.
    I followed a Cisco guide for this approach, using the OpenSSL program.

    I fixed the last issue, but now the certificate is already on the WLC but is not installed; the log file says:
    Fri Mar 20 10:33:11 2009 [ERROR] sig.c 758: ERROR reading revision number from new signature file
    Fri Mar 20 10:33:11 2009 [ERROR] sig.c 531: ERROR parsing revision number
    Fri Mar 20 10:33:11 2009 [ERROR] sig.c 459: ERROR: No value specified for token
    The compatibility is on. The file is .crt; for testing I've changed it to .cer and .pem, but none of them has been successful.
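
The token named in the log above, "Bag Attributes", is the text that `openssl pkcs12` writes ahead of each PEM block when it exports a bundle. As an added example (not from the post or from the Cisco guide it mentions), this Python check lists every line that sits outside the PEM blocks of a file, sanity-checks each block body, and rebuilds the file with only the blocks; the function names are hypothetical and the sample input is constructed, not a real certificate.

```python
import base64
import binascii
import re

# One complete PEM block: matching BEGIN/END labels around a body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

def looks_like_der(body):
    """True if the block body is valid base64 that decodes to an ASN.1 SEQUENCE."""
    try:
        raw = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:1] == b"\x30"

def split_pem(text):
    """Return (blocks, stray): blocks as (label, full_text, body_ok) and
    the non-blank lines found outside every PEM block."""
    blocks, stray, pos = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        stray += [l.strip() for l in text[pos:m.start()].splitlines() if l.strip()]
        blocks.append((m.group(1), m.group(0), looks_like_der(m.group(2))))
        pos = m.end()
    stray += [l.strip() for l in text[pos:].splitlines() if l.strip()]
    return blocks, stray

def clean_pem(text):
    """Rebuild the file from its PEM blocks only, dropping all stray text."""
    blocks, _ = split_pem(text)
    return "\n".join(full for _, full, _ in blocks) + "\n"

# Constructed sample: the preamble shape of an `openssl pkcs12` export,
# with a dummy body that is valid base64 but not a real certificate.
SAMPLE = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/CN=wlc.example.test
issuer=/CN=Example Test CA
-----BEGIN CERTIFICATE-----
MIIBAAAAAAAAAAAA
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    blocks, stray = split_pem(SAMPLE)
    for label, _, ok in blocks:
        print(f"block: {label}  body decodes as DER SEQUENCE: {ok}")
    for line in stray:
        print(f"stray line outside PEM blocks: {line!r}")
    print(clean_pem(SAMPLE), end="")
```
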
