WLC L3 Roaming Using FlexConnect

Hi everyone.
A customer has a network with several buildings (each with a different VLAN/subnet) and a single WLC.
The Access Points are grouped by AP groups, and in each building the clients are assigned to different VLANs.
There is one single SSID which the users connect to on the entire campus, and it assigns (as expected) different IP address segments depending on which building the users are connecting from.
The problem comes whenever a user is in one building and walks to another: since the buildings are not that far from each other, the client machine is still connected to the network, so it tries to roam, but it doesn't know that it has to refresh its IP address.
I know there's something that is not working here, but I can't find documentation about this. Is this a supported configuration? Is this the expected behaviour? How can I fix this?
Thanks in advance for your help

If you are using FlexConnect local switching, then L3 roaming is an unsupported feature.
Here is some reference in the 7.6 configuration guide (see the Configuring FlexConnect section, or page 926):
http://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76.pdf
Here is another good reference about FlexConnect design from a Cisco Live presentation:
BRKEWN-2016 - Architecting Network for Branch Offices with CUWN
As you can see on page 9, these are the advantages you get if you have a local WLC at your branch. L3 roaming is one of them:
* Cookie cutter configuration for every branch site 
* Layer-3 roaming within the branch 
* WGB support 
* Reliable Multicast (filtering) 
* IPv6 L3 Mobility 
HTH
Rasika
**** Pls rate all useful responses. Each time you rate a response Cisco will donate $1 to Kiva ****

Similar Messages

  • What are the advantages of using FlexConnect groups

    What are the advantages of using FlexConnect groups in the WLC?
    Reg,
    Ezra.

    Please refer to this document for more detail about these features:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1091114
    FlexConnect is one mode in which an AP can operate, typically deployed in a branch setup where you do not have a controller at the branch site. Those APs can register to a controller at your HQ or main site, so traffic will terminate at your branch switch instead of being tunnelled back to the HQ WLC.
    If you want roaming within your branch FlexConnect APs, then you have to put those APs into a FlexConnect Group. Only then is key information shared among those APs to facilitate fast roaming.
    Please do not forget to rate our responses if you find them useful.
    HTH
    Rasika

  • Roaming between Flexconnect groups for scaling

    I have a customer that needs flexconnect at each of his 10 locations to access local servers and printers. The customer has a pair of 5508 WLCs running 7.6.130.0.
    While the customer currently has 25 and under AP count per site, they are considering an expansion to 50 - 60 per site.
    We are considering the mobility agent on 3650/3850/4500 switches, but the multi-hop restriction will drive the cost too high.
    What is the downside for defining multiple flexconnect groups per site?
    The customer is also considering Unified Communications. For example, would the voice RTP stream on a wireless IP phone roaming between APs on different flexconnect groups appear to be seamless?

    If you plan on utilizing any real-time applications such as voice, you would not want these devices to be roaming between FlexConnect Groups. There will be a full re-authentication of the client, with the exception of OKC-capable machines, which "may" roam more cleanly. This means some standard data clients may perform a fast roam, or at least not notice much of a hiccup even with a full re-auth.
    In either scenario, you would want to make sure this is NOT an L3 mobility roam (i.e. FlexConnect WLAN/VLAN mapping to different networks). This will cause major problems for all your clients, as they will most likely end up talking on the new VLAN with their old IP address.
    Mobility / Roaming Scenarios          | WLAN Configuration: Local Switching        | WLAN Configuration: Central Switching
                                          | CCKM         | PMK (OKC)    | Others       | CCKM      | PMK (OKC) | Others
    Mobility Between Same Flex Group      | Fast Roam(1) | Fast Roam(1) | Full Auth(1) | Fast Roam | Fast Roam | Full Auth
    Mobility Between Different Flex Group | Full Auth(1) | Fast Roam(1) | Full Auth(1) | Full Auth | Fast Roam | Full Auth
    Inter Controller Mobility             | N/A          | N/A          | N/A          | Full Auth | Fast Roam | Full Auth
    (1) Provided WLAN is mapped to the same VLAN (same subnet).
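As an added illustration (not code from either thread above, and not a Cisco tool), here is a small Python audit of a FlexConnect WLAN-to-VLAN inventory. It flags exactly the situation the original question describes and the answer above warns against: the same WLAN mapped to different subnets in two FlexConnect groups, so a client crossing that boundary keeps an address the new VLAN cannot route until it renews its DHCP lease. The group names, WLAN names, subnets and client addresses are constructed for the example and are assumptions, not values from the threads.

```python
import ipaddress
from itertools import combinations

# Constructed inventory of FlexConnect groups and the subnet each locally
# switched WLAN maps to in that group. All names and subnets are made up.
FLEX_GROUPS = {
    "BuildingA": {"Campus-SSID": "10.10.1.0/24", "Voice": "10.10.5.0/24"},
    "BuildingB": {"Campus-SSID": "10.10.2.0/24", "Voice": "10.10.5.0/24"},
    "BuildingC": {"Campus-SSID": "10.10.2.0/24", "Voice": "10.10.5.0/24"},
}


def l3_roam_boundaries(groups):
    """List (wlan, group1, group2, subnet1, subnet2) for every pair of
    FlexConnect groups in which the same WLAN is mapped to different subnets.
    A client roaming across such a pair needs an L3 roam, which FlexConnect
    local switching does not provide: it keeps its old IP on the new VLAN."""
    findings = []
    for g1, g2 in combinations(sorted(groups), 2):
        for wlan in sorted(set(groups[g1]) & set(groups[g2])):
            n1 = ipaddress.ip_network(groups[g1][wlan], strict=True)
            n2 = ipaddress.ip_network(groups[g2][wlan], strict=True)
            if n1 != n2:
                findings.append((wlan, g1, g2, str(n1), str(n2)))
    return findings


def classify_roam(groups, wlan, from_group, to_group, client_ip):
    """Classify one roam for a client currently holding client_ip.
    'client-ip-not-in-source-subnet': the address does not belong to the
        source mapping, so the inventory or the client state is wrong.
    'intra-group-l2': same flex group and subnet (fast roam possible).
    'inter-group-l2': different group, address still valid on the new VLAN
        (full re-auth per the table above unless OKC, but traffic flows).
    'inter-group-l3-stale-ip': the address is not valid on the new VLAN;
        the client is effectively black-holed until it refreshes its lease."""
    src = ipaddress.ip_network(groups[from_group][wlan], strict=True)
    dst = ipaddress.ip_network(groups[to_group][wlan], strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in src:
        return "client-ip-not-in-source-subnet"
    if from_group == to_group:
        return "intra-group-l2"
    if ip in dst:
        return "inter-group-l2"
    return "inter-group-l3-stale-ip"


def report(groups):
    """Human-readable summary of every L3 roam boundary in the inventory."""
    lines = [
        f"L3 roam boundary on {wlan}: {g1} ({n1}) <-> {g2} ({n2})"
        for wlan, g1, g2, n1, n2 in l3_roam_boundaries(groups)
    ]
    return lines or ["no L3 roam boundaries found"]


if __name__ == "__main__":
    print("\n".join(report(FLEX_GROUPS)))
    print(classify_roam(FLEX_GROUPS, "Campus-SSID", "BuildingA", "BuildingB", "10.10.1.50"))
```

Run against a real inventory, every line the report prints is a pair of buildings between which the walking-user symptom in the original question is expected; the fix is to make the WLAN map to the same subnet on both sides (or to central-switch that WLAN), not to tune roaming.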

  • Multiple WLC redundancy using flexconnect across multiple branches.

    Hi
    I'm wondering if someone could give me a hint please.
    I have two WLC 5508s in two different branches/countries. 
    They have APs configured as Flexconnect with local routing.
    However all the APs are only on the first controller as the controller IP was manually entered before deployment.
    (I'm guessing this will need to be changed to DNS resolution?)
    1. I would like to load balance APs that are in more countries/branches across Europe between the two WLCs.
    2. And/or, if one of the controllers goes down, the APs would automatically move onto the other one.
    I'm just not sure if both can be done if the APs are in FlexConnect mode.
    Thanks in advance for any replies.

    Hi,
    1. I would like to load balance APs that are in more countries/branches across Europe between the two WLCs.
    It can work, if you have configured both WLCs in exactly the same way (same WLAN ID, same WLAN name, etc.).
    2. And/or, if one of the controllers goes down, the APs would automatically move onto the other one.
    If the configuration on both WLCs is the same, then when the primary fails the secondary will take over. Make sure the WLAN ID order is consistent.
    Regards

  • WLC 7.4 and Flexconnect AP support

    Hi all,
    Forgive me for not finding it on my own since I am sure it exists. Does anyone have a link to a support chart that shows where support for APs stops on WLC 7.4 code? Specifically, while running APs in Flexconnect mode? Thanks in advance

    Sure, it's always in the release notes.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html#wp1029587
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC 5760 centralized mode Flexconnect support?

    Hi all,
    I am currently digging through the documentation about the 5760 WLC and converged access mode and found one particular piece of information that I need more clarification on.
    This is the link
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps12598/qa_c67-726507.html
    And here the specific snippet:
    Q. What deployment modes can the Cisco 5760 WLC and Cisco Catalyst 3850 support?
    A. The Cisco 5760 WLC can operate in centralized mode (also known as local mode) as well as converged access mode, whereas the Cisco Catalyst 3850 operates in converged access mode. At this time, there is no support for office-extend access points, indoor or outdoor mesh, or FlexConnect access points on the Cisco 5760 WLC and Cisco Catalyst 3850.
    Now my questions are:
    Does this apply to the converged access mode only or also centralized mode?
    Do 5508/WiSM2 WLCs still support APs in the specified modes even when using the new mobility architecture?
    When is it planned to add support for the new platforms, if at all?
    Hoping for some answers!
    Regards,
    Patrick

    Hi Patrick,
    Why not post your question here;
    https://supportforums.cisco.com/thread/2220448
    There's an open forum Converged Access Q&A session on the go direct with Cisco...
    Richard

  • WLC - 7920 roam reason troubleshooting

    Hi,
    I have one WLC 4402 (4.1.185) and I have some Cisco 7920s. I only use local MAC filtering.
    I also have WCS 4.1, and I tried to generate a roam reason report, but the report didn't show any info.
    How can I see this info in the WLC or in WCS?
    Best Regards,
    MC

    Hi,
    I also didn't see PCs roaming. I thought I would have to configure CCKM instead of MAC filtering to see the 7920 roam in the WLC.
    Regards,
    MC

  • 2504 WLC HA sku Using N+1 -- What code to use?

    Just need a little direction please, could anyone tell me if N+1 is supported in 7.4.121 code using the 2504 HA sku WLC? I am finding some conflicting information on Cisco docs and forums. If not, what would be the most stable code to use that would support N+1 with the 2504 HA sku?

    Hello Britain, starting with Release 7.4, the -HA SKU can be used in N+1 mode. After 90 days, a daily reminder about reconnecting the primary controller will be sent to the network administrator.

  • WLC Client Roaming Between APs

    I have a single WLC with AP1231's. I have clients associating to one AP, but they are not always re-associating to an alternate AP as always desired when roaming to an alternate location. Is there a way to adjust how clients associate to an alternate AP based on better signal strength of a closer AP?

    The best place to look for the commands is in the command reference for your specific version, as they do vary quite a bit from version to version.
    There are also client settings on the adapter which dictate how the client behaves; on the Intel client you can change the conditions which cause the client to roam. I am also assuming that you have good wireless coverage, otherwise the clients will tend to stick to the one cell. There are various settings on the controller to adjust for performance and coverage; there is one setting which says it can adjust the power settings on the client. I would check with the notebook supplier, as I recently did work with an IBM which required a patch.
    On the Intel client, under Advanced, there is a setting called "Roaming Aggressiveness".
    Best of luck

  • File associations not roamed using Remote Desktop Server 2012 R2 Standard

    Hello everyone,
    As the title mentions, some file associations do not seem to roam on an RDS 2012 R2 server. We use the following configuration:
    Windows Server 2012 R2 Remote Desktop Server(s)
    Roaming Profiles to a user based network share
    Delete cached copies of Roaming profiles [Computer GPO]
    So there is no local stored profile after logoff. 
    Exclude directories in roaming profile [User GPO]
    We only exclude "$Recycle.Bin" for testing. So all other profile settings (Local, LocalLow, Roaming) should be roamed.
    With the above settings, some associations are not remembered after logoff and logon. For example, .pdf is always restored to MS Word even if Acrobat Reader is chosen as the default program.
    When we do not delete the cached copy of the Roaming profile [Computer GPO], the file associations are remembered after logoff and logon.
    We did a little of research:
    When changing the default application for PDF files to Acrobat Reader, the setting for this user in the registry is:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
    Hash: BTWAFQFaLiw=
    ProgId: AcroExch.Document.11
    After logging off, the NTUSER.DAT for this user does contain the same settings. I guess the settings are successfully roamed to the shared roaming folder.
    But after login, the settings are set back to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
    Hash: mj3iGjB82bU=
    ProgId: AppX86746z2101ayy2ygv3g96e4eqdf8r99j
    My suspicion is that these settings are not restored in the cached roaming profile.
    Does anyone recognise this and know if there is a solution for this issue?
    Using an association configuration file (DISM) with the Computer GPO setting "Set a default association configuration file", we can set the default program for the users. But this is a global Computer GPO setting, and not all users must have the same default programs.
    Using this setting is not an option for our environment.
    Hope someone can help us.

    Hi,
    For this you can make one separate group for all those users and apply the policy setting which you want to set up. But as far as I know, Windows uses the Local and LocalLow folders for application data that does not roam with the user. Usually this data is either machine specific or too large to roam. Maybe your thought would be a workaround.
    More information.
    Deploy Roaming User Profiles
    https://technet.microsoft.com/en-us/library/jj649079.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Cisco 4402 WLC IOS Upgrade using CLI and Web Interface

    Hi,
    I would like to know how to upgrade the IOS of a Cisco 4402 Wireless LAN Controller using the CLI and the Web interface.
    Can anyone help me regarding the same?
    Please answer as soon as possible.
    Thanks in advance.

    Here are the instructions for upgrading the controllers via GUI:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn52.html#wp472449
    Instructions via cli:
    Cisco recommends that a direct CLI console port connection is used to update the controller software.
    1. Make sure a TFTP server is available for the Operating System (OS) software download. Also, keep these guidelines in mind when the TFTP server is set up:
    If a download is performed through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable.
    If a download is performed through the Distribution System (DS) network port, the TFTP server can be on the same or a different subnet because the DS port is routable.
    The TFTP server cannot run on the same computer as the Cisco Wireless Control System (WCS) because WCS and the TFTP server use the same communication port.
    2. Download the desired OS software update file from the Cisco website to the default directory on the TFTP server.
    3. Log into the WLC CLI.
    4. Issue the ping server-ip-address command to verify that the WLC can contact the TFTP server.
    5. Issue the transfer download start command and answer n when prompted to view the current download settings.
    This example shows the command output:
    transfer download start
    Mode........................................... TFTP
    Data Type...................................... Code
    TFTP Server IP................................. xxx.xxx.xxx.xxx
    TFTP Path......................................
    TFTP Filename.................................. AS_2000_3_0_x_x.aes --OR-- AS_4100_3_0_x_x.aes --OR-- AS_4400_3_0_x_x.aes
    Are you sure you want to start? (y/n) n
    Transfer Canceled
    6. Issue these commands to change the download settings:
    * transfer download mode tftp
    * transfer download datatype code
    * transfer download serverip tftp-server-ip-address
    * transfer download filename filename
    * transfer download path absolute-tftp-server-path-to-file
    Note: All TFTP servers require the full pathname. For example, in Windows, the path is C:\TFTP-Root. (In UNIX forward slashes (/) are required.)
    7. Issue the transfer download start command to view the updated settings, and answer y when prompted to confirm the current download settings and start the OS code download.
    This example shows the download command output:
    transfer download start
    Mode........................................... TFTP
    Data Type...................................... Code
    TFTP Server IP................................. xxx.xxx.xxx.xxx
    TFTP Path...................................... path>
    TFTP Filename.................................. AS_2000_3_0_x_x.aes --OR-- AS_4100_3_0_x_x.aes --OR-- AS_4400_3_0_x_x.aes
    Are you sure you want to start? (y/n) y
    TFTP Code transfer starting.
    TFTP receive complete... extracting components.
    Writing new bootloader to flash.
    Making backup copy of RTOS.
    Writing new RTOS to flash.
    Making backup copy of Code.
    Writing new Code to flash.
    TFTP File transfer operation completed successfully. Please
    restart the switch (reset system) for update to complete.
    8. The WLC now has the code update in active volatile RAM, but the reset system command must be issued to save the code update to non-volatile RAM (NVRAM) and reboot the WLC.
    This is a sample output:
    The system has unsaved changes.
    Would you like to save them now? (y/n) y
    The controller completes the bootup proce

  • If anchor WLC fails, roaming wireless users get "stuck"

    I did a test in our lab where I roamed from an AP on WLC A to an AP on WLC B. My client kept its same IP address and connectivity remained. I'm running WLC 4.0.219, so the traffic at this point was not symmetrical, but the connectivity was up. WLC A was the anchor WLC.
    Then I failed WLC A. My wireless client still had its original IP address from WLC A, so I lost all connectivity. WLC B did not try to do anything so that my client would get a new IP address (from WLC B) and regain connectivity.
    The only way I could get my client to work again was to go to WLC B and "Remove" the client. It looks like this forced the client to re-authenticate and get a new IP address.
    Is this the only way to get a client back on the network in this type of failure scenario?

    Did both WLCs have dynamic interfaces on the same subnet, or did each WLC have interfaces on different subnets? I have tried this failure before with no issues, as long as the WLCs have interfaces on the same subnet for the users.

  • WLC L3 Roaming - Step by Step Guide

    Guys,
    I know that there are very similar diagrams in the mobility guide on L3 roaming, but I wanted to put a bit more text around each step and wanted you guys to check if it is correct or if I have got it completely wrong. It is just important to get this bit of the puzzle correct.
    Please see the attached jpeg diagram (I can post it in Visio if you prefer).
    Have I got the text correct in regards to how this works? I am giving our support guys a heads up on this at some stage, so it would be good to get some comments.
    Kindest regards as always, and thx for all the help.
    Ken

    Here is a link regarding what you are looking for. Your diagram seems accurate though.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42mobil.html

  • WLC roaming debug assistance

    I'm in a position where I need to prove that a supplier's device doesn't truly roam between APs on a WLC. The device will eventually drop the AP when the signal is low enough and then re-authenticate to a new AP, but it doesn't seamlessly roam.
    As far as proving it, on the WLC Client Detail page, the device doesn't support CCX extensions, which, as far as I understand, is probably evidence enough in itself.
    I've also logged the device and have only ever seen
    xx:xx:xx:xx:xx Association received from mobile on BSSID aa:aa:aa:aa:aa
    I've never seen a
    xx:xx:xx:xx:xx Reassociation received from mobile on BSSID aa:aa:aa:aa:aa
    Is that evidence enough that the device doesn't actually roam?
    Is there a more elegant way, in layman's terms, to prove the point?

    Hi
    I can see multiple times that the given client's authentication failed. So it looks like the given client is unable to connect to the network. See the reference time interval and the Access-Reject message for this client.
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 PMK: Sending cache delete
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Removing PMK cache entry for station 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 167)
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 167)
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=167) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.537: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:43:20.537: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *osapiBsnTimer: Sep 22 10:44:31.404: 00:80:48:78:50:65 802.1x 'timeoutEvt' Timer expired for station 00:80:48:78:50:65 and for message = M0
    *dot1xMsgTask: Sep 22 10:44:31.404: 00:80:48:78:50:65 Retransmit 1 of EAP-Request (length 95) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.418: 00:80:48:78:50:65 Received EAPOL EAPPKT from mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Received EAP Response from mobile 00:80:48:78:50:65 (EAP Id 231, EAP Type 25)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.419: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 231)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 231)
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=231) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:44:31.423: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.319: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.320: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 140)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 140)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=140) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 apfBlacklistMobileStationEntry2 (apf_ms.c:6172) Changing state for mobile 00:80:48:78:50:65 on AP 6c:99:89:77:41:e0 from Associated to Exclusion-list (1)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Scheduling deletion of Mobile Station:  (callerId: 44) in 10 seconds
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 10.0.45.201 8021X_REQD (3) Change state to START (0) last state 8021X_REQD (3)
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 10.0.45.201 START (0) Reached FAILURE: from line 5620
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Max AAA failure for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    *osapiBsnTimer: Sep 22 10:47:33.204: 00:80:48:78:50:65 802.1x 'quiteWhile' Timer expired for station 00:80:48:78:50:65 and for message = M0
    *osapiBsnTimer: Sep 22 10:47:38.204: 00:80:48:78:50:65 apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
    *apfReceiveTask: Sep 22 10:47:38.204: 00:80:48:78:50:65 Freeing EAP Retransmit Bufer for mobile 00:80:48:78:50:65
    *apfReceiveTask: Sep 22 10:47:38.204: 00:80:48:78:50:65 Sent Deauthenticate to mobile on BSSID 6c:99:89:77:41:e0 slot 0(caller apf_ms.c:7065)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.223: 00:80:48:78:50:65 Sending EAP Request from AAA to mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.223: 00:80:48:78:50:65 Reusing allocated memory for  EAP Pkt for retransmission to mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Received EAPOL EAPPKT from mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Received EAP Response from mobile 00:80:48:78:50:65 (EAP Id 31, EAP Type 25)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Resetting reauth count 0 to 0 for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.233: 00:80:48:78:50:65 Entering Backend Auth Response state for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 Processing Access-Reject for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 apfMsPeapSimReqCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.240: 00:80:48:78:50:65 apfMsPeapSimReqFailureCntInc
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 1 PMK-remove groupcast messages sent 
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Removing PMK cache due to EAP-Failure for mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Sending EAP-Failure to mobile 00:80:48:78:50:65 (EAP Id 31)
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Entering Backend Auth Failure state (id=31) for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 Setting quiet timer for 5 seconds for mobile 00:80:48:78:50:65
    *Dot1x_NW_MsgTask_5: Sep 22 10:52:47.241: 00:80:48:78:50:65 dot1x - moving mobile 00:80:48:78:50:65 into Unknown state
    Also, a few times the client is forced to go to START status from RUN status with the reasoning below. Make sure you disable management frame protection (802.11w) on this WLAN. Also, if this is a FlexConnect deployment, make sure you use a FlexConnect Group if you are required to support Opportunistic Key Caching (a kind of fast roaming).
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfValidateDot11wGroupMgmtCipher:1552, Received NULL 11w Group Mgmt Cipher Suite for STA, hence returning
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 AID 1 in Assoc Req from flex AP 68:86:a7:29:cf:60 is same as in mscb 00:80:48:78:50:65
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfMsRunStateDec
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 apfMs1xStateDec
    *apfMsConnTask_7: Sep 22 11:02:23.723: 00:80:48:78:50:65 10.0.45.201 RUN (20) Change state to START (0) last state RUN (20)
    HTH
    Rasika
    **** Pls rate all useful responses ****
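To make the kind of evidence discussed in the question and answer above reproducible, here is an added Python example (not from the thread, and not a Cisco tool) that parses WLC "debug client" output in the line format shown, counts per-client Association versus Reassociation frames, Access-Rejects, PMK cache removals, exclusion-list entries and RUN-to-START transitions, and gives a verdict: AAA failures are reported first (as the answer points out, a client that is being rejected is an authentication problem, not a roaming one), then whether the device re-associates across BSSIDs or only ever associates afresh. The sample lines, client MACs, BSSIDs and timestamps are constructed for the example.

```python
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# One WLC debug line: "*<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>" + MAC + r") (?P<msg>.*)$"
)
BSSID_RE = re.compile(r"on BSSID (" + MAC + r")")

# Message fragments worth counting; the first matching label wins.
EVENT_PATTERNS = [
    ("association", re.compile(r"^Association received from mobile")),
    ("reassociation", re.compile(r"^Reassociation received from mobile")),
    ("access_reject", re.compile(r"Processing Access-Reject")),
    ("eap_failure", re.compile(r"Sending EAP-Failure")),
    ("pmk_removed", re.compile(r"Removing PMK cache")),
    ("excluded", re.compile(r"from Associated to Exclusion-list")),
    ("max_aaa_failure", re.compile(r"Max AAA failure")),
    ("run_to_start", re.compile(r"RUN \(\d+\) Change state to START")),
]

# Constructed sample in the same line format as the thread's debug output.
# Client MACs, BSSIDs and timestamps are made up for the example.
SAMPLE_DEBUG = """\
*apfMsConnTask_7: Sep 22 10:43:11.100: 00:11:22:33:44:55 Association received from mobile on BSSID 00:aa:bb:00:00:01
*Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:11:22:33:44:55 Processing Access-Reject for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:11:22:33:44:55 Removing PMK cache due to EAP-Failure for mobile 00:11:22:33:44:55 (EAP Id 167)
*Dot1x_NW_MsgTask_5: Sep 22 10:43:20.536: 00:11:22:33:44:55 Sending EAP-Failure to mobile 00:11:22:33:44:55 (EAP Id 167)
*Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:11:22:33:44:55 apfBlacklistMobileStationEntry2 (apf_ms.c:6172) Changing state for mobile 00:11:22:33:44:55 on AP 00:aa:bb:00:00:01 from Associated to Exclusion-list (1)
*Dot1x_NW_MsgTask_5: Sep 22 10:47:28.327: 00:11:22:33:44:55 Max AAA failure for mobile 00:11:22:33:44:55
*apfMsConnTask_7: Sep 22 11:02:23.723: 00:11:22:33:44:55 10.0.45.201 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_7: Sep 22 11:05:02.001: 00:11:22:33:44:55 Association received from mobile on BSSID 00:aa:bb:00:00:02
*apfMsConnTask_3: Sep 22 11:06:40.510: aa:bb:cc:dd:ee:ff Association received from mobile on BSSID 00:aa:bb:00:00:01
*apfMsConnTask_3: Sep 22 11:09:15.020: aa:bb:cc:dd:ee:ff Reassociation received from mobile on BSSID 00:aa:bb:00:00:02
"""


def parse_debug(text):
    """Group recognised events per client MAC as (timestamp, label, bssid or None)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a client debug line (or a wrapped continuation)
        msg = m.group("msg")
        for label, pat in EVENT_PATTERNS:
            if pat.search(msg):
                b = BSSID_RE.search(msg)
                events[m.group("mac")].append((m.group("ts"), label, b.group(1) if b else None))
                break
    return dict(events)


def summarize(events):
    """Per-client counters plus the BSSIDs the client (re)associated to."""
    out = {}
    for mac, evs in events.items():
        counts = Counter(label for _, label, _ in evs)
        bssids = {b for _, label, b in evs if label in ("association", "reassociation") and b}
        out[mac] = {
            "counts": dict(counts),
            "bssids_seen": sorted(bssids),
            "reassociations": counts["reassociation"],
            "aaa_failures": counts["access_reject"],
            "excluded": counts["excluded"] > 0,
        }
    return out


def verdict(client):
    """Rule out AAA trouble first, then judge roaming from the frame types seen."""
    if client["excluded"] or client["aaa_failures"]:
        return "aaa-failure"      # RADIUS rejected the client; fix auth before judging roaming
    if client["reassociations"]:
        return "roams"            # Reassociation frames: the device performs a real roam
    if len(client["bssids_seen"]) > 1:
        return "reconnects"       # moves between APs only via fresh Association frames
    return "single-ap"


if __name__ == "__main__":
    for mac, client in summarize(parse_debug(SAMPLE_DEBUG)).items():
        print(mac, verdict(client), client["counts"], client["bssids_seen"])
```

Feed it a full debug client capture for the supplier's device: a "reconnects" verdict with a clean AAA record is the concrete form of the "only ever Association, never Reassociation" observation in the question, while an "aaa-failure" verdict means the capture is showing the problem the answer identified instead.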

  • FlexConnect Local Auth. Usernames not showing in WLC/NCS

    Hi,
    I am working on a new install where the customer is using local RADIUS servers at each of their many campuses (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network.
    For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.
    Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.
    Maybe I am going about this wrong. I am very open to alternative solutions.
    Thanks.

    After discussing this issue with local Cisco folks, TAC and colleagues, it seems that locally authenticated user names are not passed to the controller (or NCS). It's not a bug, it's just the way it is.
    If you want the AP to authenticate and locally switch users while communication to the controller is down (i.e. loss of WAN link), no usernames are sent to the controller for logging or troubleshooting... even when AP to WLC communication is working fine. It's a trade-off of information (usernames) for uptime.
    If any Cisco wireless development folks are browsing, consider this a 'feature' I would like to see. Thanks.
