WPA2 Auth on WLC 5760 using ISE 1.2

Similar Messages

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• ISE Compatibility with WLC 5760

  The ISE compatibility Matrix (June 5, 2013), does have a row for WLC 5760 in its tables.
  The WLC 5760 Release Notes says it is compatible with with ISE without specfying which features.
  Why is the WLC 5760 missing from the ISE Compat Matrix and how can I get specific ISE feature support (ie CoA, DACL).
  Thanks.         

  Hello Marvin,
  ISE 1.2 is in road map and it will be available till July 17, 2013 and that will support WLC 5760 and all the features which you are looking.

• WLC 5760 AUTHMGR-5-FAIL log

  I am using the WLC 5760
  My SSID use WPA2 PSK and i don't use ISE or Radius or AAA to authentication
  Some client can connect to the AP,but can not ping the gateway
  When i show logging from WLC,it will see the log like
  %AUTHMGR-5-FAIL: Authorization failed or unapplied for client
  How do i resolve this problem
  Thank's

  Hi,
  Have you made sure that the appropriate vlans are permitted on the trunk between the WLC and the switch?
  Normally the gateway is an SVI on a core switch, so if the vlan is not permitted, you wouldn't be able to ping the gateway.
  HTH
  Mike

• 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

  Hi,
  I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  GUEST1: 10.9.65.0/24 – VLAN 11
  GUEST2: 10.9.66.0/24 – VLAN 12
  GUEST3: 10.9.67.0/24 – VLAN 13
  Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
  The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
  The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
  Interface vlan 11 – 10.9.65.1
  Interface vlan 12 – 10.9.66.1
  Interface vlan 13 – 10.9.67.1
  wgh-anchorwlc5760-primary#show ip interface brief
  Interface              IP-Address      OK? Method Status                Protocol
  Vlan1                  10.8.252.1      YES NVRAM  up                    up
  Vlan11                 10.9.65.1       YES manual up                    up
  Vlan12                 10.9.66.1       YES manual up                    up
  Vlan13                 10.9.67.1       YES manual up                    up
  GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
  Te1/0/1                unassigned      YES unset  up                    up
  Te1/0/2                10.8.253.1      YES NVRAM  up                    up
  Capwap0                unassigned      YES unset  up                    up
  If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
  If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
  If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
  Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
  anchorwlc5760-primary#show wireless client summary
  Number of Local Clients : 3
  MAC Address    AP Name                          WLAN State              Protocol
  04f7.e482.b21c N/A                              2    IPLEARN            Mobile
  bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
  a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
  However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
  I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
  My question is: Why clients are not able to ping their default gateway?
  I hope it makes sense.
  I appreciate any thoughts and help. Thanks in advance.
  Joana.

  Hi,
  I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
  (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
  The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
  I hope it helps.
  Joana.

• WLC 5760 - MAC Filtering wireless clients

  Hi,
  Does anyone ever deployed mac-filtering authentication to wireless clients in the WLC 5760?
  I've configured a WLAN for Mac-filtering authentication only (named it as "macauth"):
  wlan RNVDOS 4 RNVDOS
  aaa-override
  no broadcast-ssid
  client vlan RNVDOS
  mac-filtering macauth
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  session-timeout 1800
  no shutdown
  Then, below Configuration->Security->MAC Filtering I've added several MAC addresses i.e. :
  MAC Address: 88532e9ef70a  Attribute List: macauth
  Which turned out to be display in the CLI as:
  username 88532e9ef70a mac aaa attribute list macauth
  The problem is that whenever I try to associate the wireless client 88532e9ef70a, the client passes to the exclusion list.:
  Sep 16 10:54:55.603: 8853.2E9E.F70A Adding mobile on LWAPP AP  0C68.03EA.4070 (1)  1 wcm: E9E.F70A (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
  Sep 16 10:54:55.603: 8853.2E9E.F70A  Creating WL station entry for client -  rc 0 1 wcm:
  Sep 16 10:54:55.603: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
  Sep 16 10:54:55.603: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: ssionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
  Sep 16 10:54:55.603: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw00dd) was added to ^G$h\225v^K
  Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.603: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm:  ^G$h\225v^K
  Sep 16 10:54:55.603: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:55.603: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  Sep 16 10:54:55.603: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
  Sep 16 10:54:55.603: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Idle to AAA Pending
  Sep 16 10:54:55.603: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:55.604: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:55.604: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Idle to AAA Pending
  Sep 16 10:54:55.604: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:55.604: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
  Sep 16 10:54:55.813: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
  Sep 16 10:54:55.813: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
  Sep 16 10:54:55.813: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
  Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.813: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
  Sep 16 10:54:55.813: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:55.813: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  Sep 16 10:54:55.813: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
  Sep 16 10:54:55.813: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:55.813: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:55.814: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:55.814: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:55.814: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:55.814: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
  Sep 16 10:54:56.520: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
  Sep 16 10:54:56.520: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
  Sep 16 10:54:56.520: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
  Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.520: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
  Sep 16 10:54:56.520: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:56.520: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  Sep 16 10:54:56.520: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
  Sep 16 10:54:56.520: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.520: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.521: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.521: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.521: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:56.521: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
  Sep 16 10:54:56.729: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n 10 seconds
  Sep 16 10:54:56.729: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
  Sep 16 10:54:56.729: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.729: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: from AAA Pending to Authenticated
  Sep 16 10:54:56.729: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:56.729: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  Sep 16 10:54:56.729: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
  Sep 16 10:54:56.729: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.729: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.730: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.730: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.730: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:56.730: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
  Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
  Sep 16 10:54:56.937: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
  Sep 16 10:54:56.937: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
  Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.937: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
  Sep 16 10:54:56.937: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:56.937: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  Sep 16 10:54:56.937: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
  Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.937: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
  Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
  Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
  Sep 16 10:54:57.143: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
  Sep 16 10:54:57.143: 8853.2E9E.F70A apChanged 1 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
  Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:57.143: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
  Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
  Sep 16 10:54:57.143: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
  Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
  Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (8): 1 wcm:  130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
  Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (12): 1 wcm:  130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
  Sep 16 10:54:57.144:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm:  site 'renova', interface 'RNVDOS'
  Sep 16 10:54:57.144: 8853.2E9E.F70A Updated location for station old AP  0C68.03EA.4070 -1, new AP  0C68.03EA.4070 -0 1 wcm: va', interface 'RNVDOS'
  Sep 16 10:54:57.144: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: P  0C68.03EA.4070 -0
  Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:57.144: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:57.144: 8853.2E9E.F70A
  client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
  Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
  Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Exclusion-list (1)
  Sep 16 10:54:57.145: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 44) in 10 seconds
  Sep 16 10:54:57.145: 8853.2E9E.F70A client is added to the exclusion list, reason 1 1 wcm: d: 44) in 10 seconds
  Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm:  %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure 
  Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
  Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
  Sep 16 10:54:59.231: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
  Sep 16 10:54:59.922: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
  Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireCallback (apf_ms.c: 1 wcm: 664) Expiring Mobile!
  Sep 16 10:55:06.972: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 46) in 60 seconds
  Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireMobileStation (apf_ms.c: 1 wcm: 7067) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
  Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: 3.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
  Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) FastSSID for the client [ 0C68.03EA.4070 ] NOTENABLED 1 wcm: E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
  Sep 16 10:55:06.972: 8853.2E9E.F70A Incrementing the Reassociation Count 1 for client (of interface RNVDOS) 1 wcm: D
  Sep 16 10:55:06.972: 8853.2E9E.F70A Clearing Dhcp state for station  ---  1 wcm:  for client (of interface RNVDOS)
  WLC1#
  WLC1#
  Kind Regards,
  Vasco

  Hi Patrick,
  Thank you for sharing your solution. It didn't solved entirely the problem but you pointed to the right direction!
  They are caused, because the system searches for an aaa authorization list, which is not configured.
  To resolve this configure the following
  aaa authorization network mac-filter local
  where mac-filter is the name you defined in the SSID.
  I've used your sugestion to create an aaa local authorization list but instead of naming it with the SSID, I've used the name of the attribute list ( macauth ) and it solved the problem:
  aaa authorization network macauth local
  username 88532e9ef70a mac aaa attribute list macauth
  wlan RNVDOS 4 RNVDOS
  client vlan RNVDOS
  mac-filtering macauth
  WLC1#sh wireless client summ
  Number of Local Clients : 1
  MAC Address    AP Name                          WLAN State              Protocol
  8853.2e9e.f70a APf872.ead7.31da                 4    UP                 11n(5)  
  Cheers,
  Vasco

• Radius server web authentication using ISE

  Hi,
  Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
  I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
  The following link explains "Radius Server Web Authentication" using ACS.  I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html  
  Thanks,

  Hi,
  Please check these:
  Central Web Authentication on the WLC and ISE Configuration Example
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  Regards
  Dont forget to rate helpful posts

• WLC 5760

  Since  i mentioned new to this tech,i deployed 2 WLC 5760 in network i connected one  of Stack wise 480 cable in ring type.but my port is down state
  when i give show switch stack-port summary both controllers are down state.
  What could be the issue can any one suggest me.
  Apart from the above issue i configured few of configuration please vlaidate it
  wlan Guest-WbAuth 3 Guest-WbAuth
  client vlan 100
  mobility anchor 192.168.5.1
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security web-auth
  security web-auth authentication-list EXT_AUTH ---- need more information ?
  security web-auth parameter-map webparalocal -need more information ?
  no shutdown
  2. Redudancy configuration
  conf t
  service internal
  redundancy
  main-cpu
  standby console enable
  end
  session standby ios
  please validate this 

  Please follow the startup procedure:
  http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/CT5760_Centralized_Configuration_eg.html#pgfId-1071864

• Wlc 5760 - wlan configuration

  I have a WLC 5760 and i did below configuration for WLAN:
  wlan 3 85 GUESTS
  client vlan 85
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  session-timeout 1800
  no shutdown
  the ap is joined with WLC:
  EFFAT-WLC#show ap summary
  Number of APs: 4
  Global AP User Name: Not configured
  Global AP Dot1x User Name: Not configured
  AP Name                           AP Model  Ethernet MAC    Radio MAC       State
  APAP16.0009.abdc                  3702I     1616.9999.8888  3c12.f123.0000  Registered
  * have changed the mac address
  but still i am not able to get the WLAN on the wireless clients. SSID is been broadcasted but when scanned on the client i am not getting it.

  Are you using any radius server ???
  if yes then use this commands: aaa-override
  Check this config :
  http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Secure_WLAN_Configuration_on_Catalyst_3850WLC5508.html
  Hope it ehlps.
  Regards
  Dont forget to arte helpful posts

• I cant not control wlc 5760 (every thing CLI & GUI)

  After wlc 5760 reload (because of some problems.)
  I don't know this message. and I can not control wlc 5760 in CLI console.
  Please help me.
  %Error opening tftp://255.255.255.255/network-confg (Timed out)
  %Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-wlc01-confg (Timed out)
  .... again & again
  I try to booting. but I can't.
  I want to know : method 5760 Factory default or normal booting mode.
  + log
  FIPS: Flash Key Check : Begin
  FIPS: Flash Key Check : End, Not Found,FIPS Mode Not Enabled
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco AIR-CT5760 (i686) processor with 10485760K bytes of physical memory.
  Processor board ID FOC1746V2AK
  2048K bytes of non-volatile configuration memory.
  10485760K bytes of physical memory.
  255000K bytes of Crash Files at crashinfo:.
  3612840K bytes of Flash at flash:.
  0K bytes of Dummy USB Flash at usbflash0:.
  0K bytes of  at webui:.
  Base Ethernet MAC Address          : 1c:1d:86:24:10:80
  Motherboard Assembly Number        : 73-14448-04
  Motherboard Serial Number          : FOC174577NZ
  Model Revision Number              : A0
  Model Number                       : AIR-CT5760
  System Serial Number               : FOC1746V2AK
  %Error opening tftp://255.255.255.255/network-confg (Timed out)
  %Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-wlc01-confg (Timed out)
  %Error opening tftp://255.255.255.255/network-confg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-.cfg (Timed out)
  %Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-wlc01-confg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-.cfg (Timed out)
  %Error opening tftp://255.255.255.255/network-confg (Timed out)
  %Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-wlc01-confg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-.cfg (Timed out)
  %Error opening tftp://255.255.255.255/network-confg (Timed out)
  %Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
  %Error opening tftp://255.255.255.255/nx-5760-wlc01-confg (Timed out)

  I have same problem when i upgraded Cisco 3850 Switch to latest IOS. I have lost access to the console.
  can someone please help.
  Thanks

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• External AAA for WLC 5760

  Hi, I have WLC 5760 on mode Centralized because I don't have Switch 3850. I need to implement dot1x authentication using external AAA Server which is in my case is Active Directory on Windows 2012 Server. You can see my configuration in pictures i attached bellow. My problem is authentication is always failed. 
  Can you give me a hint ?
  AAA Server
  Authentication
  LDAP
  WLAN Security L2
  WLAN Security L3
  ERROR Log
  Thanks

  Complete these steps in order to add the WLC as an AAA client in the ACS.
  From the ACS GUI, choose the Network Configuration tab.
  Under AAA Clients, click Add Entry.
  In the Add AAA Client window, enter the WLC host name, the IP address of the WLC, and a shared secret key. See the example diagram under step 5.
  From the Authenticate Using drop-down menu, choose RADIUS .
  Click Submit + Restart in order to save the configuration.

• Custom WebAuth WLC 5760

  I want to setup a custom webauth for my WLC 5760. I already downloaded the webauth bundle and put it in WLC via Command Download in WLC GUI. According to Guide, after the download completed, the custom page will appear in custom page dropdown for web parameter map.
  But in my case it shows nothing. So where did I miss ?
  Thank You

  Hi
  Pls refer this document 
  http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117728-configure-wlc-00.html
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Wlc 5760 design

  I have a new deployement with WLC 5760.
  total number of aps are 150 with 4 WLANs.
  each WLAN is mapped to a sperate VLAN. I have a couple of design questions:
       - the switchport configuration of the AP will be trunk or access ?
         if access, then port should be memeber of which VLAN ?
       - mobility configuration for single WLC design ?
       - I would like to make two groups in which group 1 will advertise WLAN 1,2 and 3 while the group 2 will advertise only WLAN 4.
         is it possible ?
  really apprecite your response.
  Regards

  Hi,
  Here is my responses
     - the switchport configuration of the AP will be trunk or access ?       if access, then port should be memeber of which VLAN ?
  5760 only support Local mode APs. So all your AP connected switchports (in access layer) should be configured as access ports. You can put that in a different AP management vlan.
       - mobility configuration for single WLC design ?
  You can configure a mobility group name even though no any other controllers.
       - I would like to make two groups in which group 1 will advertise WLAN 1,2 and 3 while the group 2 will advertise only WLAN 4.        is it possible ?
  Yes, you can create two AP groups & map these WLANs. Then add APs into these two AP groups according to your requirement.
  These posts should give you some reference
  http://mrncciew.com/2013/12/16/5760-in-ca-cuwn/
  http://mrncciew.com/2013/12/12/getting-started-with-5760/
  http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
  HTH
  Rasika
  **** Pls rate all useful responses *****