odewulf
asked on
Roaming issue with cisco WLC and radius wireless
I have a cisco WLC 2504 that has been working great and I can walk around the office without issues. Roaming works fine among the APs.
But I did set up a new wireless that is using RADIUS authentication.
I can connect to the new SSID, but when I walk around the office and get passed to a different AP, I lose connection and the computer reconnects to the other AP. It does it automatically, but this is not transparent to the users, as you will drop a call if you were, for example, on Skype.
The RADIUS and the DHCP server are on a Windows 2008 server.
Tomorrow night when everyone is gone I will enable DHCP proxy, but I was wondering if anyone else had that issue before, or is it normal behavior (hope not) when using RADIUS?
thank you
Gaetan
ASKER
No, I didn't. I will need to check that some other time as I already came home.
I did enable DHCP proxy and roaming was perfect then. The issue with that is that it took forever to get an IP address.
I'll let you know when I test next week (or might try to stop by tomorrow).
thank you
If it takes a while when using proxy, try disabling option 82 support and check that your DHCP server has its firewall configured correctly.
ASKER
OK, I disabled proxy and checked DHCP addr assignment. Unfortunately that didn't help. I believe this is related to the fact that I had to move DHCP onto the server instead of the router.
Under the interface, should I set the DHCP server as the gateway or the DHCP server (set up like that now)?
thx
The DHCP server address should be the DHCP server's IP.
Don't check DHCP required, that will only confuse the issue.
ASKER
OK, so now I am back to where I started:
no DHCP proxy
no DHCP required.
It's just so weird that every time I connect to a different AP, I need to re-authenticate.
At the WLC CLI, can you issue the debug client <MACADDRESS> command while roaming and post the output?
ASKER
There is nothing coming after I typed that command.
ASKER
Sorry, here is the result:
(Cisco Controller) >debug client 44:2a:60:f2:8a:b4
(Cisco Controller) >*DHCP Socket Task: Apr 01 10:47:22.791: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 Reassociation received from mobile on AP 2c:36:f8:60:22:10
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 Applying site-specific IPv6 override for station 44:2a:60:f2:8a:b4 - vapId 3, site 'default-group', interface 'data'
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 Applying IPv6 Interface Policy for station 44:2a:60:f2:8a:b4 - vlan 95, interface id 4, interface 'data'
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 STA - rates (6): 152 36 48 72 96 108 108 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 Processing RSN IE type 48, length 20 for mobile 44:2a:60:f2:8a:b4
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 Received RSN IE with 0 PMKIDs from mobile 44:2a:60:f2:8a:b4
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 pemApfDeleteMobileStation2 : APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Deleted mobile LWAPP rule on AP [2c:36:f8:0f:5e:80]
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 Updated location for station old AP 2c:36:f8:0f:5e:80-1, new AP 2c:36:f8:60:22:10-1
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 apfMsRunStateDec
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 apfMs1xStateDec
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Change state to START (0) last state RUN (20)
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 10.28.95.159 START (0) Initializing policy
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 10.28.95.159 START (0) Change state to AUTHCHECK (2) last state RUN (20)
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 10.28.95.159 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 10.28.95.159 8021X_REQD (3) DHCP required on AP 2c:36:f8:60:22:10 vapId 3 apVapId 3for this client
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 10.28.95.159 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 2c:36:f8:60:22:10 vapId 3 apVapId 3
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 44:2a:60:f2:8a:b4 on AP 2c:36:f8:60:22:10 from Associated to Associated
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 Sending Assoc Response to station on BSSID 2c:36:f8:60:22:10 (status 0) ApVapId 3 Slot 1
*apfMsConnTask_0: Apr 01 10:49:54.413: 44:2a:60:f2:8a:b4 apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 44:2a:60:f2:8a:b4 on AP 2c:36:f8:60:22:10 from Associated to Associated
*dot1xMsgTask: Apr 01 10:49:54.416: 44:2a:60:f2:8a:b4 Disable re-auth, use PMK lifetime.
*dot1xMsgTask: Apr 01 10:49:54.425: 44:2a:60:f2:8a:b4 dot1x - moving mobile 44:2a:60:f2:8a:b4 into Connecting state
*dot1xMsgTask: Apr 01 10:49:54.425: 44:2a:60:f2:8a:b4 Sending EAP-Request/Identity to mobile 44:2a:60:f2:8a:b4 (EAP Id 1)
*pemReceiveTask: Apr 01 10:49:54.429: 44:2a:60:f2:8a:b4 10.28.95.159 Removed NPU entry.
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.429: 44:2a:60:f2:8a:b4 Received EAPOL EAPPKT from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.430: 44:2a:60:f2:8a:b4 Received Identity Response (count=1) from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.430: 44:2a:60:f2:8a:b4 EAP State update from Connecting to Authenticating for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.430: 44:2a:60:f2:8a:b4 dot1x - moving mobile 44:2a:60:f2:8a:b4 into Authenticating state
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.430: 44:2a:60:f2:8a:b4 Entering Backend Auth Response state for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.440: 44:2a:60:f2:8a:b4 Processing Access-Challenge for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.440: 44:2a:60:f2:8a:b4 Entering Backend Auth Req state (id=2) for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.440: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.447: 44:2a:60:f2:8a:b4 Received EAPOL EAPPKT from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.447: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.448: 44:2a:60:f2:8a:b4 Entering Backend Auth Response state for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.450: 44:2a:60:f2:8a:b4 Processing Access-Challenge for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.450: 44:2a:60:f2:8a:b4 Entering Backend Auth Req state (id=3) for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.450: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.063: 44:2a:60:f2:8a:b4 Received EAPOL EAPPKT from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.063: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.063: 44:2a:60:f2:8a:b4 Entering Backend Auth Response state for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.068: 44:2a:60:f2:8a:b4 Processing Access-Challenge for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.068: 44:2a:60:f2:8a:b4 Entering Backend Auth Req state (id=6) for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.068: 44:2a:60:f2:8a:b4 WARNING: updated EAP-Identifier 3 ===> 6 for STA 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.068: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.070: 44:2a:60:f2:8a:b4 Received EAPOL EAPPKT from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.070: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.070: 44:2a:60:f2:8a:b4 Entering Backend Auth Response state for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.072: 44:2a:60:f2:8a:b4 Processing Access-Accept for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.073: 44:2a:60:f2:8a:b4 Resetting web acl from 255 to 255
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.073: 44:2a:60:f2:8a:b4 Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.073: 44:2a:60:f2:8a:b4 Station 44:2a:60:f2:8a:b4 setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.073: 44:2a:60:f2:8a:b4 Creating a PKC PMKID Cache entry for station 44:2a:60:f2:8a:b4 (RSN 2)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.074: 44:2a:60:f2:8a:b4 Adding BSSID 2c:36:f8:60:22:1d to PMKID cache for station 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.074: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.074: [0000] 15 40 32 28 23 b3 01 08 c0 ea 89 da ab 7e e9 24
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.074: 44:2a:60:f2:8a:b4 Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.075: 44:2a:60:f2:8a:b4 PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.075: 44:2a:60:f2:8a:b4 Sending EAP-Success to mobile 44:2a:60:f2:8a:b4 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.075: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.075: [0000] 15 40 32 28 23 b3 01 08 c0 ea 89 da ab 7e e9 24
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.075: 44:2a:60:f2:8a:b4 Starting key exchange to mobile 44:2a:60:f2:8a:b4, data packets will be dropped
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.076: 44:2a:60:f2:8a:b4 Sending EAPOL-Key Message to mobile 44:2a:60:f2:8a:b4
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.076: 44:2a:60:f2:8a:b4 Entering Backend Auth Success state (id=6) for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.076: 44:2a:60:f2:8a:b4 Received Auth Success while in Authenticating state for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.076: 44:2a:60:f2:8a:b4 dot1x - moving mobile 44:2a:60:f2:8a:b4 into Authenticated state
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.078: 44:2a:60:f2:8a:b4 Received EAPOL-Key from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.078: 44:2a:60:f2:8a:b4 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.078: 44:2a:60:f2:8a:b4 Received EAPOL-key in PTK_START state (message 2) from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.078: 44:2a:60:f2:8a:b4 PMK: Sending cache add
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.078: 44:2a:60:f2:8a:b4 Stopping retransmission timer for mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.079: 44:2a:60:f2:8a:b4 Sending EAPOL-Key Message to mobile 44:2a:60:f2:8a:b4
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.080: 44:2a:60:f2:8a:b4 Received EAPOL-Key from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.080: 44:2a:60:f2:8a:b4 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.080: 44:2a:60:f2:8a:b4 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.081: 44:2a:60:f2:8a:b4 apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.081: 44:2a:60:f2:8a:b4 10.28.95.159 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.081: 44:2a:60:f2:8a:b4 10.28.95.159 L2AUTHCOMPLETE (4) DHCP required on AP 2c:36:f8:60:22:10 vapId 3 apVapId 3for this client
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.081: 44:2a:60:f2:8a:b4 Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 10.28.95.159 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 2c:36:f8:60:22:10 vapId 3 apVapId 3
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 apfMsRunStateInc
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 10.28.95.159 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Reached PLUMBFASTPATH: from line 4947
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 2c:36:f8:60:22:10, slot 1, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.083: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506 IPv6 Vlan = 95, IPv6 intf id = 4
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.084: 44:2a:60:f2:8a:b4 10.28.95.159 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.084: 44:2a:60:f2:8a:b4 Stopping retransmission timer for mobile 44:2a:60:f2:8a:b4
*pemReceiveTask: Apr 01 10:50:04.099: 44:2a:60:f2:8a:b4 10.28.95.159 Added NPU entry of type 1, dtlFlags 0x0
*DHCP Socket Task: Apr 01 10:50:05.250: 44:2a:60:f2:8a:b4 DHCP received op BOOTREQUEST (1) (len 308,vlan 75, port 1, encap 0xec03)
*DHCP Socket Task: Apr 01 10:50:05.250: 44:2a:60:f2:8a:b4 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Apr 01 10:50:05.250: 44:2a:60:f2:8a:b4 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:05.251: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 2560, flags: 0
*DHCP Socket Task: Apr 01 10:50:05.251: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:05.251: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:05.251: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:05.252: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to DS
*DHCP Socket Task: Apr 01 10:50:05.253: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:05.253: 44:2a:60:f2:8a:b4 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Apr 01 10:50:05.253: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:05.254: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:05.254: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:05.254: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:05.255: 44:2a:60:f2:8a:b4 DHCP siaddr: 10.28.95.20, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:05.255: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:05.255: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP siaddr: 10.28.95.20, giaddr: 10.28.95.5
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:05.258: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*DHCP Socket Task: Apr 01 10:50:06.259: 44:2a:60:f2:8a:b4 DHCP received op BOOTREQUEST (1) (len 308,vlan 75, port 1, encap 0xec03)
*DHCP Socket Task: Apr 01 10:50:06.260: 44:2a:60:f2:8a:b4 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Apr 01 10:50:06.260: 44:2a:60:f2:8a:b4 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 2816, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP requested ip: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to DS
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.268: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 10.28.95.5
*DHCP Socket Task: Apr 01 10:50:06.268: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
(Cisco Controller) >
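Added example, not part of the original thread and not a Cisco tool: a small Python parser for `debug client` output like the capture above. For each reassociation it reports whether the client offered a PMKID, whether a full EAP exchange ran, how long the slowest client EAP reply took, and how long the client was out of the RUN state. The function names, the result keys and the placeholder year are assumptions of this sketch; the sample lines are copied from the capture.

```python
import re
from datetime import datetime

# Lines copied from the debug output above (only the ones the parser keys on).
SAMPLE = """\
*apfMsConnTask_0: Apr 01 10:49:54.411: 44:2a:60:f2:8a:b4 Reassociation received from mobile on AP 2c:36:f8:60:22:10
*apfMsConnTask_0: Apr 01 10:49:54.412: 44:2a:60:f2:8a:b4 Received RSN IE with 0 PMKIDs from mobile 44:2a:60:f2:8a:b4
*dot1xMsgTask: Apr 01 10:49:54.425: 44:2a:60:f2:8a:b4 Sending EAP-Request/Identity to mobile 44:2a:60:f2:8a:b4 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.430: 44:2a:60:f2:8a:b4 Received Identity Response (count=1) from mobile 44:2a:60:f2:8a:b4
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.440: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.447: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:49:54.450: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.063: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.068: 44:2a:60:f2:8a:b4 Sending EAP Request from AAA to mobile 44:2a:60:f2:8a:b4 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.070: 44:2a:60:f2:8a:b4 Received EAP Response from mobile 44:2a:60:f2:8a:b4 (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 01 10:50:04.082: 44:2a:60:f2:8a:b4 10.28.95.159 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"\*[^:*]+: (?P<ts>\w{3} \d{2} \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)"
)


def _ts(stamp):
    # The log carries no year; 2000 is a placeholder so strptime gets a full date.
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")


def analyse_roams(text):
    """Return one summary dict per reassociation found in the debug output."""
    roams, open_roam = [], {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # continuation lines and lines without a client MAC
        ts, mac, msg = _ts(m["ts"]), m["mac"], m["msg"]
        ap = re.search(r"Reassociation received from mobile on AP (\S+)", msg)
        if ap:
            r = {"mac": mac, "ap": ap[1], "start": ts, "pmkids": None,
                 "full_eap": False, "eap_round_trips": 0,
                 "slowest_client_reply_s": 0.0, "outage_s": None, "_sent": None}
            open_roam[mac] = r
            roams.append(r)
            continue
        r = open_roam.get(mac)
        if r is None:
            continue  # nothing to attribute this line to yet
        pmk = re.search(r"Received RSN IE with (\d+) PMKIDs", msg)
        if pmk:
            r["pmkids"] = int(pmk[1])
        elif "Sending EAP-Request/Identity" in msg or "Sending EAP Request from AAA" in msg:
            r["full_eap"] = True          # controller started or continued EAP
            r["_sent"] = ts
        elif re.search(r"Received (Identity|EAP) Response", msg) and r["_sent"]:
            wait = (ts - r["_sent"]).total_seconds()
            r["eap_round_trips"] += 1
            r["slowest_client_reply_s"] = max(r["slowest_client_reply_s"], wait)
            r["_sent"] = None
        elif "Change state to RUN (20)" in msg:
            r["outage_s"] = (ts - r["start"]).total_seconds()
            del open_roam[mac]            # roam finished
    return roams


def verdict(r):
    """Classify a roam summary produced by analyse_roams()."""
    if not r["full_eap"]:
        return "fast roam: no EAP exchange"
    if r["pmkids"]:
        return "full 802.1X although a PMKID was offered"
    return "full 802.1X: no PMKID seen in reassociation"


if __name__ == "__main__":
    for r in analyse_roams(SAMPLE):
        print(f'{r["mac"]} -> AP {r["ap"]}: {verdict(r)}; '
              f'{r["eap_round_trips"]} EAP round trips, '
              f'slowest client reply {r["slowest_client_reply_s"]:.3f}s, '
              f'out of RUN for {r["outage_s"]:.3f}s')
```

Run against the full capture, the same function gives the same figures, since the extra lines are ignored.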
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:05.256: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP siaddr: 10.28.95.20, giaddr: 10.28.95.5
*DHCP Socket Task: Apr 01 10:50:05.257: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:05.258: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*DHCP Socket Task: Apr 01 10:50:06.259: 44:2a:60:f2:8a:b4 DHCP received op BOOTREQUEST (1) (len 308,vlan 75, port 1, encap 0xec03)
*DHCP Socket Task: Apr 01 10:50:06.260: 44:2a:60:f2:8a:b4 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Apr 01 10:50:06.260: 44:2a:60:f2:8a:b4 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 2816, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.261: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP requested ip: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:06.262: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to DS
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.264: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Apr 01 10:50:06.265: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP successfully bridged packet to STA
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP received op BOOTREPLY (2) (len 317,vlan 95, port 1, encap 0xec00)
*DHCP Socket Task: Apr 01 10:50:06.266: 44:2a:60:f2:8a:b4 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP xid: 0x5d3d1ac (97767852), secs: 0, flags: 0
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP chaddr: 44:2a:60:f2:8a:b4
*DHCP Socket Task: Apr 01 10:50:06.267: 44:2a:60:f2:8a:b4 DHCP ciaddr: 0.0.0.0, yiaddr: 10.28.95.159
*DHCP Socket Task: Apr 01 10:50:06.268: 44:2a:60:f2:8a:b4 DHCP siaddr: 0.0.0.0, giaddr: 10.28.95.5
*DHCP Socket Task: Apr 01 10:50:06.268: 44:2a:60:f2:8a:b4 DHCP server id: 10.28.95.20 rcvd server id: 10.28.95.20
(Cisco Controller) >
OK thanks can you post the show run-config commands output too please, and indicate which WLAN you're connecting to?
ASKER
the WLAN is the 2865SHR
(Cisco Controller) >show run-config commands
802.11a 11nSupport a-mpdu tx priority 1 enable
802.11a 11nSupport a-mpdu tx priority 2 enable
802.11a 11nSupport a-mpdu tx priority 3 enable
802.11a 11nSupport a-mpdu tx priority 6 enable
802.11a 11nSupport a-mpdu tx priority 7 enable
802.11a cac voice tspec-inactivity-timeout ignore
802.11a cac video tspec-inactivity-timeout ignore
802.11a cac voice sip codec g711 sample-interval 20
802.11a cac voice sip bandwidth 64 sample-interval 20
802.11a cac voice stream-size 84000 max-streams 2
802.11a rate disabled 6
--More-- or (q)uit
802.11a rate disabled 9
802.11a rate supported 24
802.11a tsm enable
802.11b cac voice tspec-inactivity-timeout ignore
802.11b cac video tspec-inactivity-timeout ignore
802.11b cac voice sip codec g711 sample-interval 20
802.11b cac voice sip bandwidth 64 sample-interval 20
802.11b cac voice stream-size 84000 max-streams 2
802.11b rate Disabled 1
802.11b rate Disabled 2
802.11b rate Disabled 5.5
802.11b rate Disabled 6
--More-- or (q)uit
802.11b rate Disabled 9
802.11h channelswitch enable 0
aaa auth mgmt local radius
advanced 802.11a channel delete 20
advanced 802.11a channel delete 26
advanced 802.11a channel add 157
advanced 802.11a channel add 161
location rssi-half-life tags 0
location rssi-half-life client 0
location rssi-half-life rogue-aps 0
location expiry tags 5
--More-- or (q)uit
location expiry client 5
location expiry calibrating-client 5
location expiry rogue-aps 5
advanced eap bcast-key-interval 3600
ap syslog host global 50.95.28.10
cdp advertise-v2 enable
database size 2048
dhcp proxy disable
dhcp opt-82 remote-id ap-mac
exclusionlist add ac:fd:ec:7c:97:e0 Jose's iphone
local-auth method fast server-key ****
--More-- or (q)uit
interface create 2875public 45
interface create data 95
interface create test 55
interface address dynamic-interface 2875public 10.28.45.2 255.255.255.0 10.28.45.1
interface address ap-manager 10.28.75.3 255.255.255.0 10.28.75.1
interface address dynamic-interface data 10.28.95.2 255.255.255.0 10.28.95.1
interface address management 10.28.75.2 255.255.255.0 10.28.75.1
interface address dynamic-interface test 10.28.55.2 255.255.252.0 10.28.55.1
interface address virtual 1.1.1.1
interface dhcp dynamic-interface 2875public primary 10.28.45.1
interface dhcp ap-manager primary 10.28.75.1
interface dhcp dynamic-interface data primary 10.28.95.20 secondary 10.28.95.1
--More-- or (q)uit
interface dhcp management primary 10.28.75.1
interface dhcp dynamic-interface test primary 10.28.55.20
interface vlan 2875public 45
interface vlan ap-manager 75
interface vlan data 95
interface vlan management 75
interface vlan test 55
interface port 2875public 1
interface port ap-manager 1
interface port data 1
interface port management 1
--More-- or (q)uit
interface port test 1
load-balancing aggressive enable
load-balancing window 5
apgroup add default-group
apgroup interface-mapping add default-group 1 test
apgroup interface-mapping add default-group 2 data
apgroup interface-mapping add default-group 3 data
apgroup interface-mapping add default-group 8 data
apgroup interface-mapping add default-group 9 2875public
apgroup interface-mapping add default-group 14 2875public
apgroup interface-mapping add default-group 15 2875public
--More-- or (q)uit
apgroup interface-mapping add default-group 16 data
wlan apgroup nac-snmp disable default-group 1
wlan apgroup nac-snmp disable default-group 2
wlan apgroup nac-snmp disable default-group 3
wlan apgroup nac-snmp disable default-group 8
wlan apgroup nac-snmp disable default-group 9
wlan apgroup nac-snmp disable default-group 14
wlan apgroup nac-snmp disable default-group 15
wlan apgroup nac-snmp disable default-group 16
logging buffered 6
logging console 6
logging syslog facility syslog
--More-- or (q)uit
logging syslog host 10.28.95.50
logging syslog level 6
msglog level verbose
memory monitor error enable
memory monitor leak thresholds 10000 30000
mesh security rad-mac-filter disable
mesh security rad-mac-filter disable
mesh security eap
mgmtuser add read-write
mobility group domain 2875SandHill
mobility group member add 70:81:05:af:b9:00 10.28.75.12 2875SandHill
mobility dscp 0
--More-- or (q)uit
network webmode enable
network telnet enable
network multicast global enable
network multicast mode multicast 234.4.3.3
network broadcast enable
network usertimeout 100000
network arptimeout 10000
network mgmt-via-wireless enable
network ap-priority disabled
network rf-network-name 2875S
radius acct add 1 10.28.95.20 1813 ascii ****
radius acct add 2 10.28.95.23 1813 ascii ****
--More-- or (q)uit
radius acct add 3 10.28.55.20 1813 ascii ****
radius auth add 1 10.28.95.20 1812 ascii ****
radius auth add 2 10.28.95.23 1812 ascii ****
radius auth add 3 10.28.55.20 1812 ascii ****
radius acct disable 2
radius acct disable 3
radius acct retransmit-timeout 1 20
radius acct network 2 disable
radius acct network 3 disable
radius auth rfc3576 enable 1
radius auth rfc3576 enable 3
--More-- or (q)uit
radius auth retransmit-timeout 1 10
radius auth disable 2
radius auth disable 3
radius auth network 2 disable
radius auth network 3 disable
radius auth management 2 disable
radius auth management 3 disable
radius fallback-test mode off
radius fallback-test username cisco-probe
radius fallback-test interval 300
rogue ap ssid alarm
rogue ap valid-client alarm
--More-- or (q)uit
rogue adhoc enable
rogue adhoc alert
rogue ap rldp disable
rogue detection monitor-ap report-interval 10
Not Supported.
snmp version v2c enable
snmp version v3 enable
snmp snmpEngineId 00003763000018c0024b1c0a
switchconfig strong-pwd case-check enabled
switchconfig strong-pwd consecutive-check enabled
switchconfig strong-pwd default-check enabled
switchconfig strong-pwd username-check enabled
--More-- or (q)uit
sysname 2865controller
time ntp interval 604800
time ntp server 1 216.218.192.202
time ntp server 2 204.74.68.55
trapflags linkmode disable
trapflags stpmode disable
trapflags client excluded disable
trapflags ap authFailure disable
trapflags ap register disable
trapflags ap interfaceUp disable
trapflags 802.11-Security wepDecryptError disable
--More-- or (q)uit
trapflags rrm-profile load disable
trapflags rrm-profile noise disable
trapflags rrm-profile interference disable
trapflags rrm-profile coverage disable
trapflags rogueap disable
trapflags mesh auth failure disable
trapflags mesh child excluded parent disable
trapflags mesh parent change disable
trapflags mesh child moved disable
trapflags mesh excessive parent change disable
trapflags mesh onset SNR disable
trapflags mesh abate SNR disable
--More-- or (q)uit
trapflags mesh console login disable
trapflags mesh excessive association disable
trapflags mesh default bridge group name disable
trapflags mesh excessive hop count disable
trapflags mesh excessive children disable
trapflags mesh sec backhaul change disable
trapflags configsave disable
wlan create 1 dhcptest 55
wlan create 3 2865SHR 2865SHR
--More-- or (q)uit
wlan create 9 2865Guest 2865Guest
wlan create 14 Academic Roundtable Academic Roundtable
wlan nac snmp disable 1
wlan nac snmp disable 2
wlan nac snmp disable 3
wlan nac snmp disable 8
wlan nac snmp disable 9
wlan nac snmp disable 14
wlan nac snmp disable 15
wlan nac snmp disable 16
--More-- or (q)uit
Max no. of clients 0Max no. of clients 0Max no. of clients 0Max no. of clients 0Max no. of clients 0Max no. of clients 0Max no. of clients 0Max no. of clients 0
wlan interface 1 test
wlan interface 2 data
wlan interface 3 data
wlan interface 8 data
wlan interface 9 2875public
wlan interface 14 2875public
wlan interface 15 2875public
wlan interface 16 data
wlan multicast interface 1 disable
wlan multicast interface 2 disable
wlan multicast interface 3 disable
--More-- or (q)uit
wlan multicast interface 8 disable
wlan multicast interface 9 disable
wlan multicast interface 14 disable
wlan multicast interface 15 disable
wlan multicast interface 16 disable
wlan exclusionlist 8 disabled
wlan exclusionlist 8 0
wlan dtim 802.11a 5 8
wlan dtim 802.11a 5 9
wlan dtim 802.11b 5 8
wlan dtim 802.11b 5 9
wlan session-timeout 1 1800
--More-- or (q)uit
wlan session-timeout 2 1800
wlan session-timeout 3 1800
wlan session-timeout 8 65535
wlan session-timeout 9 7200
wlan session-timeout 14 1800
wlan session-timeout 15 1800
wlan session-timeout 16 1800
wlan h-reap learn-ipaddr 1 enable
wlan h-reap learn-ipaddr 2 enable
wlan h-reap learn-ipaddr 3 enable
wlan h-reap learn-ipaddr 8 enable
--More-- or (q)uit
wlan h-reap learn-ipaddr 9 enable
wlan h-reap learn-ipaddr 14 enable
wlan h-reap learn-ipaddr 15 enable
wlan h-reap learn-ipaddr 16 enable
wlan wmm allow 1
wlan wmm allow 2
wlan wmm allow 3
wlan wmm allow 8
wlan wmm allow 9
wlan wmm allow 14
wlan wmm allow 15
wlan wmm allow 16
--More-- or (q)uit
wlan security wpa disable 15
wlan security 802.1X encryption 2 0
wlan radius_server auth add 1 1
wlan radius_server acct add 1 1
wlan radius_server auth add 2 1
wlan radius_server acct add 2 1
wlan radius_server auth add 3 1
wlan radius_server acct add 3 1
wlan radius_server auth add 16 1
wlan radius_server acct add 16 1
wlan radius_server overwrite-interface enable 1
--More-- or (q)uit
wlan radius_server overwrite-interface enable 2
wlan radius_server overwrite-interface enable 16
wlan security web-auth server-precedence 2 radius local
wlan security wpa akm 802.1x disable 1
wlan security wpa akm psk enable 1
wlan security wpa akm 802.1x disable 8
wlan security wpa akm psk enable 8
wlan security wpa akm 802.1x disable 9
wlan security wpa akm psk enable 9
wlan security wpa akm 802.1x disable 14
wlan security wpa akm psk enable 14
wlan security wpa akm 802.1x disable 15
--More-- or (q)uit
wlan security wpa akm ft reassociation-time 20 1
wlan security wpa akm ft over-the-air enable 1
wlan security wpa akm ft over-the-ds enable 1
wlan security wpa akm ft reassociation-time 20 2
wlan security wpa akm ft over-the-air enable 2
wlan security wpa akm ft over-the-ds enable 2
wlan security wpa akm ft reassociation-time 20 3
wlan security wpa akm ft over-the-air enable 3
wlan security wpa akm ft over-the-ds enable 3
wlan security wpa akm ft reassociation-time 20 8
wlan security wpa akm ft over-the-air enable 8
--More-- or (q)uit
wlan security wpa akm ft over-the-ds enable 8
wlan security wpa akm ft reassociation-time 20 9
wlan security wpa akm ft over-the-air enable 9
wlan security wpa akm ft over-the-ds enable 9
wlan security wpa akm ft reassociation-time 20 14
wlan security wpa akm ft over-the-air enable 14
wlan security wpa akm ft over-the-ds enable 14
wlan security wpa akm ft reassociation-time 20 15
wlan security wpa akm ft over-the-air enable 15
wlan security wpa akm ft over-the-ds enable 15
wlan security wpa akm ft reassociation-time 20 16
wlan security wpa akm ft over-the-air enable 16
--More-- or (q)uit
wlan security wpa akm ft over-the-ds enable 16
wlan security wpa wpa1 enable 8
wlan security wpa wpa1 enable 9
wlan security wpa wpa1 ciphers tkip enable 8
wlan security wpa wpa1 ciphers tkip enable 9
wlan exclusionlist 8 disabled
wlan exclusionlist 8 0
wlan dhcp_server 2 0.0.0.0 required
wlan dhcp_server 3 0.0.0.0 required
wlan enable 1
--More-- or (q)uit
wlan enable 3
wlan enable 8
license agent default authenticate none
license boot base
WMM-AC disabled
coredump disable
media-stream multicast-direct disable
media-stream message url
media-stream message email
media-stream message phone
media-stream message note denial
media-stream message state disable
--More-- or (q)uit
802.11a media-stream multicast-direct enable
802.11b media-stream multicast-direct enable
802.11a media-stream multicast-direct radio-maximum 0
802.11b media-stream multicast-direct radio-maximum 0
802.11a media-stream multicast-direct client-maximum 0
802.11b media-stream multicast-direct client-maximum 0
802.11a media-stream multicast-direct admission-besteffort disable
802.11b media-stream multicast-direct admission-besteffort disable
802.11a media-stream video-redirect enable
802.11b media-stream video-redirect enable
A few things...
1] I can't see in the config that WLAN 3 is using 802.1x
2] It looks like you have the DHCP Address Required option checked...
wlan dhcp_server 3 0.0.0.0 required
3] You're using old code (probably late v6 or early v7). You should upgrade to v7.4.121.0 if you can as it's AssureWave tested.
4] You have 2 WLCs - you didn't mention that. This is extremely important as it means you could have APs within the roaming area connected to different WLCs. This raises two immediate issues...
a] Are both WLCs configured EXACTLY the same? If not, expect problems.
b] This will increase the roam time as the WLCs have to maintain client information via the mobility group, so Fast Transition is going to help you here. BUT, I'd use one or the other (over-the-air or over-the-DS) but not both at the same time on the same WLAN. Pick one and see if it works, then try the other if you need to.
5] I think that your client devices are trying to use Computer or User Authentication. That's ok, but if you aren't doing Computer Authentication just set the client to use User Authentication, and vice-versa.
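The configuration points raised in this answer (no visible 802.1x AKM line for WLAN 3, DHCP Address Required, and both FT modes on one WLAN) can be checked mechanically from a saved `show run-config commands` dump. The Python below is an added example, not part of the original thread or any Cisco tooling; the sample is a constructed excerpt of lines from the dump above, and the reading of each line's fields is an assumption based on how they appear there.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the run-config dump posted in this
# thread, including the CLI pager prompt that interrupts the output.
SAMPLE = """\
wlan create 1 dhcptest 55
wlan create 3 2865SHR 2865SHR
--More-- or (q)uit
wlan radius_server auth add 1 1
wlan radius_server auth add 3 1
wlan security wpa akm 802.1x disable 1
wlan security wpa akm psk enable 1
wlan security wpa akm ft reassociation-time 20 3
wlan security wpa akm ft over-the-air enable 1
wlan security wpa akm ft over-the-ds enable 1
wlan security wpa akm ft over-the-air enable 3
--More-- or (q)uit
wlan security wpa akm ft over-the-ds enable 3
wlan dhcp_server 3 0.0.0.0 required
wlan enable 1
wlan enable 3
"""

PAGER = re.compile(r"^--More--")


def _new():
    return {"name": None, "akm": {}, "ft": set(), "dhcp_required": False,
            "radius_auth": [], "enabled": False}


def _name(rest):
    # Assumption: "wlan create <id> <profile> <ssid>"; when both halves are
    # identical (e.g. "2865SHR 2865SHR") show the name once.
    tokens = rest.split()
    half = len(tokens) // 2
    if len(tokens) % 2 == 0 and tokens[:half] == tokens[half:]:
        return " ".join(tokens[:half])
    return rest


# Each pattern matches a line shape that appears in the posted dump.
# Assumption: the WLAN id is the number captured as shown per pattern.
PATTERNS = [
    (re.compile(r"wlan create (\d+) (.+)$"),
     lambda w, m: w[m[1]].update(name=_name(m[2]))),
    (re.compile(r"wlan security wpa akm (802\.1x|psk) (enable|disable) (\d+)$"),
     lambda w, m: w[m[3]]["akm"].update({m[1]: m[2]})),
    (re.compile(r"wlan security wpa akm ft (over-the-air|over-the-ds) enable (\d+)$"),
     lambda w, m: w[m[2]]["ft"].add(m[1])),
    (re.compile(r"wlan dhcp_server (\d+) \S+ required$"),
     lambda w, m: w[m[1]].update(dhcp_required=True)),
    (re.compile(r"wlan radius_server auth add (\d+) (\d+)$"),
     lambda w, m: w[m[1]]["radius_auth"].append(m[2])),
    (re.compile(r"wlan enable (\d+)$"),
     lambda w, m: w[m[1]].update(enabled=True)),
]


def parse_wlans(text):
    """Collect per-WLAN settings, skipping blank lines and pager prompts."""
    wlans = defaultdict(_new)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PAGER.match(line):
            continue
        for pattern, apply in PATTERNS:
            match = pattern.match(line)
            if match:
                apply(wlans, match)
                break
    return dict(wlans)


def findings(w):
    """Return the review points from the answer that apply to one WLAN."""
    out = []
    state = w["akm"].get("802.1x")
    if state is None:
        out.append("no 'akm 802.1x' line in the dump: confirm the AKM on the controller")
    elif state == "disable":
        out.append("802.1x AKM disabled")
    if w["dhcp_required"]:
        out.append("DHCP Address Required is set")
    if w["ft"] == {"over-the-air", "over-the-ds"}:
        out.append("FT over-the-air and over-the-ds both enabled: test one at a time")
    return out


def audit(text):
    """Map each enabled WLAN id to its list of findings."""
    return {wid: findings(w) for wid, w in parse_wlans(text).items() if w["enabled"]}


if __name__ == "__main__":
    parsed = parse_wlans(SAMPLE)
    for wid, notes in sorted(audit(SAMPLE).items(), key=lambda kv: int(kv[0])):
        print(f"WLAN {wid} ({parsed[wid]['name']})")
        for note in notes:
            print(f"  - {note}")
```
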
ASKER
thank you Craig
1. yes that WLAN is set up with 802.1x
2. sorry I was playing with it yesterday but that didn't change the issue
3. we are on 7.0.240. I won't be able to do the upgrade for some time :-/
4. sorry about not mentioning it, but they are in 2 different buildings and the APs in each building are associated with the right WLC. even if I walk through one office I will get disconnected while trying to reconnect.
5. let me check the radius server. on the client side, I don't really have an option, it just connects automatically
thank you again for your help
G
Ok what clients are you using? If they're Windows clients you can change this behaviour but you have to manually create the WLAN profile instead of using the automatically detected one. If you have a Windows domain this is easily achieved using a GPO.
ASKER
we are all on mac :-/
Ok well I would definitely suggest upgrading to at least v7.2MR1. This adds support for sticky PMKID caching. That should improve things.
ASKER
we will upgrade later on this month during our maintenance window
ASKER
sorry for the delay... upgraded the WLC 2512 to 7.0.250. Unfortunately that didn't help as we are still having issues, but after more testing the issue is only with Apple computers.
windows, iphone and android are roaming fine.
opened a ticket with Cisco support but right now no love... not sure what could be causing the issue between the Mac and the Cisco AP. it seems that the Macs don't stick to the SSID and need to re-authenticate when they connect to another AP.
BTW Craig, I see that you are working on a similar issue with Jeff: https://www.experts-exchange.com/questions/28389889/802-1X-roaming-disconnects-issue.html
hope that we can find a solution :-)
thank you
gaetan
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
thank you Craig.
I will give it a try tomorrow morning and let you know how it goes
thank you so much
G
ASKER
that worked :-)
I can't believe that the Cisco support guy has been spending 2 days trying to figure it out and didn't find anything with it. he kept telling me that it is the way it should be :-/
thank you so much
I'm not saying anything about TAC ;-)
My pleasure! Glad it worked for you :-)
If so, that's probably your issue.