WLC 4402 - clients connection to AP problem

Unanswered Question
Jun 26th, 2008

Hi, have a problem with clients connection to AP. On WLC can see status Probing, sometimes associated but no IP received. It was working for a month but stopped for some reason. Am slightly not sure on the steps how it all works ? First authentication takes the place and then IP assignment by DHCP, correct ? Could you please help in pinpointing the problem ? Radius reachable from WLC, AP's have IP's assigned by DHCP server from another subnet

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Scott Fella Thu, 06/26/2008 - 12:42

Well best thing to do is create a new ssid and leave it open for testing. See if you can associate an dobtain an ip address. this will eliminate that dhcp is an issue. Then configure authentication on the new ssid to what you had in the existing ssid. Then see if you can authenticate and obtain an ip address. Look at the logs on the wlc and on acs. Post the logs if you still can't find out what the issue might be.

arunas.usonis Thu, 06/26/2008 - 13:07

In the WLC logs I have 2 types of errors:

Client Excluded: MACAddress:00:1c:26:1a:d6:45

Base Radio MAC :00:21:1c:7a:b2:70 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3

Client Deauthenticated: MACAddress:00:12:f0:69:43:4e

Base Radio MAC:00:21:1c:7a:b7:60 Slot: 0 Reason:Unspecified ReasonCode: 1

Scott Fella Thu, 06/26/2008 - 13:31

The client excluded, means that the device is not passing authentication. Look at the device setting once again. After 3 attempt, the wlc puts the device in client exclusion for 60 seconds (default unless you change it or remove client exclusion). But if the device keeps trying, that device will be stuck in client exclusion.

willy.wijaya.seagate Sun, 06/29/2008 - 20:03

Hi,

You can turn off the client exclusion and aironetIE under the wireless lan setting.

You can also set to allow longer time out:

config advanced eap eapol-key-timeout 5

config advanced eap eapol-key-retries 4

Below is the Reason code Meaning

0 Reserved

1 Unspecified reason

2 Previous authentication no longer valid

3 Deauthenticated because sending STA is leaving (or has left) IBSS or ESS

4 Disassociated due to inactivity

5 Disassociated because AP is unable to handle all currently associated STAs

6 Class 2 frame received from nonauthenticated STA

7 Class 3 frame received from nonassociated STA

8 Disassociated because sending STA is leaving (or has left) BSS

9 STA requesting (re)association is not authenticated with responding STA

10 Disassociated because the information in the Power Capability element is unacceptable

11 Disassociated because the information in the Supported Channels element is unacceptable

12 Reserved

13 Invalid information element, i.e., an information element defined in this standard for

which the content does not meet the specifications in Clause 7

14 Message integrity code (MIC) failure

15 4-Way Handshake timeout

16 Group Key Handshake timeout

17 Information element in 4-Way Handshake different from (Re)Association Request/Probe

Response/Beacon frame

18 Invalid group cipher

19 Invalid pairwise cipher

20 Invalid AKMP

21 Unsupported RSN information element version

22 Invalid RSN information element capabilities

23 IEEE 802.1X authentication failed

24 Cipher suite rejected because of the security policy

25-31 Reserved

32 Disassociated for unspecified, QoS-related reason

33 Disassociated because QoS AP lacks sufficient bandwidth for this QoS STA

34 Disassociated because excessive number of frames need to be acknowledged, but are not

acknowledged due to AP transmissions and/or poor channel conditions

35 Disassociated because STA is transmitting outside the limits of its TXOPs

36 Requested from peer STA as the STA is leaving the BSS (or resetting)

37 Requested from peer STA as it does not want to use the mechanism

38 Requested from peer STA as the STA received frames using the mechanism for which a

setup is required

39 Requested from peer STA due to timeout

45 Peer STA does not support the requested cipher suite

46-65535 Reserved

Actions

This Discussion