
Static VLAN assignment with EAP-TLS ACS v5.0

Nov 3rd, 2010

Hi All,


I am having some difficulties with statically assigning the VLAN ID and assigning DHCP through our wireless network.


This is not yet in production.


WCS

WLC 5508

ACS 5.0.0.21


CAP3502


All CAPs are associated with the WLC - see attached


Problem is when I try to connect to the WLAN from the client, unless the WLAN Profile is configured for the management interface, the RADIUS does not see the request, and has no hits against the Access Policies.


Any suggestions?


Dan

Serge Yasmine Mon, 11/08/2010 - 04:19
Cisco Employee

Hi Dan,


Make sure that:

1- network user is checked next to the radius server you want to use and that it is enabled under SECURITY -> RADIUS -> Authentication

2- make sure to point the SSID toward the radius Server under WLAN -> SSID in use -> SECURITY -> AAA Server


If still not working, ssh to WLC, debug client while reproducing the problem. Paste here.


Cheers,
Serge
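The same two checks, expressed on the AireOS command line so they can be verified from an SSH session rather than the GUI. This is an added example and not part of Serge's reply; it assumes the RADIUS server was defined at server index 1 and the SSID is WLAN ID 1, and it uses the client MAC from the debug output later in this thread as the debug target.

```text
(Cisco Controller) >show radius summary
(Cisco Controller) >config radius auth enable 1
(Cisco Controller) >config radius auth network 1 enable
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan radius_server auth add 1 1
(Cisco Controller) >config wlan aaa-override enable 1
(Cisco Controller) >config wlan enable 1
(Cisco Controller) >show wlan 1
(Cisco Controller) >show radius auth statistics
(Cisco Controller) >debug client 00:21:6a:2f:f7:20
```

`show radius summary` confirms the server entry is enabled and has Network User set; `show wlan 1` confirms the WLAN is bound to that server index and to the intended interface; `show radius auth statistics` shows whether requests are being sent and whether any responses come back at all, which separates a WLC-side configuration problem from a server that is receiving but not answering.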

dancarrick Mon, 11/08/2010 - 17:55

Serge,


Please note that I have enabled AAA Override at the moment to allow the RADIUS to return the VLAN tag with the RADIUS Response.


I will follow up with the capture of the debug.


Regards,


Dan

dancarrick Mon, 11/08/2010 - 18:16

Serge,


I have cleared the logs and enabled debug client 00:21:60:2f:f7:20.



*apfMsConnTask_5: Nov 09 11:45:23.991: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
*apfProbeThread: Nov 09 11:45:23.668: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:23.658: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:23.658: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:45:05.626: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
*apfProbeThread: Nov 09 11:45:05.303: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:05.296: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:05.296: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:44:47.266: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 5 times.!]
*apfProbeThread: Nov 09 11:44:46.941: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:44:46.934: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:44:46.934: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:44:28.889: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 4 times.!]
*apfProbeThread: Nov 09 11:44:28.561: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 3 times/sec!.]

dancarrick Mon, 11/08/2010 - 18:19

*radiusTransportThread: Nov 09 11:47:42.402: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 152) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:24.050: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 151) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:05.682: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 150) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:05.682: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 7 times.!]
*apfProbeThread: Nov 09 11:46:48.535: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*radiusTransportThread: Nov 09 11:46:47.326: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 149) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:46:47.326: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfProbeThread: Nov 09 11:46:46.195: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*emWeb: Nov 09 11:46:29.364: %DEBUG-4-INVALID_MODULE: debug.c:1765 Unhandled debug module 264.
*emWeb: Nov 09 11:46:29.364: %DEBUG-4-INVALID_MODULE: debug.c:1765 Unhandled debug module 228.
*radiusTransportThread: Nov 09 11:46:28.958: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 148) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:46:28.958: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 8 times.!]
*apfProbeThread: Nov 09 11:45:48.425: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfProbeThread: Nov 09 11:45:46.211: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfMsConnTask_5: Nov 09 11:45:42.353: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 12 times.!]
*apfProbeThread: Nov 09 11:45:42.028: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:45:23.991: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
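The two posts above contain two distinct symptoms that are easy to conflate when reading raw WLC output: the RADIUS server at 10.64.96.220:1812 never answering (%AAA-4-RADIUS_RESPONSE_FAILED, every request still showing user 'unknownUser'), and the client exhausting its EAP identity retries (%DOT1X-3-MAX_EAP_RETRIES followed by %DOT1X-3-ABORT_AUTH). The following Python triage script is an added example, not part of the thread and not Cisco tooling; it parses the WLC message format shown here, separates the two symptoms per server and per client, and reports which side is failing to respond. The sample lines embedded in it are copied from the posts above; the ones after the triage function are constructed only as extra test input.

```python
import re
from collections import defaultdict

# Sample WLC log lines copied from the thread (server address and client MAC
# are the ones the poster showed); used here as offline test input.
SAMPLE_LOG = """\
*radiusTransportThread: Nov 09 11:47:42.402: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 152) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:24.050: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 151) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
   *apfProbeThread: Nov 09 11:45:42.028: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfMsConnTask_5: Nov 09 11:45:23.991: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
*Dot1x_NW_MsgTask_0: Nov 09 11:45:23.658: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*emWeb: Nov 09 11:46:29.364: %DEBUG-4-INVALID_MODULE: debug.c:1765 Unhandled debug module 264.
"""

# One WLC message: "*task: Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: file.c:line text"
LINE_RE = re.compile(
    r"^\s*\*(?P<task>[^:]+):\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<src>\S+\.c:\d+)\s+(?P<msg>.*)$"
)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
SERVER_RE = re.compile(r"RADIUS server (\S+:\d+) failed to respond to request\(ID (\d+)\)")


def parse_line(line):
    """Return the fields of one WLC message, or None if the line is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Count RADIUS-side and client-side failure symptoms in a block of WLC output."""
    summary = {
        "radius_unresponsive": defaultdict(list),  # server "ip:port" -> request IDs
        "eap_retries_exceeded": defaultdict(int),  # client MAC -> occurrences
        "auth_aborted": defaultdict(int),          # client MAC -> occurrences
        "unparsed": 0,
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            summary["unparsed"] += 1
            continue
        mac_match = MAC_RE.search(rec["msg"])
        mac = mac_match.group(0).lower() if mac_match else None
        if rec["mnemonic"] == "RADIUS_RESPONSE_FAILED":
            sm = SERVER_RE.search(rec["msg"])
            if sm:
                summary["radius_unresponsive"][sm.group(1)].append(int(sm.group(2)))
        elif rec["mnemonic"] == "MAX_EAP_RETRIES" and mac:
            summary["eap_retries_exceeded"][mac] += 1
        elif rec["mnemonic"] == "ABORT_AUTH" and mac:
            summary["auth_aborted"][mac] += 1
    return summary


def diagnose(summary):
    """Turn the counts into one finding per server or client that is not responding."""
    findings = []
    for server, ids in summary["radius_unresponsive"].items():
        findings.append(
            f"RADIUS server {server} gave no reply to {len(ids)} request(s) "
            f"(IDs {min(ids)}-{max(ids)}): the WLC is sending; check reachability, "
            "shared secret and whether the server is receiving and answering"
        )
    for mac, n in summary["eap_retries_exceeded"].items():
        findings.append(
            f"client {mac} did not answer EAP-Request/Identity {n} time(s): "
            "supplicant not responding, or the frames are not reaching it"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print(finding)
```

Run it as-is to see the two findings for the sample; for a real capture, read the output of `debug client` or `show msglog` into `triage()` instead of `SAMPLE_LOG`. The RADIUS finding is the one that matters in this thread: the WLC's request IDs are increasing and the user stays 'unknownUser', so the controller is transmitting and the server is simply not replying, which matches the ACS-side defect described in the next post rather than a WLAN or interface misconfiguration.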

Tiago Antunes Tue, 11/09/2010 - 05:51
Cisco Employee

Hi Dan,


Please be aware that ACS 5.0 suffers from a major DDTS where it does not reply to RADIUS packets from WLCs.

The DDTS id is CSCsy17858 - Incorrect handling of Tunnel-Type & Tunnel-Client-Endpoint attrs.


I would upgrade to the latest ACS version or at least 5.0.0.21.6 (patch 6) where this was first fixed.


HTH,

Tiago


--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

dancarrick Sun, 11/21/2010 - 14:57

Tiago,


Thanks for the suggestions.


I have not been able to upgrade my ACS 5.0 yet, still trying to get the maintenance sorted out so that I can upgrade to 5.2.


I have however pointed to another AAA server (v4.1) and I am able to successfully authenticate and remain in the statically configured VLAN (through the AP Group WLAN interface configuration). So it looks as though there is a bug issue with 5.0.0.21.


Once I have confirmed the upgrade to 5.2 and tested successfully I will add further information.


Dan

Serge Yasmine Tue, 11/09/2010 - 06:41
Cisco Employee

Dan, all I see on the logs you gave is that the client is not responding to EAP-Requests.


It is very weird that this works fine when WLAN is bound to management interface and doesn't work when WLAN is bound to dynamic interface. It could be due to the bug that Tiago mentioned earlier, not sure.
