Solved: 5508- Internal DHCP - Two SSID

GERALD LECAILLIER · ‎06-29-2012

Hi,

We have something strange...

We created the management interface, an internal DHCP scope in same subnet, and Two SSID tied to the same management interface:

- when we connect to the first SSID we have and IP address

- but when we connect to the secone SSID: impossible to get an ip address - auth and association are OK

Is this a limitation or do you have a clue to solve this problem ?

Thanks,

Regards,

Scott Fella · ‎07-05-2012

You need to see the client authenticated and the policy manager state as RUN. I would just stick with WPA2/AES, because since this is for iPhones in particular and the WLAN is broadcasting, the iPhone will use wpa2-PSK (wpa2/aes automatically). If theses devices are switching from one SSID to another, make sure fast SSID change is enabled. If you still have issues, I would delete the SSID and recreate it. If your not out there to be able to test, it makes it hard. You should rdp into a laptop out there connected in the wired side and test using the pre shared key they give you.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Saravanan Lakshmanan · ‎06-29-2012

there is no limitation of how many SSIDs can use one interface and or internal dhcp server.

get WLC>debug client

GERALD LECAILLIER · ‎07-03-2012

Hello,

Thanks for your reply, for information the device which cannot connect to this second SSID, successfully joined the same SSID on another WLC (but this other WLC use external DHCP srv).

The auth is open and use WPA2-PSK

this is the debug:

*dot1xMsgTask: Jun 29 16:01:42.160: 7X:XX:XX:XX:XX:9Y Initiating RSN PSK to mobile 7X:XX:XX:XX:XX:9Y
*dot1xMsgTask: Jun 29 16:01:42.160: 7X:XX:XX:XX:XX:9Y dot1x - moving mobile 7X:XX:XX:XX:XX:9Y into Force Auth state
*dot1xMsgTask: Jun 29 16:01:42.160: 7X:XX:XX:XX:XX:9Y Skipping EAP-Success to mobile 7X:XX:XX:XX:XX:9Y
*dot1xMsgTask: Jun 29 16:01:42.160: Including PMKID in M1 (16)

*dot1xMsgTask: Jun 29 16:01:42.160: [0000] ec 76 b7 f1 34 ee 1a 01 62 b1 3f 14 a4 58 43 28

*dot1xMsgTask: Jun 29 16:01:42.161: 7X:XX:XX:XX:XX:9Y Starting key exchange to mobile 7X:XX:XX:XX:XX:9Y, data packets will be dropped
*dot1xMsgTask: Jun 29 16:01:42.161: 7X:XX:XX:XX:XX:9Y Sending EAPOL-Key Message to mobile 7X:XX:XX:XX:XX:9Y
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Jun 29 16:01:42.193: 7X:XX:XX:XX:XX:9Y Received EAPOL-Key from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:42.193: 7X:XX:XX:XX:XX:9Y Received EAPOL-key in PTK_START state (message 2) from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:42.193: 7X:XX:XX:XX:XX:9Y Received EAPOL-key M2 with invalid MIC from mobile 7X:XX:XX:XX:XX:9Y
*osapiBsnTimer: Jun 29 16:01:43.179: 7X:XX:XX:XX:XX:9Y 802.1x 'timeoutEvt' Timer expired for station 7X:XX:XX:XX:XX:9Y and for message = M2
*dot1xMsgTask: Jun 29 16:01:43.179: 7X:XX:XX:XX:XX:9Y Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:43.201: 7X:XX:XX:XX:XX:9Y Received EAPOL-Key from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:43.201: 7X:XX:XX:XX:XX:9Y Received EAPOL-key in PTK_START state (message 2) from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:43.201: 7X:XX:XX:XX:XX:9Y Received EAPOL-key M2 with invalid MIC from mobile 7X:XX:XX:XX:XX:9Y
*osapiBsnTimer: Jun 29 16:01:44.179: 7X:XX:XX:XX:XX:9Y 802.1x 'timeoutEvt' Timer expired for station 7X:XX:XX:XX:XX:9Y and for message = M2
*dot1xMsgTask: Jun 29 16:01:44.179: 7X:XX:XX:XX:XX:9Y Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:44.199: 7X:XX:XX:XX:XX:9Y Received EAPOL-Key from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:44.199: 7X:XX:XX:XX:XX:9Y Received EAPOL-key in PTK_START state (message 2) from mobile 7X:XX:XX:XX:XX:9Y
*Dot1x_NW_MsgTask_0: Jun 29 16:01:44.199: 7X:XX:XX:XX:XX:9Y Received EAPOL-key M2 with invalid MIC from mobile 7X:XX:XX:XX:XX:9Y
*osapiBsnTimer: Jun 29 16:01:45.179: 7X:XX:XX:XX:XX:9Y 802.1x 'timeoutEvt' Timer expired for station 7X:XX:XX:XX:XX:9Y and for message = M2
*dot1xMsgTask: Jun 29 16:01:45.179: 7X:XX:XX:XX:XX:9Y Retransmit failure for EAPOL-Key M1 to mobile 7X:XX:XX:XX:XX:9Y, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 29 16:01:45.180: 7X:XX:XX:XX:XX:9Y Sent Deauthenticate to mobile on BSSID 40:f4:ec:11:11:11 slot 0(caller 1x_ptsm.c:534)

(Cisco Controller) >*dot1xMsgTask: Jun 29 16:01:45.180: 7X:XX:XX:XX:XX:9Y Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*osapiBsnTimer: Jun 29 16:01:55.179: 7X:XX:XX:XX:XX:9Y apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Jun 29 16:01:55.179: 7X:XX:XX:XX:XX:9Y apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 7X:XX:XX:XX:XX:9Y on AP 40:f4:ec:11:11:11 from Associated to Disassociated

*apfReceiveTask: Jun 29 16:01:55.179: 7X:XX:XX:XX:XX:9Y Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds

(Cisco Controller) >debug disable-all

Thanks a lot,

Regards,

Gerald

Amjad Abdullah · ‎07-03-2012

Hi Gerald,

the debugs do not indicate any problem related to DHCP. the problem shown by the debugs is with the authentication process that ends with deauthenticating the client:

*dot1xMsgTask: Jun 29 16:01:45.180: 7X:XX:XX:XX:XX:9Y Sent Deauthenticate to mobile on BSSID 40:f4:ec:11:11:11 slot 0(caller 1x_ptsm.c:534)

If you are sure the problem is with the DHCP then make sure that:

- correct interface is mapped to the SSID.

- DHCP ip address configured under the interface is the management IP address of the WLC.

If the issue is not with DHCP but with Auth process:

- Try with other clients and make sure the problem is not clinet-related.

- Make sure that the RF is clear with no significan noise and/or interference.

Please try to collect debugs one more time that show the dhcp issue if the issue isolated to be a DHCP issue.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Saravanan Lakshmanan · ‎07-03-2012

802.1x 'timeoutEvt' Timer expired for station

*Dot1x_NW_MsgTask_0: Jun 29 16:01:43.201: 7X:XX:XX:XX:XX:9Y Received EAPOL-key M2 with invalid MIC from mobile 7X:XX:XX:XX:XX:9Y

802.1x 'timeoutEvt' Timer expired for station

it could be bad driver/supplicant on this particular client, Try with different wireless client device that doesn't see the above issue.

sure you could test with security - wep as it doesn't use Mx key exchanges or WPA-tkip that doesn't use client mfp.

Is client mfp turned ON on advanced WLAN and the trying wirless client supports ccx5?

GERALD LECAILLIER · ‎07-05-2012

Hello,

Thanks for your reply,

In fact different clients can't connect to this SSID. But they can connect on another SSID from same WLC, so it doesnt seem to be a driver problem.

It's mapped on the correct interface, and the MFP is optionnal.

You wil find below the two WLANS configs, the first is OK, clients (laptops, iphone) can connect, on the second one the clients can't connect:

SSID OK:

***********

WLAN Identifier.................................. 3
Profile Name..................................... DATA
Network Name (SSID).............................. XXX_UTILISATEURS
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 5
Exclusionlist Timeout............................ 30 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

SSID NOT OK:

*****************

Note that we tried to force dhcp server ip address as we thought that the problem came from the dhcp server...

WLAN Identifier.................................. 7
Profile Name..................................... Iphone
Network Name (SSID).............................. XXX_Smartphone
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... 128.10.1.20
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   IP Security................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

I begin to believe that there is a mismatch with the WPA2-PSK key > the client has setup the WLC and SSID and gave me the WPA2-PSK...

Thanks a lot,

Best Regards,

Gerald

Amjad Abdullah · ‎07-05-2012

The main difference i see that working ssid has wpa and wpa2 both enabled with either aes or tkip while the problematic ssid has only wpa2aes enabled.

Your point of wrong PSK is totally valid and you. May isolate it be configuring the passphrase again on the WLC.

Make also sure that your clients successfully configured for wpa2-aes. OR you can enable wpa (aes and tkip) and wpa2-tkip on the wlc.

HTH

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

GERALD LECAILLIER · ‎07-05-2012

Hi,

I tried the SSID with only WPA2 and AES, I had the same problem.

I just asked the customer to hit the passphrase again.

Originally I thought it was a DHCP problem, see the attached piece: we can see the client is associated (so normally authenticated) but don't have IP address...

Is it possible the WLC says the client is associated, even if the authentication failed ?

Amjad Abdullah · ‎07-05-2012

Policy manager state is 802.1x_REQD which means it is authentication issue.

Associated state here indicates 802.11 association. However, "authenticated" state when mostly referred by cisco means that the client correctly connected and in RUN policy manager state. It does not mean 802.11 authentication that happens before 802.11 association. This is why if you have WCS you'll always find associated clients count more than authenticated client count.

Can you plz show us messages from msglog and traplog? Do they mention anything about the clients that could not connect?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Scott Fella · ‎07-05-2012

You need to see the client authenticated and the policy manager state as RUN. I would just stick with WPA2/AES, because since this is for iPhones in particular and the WLAN is broadcasting, the iPhone will use wpa2-PSK (wpa2/aes automatically). If theses devices are switching from one SSID to another, make sure fast SSID change is enabled. If you still have issues, I would delete the SSID and recreate it. If your not out there to be able to test, it makes it hard. You should rdp into a laptop out there connected in the wired side and test using the pre shared key they give you.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

GERALD LECAILLIER · ‎07-05-2012

Hello,

Thanks, we are going to investigate this way, I will get back you.

(we dont need the iphone to switch from an SSID to another, it was just to test )

Thanks again

Regards,

GERALD LECAILLIER · ‎07-19-2012

Hello,

Finally our customer had deleted and recreated the WLAN > it's working...

Strange,

Thanks for your help