Roaming and Radius authentication problem Flexconnect AP's with WLC2504/WLC4404 7.0

istvan.kelemen1
Level 1

Hello Guys,

 

I have a little Cisco Wireless testlab. WLC4404, WLC2504, AP3502i, AP1142

Code is 7.0.252 (also tested with 7.6 and 8.1 on wlc2504, made no difference...)

AAA server is Cisco ACS 5.4

 

The AP's are grouped together in an H-REAP group.

DHCP Required option is turned off.

 

There are a few scenarios... Let's see the first one.

In all scenarios WLC's are using the same config/code. Local switching is enabled, authentication is central with local fallback.

 

Auth: WPA2 + dot1.x +CCKM

AP's are in local mode connected to WLC2504 - no issues, roaming is fast, AAA auth works.

AP's are in local mode connected to WLC4404 - roaming works, however the WLC uses local auth, failed to auth against Cisco ACS

 

AP's are in H-REAP mode connected to WLC2504 - AAA works, roaming is strange.. when the client associates with the AP after roaming, the session is broken, need to restart the session to get it working. (eg: Speedtest android app) However if the client roams back to its original AP where it associated at the first time, the session continues.

AP's are in H-REAP mode connected to WLC4404 - nothing works, same issue with roaming

 

OK, Let's see how is with WPA2+PSK

Same issue with roaming...

 

Any ideas?

 

Br,

István

5 Replies

Hi 

Auth: WPA2 + dot1.x +CCKM

AP's are in local mode connected to WLC2504 - no issues, roaming is fast, AAA auth works.

AP's are in local mode connected to WLC4404 - roaming works, however WLC uses local auth, faild to auth against Cisco ACS

Do all your clients support CCKM? In the 4404 case, what does the "debug client <mac_addr>" output look like and what does the ACS log say?

AP's are in H-REAP mode connected to WLC2504 - AAA works, roaming is strange.. when clients associates with the AP after roaming, the session is broken, need to restart the session to get it working. (eg: Speedtest android app) However if the client roams back to it's original AP where it associated at the first time, the session continues.

With regards to H-REAP/FlexConnect, in 7.0.x a FlexConnect Group supports CCKM/OKC. If your client is CCX then you can see CCKM in use. Otherwise it is simply OKC, which is a fast roam back (only if the client comes back to the original AP will the roam be fast, otherwise there is a full re-authentication).

This is the document you should refer when it comes to fast roaming on Cisco 

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html

HTH

Rasika

*** Pls rate all useful  responses ***

Roaming and 802.1X is a different beast. Clients and controllers need to support the same. The most universal is OKC. While 802.11r has been the standard since 2008, few clients support it.

 

what clients are you using ? 

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Test client is Samsung Galaxy S6 EDGE Droid 5.1.1.

"Clients and controllers need to support the same." - they do, both controllers are identical except the hardware model

Hello Rasika,

 

1.

 a;

   Yes, I used Galaxy S6 EDGE for testing. It is CCXv4 device.

 b;

 

(Cisco Controller) >*apfMsConnTask_0: Jul 04 22:10:49.505: 00:26:c7:6e:6e:7c Adding mobile on LWAPP AP 64:ae:0c:25:0a:00(0) 
*apfMsConnTask_0: Jul 04 22:10:49.505: 00:26:c7:6e:6e:7c Association received from mobile on AP 64:ae:0c:25:0a:00
*apfMsConnTask_0: Jul 04 22:10:49.505: 00:26:c7:6e:6e:7c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Applying site-specific IPv6 override for station 00:26:c7:6e:6e:7c - vapId 1, site 'default-group', interface 'vlan10'
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Applying IPv6 Interface Policy for station 00:26:c7:6e:6e:7c - vlan 10, interface id 8, interface 'vlan10'
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c STA - rates (6): 152 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Processing RSN IE type 48, length 22 for mobile 00:26:c7:6e:6e:7c
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Received RSN IE with 0 PMKIDs from mobile 00:26:c7:6e:6e:7c
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 64:ae:0c:25:0a:00 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 64:ae:0c:25:0a:00 vapId 1 apVapId 1
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c apfMsAssoStateInc
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:26:c7:6e:6e:7c on AP 64:ae:0c:25:0a:00 from Idle to Associated

*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c Sending Assoc Response to station on BSSID 64:ae:0c:25:0a:00 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Jul 04 22:10:49.506: 00:26:c7:6e:6e:7c apfProcessAssocReq (apf_80211.c:5284) Changing state for mobile 00:26:c7:6e:6e:7c on AP 64:ae:0c:25:0a:00 from Associated to Associated

*spamReceiveTask: Jul 04 22:10:49.508: 00:26:c7:6e:6e:7c Sent 1x initiate message to multi thread task for mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.509: 00:26:c7:6e:6e:7c Station 00:26:c7:6e:6e:7c setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.509: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.509: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c Received EAPOL START from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 2)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c Received EAPOL EAPPKT from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c Received Identity Response (count=2) from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c EAP State update from Connecting to Authenticating for mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Authenticating state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c Entering Backend Auth Response state for mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.579: 00:26:c7:6e:6e:7c Received EAPOL START from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.579: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Aborting state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.580: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.580: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 4)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.580: 00:26:c7:6e:6e:7c Reached Max EAP-Identity Request retries (3) for STA 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.581: 00:26:c7:6e:6e:7c Sent Deauthenticate to mobile on BSSID 64:ae:0c:25:0a:00 slot 0(caller 1x_auth_pae.c:3121)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.581: 00:26:c7:6e:6e:7c Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.581: 00:26:c7:6e:6e:7c Global PMK Cache deletion failed.
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.582: 00:26:c7:6e:6e:7c Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.582: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Disconnected state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.582: 00:26:c7:6e:6e:7c Not sending EAP-Failure for STA 00:26:c7:6e:6e:7c
*apfMsConnTask_0: Jul 04 22:11:05.824: 00:26:c7:6e:6e:7c Association received from mobile on AP 64:ae:0c:25:0a:00
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Applying site-specific IPv6 override for station 00:26:c7:6e:6e:7c - vapId 1, site 'default-group', interface 'vlan10'
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Applying IPv6 Interface Policy for station 00:26:c7:6e:6e:7c - vlan 10, interface id 8, interface 'vlan10'
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c STA - rates (6): 152 36 48 72 96 108 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Processing RSN IE type 48, length 22 for mobile 00:26:c7:6e:6e:7c
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Received RSN IE with 0 PMKIDs from mobile 00:26:c7:6e:6e:7c
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 64:ae:0c:25:0a:00 vapId 1 apVapId 1for this client
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 64:ae:0c:25:0a:00 vapId 1 apVapId 1
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:26:c7:6e:6e:7c on AP 64:ae:0c:25:0a:00 from Associated to Associated

*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c Sending Assoc Response to station on BSSID 64:ae:0c:25:0a:00 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_0: Jul 04 22:11:05.825: 00:26:c7:6e:6e:7c apfProcessAssocReq (apf_80211.c:5284) Changing state for mobile 00:26:c7:6e:6e:7c on AP 64:ae:0c:25:0a:00 from Associated to Associated

*spamReceiveTask: Jul 04 22:11:05.827: 00:26:c7:6e:6e:7c Sent 1x initiate message to multi thread task for mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.827: 00:26:c7:6e:6e:7c Station 00:26:c7:6e:6e:7c setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.827: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.827: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.829: 00:26:c7:6e:6e:7c Received EAPOL START from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.829: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.829: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 2)

 

 

ACS log says:

http://s23.postimg.org/p1x57oj2h/ap1142success.png

It is the same when the AP3502i is in H-REAP mode and it is trying to do the auth against AAA.

On the ACS, all the supported protocols are enabled.

 

I've also found this, but I do not understand one thing.

The AAA client is the phone. The WLC forwards its auth request to AAA. There is no NAT in place between them and the WLC2504 does a successful auth, while the WLC4404 fails... identical config

"

Problem: RADIUS/TACACS+ authentication failed with error "11007 Could not locate Network Device or AAA Client"

This error message is received on the ACS when an ASA sends a radius access-request message:

11007 Could not locate Network Device or AAA Client

Solution

This occurs because there is a mismatch between the IP of the ACS client and the interface IP that actually sends the request. Sometimes the firewall performs an address translation to this AAA client. Verify if the AAA client is properly configured with the correct translated IP address at this path:

"

So the solution did not work at all.

 

2.

The problem is the following and only occurs when the AP's are in H-REAP mode, regardless of the status, connected or standalone.

Client had associated with AP1, speed test app or ping is started, the connection is fine.

Then the client roams to AP2. After it has associated with AP2, the connection is broken, and stays broken until the app (speedtest, ping, whatever) is restarted. However, if I let the old session hang on, and the client goes back to AP1, the session gets resumed.

 

I found a discussion with a very similar issue yesterday:

https://supportforums.cisco.com/discussion/11808601/issue-clients-roaming-wlc-code-741000-flexconnect-mode
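As an added example (not code from this thread, from Cisco, or from the poster), here is a small Python parser for the WLC "debug client" output pasted above. It extracts the 802.1X state transitions for one client MAC, counts EAP-Request/Identity, Identity Response and EAPOL-Start messages, measures how long the controller waited in "Backend Auth Response" (the state in which it is waiting on the AAA server) before the client restarted the exchange, and reports where the session ended. The sample log is a trimmed copy of the debug lines posted in this thread; the line-format regex and the message keywords it matches on are assumptions taken from those lines.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed subset of the WLC "debug client" lines posted in this thread.
SAMPLE_LOG = """\
(Cisco Controller) >*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.509: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.509: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c Received EAPOL START from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Connecting state
*Dot1x_NW_MsgTask_0: Jul 04 22:10:49.510: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 2)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c Received Identity Response (count=2) from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Authenticating state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:00.580: 00:26:c7:6e:6e:7c Entering Backend Auth Response state for mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.579: 00:26:c7:6e:6e:7c Received EAPOL START from mobile 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.579: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Aborting state
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.580: 00:26:c7:6e:6e:7c Sending EAP-Request/Identity to mobile 00:26:c7:6e:6e:7c (EAP Id 4)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.580: 00:26:c7:6e:6e:7c Reached Max EAP-Identity Request retries (3) for STA 00:26:c7:6e:6e:7c
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.581: 00:26:c7:6e:6e:7c Sent Deauthenticate to mobile on BSSID 64:ae:0c:25:0a:00 slot 0(caller 1x_auth_pae.c:3121)
*Dot1x_NW_MsgTask_0: Jul 04 22:11:05.582: 00:26:c7:6e:6e:7c dot1x - moving mobile 00:26:c7:6e:6e:7c into Disconnected state
"""

# Assumed line format: "*<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
STATE_RE = re.compile(r"moving mobile \S+ into (\w+) state")


def parse_lines(text):
    """Yield (timestamp, task, mac, message) for each line in the WLC debug format."""
    for line in text.splitlines():
        star = line.find("*")  # drop any "(Cisco Controller) >" prompt echoed before the line
        if star < 0:
            continue
        m = LINE_RE.match(line[star:].rstrip())
        if not m:
            continue  # blank lines and lines that do not carry a client MAC are skipped
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")  # year is irrelevant for deltas
        yield ts, m.group("task"), m.group("mac"), m.group("msg")


def analyze_dot1x(text, mac=None):
    """Summarize the 802.1X exchange for one client from a WLC debug capture."""
    stats = {"identity_requests": 0, "identity_responses": 0, "eapol_starts": 0,
             "backend_wait_s": None, "max_retries_hit": False, "deauth": False,
             "final_state": None}
    backend_entered = None  # set while the WLC is waiting on the AAA server
    for ts, _task, sta, msg in parse_lines(text):
        if mac and sta != mac.lower():
            continue
        if msg.startswith("Sending EAP-Request/Identity"):
            stats["identity_requests"] += 1
        elif msg.startswith("Received Identity Response"):
            stats["identity_responses"] += 1
        elif msg.startswith("Received EAPOL START"):
            stats["eapol_starts"] += 1
        elif msg.startswith("Entering Backend Auth Response"):
            backend_entered = ts
        elif msg.startswith("Reached Max EAP-Identity Request retries"):
            stats["max_retries_hit"] = True
        elif msg.startswith("Sent Deauthenticate"):
            stats["deauth"] = True
        m = STATE_RE.search(msg)
        if m:
            stats["final_state"] = m.group(1)
            # The first state change after entering the backend wait ends that wait.
            if backend_entered is not None and m.group(1) != "Authenticating":
                stats["backend_wait_s"] = round((ts - backend_entered).total_seconds(), 3)
                backend_entered = None
    return stats


def findings(stats):
    """Turn the counters into plain-language observations for the troubleshooter."""
    out = []
    if stats["backend_wait_s"] is not None:
        out.append(f"WLC waited {stats['backend_wait_s']} s in Backend Auth Response (AAA server "
                   "outstanding) before the client restarted; check the AAA server log for an "
                   "Access-Request from this controller in that window.")
    if stats["eapol_starts"] > 1:
        out.append(f"Client sent EAPOL-Start {stats['eapol_starts']} times: it abandoned and "
                   "restarted the exchange.")
    if stats["max_retries_hit"]:
        out.append(f"Identity retry limit reached after {stats['identity_requests']} "
                   f"EAP-Request/Identity and {stats['identity_responses']} response(s).")
    if stats["deauth"]:
        out.append(f"WLC deauthenticated the client; final dot1x state: {stats['final_state']}.")
    return out


if __name__ == "__main__":
    summary = analyze_dot1x(SAMPLE_LOG, "00:26:c7:6e:6e:7c")
    for line in findings(summary):
        print("-", line)
```

Run it against a full "debug client <mac>" capture saved to a file by reading the file into `analyze_dot1x`; the MAC filter matters because a busy controller interleaves several clients on the same task threads. On the sample the interesting number is the backend wait: the controller sat just under five seconds waiting for the AAA server after the Identity Response before the client gave up and sent a fresh EAPOL-Start, which is the window to correlate with the ACS log rather than the later deauthentication.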

istvan.kelemen1
Level 1

Hmm, auth is fine with Win2012R2...
