Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CWA using ISE and mobility anchor

My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.

When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.

When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.

Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.

I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.

When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

3 REPLIES
New Member

CWA using ISE and mobility anchor

Extra pertinent information.

The guide does in fact say that all the auth happens between the foreign controller and the ISE.  The CoA is successfully sent and ACKed, but the anchor is never told about it (my impression of what is happening).

I'll also attach client debugs from the foreign and anchor if that helps.

New Member

CWA using ISE and mobility anchor

FOREIGN

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending

*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds

*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253

*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile

MAC: 00:1e:c2:c0:96:05, source 2

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1

*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated

*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)

*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff

*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'

*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)

*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff

*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule

  type = Airespace AP Client

  on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0

  IPv4 ACL ID = 255, IPv6 ACL ID = 255,

*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0

*mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role

*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4

*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0

*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule

  type = Airespace AP Client

  on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0

  IPv4 ACL ID = 255, IPv6 ACL ID

*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0

*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile

*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.

*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.

*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA

*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role

*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

*pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile

MAC: 00:1e:c2:c0:96:05, source 2

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule

  type = Airespace AP Client

  on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0

  IPv4 ACL ID = 255, IPv6 ACL ID

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds

*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600

*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1

*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated

*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role

*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

New Member

CWA using ISE and mobility anchor

ANCHOR

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Adding mobile on Remote AP 00:00:00:00:00:00(0)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Re-applying interface policy for client

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 3096

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Re-applying interface policy for client

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Applying post-handoff policy for station 00:1e:c2:c0:96:05 - valid mask 0x0

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05     QOS Level: -1, DSCP: -1, dot1p: -1,

    Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05     Session: -1, User session: -1, User elapsed -1

    Interface: N/A, IPv4 ACL: N/A, IPv6 ACL: N/A.

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Export Anchor. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 3096

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 Re-applying interface policy for client

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)

*mmMaListen: Jan 29 10:04:56.512: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile

MAC: 00:1e:c2:c0:96:05, source 16

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 0

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 Stopping deletion of Mobile Station: (callerId: 53)

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0

  IPv4 ACL ID = 255, IP

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 3096, Local Bridging intf id = 12

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5716, Adding TMP rule

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0

  IPv4 ACL ID = 255,

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 3096, Local Bridging intf id = 12

*mmMaListen: Jan 29 10:04:56.513: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*pemReceiveTask: Jan 29 10:04:56.516: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Anchor role

*pemReceiveTask: Jan 29 10:04:56.516: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4

*pemReceiveTask: Jan 29 10:04:56.516: 00:1e:c2:c0:96:05 Sent an XID frame

*pemReceiveTask: Jan 29 10:04:56.516: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Anchor role

*pemReceiveTask: Jan 29 10:04:56.516: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4

*mmMaListen: Jan 29 10:04:56.520: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0

  IPv4 ACL ID = 255,

*mmMaListen: Jan 29 10:04:56.520: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 3096, Local Bridging intf id = 12

*mmMaListen: Jan 29 10:04:56.520: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)

*pemReceiveTask: Jan 29 10:04:56.521: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Anchor role

*pemReceiveTask: Jan 29 10:04:56.521: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 312,vlan 1031, port 13, encap 0xec07)

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP (encap type 0xec07) mstype 3ff:ff:ff:ff:ff:ff

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP selecting relay 1 - control block settings:

dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,

dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP selected relay 1 - 10.30.4.37 (local address 10.130.96.5, gateway 10.130.96.1, VLAN 3096, port 13)

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP transmitting DHCP REQUEST (3)

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 10.130.96.5

*DHCP Socket Task: Jan 29 10:04:58.024: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8

*DHCP Socket Task: Jan 29 10:04:58.025: 00:1e:c2:c0:96:05 DHCP sending REQUEST to 10.130.96.1 (len 350, port 13, vlan 3096)

*DHCP Socket Task: Jan 29 10:04:58.025: 00:1e:c2:c0:96:05 DHCP selecting relay 2 - control block settings:

dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,

dhcpGateway: 0.0.0.0, dhcpRelay: 10.130.96.5  VLAN: 3096

*DHCP Socket Task: Jan 29 10:04:58.025: 00:1e:c2:c0:96:05 DHCP selected relay 2 - NONE

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 3096, port 13, encap 0xec00)

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 DHCP setting server from ACK (server 10.30.4.37, yiaddr 10.130.98.8)

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 10.130.98.8 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 10.130.98.8 WEBAUTH_REQD (8) pemAdvanceState2 6592, Adding TMP rule

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 10.130.98.8 WEBAUTH_REQD (8) Replacing Fast Path rule

  type = Airespace AP Client - ACL passthru

  on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0

  IPv4 ACL

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 10.130.98.8 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 3096, Local Bridging intf id = 12

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 10.130.98.8 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 2, IPv6 ACL ID 255, L2 ACL ID 255)

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 Plumbing web-auth redirect rule due to user logout

*DHCP Socket Task: Jan 29 10:04:58.040: 00:1e:c2:c0:96:05 apfAssignMscbIpAddr:1148 Assigning an Ip Addr 10.130.98.8 to the client in Anchor state update the foreign switch 10.128.84.10

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface guest.

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface guest.

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP transmitting DHCP ACK (5)

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0

*DHCP Socket Task: Jan 29 10:04:58.041: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 10.30.4.37

*pemReceiveTask: Jan 29 10:04:58.042: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Anchor role

*pemReceiveTask: Jan 29 10:04:58.042: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 2, dtlFlags 0x4

Connection to 10.10.31.249 closed.

macbookho:~ mlymbery$

157
Views
0
Helpful
3
Replies
CreatePlease login to create content