Cisco Support Community

New Member

Clients are not able to connect to one of SSID

Hi Experts,

I have one WLC configured with two SSIDs:

For one SSID, I have configured [WPA2][Auth(802.1X)] security policies and added the AAA server under the Security tab (of the respective WLAN); it is not working.

I have shared below the output of debug client <mac address>:

(Cisco Controller) >*osapiBsnTimer: jan 21 08:24:55.690: xx:xx:xx:xx:xx:07 802.1x 'txWhen' Timer expired for station xx:xx:xx:xx:xx:07
*dot1xMsgTask: jan 21 08:24:55.691: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*dot1xMsgTask: jan 21 08:24:55.691: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 3)
*dot1xMsgTask: jan 21 08:24:55.692: xx:xx:xx:xx:xx:07 Reached Max EAP-Identity Request retries (3) for STA xx:xx:xx:xx:xx:07
*dot1xMsgTask: jan 21 08:24:55.692: xx:xx:xx:xx:xx:07 Sent Deauthenticate to mobile on BSSID a4:0x:cv:91:43:b0 slot 0(caller 1x_auth_pae.c:2943)
*dot1xMsgTask: jan 21 08:24:55.693: xx:xx:xx:xx:xx:07 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*dot1xMsgTask: jan 21 08:24:55.693: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Disconnected state
*dot1xMsgTask: jan 21 08:24:55.693: xx:xx:xx:xx:xx:07 Not sending EAP-Failure for STA xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:24:55.806: xx:xx:xx:xx:xx:07 Association received from mobile on AP a4:0c:c3:90:46:b0
*apfMsConnTask_0: jan 21 08:24:55.806: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: jan 21 08:24:55.806: xx:xx:xx:xx:xx:07 Applying site-specific IPv6 override for station xx:xx:xx:xx:xx:07 - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_0: jan 21 08:24:55.806: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 Applying IPv6 Interface Policy for station xx:xx:xx:xx:xx:07 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 Processing RSN IE type 48, length 22 for mobile xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 Received RSN IE with 0 PMKIDs from mobile xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP a4:0x:cv:91:43:b0 vapId 2 apVapId 2
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile xx:xx:xx:xx:xx:07 on AP a4:0x:cv:91:43:b0 from Associated to Associated

*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 Sending Assoc Response to station on BSSID a4:0x:cv:91:43:b0 (status 0)
*apfMsConnTask_0: jan 21 08:24:55.807: xx:xx:xx:xx:xx:07 apfProcessAssocReq (apf_80211.c:4587) Changing state for mobile xx:xx:xx:xx:xx:07 on AP a4:0x:cv:91:43:b0 from Associated to Associated

*dot1xMsgTask: jan 21 08:24:55.815: xx:xx:xx:xx:xx:07 Disable re-auth, use PMK lifetime.
*dot1xMsgTask: jan 21 08:24:55.815: xx:xx:xx:xx:xx:07 Station xx:xx:xx:xx:xx:07 setting dot1x reauth timeout = 0
*dot1xMsgTask: jan 21 08:24:55.816: xx:xx:xx:xx:xx:07 Stopping reauth timeout for xx:xx:xx:xx:xx:07
*dot1xMsgTask: jan 21 08:24:55.816: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*dot1xMsgTask: jan 21 08:24:55.816: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 1)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.826: xx:xx:xx:xx:xx:07 Received EAPOL START from mobile xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.826: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.827: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 2)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.835: xx:xx:xx:xx:xx:07 Received EAPOL START from mobile xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.836: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.836: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 3)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.836: xx:xx:xx:xx:xx:07 Reached Max EAP-Identity Request retries (3) for STA xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.837: xx:xx:xx:xx:xx:07 Sent Deauthenticate to mobile on BSSID a4:0x:cv:91:43:b0 slot 0(caller 1x_auth_pae.c:2943)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.837: xx:xx:xx:xx:xx:07 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.838: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Disconnected state
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.838: xx:xx:xx:xx:xx:07 Not sending EAP-Failure for STA xx:xx:xx:xx:xx:07
*spamReceiveTask: jan 21 08:24:57.514: CCKM: Send CCKM cache entry
*apfLbsTask: jan 21 08:25:02.089: xx:xx:xx:xx:xx:07 Copy AP LOCP - mode:0 slotId:0, apMac 0xa4:c:c3:90:46:b0
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy WLAN LOCP EssIndex:2 aid:10 ssid:alconeapf
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 1, status 3
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy CCX LOCP 4
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy e2e LOCP 0x1
*apfLbsTask: jan 21 08:25:02.090: xx:xx:xx:xx:xx:07 Copy MobilityData LOCP status:0, anchorip:0x0
*osapiBsnTimer: jan 21 08:25:05.688: xx:xx:xx:xx:xx:07 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
*apfReceiveTask: jan 21 08:25:05.688: xx:xx:xx:xx:xx:07 apfMsExpireMobileStation (apf_ms.c:4888) Changing state for mobile xx:xx:xx:xx:xx:07 on AP a4:0x:cv:91:43:b0 from Associated to Disassociated

*apfReceiveTask: jan 21 08:25:05.688: xx:xx:xx:xx:xx:07 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
*apfMsConnTask_0: jan 21 08:25:08.970: xx:xx:xx:xx:xx:07 Association received from mobile on AP a4:0c:c3:90:46:b0
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 Applying site-specific IPv6 override for station xx:xx:xx:xx:xx:07 - vapId 2, site 'default-group', interface 'management'
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 Applying IPv6 Interface Policy for station xx:xx:xx:xx:xx:07 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 Processing RSN IE type 48, length 22 for mobile xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 Received RSN IE with 0 PMKIDs from mobile xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP a4:0x:cv:91:43:b0 vapId 2 apVapId 2
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 apfMsAssoStateInc
*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile xx:xx:xx:xx:xx:07 on AP a4:0x:cv:91:43:b0 from Disassociated to Associated

*apfMsConnTask_0: jan 21 08:25:08.971: xx:xx:xx:xx:xx:07 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: jan 21 08:25:08.972: xx:xx:xx:xx:xx:07 Sending Assoc Response to station on BSSID a4:0x:cv:91:43:b0 (status 0)
*apfMsConnTask_0: jan 21 08:25:08.972: xx:xx:xx:xx:xx:07 apfProcessAssocReq (apf_80211.c:4587) Changing state for mobile xx:xx:xx:xx:xx:07 on AP a4:0x:cv:91:43:b0 from Associated to Associated

*dot1xMsgTask: jan 21 08:25:08.975: xx:xx:xx:xx:xx:07 Disable re-auth, use PMK lifetime.
*dot1xMsgTask: jan 21 08:25:08.976: xx:xx:xx:xx:xx:07 Station xx:xx:xx:xx:xx:07 setting dot1x reauth timeout = 0
*dot1xMsgTask: jan 21 08:25:08.976: xx:xx:xx:xx:xx:07 Stopping reauth timeout for xx:xx:xx:xx:xx:07
*dot1xMsgTask: jan 21 08:25:08.976: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*dot1xMsgTask: jan 21 08:25:08.976: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 1)
*Dot1x_NW_MsgTask_0: jan 21 08:25:09.012: xx:xx:xx:xx:xx:07 Received EAPOL START from mobile xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:25:09.012: xx:xx:xx:xx:xx:07 dot1x - moving mobile xx:xx:xx:xx:xx:07 into Connecting state
*Dot1x_NW_MsgTask_0: jan 21 08:25:09.013: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 2)
*apfLbsTask: jan 21 08:25:10.088: xx:xx:xx:xx:xx:07 Copy AP LOCP - mode:0 slotId:0, apMac 0xa4:c:c3:90:46:b0
*apfLbsTask: jan 21 08:25:10.088: xx:xx:xx:xx:xx:07 Copy WLAN LOCP EssIndex:2 aid:10 ssid:alconeapf
*apfLbsTask: jan 21 08:25:10.089: xx:xx:xx:xx:xx:07 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
*apfLbsTask: jan 21 08:25:10.089: xx:xx:xx:xx:xx:07 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 1, status 3
*apfLbsTask: jan 21 08:25:10.089: xx:xx:xx:xx:xx:07 Copy CCX LOCP 4
*apfLbsTask: jan 21 08:25:10.089: xx:xx:xx:xx:xx:07 Copy e2e LOCP 0x1

Can anybody suggest what could be the issue?

5 REPLIES

Re: Clients are not able to connect to one of SSID

vinodjad1234,

Can you post your WLC config?

show run-config commands

Also, have you configured your AAA server with the management IP of your controller and do you have matching secrets on both the WLC and AAA server?

Justin

Bronze

Re: Clients are not able to connect to one of SSID

I would check the auth log on the AAA server to see if there are any errors about the authentication.

New Member

Re: Clients are not able to connect to one of SSID

Hi,

Thanks for your reply.

I am not getting any logs on the AAA server for the same.

Bronze

Re: Clients are not able to connect to one of SSID

Can you verify the connectivity between your WLC and AAA server? The WLC needs to be able to talk to the AAA server on the RADIUS ports (UDP ports 1812, 1813, 1645, 1646). The fact that you don't see any logs on the AAA server may indicate the auth packets cannot reach the AAA server at all. You may want to run a packet capture on the AAA server to verify that.

Also, TAC suggested the following configurations for EAP authentication:

config advanced eap identity-request-timeout 120

config advanced eap identity-request-retries 20

config advanced eap request-timeout 120

config advanced eap request-retries 20
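
Added example, not part of any post in this thread: a short Python summary of the `debug client` output above, grouping lines by association attempt and measuring how quickly the EAP-Identity retries were used up. On the posted excerpt it shows all three identity requests spent within 20 ms, each resend following an EAPOL START from the client; the `summarize` helper and its field names are hypothetical.

```python
import re

# Excerpt of the "debug client" output posted in this thread (one full attempt
# plus the start of the next one); summarize() is a hypothetical helper.
SAMPLE = """\
*apfMsConnTask_0: jan 21 08:24:55.806: xx:xx:xx:xx:xx:07 Association received from mobile on AP a4:0c:c3:90:46:b0
*dot1xMsgTask: jan 21 08:24:55.816: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 1)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.826: xx:xx:xx:xx:xx:07 Received EAPOL START from mobile xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.827: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 2)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.835: xx:xx:xx:xx:xx:07 Received EAPOL START from mobile xx:xx:xx:xx:xx:07
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.836: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 3)
*Dot1x_NW_MsgTask_0: jan 21 08:24:55.836: xx:xx:xx:xx:xx:07 Reached Max EAP-Identity Request retries (3) for STA xx:xx:xx:xx:xx:07
*apfMsConnTask_0: jan 21 08:25:08.970: xx:xx:xx:xx:xx:07 Association received from mobile on AP a4:0c:c3:90:46:b0
*dot1xMsgTask: jan 21 08:25:08.976: xx:xx:xx:xx:xx:07 Sending EAP-Request/Identity to mobile xx:xx:xx:xx:xx:07 (EAP Id 1)
"""

# *task: mon dd hh:mm:ss.mmm: <client mac> <message>
LINE = re.compile(r"^\*\S+: \w+ \d+ (\d+):(\d+):(\d+)\.(\d+): (\S+) (.*)$")

def summarize(log):
    """Return one dict per association attempt found in the debug text."""
    attempts, cur = [], None
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, ms = (int(x) for x in m.groups()[:4])
        t = ((h * 60 + mi) * 60 + s) * 1000 + ms  # ms since midnight, no rollover handling
        mac, msg = m.group(5), m.group(6)
        if msg.startswith("Association received"):
            cur = {"mac": mac, "id_requests": 0, "eapol_starts": 0,
                   "first_request_ms": None, "retries_exhausted_after_ms": None}
            attempts.append(cur)
        elif cur is None:
            continue  # lines before the first association belong to no attempt
        elif msg.startswith("Sending EAP-Request/Identity"):
            cur["id_requests"] += 1
            if cur["first_request_ms"] is None:
                cur["first_request_ms"] = t
        elif msg.startswith("Received EAPOL START"):
            cur["eapol_starts"] += 1
        elif msg.startswith("Reached Max EAP-Identity Request retries"):
            if cur["first_request_ms"] is not None:
                cur["retries_exhausted_after_ms"] = t - cur["first_request_ms"]
    return attempts

if __name__ == "__main__":
    for attempt in summarize(SAMPLE):
        print(attempt)
```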

Re: Clients are not able to connect to one of SSID

Can you post the output of "debug aaa events enable"?
