I've got a strange problem here. In the office, my OEAP 600 can join the WLC if there is no MAC authentication. When I enable MAC authentication at the WLC, the AP fails to register. However, I tried it at home and it works with MAC authentication either enabled or disabled. I suspect it is because of the firewall in my office, but there shouldn't be any difference in the discovery and join procedure for an AP with MAC authentication enabled or disabled. I'm confused here. Please help.
What do your AP Join Statistics tell you about this AP? Do you see any failure reasons? (WLC: Monitor -- Statistics -- AP Join)
Below is error summary from WLC:
Last Error Summary
Last AP Message Decryption Failure----
Last AP Connection Failure --------- Timed out while waiting for ECHO repsonse from the AP
Last Error Occurred --------- Lwapp join request rejected
Last Error Occurred Reason --------- RADIUS authorization is pending for the AP
The error reason is probably because I haven't added the AP MAC address to ACS. With the same AP, at home using an ADSL link, I have no problem.
I add both the AP and Ethernet MACs of the OEAP to the AP authorization list. Do you have your MAC address on your ACS or on your WLC?
I have the AP Ethernet MAC address in both the WLC authorization list and ACS. When checking the ACS log, I can see authentication is successful. What confuses me is that with the same AP, with MAC authentication enabled, it can join the WLC outside my office (e.g. home ADSL), but fails only in my office. It doesn't look like the office firewall is the cause, since without MAC authentication the AP can join the WLC from my office.
Sorry, a little confused. So you are saying when you are at the office it doesn't join, but when you are home it does, correct?
With MAC authentication enabled, that's correct. With MAC authentication disabled, it works both in my office and at home.
If the OEAP600 is configured to join a public address it won't join when attempting to from behind your firewalls inside. The WLC will respond back with the public address configured and the AP will not know how to join properly.
Blake -- I have an outside IP address on my WLC and my 600's join from the inside.
Little odd, so this looks like a MAC address authorization issue. That doesn't make much sense.
You can see from the log that MAC authorization is OK. The AP is authenticated with ACS and I can see the access-accept in the debug output. Only when the DTLS negotiation happens does it fail.
Wish I could help Alex... I'm a little stumped on this one. Did you open a TAC case?
I'm going to open a TAC case for this. But I'm just wondering if there is any difference in DTLS negotiation between MAC authentication enabled and MAC authentication disabled.
There could be. I personally never use MAC auth for anything, seeing as it can be spoofed, albeit that is hard to do at the AP level.
The MAC authentication could be hampering the DTLS connection from being set up in a timely manner. Have you tried not doing it on ACS but just using the AP authorization list on the WLC directly?
I am not aware of any difference. I am using AP authorization on my OE and I don't have any issues.
AP Authorization and MAC authentication are two different things though. The delay in the call to ACS server for MAC authentication could be causing the DTLS tunnel session to expire before it can be created.
I thought about that after I sent it and I think with the newer code they changed that a little bit so it responds with both IPs.
It seems more like it is failing on the DTLS tunnel setup from inside than MAC auth by looking at the limited debugs.
The issue has been resolved. The miracle happened when we used an ISE server as the second RADIUS server. Actually, I don't know why it suddenly works. But this will probably help if someone encounters the same issue.
For more information on the OEAP-600, please watch the "Community Tech-Talk Series": Cisco Office Extend Access Point OEAP-600
Community Manager - Wireless