Community Member

Static VLAN assignment with EAP-TLS ACS v5.0

Hi All,

I am having some difficulties with statically assigning the VLAN ID and assigning DHCP through our wireless network.

This is not yet in production.

WCS

WLC 5508

ACS 5.0.0.21

CAP3502

All CAPs are associated with the WLC - see attached

Problem is when I try to connect to the WLAN from the client, unless the WLAN Profile is configured for the management interface, the RADIUS does not see the request, and has no hits against the Access Policies.

Any suggestions?

Dan

8 REPLIES
Cisco Employee

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Hi Dan,

Make sure that:

1- network user is checked next to the radius server you want to use and that it is enabled under SECURITY -> RADIUS -> Authentication

2- make sure to point the SSID toward the radius Server under WLAN -> SSID in use -> SECURITY -> AAA Server

If still not working, ssh to WLC,  debug client while reproducing the problem. Paste here.

Cheers,
Serge

Community Member

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Community Member

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Serge,

Please note that I have enabled AAA Override at the moment to allow the RADIUS to return the VLAN tag with the RADIUS Response.

I will follow up with the capture of the debug.

Regards,

Dan

Community Member

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Serge,

I have cleared the logs and enabled debug client 00:21:60:2f:f7:20.

*apfMsConnTask_5: Nov 09 11:45:23.991: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
*apfProbeThread: Nov 09 11:45:23.668: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:23.658: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:23.658: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:45:05.626: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
*apfProbeThread: Nov 09 11:45:05.303: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:05.296: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:05.296: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:44:47.266: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 5 times.!]
*apfProbeThread: Nov 09 11:44:46.941: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:44:46.934: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:44:46.934: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:44:28.889: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 4 times.!]
*apfProbeThread: Nov 09 11:44:28.561: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 3 times/sec!.]

Community Member

Re: Static VLAN assignment with EAP-TLS ACS v5.0

*radiusTransportThread: Nov 09 11:47:42.402: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 152) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:24.050: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 151) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:05.682: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 150) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:05.682: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 7 times.!]
*apfProbeThread: Nov 09 11:46:48.535: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*radiusTransportThread: Nov 09 11:46:47.326: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 149) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:46:47.326: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfProbeThread: Nov 09 11:46:46.195: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*emWeb: Nov 09 11:46:29.364: %DEBUG-4-INVALID_MODULE: debug.c:1765 Unhandled debug module 264.
*emWeb: Nov 09 11:46:29.364: %DEBUG-4-INVALID_MODULE: debug.c:1765 Unhandled debug module 228.
*radiusTransportThread: Nov 09 11:46:28.958: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 148) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:46:28.958: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 8 times.!]
*apfProbeThread: Nov 09 11:45:48.425: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfProbeThread: Nov 09 11:45:46.211: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*apfMsConnTask_5: Nov 09 11:45:42.353: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 12 times.!]
*apfProbeThread: Nov 09 11:45:42.028: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfMsConnTask_5: Nov 09 11:45:23.991: %LOG-6-Q_IND: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored. [...It occurred 11 times.!]
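The log excerpts above mix three different symptoms: the RADIUS server never answering the WLC's Access-Requests (%AAA-4-RADIUS_RESPONSE_FAILED), the client never answering the WLC's EAP identity requests (%DOT1X-3-MAX_EAP_RETRIES / ABORT_AUTH), and 802.11 management-frame noise that has nothing to do with authentication. Telling them apart quickly is the whole game when triaging a WLC debug. The following is an added example, not code from this thread or from Cisco: a small Python parser for WLC message-log lines in the format pasted above that groups unanswered RADIUS requests per server and 802.1X aborts per client and emits a plain-language finding for each. The sample log is constructed from lines of the same shape as the thread's; the line format regex and the message-text patterns are assumptions based on those pasted lines, not a documented WLC schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the WLC message log pasted in this thread
# (server address, request IDs and client MAC are the ones seen in the thread).
SAMPLE_LOG = """\
*radiusTransportThread: Nov 09 11:47:42.402: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 152) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*radiusTransportThread: Nov 09 11:47:24.050: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server 10.64.96.220:1812 failed to respond to request(ID 151) for STA 00:21:6a:2f:f7:20 / user 'unknownUser'
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:6a:2f:f7:20
*Dot1x_NW_MsgTask_0: Nov 09 11:45:42.020: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:21:6a:2f:f7:20
*apfProbeThread: Nov 09 11:45:46.211: %APF-6-PROC_DOT11_MAC_MGMT_DATA_FAILED: apf_80211.c:7138 Could not Process 802.11 MAC mgmt Data. Invalid toDs/fromDs bit set - packet ignored.
this line is not a WLC log line and must be skipped
"""

# Assumed generic line shape: *task: Mon DD hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^\s*\*(?P<task>[^:]+):\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Message-text patterns, assumed from the lines pasted in the thread.
RADIUS_FAIL_RE = re.compile(
    r"RADIUS server (?P<server>\d{1,3}(?:\.\d{1,3}){3}:\d+) failed to respond to "
    r"request\(ID (?P<id>\d+)\) for STA (?P<sta>" + MAC + r")"
)
CLIENT_RE = re.compile(r"client (?P<sta>" + MAC + r")")


def parse_line(line):
    """Split one WLC log line into its fields, or return None for non-log text."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Group the auth-relevant events in a WLC log and derive per-symptom findings."""
    unanswered = defaultdict(list)            # RADIUS server -> request IDs it never answered
    eap = defaultdict(Counter)                # client MAC -> {mnemonic: count}
    ignored_mgmt = 0                          # 802.11 mgmt frames the WLC dropped (noise)
    skipped = 0                               # lines that did not parse as WLC log lines

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["mnemonic"] == "RADIUS_RESPONSE_FAILED":
            m = RADIUS_FAIL_RE.search(rec["text"])
            if m:
                unanswered[m["server"]].append(int(m["id"]))
        elif rec["mnemonic"] in ("MAX_EAP_RETRIES", "ABORT_AUTH"):
            m = CLIENT_RE.search(rec["text"])
            if m:
                eap[m["sta"]][rec["mnemonic"]] += 1
        elif rec["mnemonic"] == "PROC_DOT11_MAC_MGMT_DATA_FAILED":
            ignored_mgmt += 1

    findings = []
    for server, ids in unanswered.items():
        # No reply at all (as opposed to an Access-Reject) points at the WLC-to-server
        # path or the server itself; the client never got a chance to be rejected.
        findings.append(
            f"RADIUS server {server} silent for {len(ids)} request(s), IDs "
            f"{min(ids)}-{max(ids)}: check reachability, shared secret and the server log"
        )
    for sta, counts in eap.items():
        if counts["ABORT_AUTH"]:
            # Identity-request retries are WLC-to-client, before any RADIUS traffic:
            # this is the client side not answering, a separate problem from the above.
            findings.append(
                f"client {sta}: {counts['ABORT_AUTH']} 802.1X abort(s) after EAP identity "
                f"retries exhausted ({counts['MAX_EAP_RETRIES']} MAX_EAP_RETRIES)"
            )
    return {
        "unanswered": dict(unanswered),
        "eap": {sta: dict(c) for sta, c in eap.items()},
        "ignored_mgmt": ignored_mgmt,
        "skipped": skipped,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it on a saved copy of the WLC message log or the output of a client debug; an unanswered-request finding with no Access-Reject anywhere in the same window is the signature to look for before spending time on the client's supplicant or certificate.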

Cisco Employee

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Hi Dan,

Please be aware that ACS 5.0 suffers from a major DDTS where it does not reply to RADIUS packets from WLCs.

The DDTS id is CSCsy17858 - Incorrect handling of Tunnel-Type & Tunnel-Client-Endpoint attrs.

I would upgrade to the latest ACS version or at least 5.0.0.21.6 (patch 6) where this was first fixed.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Community Member

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Tiago,

Thanks for the suggestions.

I have not been able to upgrade my ACS 5.0 yet, still trying to get the maintenance sorted out so that I can upgrade to 5.2.

I have however pointed to another AAA server (v4.1) and I am able to successfully authenticate and remain in the statically configured VLAN (through the AP Group WLAN interface configuration). So it looks as though there is a bug issue with 5.0.0.21.

Once I have confirmed the upgrade to 5.2 and tested successfully I will add further information.

Dan

Cisco Employee

Re: Static VLAN assignment with EAP-TLS ACS v5.0

Dan, all I see on the logs you gave is that the client is not responding to EAP-Requests.

It is very weird that this works fine when WLAN is bound to management interface and doesn't work when WLAN is bound to dynamic interface. It could be due to the bug that Tiago mentioned earlier, not sure.
