
New Member

5508 - iPad getting disconnected from WLAN Using EAP-TLS

We are seeing an issue with an iPad connecting to a WLAN configured for EAP-TLS using ISE 1.2, getting disconnected.  The iPad will hop to another SSID.  It will connect back to the other SSID when selected.  Any ideas? I have a debug client for when this happened.

 

*apfMsConnTask_0: Apr 08 14:03:57.508: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_7: Apr 08 14:04:57.855: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Association received from mobile on BSSID 54:78:1a:2f:84:56
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Global 200 Clients are allowed to AP radio

*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Max Client Trap Threshold: 0  cur: 4

*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Skipping TMP rule add
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a apfMsRunStateDec
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)

*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Reached ERROR: from line 6355
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [54:78:1a:2f:84:50]
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 730

*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Re-applying interface policy for client 

*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID 
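An added example, not part of the original post and not Cisco tooling: a small parser that pulls the association, state-change and rule-deletion events out of `debug client` output like the capture above, so the drop out of RUN is easy to spot in a long log. The line layout is inferred only from the lines quoted in this thread, and the names `summarize` and `left_run` are hypothetical.

```python
import re

# Line shape inferred from the debug output quoted in this thread:
# *<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>
LINE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$",
    re.IGNORECASE,
)
STATE_CHANGE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)")

# Four lines copied from the post above.
SAMPLE = """\
*apfMsConnTask_7: Apr 08 14:04:57.855: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Association received from mobile on BSSID 54:78:1a:2f:84:56
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [54:78:1a:2f:84:50]
"""

def summarize(text):
    """Return (timestamp, client MAC, kind, detail) for the events of interest."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank lines and lines that carry no client MAC
        ts, mac, msg = m["ts"], m["mac"], m["msg"]
        if msg.startswith("Association received"):
            events.append((ts, mac, "assoc", msg.rsplit(" ", 1)[-1]))
        elif (sc := STATE_CHANGE.search(msg)):
            # Log order is "to NEW ... last state OLD"; report it as OLD->NEW.
            events.append((ts, mac, "state", f"{sc.group(2)}->{sc.group(1)}"))
        elif "Deleted mobile LWAPP rule" in msg:
            events.append((ts, mac, "rule_deleted", msg[msg.index("[") + 1:-1]))
    return events

def left_run(events):
    """Clients whose session moved out of RUN, as seen in the capture above."""
    return sorted({mac for _, mac, kind, detail in events
                   if kind == "state" and detail.startswith("RUN->")})

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(*event)
    print("left RUN:", left_run(summarize(SAMPLE)))
```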

3 REPLIES
New Member

It appears that what's happening is when the iPad goes into sleep mode, or idle, it deauthenticates on the WLC.  Once the iPad is turned back on, it will reconnect, but not always to the previous SSID.

New Member

So after doing some further testing, here is what we are seeing.  I would appreciate any advice or feedback from others that may have seen this.  We are using 5508 WLC on 7.4Mr2 and ISE 1.2

1.) Users connecting to an SSID configured to auth against ISE using WPA2/AES and EAP-TLS, get connected.

2.) When the iPad or iPhone goes into sleep mode, the devices are reconnecting to the previously connected SSID.  This is the SSID set up for CWA for ISE provisioning.  I can select the SSID configured for the EAP-TLS, and it will connect again.  If I forget the original SSID it keeps reverting back to, then it will reconnect to the correct SSID.

We have been able to reproduce this over and over.  It seems that something is causing the client to get disconnected, so it tried the previously connected SSID.

 

 

Use profiles for the wifi

Use profiles for the wifi settings on the iPad

A reset of network settings will clear the network history, but the profile will add it back in automatically

http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_Feb14.pdf

Great Cisco doc for BP and troubleshooting of Apple devices:

Enterprise Best Practices for Apple Mobile Devices on Cisco ...

Make sure the app uses URIPersistWifi call 
https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/PerformanceTuning/PerformanceTuning.html
