Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot authenticate Radius via WLC

Trying to configure RADIUS client on Server 2012 using a 5508 series WLC.  Getting the following debug on the WLC:

(Cisco Controller) >*dot1xMsgTask: Dec 13 12:43:19.695: 74:e5:43:5d:48:78 Not sending EAP-Failure for STA 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:b8:60:47
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0  cur: 9

*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Deleting client immediately since WLAN has changed
*apfMsConnTask_7: Dec 13 12:43:25.523: 74:e5:43:5d:48:78 Scheduling deletion of Mobile Station:  (callerId: 50) in 1 seconds
*Dot1x_NW_MsgTask_0: Dec 13 12:43:25.550: 74:e5:43:5d:48:78 Ignoring any event(1), since client is marked for deletion
*osapiBsnTimer: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5827) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Disassociated

*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsAssoStateDec
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5959) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Disassociated to Idle

*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [0c:68:03:b8:60:40]
*apfReceiveTask: Dec 13 12:43:26.494: 74:e5:43:5d:48:78 Deleting mobile on AP 0c:68:03:b8:60:40(0)
*apfMsConnTask_7: Dec 13 12:43:31.820: 74:e5:43:5d:48:78 Adding mobile on LWAPP AP 0c:68:03:d7:c7:90(0)
*apfMsConnTask_7: Dec 13 12:43:31.820: 74:e5:43:5d:48:78 Reassociation received from mobile on BSSID 0c:68:03:d7:c7:97
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0  cur: 3

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Re-applying interface policy for client

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 8 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 8, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_7: Dec 13 12:43:31.821: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:d7:c7:90 vapId 8 apVapId 8 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfMsAssoStateInc
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Idle to Associated

*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:d7:c7:97 (status 0) ApVapId 8 Slot 0
*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Associated to Associated

*apfMsConnTask_7: Dec 13 12:43:31.822: 74:e5:43:5d:48:78 Updating AID for REAP AP Client 0c:68:03:d7:c7:90 - AID ===> 3
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 Station 74:e5:43:5d:48:78 setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:43:31.825: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:31.831: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Received Identity Response (count=2) from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 EAP State update from Connecting to Authenticating for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Authenticating state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.346: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=3) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.350: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.358: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=4) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.360: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 4)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.514: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=5) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:37.516: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 5)
*apfMsConnTask_7: Dec 13 12:43:42.724: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.724: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*apfMsConnTask_7: Dec 13 12:43:42.725: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.725: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*apfMsConnTask_7: Dec 13 12:43:42.726: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.726: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*apfMsConnTask_7: Dec 13 12:43:42.727: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:d7:c7:90
*apfMsConnTask_7: Dec 13 12:43:42.727: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0  cur: 4

*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Deleting client immediately since WLAN has changed
*apfMsConnTask_7: Dec 13 12:43:42.728: 74:e5:43:5d:48:78 Scheduling deletion of Mobile Station:  (callerId: 50) in 1 seconds
*apfMsConnTask_7: Dec 13 12:43:42.731: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956622, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:43:42.731: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*Dot1x_NW_MsgTask_0: Dec 13 12:43:42.744: 74:e5:43:5d:48:78 Ignoring any event(1), since client is marked for deletion
*osapiBsnTimer: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireCallback (apf_ms.c:615) Expiring Mobile!
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5827) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Associated to Disassociated

*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsAssoStateDec
*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 apfMsExpireMobileStation (apf_ms.c:5959) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:d7:c7:90 from Disassociated to Idle

*apfReceiveTask: Dec 13 12:43:43.694: 74:e5:43:5d:48:78 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Dec 13 12:43:43.695: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [0c:68:03:d7:c7:90]
*apfReceiveTask: Dec 13 12:43:43.695: 74:e5:43:5d:48:78 Deleting mobile on AP 0c:68:03:d7:c7:90(0)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Adding mobile on LWAPP AP 0c:68:03:b8:60:40(0)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Reassociation received from mobile on BSSID 0c:68:03:b8:60:40
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0  cur: 9

*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Re-applying interface policy for client

*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 0 0 0 0 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:49.065: 74:e5:43:5d:48:78 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:b8:60:40 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfMsAssoStateInc
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Idle to Associated

*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:b8:60:40 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Dec 13 12:43:49.066: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated

*apfMsConnTask_7: Dec 13 12:43:49.067: 74:e5:43:5d:48:78 Updating AID for REAP AP Client 0c:68:03:b8:60:40 - AID ===> 1
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 Station 74:e5:43:5d:48:78 setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:43:49.068: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.075: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.076: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
debug client 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:49.076: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Received Identity Response (count=2) from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 EAP State update from Connecting to Authenticating for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Authenticating state
*Dot1x_NW_MsgTask_0: Dec 13 12:43:58.993: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=3) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.000: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.007: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=4) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.010: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 4)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.038: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=5) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.040: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 5)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.069: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.070: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.070: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Processing Access-Challenge for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Entering Backend Auth Req state (id=6) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.071: 74:e5:43:5d:48:78 Sending EAP Request from AAA to mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Received EAPOL EAPPKT from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Received EAP Response from mobile 74:e5:43:5d:48:78 (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.125: 74:e5:43:5d:48:78 Entering Backend Auth Response state for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Processing Access-Reject for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Removing PMK cache due to EAP-Failure for mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Sending EAP-Failure to mobile 74:e5:43:5d:48:78 (EAP Id 6)
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Entering Backend Auth Failure state (id=6) for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 Setting quiet timer for 5 seconds for mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:43:59.128: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Unknown state
*apfMsConnTask_7: Dec 13 12:44:00.651: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956640, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:44:00.651: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*apfMsConnTask_7: Dec 13 12:44:00.659: 74:e5:43:5d:48:78 Client stats update: Time now in sec 1386956640, Last Acct Msg Sent at 0 sec
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Requested to send acct interim update request msg to APF task for client 74:e5:43:5d:48:78

*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Association received from mobile on BSSID 0c:68:03:b8:60:40
*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Global 200 Clients are allowed to AP radio

*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Max Client Trap Threshold: 0  cur: 10

*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_7: Dec 13 12:44:00.660: 74:e5:43:5d:48:78 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 219

*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Re-applying interface policy for client

*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 In processSsidIE:4210 setting Central switched to TRUE
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 In processSsidIE:4213 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Applying site-specific Local Bridging override for station 74:e5:43:5d:48:78 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Applying Local Bridging Interface Policy for station 74:e5:43:5d:48:78 - vlan 219, interface id 0, interface 'management'
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Processing RSN IE type 48, length 20 for mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Received RSN IE with 0 PMKIDs from mobile 74:e5:43:5d:48:78
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Setting active key cache index 8 ---> 8
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 unsetting PmkIdValidatedByAp
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Dec 13 12:44:00.661: 74:e5:43:5d:48:78 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 0c:68:03:b8:60:40 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated

*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfPemAddUser2:session timeout forstation 74:e5:43:5d:48:78 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 Sending Assoc Response to station on BSSID 0c:68:03:b8:60:40 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Dec 13 12:44:00.662: 74:e5:43:5d:48:78 apfProcessAssocReq (apf_80211.c:7399) Changing state for mobile 74:e5:43:5d:48:78 on AP 0c:68:03:b8:60:40 from Associated to Associated

*dot1xMsgTask: Dec 13 12:44:00.664: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*dot1xMsgTask: Dec 13 12:44:00.664: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 Received EAPOL START from mobile 74:e5:43:5d:48:78
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 dot1x - moving mobile 74:e5:43:5d:48:78 into Connecting state
*Dot1x_NW_MsgTask_0: Dec 13 12:44:00.677: 74:e5:43:5d:48:78 Sending EAP-Request/Identity to mobile 74:e5:43:5d:48:78 (EAP Id 2)

I setup wireshark to capture on all interfaces and am getting absolutely 0 packet data when I attempt to authenticate as well.

Thanks in advance,

-B

6 REPLIES
Hall of Fame Super Silver

Re: Cannot authenticate Radius via WLC

That's a long post. Next time attach the logs to the thread. I can't see the while process, but what does the radius server show and can you post your show WLAN

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Cannot authenticate Radius via WLC

Thanks for the reply Scott...so sorry for the spammy post!

The radius server where the client is deployed is not displaying any sort of logs in any of the NPS log files.

Show WLAN 1 is as follows:

WLAN Identifier.................................. 1

Profile Name..................................... GHI

Network Name (SSID).............................. GHI

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Disabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Enabled

   DHCP ......................................... Enabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ 300 seconds

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... GHI_WLC

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... Default

DHCP Address Assignment Required................. Enabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Drop

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ 172.18.0.44 1812

   Accounting.................................... Global Servers

      Interim Update............................. 600 Seconds

   Dynamic Interface............................. Enabled

   Dynamic Interface Priority.................... wlan

--More-- or (q)uit

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

                                                               Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Enabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Disabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Hope this helps and thanks again!

/r

B

Cisco Employee

Cannot authenticate Radius via WLC

uncheck account sever, there seem to be a hiccup bcoz of it.

radius server did not like something and sending access reject. debug dot1x on wlc and radius log might help here.

New Member

Cannot authenticate Radius via WLC

Thanks for the info...Where is this "account server" box that needs to be unchecked.  I scoured through the WLAN's/Authentication/Security tabs and the WLAN - Edit -> Security/QoS/Advanced tabs and still cannot find it.

Thanks so much again, i've been stuck on this problem for a week!

Cannot authenticate Radius via WLC

So, I'm seeing this:

Processing Access-Reject for mobile 74:e5:43:5d:48:78

There was a reject from the AAA server.  There should be something in the system logs on the NPS that tells why the cleint failed to authenticate

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Cannot authenticate Radius via WLC

Thanks again Stephen,

I am however not generating any lags on the NPS pertaining to authentication fails or anything else for that matter.

564
Views
8
Helpful
6
Replies
CreatePlease to create content