Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Client can't get the DHCP address when On-MAC-Filter-failure, MAC Filtering

Hello Sir,

The wireless client can't get the DHCP address when I enable the On-MAC-Filter-failure, MAC Filtering and Web Auth. Client can get the DHCP address when I only enable the Web Auth in the same WLAN SSID. The WiSM verion is v7.0.235.0. Does any body have the same problem?

The debug client mac info below:

(WiSM-slot7-1) >*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c Adding mobile on LWAPP AP 00:1a:30:30:dd:f0(0)
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from Idle to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:25.780: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:26.015: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1d:a1:74:6a:e0
*apfMsConnTask_0: Aug 23 11:54:26.015: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'none', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1a:30:30:dd:f0]
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c Updated location for station old AP 00:1a:30:30:dd:f0-0, new AP 00:1d:a1:74:6a:e0-0
*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1d:a1:74:6a:e0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:26.016: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1d:a1:74:6a:e0]
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c Updated location for station old AP 00:1d:a1:74:6a:e0-0, new AP 00:1a:30:30:dd:f0-0
*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:26.251: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:26.482: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:26.483: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:26.716: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:26.947: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:27.179: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:27.410: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfMsConnTask_0: Aug 23 11:54:27.641: 00:13:ce:b0:81:0c Association received from mobile on AP 00:1a:30:30:dd:f0
*apfMsConnTask_0: Aug 23 11:54:27.641: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Aug 23 11:54:27.641: 00:13:ce:b0:81:0c Applying site-specific IPv6 override for station 00:13:ce:b0:81:0c - vapId 3, site 'default-group', interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.642: 00:13:ce:b0:81:0c Applying IPv6 Interface Policy for station 00:13:ce:b0:81:0c - vlan 175, interface id 10, interface 'wlan-test'
*apfMsConnTask_0: Aug 23 11:54:27.642: 00:13:ce:b0:81:0c STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.642: 00:13:ce:b0:81:0c STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_0: Aug 23 11:54:27.642: 00:13:ce:b0:81:0c apfProcessAssocReq (apf_80211.c:5153) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to AAA Pending

*apfMsConnTask_0: Aug 23 11:54:27.642: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*spamReceiveTask: Aug 23 11:54:29.961: 00:13:ce:b0:81:0c Received Idle-Timeout from AP 00:1a:30:30:dd:f0, slot 0 for STA 00:13:ce:b0:81:0c
*spamReceiveTask: Aug 23 11:54:29.961: 00:13:ce:b0:81:0c apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4

*spamReceiveTask: Aug 23 11:54:29.961: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)

*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:1a:30:30:dd:f0 vapId 3 apVapId 3for this client
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:1a:30:30:dd:f0 vapId 3 apVapId 3
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c apfMsAssoStateInc
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from AAA Pending to Associated

*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c Sending Assoc Response to station on BSSID 00:1a:30:30:dd:f0 (status 0) ApVapId 3 Slot 0
*apfReceiveTask: Aug 23 11:54:30.784: 00:13:ce:b0:81:0c apfProcessRadiusAssocResp (apf_80211.c:2166) Changing state for mobile 00:13:ce:b0:81:0c on AP 00:1a:30:30:dd:f0 from Associated to Associated

*apfReceiveTask: Aug 23 11:54:30.785: 00:13:ce:b0:81:0c 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Aug 23 11:54:30.785: 00:13:ce:b0:81:0c 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4494, Adding TMP rule
*apfReceiveTask: Aug 22 23:53:26.785: 00:13:ce:b0:81:0c 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:1a:30:30:dd:f0, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumbo F
*apfReceiveTask: Aug 23 11:54:30.785: 00:13:ce:b0:81:0c 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 175, IPv6 intf id = 10
*apfReceiveTask: Aug 23 11:54:30.785: 00:13:ce:b0:81:0c 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*pemReceiveTask: Aug 23 11:54:30.797: 00:13:ce:b0:81:0c 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

4 REPLIES

Re: Client can't get the DHCP address when On-MAC-Filter-failure

If you have foreign- anchor deployment make sure changes are updated on both controllers.

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
New Member

Has anyone else run into this

Has anyone else run into this?  Some clients can MAC failure and get to Web Auth fine, others never get a DHCP address and get stuck in DHCP_REQD instead of WEBAUTH_REQD.

No foreign anchor maps here.

New Member

Got this working.  I was

Got this working.  I was trying to get Web Auth on MAC filter failure working between WLC 7.0 code and Aruba ClearPass.  Once I adjusted the RADIUS reject delay from 1 to 0 things started working a lot better:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Trick-to-get-MAC-Caching-working-on-Cisco-WLC-7-6-with-ClearPass/td-p/151866

http://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/432

Thank you for sharing the

Thank you for sharing the info.

Rating useful replies is more useful than saying "Thank you"
577
Views
5
Helpful
4
Replies