Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Problems with 802.1x and Atheros cards

We have just discovered a problem with 802.1x authentication and Atheros cards.

We have seen this on both MAC OS X 10.6.0 systems and an XP System

This appears to be a DHCP problem in that clients don't get an IP address unless they reboot- which usually fixes it. Sometimes the controller will think the client is connected with a valid IP but the client doesn't actually get the address (never sends an ACK to the offer)

Then it will work until they try to reconnect again after a suspend or roaming to a new AP

Anybody seen this? It's making our network look bad since we have a lot of MACs with Atheros cards...

thanks,

Lynne

22 REPLIES

Re: Problems with 802.1x and Atheros cards

Try disabling dhcp by proxy. That tends to slow down the dhcp process significantly and disabling it allows you to track dhcp requests and lease times easier. In the WLC gui go to controller, advanced, dhcp, and then take the check mark out of the box. This will stop the dhcp relay mechanism where all dhcp requests appear to the dhcp server to come from the virtual interface of the controller.

sin
Community Member

Re: Problems with 802.1x and Atheros cards

I have seen this problem a couple of time. Try setting session-timeout under Wlan->Advanced to 65535. This could very well solve it. If you try pleas post feedback here. I'm trying to gather info on this bug.

Community Member

Re: Problems with 802.1x and Atheros cards

We also are having simliar issues. Did you find a resolution?

Community Member

Re: Problems with 802.1x and Atheros cards

I would also like to know the answer to this.  I ran into this same problem a few days ago with a Mac, but I'll need to verify if it's an Atheros card.  I'll try the suggested fixes if so.  Does your debug look something like this by any chance?

..........

*Mar 26 13:52:43.439: 00:21:e9:e2:e0:04 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Mar 26 13:52:43.439: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4473, Adding TMP rule
*Mar 26 13:52:43.439: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:0f:34:89:42:30, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumbo F
*Mar 26 13:52:43.439: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Mar 26 13:52:43.439: 00:21:e9:e2:e0:04 Stopping retransmission timer for mobile 00:21:e9:e2:e0:04
*Mar 26 13:52:43.445: 00:21:e9:e2:e0:04 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Mar 26 13:52:43.445: 00:21:e9:e2:e0:04 Sent an XID frame
*Mar 26 13:52:45.423: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Mar 26 13:52:45.423: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4154, Adding TMP rule
*Mar 26 13:52:45.423: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:0f:34:89:42:30, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumb
*Mar 26 13:52:45.423: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Mar 26 13:52:45.429: 00:21:e9:e2:e0:04 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Mar 26 13:52:45.429: 00:21:e9:e2:e0:04 Sent an XID frame
*Mar 26 13:53:07.105: CCKM: Send CCKM cache entry
*Mar 26 13:53:13.499: CCKM: Send CCKM cache entry
*Mar 26 13:53:15.076: CCKM: Send CCKM cache entry
*Mar 26 13:53:45.877: CCKM: Send CCKM cache entry
*Mar 26 13:53:46.676: CCKM: Send CCKM cache entry
*Mar 26 13:53:57.197: CCKM: Send CCKM cache entry
*Mar 26 13:54:02.345: CCKM: Send CCKM cache entry
*Mar 26 13:54:35.889: CCKM: Send CCKM cache entry
*Mar 26 13:54:43.312: CCKM: Send CCKM cache entry
*Mar 26 13:54:43.424: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Mar 26 13:54:43.424: 00:21:e9:e2:e0:04 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*Mar 26 13:54:43.424: 00:21:e9:e2:e0:04 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
*Mar 26 13:54:53.427: 00:21:e9:e2:e0:04 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Mar 26 13:54:53.427: 00:21:e9:e2:e0:04 apfMsExpireMobileStation (apf_ms.c:4413) Changing state for mobile 00:21:e9:e2:e0:04 on AP 00:0f:34:89:42:30 from Associated to Disassociated

........

Re: Problems with 802.1x and Atheros cards

What version of WLC code are you running? Im betting 6.0.188?

Community Member

Re: Problems with 802.1x and Atheros cards

Yes, I'm running 6.0.188.  DHCP Required and DHCP proxy are disabled.  Weird thing is, the same user can connect just fine using another Mac. The user is connecting to the same controller in both instances.  Here's the debug from a successful attempt:

.......

*Mar 26 16:24:31.129: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4473, Adding TMP rule
*Mar 26 16:24:31.129: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:0f:34:89:42:30, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumbo F
*Mar 26 16:24:31.129: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Mar 26 16:24:31.129: 00:21:e9:e6:f9:27 Stopping retransmission timer for mobile 00:21:e9:e6:f9:27
*Mar 26 16:24:31.135: 00:21:e9:e6:f9:27 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Mar 26 16:24:31.135: 00:21:e9:e6:f9:27 Sent an XID frame
*Mar 26 16:24:33.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Mar 26 16:24:33.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4154, Adding TMP rule
*Mar 26 16:24:33.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:0f:34:89:42:30, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumb
*Mar 26 16:24:33.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Mar 26 16:24:33.127: 00:21:e9:e6:f9:27 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Mar 26 16:24:33.127: 00:21:e9:e6:f9:27 Sent an XID frame
*Mar 26 16:24:34.300: CCKM: Send CCKM cache entry
*Mar 26 16:24:41.545: CCKM: Send CCKM cache entry
*Mar 26 16:25:05.125: CCKM: Send CCKM cache entry
*Mar 26 16:25:05.659: CCKM: Send CCKM cache entry
*Mar 26 16:25:06.332: CCKM: Send CCKM cache entry
*Mar 26 16:25:08.379: CCKM: Send CCKM cache entry
*Mar 26 16:25:18.367: CCKM: Send CCKM cache entry
*Mar 26 16:25:24.756: CCKM: Send CCKM cache entry
*Mar 26 16:25:42.158: CCKM: Send CCKM cache entry
*Mar 26 16:25:59.071: CCKM: Send CCKM cache entry
*Mar 26 16:26:02.631: CCKM: Send CCKM cache entry
*Mar 26 16:26:12.867: CCKM: Send CCKM cache entry
*Mar 26 16:26:31.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Mar 26 16:26:31.121: 00:21:e9:e6:f9:27 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*Mar 26 16:26:31.121: 00:21:e9:e6:f9:27 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
*Mar 26 16:26:34.258: 00:21:e9:e6:f9:27 Orphan Packet from 136.165.201.76 on mobile
*Mar 26 16:26:34.258: 00:21:e9:e6:f9:27 136.165.201.76 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)

*Mar 26 16:26:34.259: 00:21:e9:e6:f9:27 136.165.201.76 RUN (20) Reached PLUMBFASTPATH: from line 4958
*Mar 26 16:26:34.259: 00:21:e9:e6:f9:27 136.165.201.76 RUN (20) Replacing Fast Path rule
  type = Airespace AP Client
  on AP 00:0f:34:89:42:30, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumbo Frames =
*Mar 26 16:26:34.259: 00:21:e9:e6:f9:27 136.165.201.76 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Mar 26 16:26:34.259: 00:21:e9:e6:f9:27 Assigning Address 136.165.201.76 to mobile

.........

Community Member

Re: Problems with 802.1x and Atheros cards

Hello,

We are running 6.0.188. We are having the same issues with our Atheros cards but they are in PC tablets not MAC's. Has anyone found a work around that works or can pinpoint what and why this is happening?

Re: Problems with 802.1x and Atheros cards

Are you using DHCP REQUIRED!? If you are I would suggest un-checking this box. Lets see what happen.. Here is more  about DHCP requried...

http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Community Member

Re: Problems with 802.1x and Atheros cards

Have you tried disabling OKC (Opportunistic Key Caching) -I'm not sure what the Cisco term for it is, and see

if that works - I've seen similar problem on other networks, and although not ideal for roaming, at least you can connect.

Re: Problems with 802.1x and Atheros cards

OK guys. Bump up to 6.0.196 and let me know if you still have the problems. I am hearing that there might be some dropped dhcp requests as an undocumented bug in.188. Let me know if this fixes your issues.

Community Member

Re: Problems with 802.1x and Atheros cards

We'll do that this weekend.  The Mac in question above is an Imac 8,1 and I believe it has an Atheros chipset (I read that Macs started using Broadcoms late 2008).  We had another ticket come in today about a user having the same problems with two other Macs and an XP machine. I'll update once we've upgraded.

Community Member

Re: Problems with 802.1x and Atheros cards

Hi Eric,

Please let us know how it goes this weekend.

Thanks,

Shellie

Community Member

Re: Problems with 802.1x and Atheros cards

Alright, we upgraded over the weekend and haven't had any tickets about this problem since.  It's hard to tell if the problem was 100% resolved since it was intermittent to begin with, but we're good so far.  The upgrade also got rid of the "ap draws low power" alarms. The upgrade went smoothly except for one controller on a WiSM locking up and one AP being stubborn and not joining a controller.

Community Member

Re: Problems with 802.1x and Atheros cards

Hi Eric,

We just upgraded last night and so far we have not seen any issues. We are crossing our fingers

Re: Problems with 802.1x and Atheros cards

I thought this would be a fix for you guys. Let me know if you have any continued problems. 6.0.196.0 fixed a lot of issues seen in 188. Please mark this as resolved if the problems are fixed so that others can search the database easier.

Community Member

Re: Problems with 802.1x and Atheros cards

Looks like since the upgrade we still have a few that are seeing this problem with the atherso 5004x cards. Has anyone else experienced any problems since the upgrade?

Community Member

Re: Problems with 802.1x and Atheros cards

II'm running 6.0.196.0. I'm having same problem with intel adapter.  Any update please let me know.


*Jun 29 13:15:06.336: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Jun 29 13:15:06.336: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:25:84:90:36:50 vapId 3 apVapId 3
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4457, Adding TMP rule
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:25:84:90:36:50, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Ju
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)

*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4473, Adding TMP rule
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
  type = Airespace AP - Learn IP address
  on AP 00:25:84:90:36:50, slot 0, interface = 29, QOS = 0
  ACL Id = 255, Jumb
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Jun 29 13:15:06.337: 00:1b:77:81:b8:25 Stopping retransmission timer for mobile 00:1b:77:81:b8:25
*Jun 29 13:15:06.340: 00:1b:77:81:b8:25 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Jun 29 13:15:06.343: 00:1b:77:81:b8:25 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Jun 29 13:16:20.840: CCKM: Send CCKM cache entry
*Jun 29 13:16:46.918: CCKM: Send CCKM cache entry
*Jun 29 13:17:06.229: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*Jun 29 13:17:06.229: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*Jun 29 13:17:06.229: 00:1b:77:81:b8:25 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
*Jun 29 13:17:16.234: 00:1b:77:81:b8:25 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Jun 29 13:17:16.234: 00:1b:77:81:b8:25 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:1b:77:81:b8:25 on AP 00:25:84:90:36:50 from Associated to Disassociated

*Jun 29 13:17:16.234: 00:1b:77:81:b8:25 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
*Jun 29 13:17:26.234: 00:1b:77:81:b8:25 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Jun 29 13:17:26.236: 00:1b:77:81:b8:25 Sent Deauthenticate to mobile on BSSID 00:25:84:90:36:50 slot 0(caller apf_ms.c:4511)
*Jun 29 13:17:26.236: 00:1b:77:81:b8:25 apfMsExpireMobileStation (apf_ms.c:4548) Changing state for mobile 00:1b:77:81:b8:25 on AP 00:25:84:90:36:50 from Disassociated to Idle

*Jun 29 13:17:26.237: 00:1b:77:81:b8:25 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:25:84:90:36:50]
*Jun 29 13:17:26.237: 00:1b:77:81:b8:25 Username entry deleted for mobile
*Jun 29 13:17:26.237: 00:1b:77:81:b8:25 Deleting mobile on AP 00:25:84:90:36:50(0)
*Jun 29 13:17:26.242: 00:1b:77:81:b8:25 0.0.0.0 Removed NPU entry.
*Jun 29 13:17:26.244: 00:1b:77:81:b8:25 Adding mobile on LWAPP AP 00:25:84:90:36:50(0)
*Jun 29 13:17:26.244: 00:1b:77:81:b8:25 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
*Jun 29 13:17:26.244: 00:1b:77:81:b8:25 apfProcessProbeReq (apf_80211.c:4694) Changing state for mobile 00:1b:77:81:b8:25 on AP 00:25:84:90:36:50 from Idle to Probe

Community Member

Re: Problems with 802.1x and Atheros cards

We are seeing the same issue and are on version 6.0.199.0 and have an Intel wireless card. I have a tac case open and trying to find the issue.

Community Member

Re: Problems with 802.1x and Atheros cards

If anyone has the Intel wireless card and is having issues they should try the fix from Dell named SetWiFiBT.exe. I think it can be found in R162289.exe

Let me know if this helps. I installed it on my HP/Compaq 2510p and so far so good.

Community Member

Re: Problems with 802.1x and Atheros cards

We are experiencing the same issues here. Has anyone found a solution? I have opened a TAC case but with this being intermittent, it may take a while before Cisco can advice me on correct solution.

Thanks

Community Member

Re: Problems with 802.1x and Atheros cards

We are hitting the bug CSCtd84852. This bug is fixed in WLC release 7.0 which is now available on CCO

Now, I'm running 7.0.98.0. The problem is never come again.

Hope this help.

Nuttawut.

Community Member

Re: Problems with 802.1x and Atheros cards

We are running in 7.0.98.0 but still hit the same error.... the case just happen on one ipod user

4438
Views
0
Helpful
22
Replies
CreatePlease to create content