Cisco Support Community
New Member

iPhones not taking ipv4 addresses on Unified Wireless (WLC 5508 and AP 3602)

This is a really odd one...

Earlier this week we started having issues with our BYOD wireless network (802.1x, WPA2+AES) but only with Apple devices (iPhone and iPad). Employees with Android or Windows phones are not having any problems at all.

A brief summary of what's observable for the issue:

  • Radius authentication succeeds (PASS observable in ACS logs)
  • iPhone status viewed on both controllers (foreign anchor in DMZ as well as corporate WLC) shows the phone as associated.
  • Debug client output shows an IPv4 address is actually being assigned to the phone; however, it appears to ignore it and restart the DHCP request process, so the debug output shows what looks to be a loop of DHCP request and offer stages.

Infrastructure notes

Cisco WLC 5508s are all running 7.4.121.0 (tried rolling back to 7.2.110.0 .....didn't help)
APs are all 3602I-N-K9
DHCP for the BYOD network is running on the anchor in the DMZ; however, this was temporarily moved to a switch (had no effect).


Any ideas?

 

DHCP Loop:

*mmListen: Apr 30 11:44:50.476: a4:c3:61:7a:1a:4f 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 93, Local Bridging intf id = 12
*mmListen: Apr 30 11:44:50.476: a4:c3:61:7a:1a:4f 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*pemReceiveTask: Apr 30 11:44:50.476: a4:c3:61:7a:1a:4f Set bi-dir guest tunnel for a4:c3:61:7a:1a:4f as in Export Anchor role
*pemReceiveTask: Apr 30 11:44:50.476: a4:c3:61:7a:1a:4f 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Apr 30 11:44:50.476: a4:c3:61:7a:1a:4f Pushing IPv6: fe80:0000:0000:0000: 0c00:0c94:459e:a9db , and MAC: A4:C3:61:7A:1A:4F , Binding to Data Plane. SUCCESS !!
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP received op BOOTREQUEST (1) (len 308,vlan 92, port 13, encap 0xec05)
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP selecting relay 1 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP selected relay 1 - 172.24.13.251 (local address 172.24.16.251, gateway 172.24.16.254, VLAN 93, port 13)
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 0, flags: 0
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 172.24.16.251
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP selecting relay 2 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP sending packet in EoIP tunnel to foreign 10.65.31.8 (len 346)
*DHCP Proxy Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP transmitting DHCP OFFER (2)
*DHCP Proxy Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 30 11:44:50.479: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 0, flags: 0
*DHCP Proxy Task: Apr 30 11:44:50.480: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Proxy Task: Apr 30 11:44:50.480: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.24.16.102
*DHCP Proxy Task: Apr 30 11:44:50.480: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 30 11:44:50.480: a4:c3:61:7a:1a:4f DHCP   server id: 0.0.0.0  rcvd server id: 172.24.13.251
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP received op BOOTREQUEST (1) (len 308,vlan 92, port 13, encap 0xec05)
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP selecting relay 1 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP selected relay 1 - 172.24.13.251 (local address 172.24.16.251, gateway 172.24.16.254, VLAN 93, port 13)
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 1, flags: 0
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 172.24.16.251
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP selecting relay 2 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP sending packet in EoIP tunnel to foreign 10.65.31.8 (len 346)
*DHCP Proxy Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP transmitting DHCP OFFER (2)
*DHCP Proxy Task: Apr 30 11:44:51.649: a4:c3:61:7a:1a:4f DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 30 11:44:51.650: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 0, flags: 0
*DHCP Proxy Task: Apr 30 11:44:51.650: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Proxy Task: Apr 30 11:44:51.650: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.24.16.102
*DHCP Proxy Task: Apr 30 11:44:51.650: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 30 11:44:51.650: a4:c3:61:7a:1a:4f DHCP   server id: 0.0.0.0  rcvd server id: 172.24.13.251
*DHCP Socket Task: Apr 30 11:44:53.754: a4:c3:61:7a:1a:4f DHCP received op BOOTREQUEST (1) (len 308,vlan 92, port 13, encap 0xec05)
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP selecting relay 1 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP selected relay 1 - 172.24.13.251 (local address 172.24.16.251, gateway 172.24.16.254, VLAN 93, port 13)
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 3, flags: 0
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 172.24.16.251
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP selecting relay 2 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP sending packet in EoIP tunnel to foreign 10.65.31.8 (len 346)
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP transmitting DHCP OFFER (2)
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 0, flags: 0
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.24.16.102
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 30 11:44:53.755: a4:c3:61:7a:1a:4f DHCP   server id: 0.0.0.0  rcvd server id: 172.24.13.251
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP received op BOOTREQUEST (1) (len 308,vlan 92, port 13, encap 0xec05)
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP selecting relay 1 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP selected relay 1 - 172.24.13.251 (local address 172.24.16.251, gateway 172.24.16.254, VLAN 93, port 13)
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 8, flags: 0
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: Apr 30 11:44:58.594: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 172.24.16.251
*DHCP Socket Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP selecting relay 2 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,
                        dhcpGateway: 0.0.0.0, dhcpRelay: 172.24.16.251  VLAN: 93
*DHCP Socket Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP selected relay 2 - NONE
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP sending packet in EoIP tunnel to foreign 10.65.31.8 (len 346)
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP transmitting DHCP OFFER (2)
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   xid: 0x7e549f4a (2119475018), secs: 0, flags: 0
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   chaddr: a4:c3:61:7a:1a:4f
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.24.16.102
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Proxy Task: Apr 30 11:44:58.595: a4:c3:61:7a:1a:4f DHCP   server id: 0.0.0.0  rcvd server id: 172.24.13.251
*DHCP Socket Task: Apr 30 11:45:07.059: a4:c3:61:7a:1a:4f DHCP received op BOOTREQUEST (1) (len 308,vlan 92, port 13, encap 0xec05)
*DHCP Socket Task: Apr 30 11:45:07.059: a4:c3:61:7a:1a:4f DHCP selecting relay 1 - control block settings:
                        dhcpServer: 172.24.13.251, dhcpNetmask: 0.0.0.0,

6 REPLIES
Hall of Fame Super Silver

Can you post the show WLAN <WLAN id> on both the foreign and anchor.

-Scott
*** Please rate helpful posts ***
New Member

Thanks Scott,  here you go...

 

On Foreign:

WLAN Identifier.................................. 2
Profile Name..................................... BAI-Beta
Network Name (SSID).............................. BAI-Beta
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 42
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds

--More-- or (q)uit
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... CHTWLC
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Bronze
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0

--More-- or (q)uit
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 172.24.13.20 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled

--More-- or (q)uit
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled

--More-- or (q)uit
      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Enabled
   FlexConnect Local Switching................... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled

--More-- or (q)uit
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 2           172.24.13.251        Up

802.11u........................................ Disabled

MSAP Services.................................. Disabled

 

On Anchor:

WLAN Identifier.................................. 1
Profile Name..................................... BAI-Beta
Network Name (SSID).............................. BAI-Beta
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 48
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds

--More-- or (q)uit
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... CHADWLC01
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ bai-beta
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Bronze
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0

--More-- or (q)uit
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Disabled
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 172.24.13.20 1812
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled

--More-- or (q)uit
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
                                                               Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled

--More-- or (q)uit
      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Enabled
   FlexConnect Local Switching................... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled

--More-- or (q)uit
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 1           172.24.13.251        Up

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Hi,

Is there any specific reason you have disabled WMM?

Best practice config is to set WMM allowed or required.

I see that you have enabled FT over DS.

I think you should also enable FT 802.1x.

 

Take a look at this doc:

http://www.google.gr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0CDsQFjAB&url=http%3A%2F%2Fwww.cisco.com%2Fc%2Fen%2Fus%2Ftd%2Fdocs%2Fwireless%2Ftechnology%2Fvowlan%2Fbestpractices%2FEntBP-AppMobDevs-on-Wlans.pdf&ei=mxBiU-2lK8mFtQbnoICgAg&usg=AFQjCNGPTwcWKm1D9af12s5nQJ7AqHRL9Q&sig2=APd9G-5SypwXtf0b0FdJIw&bvm=bv.65788261,d.Yms

 

Not sure if these actions will solve your problem, but they are the recommended ones.

 

Regards,

Christos.

Hall of Fame Super Silver

Be careful with enabling FT. The FT you see enabled is the default setting; if you enable FT on the WLAN, only 802.11r clients or supported supplicants can join. Typically older iDevices and other Windows devices will fail. WMM doesn't have to be enabled, you just will not get 802.11n rates. What I would test is breaking the anchor and seeing if authentication works. Typically you only anchor open networks for guest, not really 802.1x. The layer 3 authentication and DHCP will happen on the foreign WLC, then when successful, the client will be auto anchored to the anchor WLC. I would try to disable session timeout for now also.

-Scott
*** Please rate helpful posts ***
New Member

Apologies for the late reply but have been working with our support vendor and recently some TAC engineers on this. Besides grabbing debug logs for the clients, I managed to dump packets off the wireless interface of an iPhone to see what it was seeing. A handy guide for this is here: https://developer.apple.com/library/mac/qa/qa1176/_index.html#//apple_ref/doc/uid/DTS10001707-CH1-SECIOSPACKETTRACING

From the captures I was able to see that the iPhone does in fact see the DHCP offer from the controller come through but responds almost immediately with a DHCP Discover packet.

I had tried making an open WLAN and found that no matter what the security/auth settings, the Apple devices wouldn't join.

I went back to taking a much closer look at the DHCP packets, comparing the association phase and address assignment phase when it joins our network against a SOHO network we have for testing (simple WPA2 PSK), and it turns out the DHCP Offer on our side is missing some DHCP options, specifically options 58, 59 and 12.
I'm trying to set these up on a switch as I can't see a way to enable them on the DHCP server on the WLC but at this point in time I'm assuming this is the problem (though how it was working beforehand is a mystery).
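
The offer comparison described in the post above can be scripted once the two DHCP payloads are exported from the captures. This is an added example, not the poster's tooling: it parses the options field of two BOOTP/DHCP payloads and lists the option codes present in a reference offer but absent from the suspect one. Both offers, their addresses and the host name are constructed sample data, and option overload (option 52) is not handled.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPTION_NAMES = {                     # names per RFC 2132
    1: "Subnet Mask", 3: "Router", 6: "Domain Name Server", 12: "Host Name",
    51: "IP Address Lease Time", 53: "DHCP Message Type", 54: "Server Identifier",
    58: "Renewal (T1) Time", 59: "Rebinding (T2) Time",
}


def dhcp_options(packet):
    """Parse the options of a BOOTP/DHCP payload (UDP payload, no IP/UDP headers)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload: short header or bad magic cookie")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option, single byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError(f"option {code}: truncated length byte")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        # RFC 3396: a repeated option code is concatenated
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def missing_options(reference, suspect):
    """Option codes carried by the reference offer but not by the suspect offer."""
    return sorted(set(dhcp_options(reference)) - set(dhcp_options(suspect)))


def build_offer(yiaddr, options):
    """Build a constructed DHCP OFFER payload for the example."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                           # op=BOOTREPLY, htype=Ethernet, hlen, hops
        0x1111AAAA, 0, 0,                     # xid, secs, flags
        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
        socket.inet_aton("0.0.0.0"), socket.inet_aton("0.0.0.0"),
        bytes.fromhex("020000000001"), b"", b"",
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed sample data (documentation address ranges, made-up values).
COMMON = [
    (53, b"\x02"),                                   # message type: OFFER
    (54, socket.inet_aton("192.0.2.251")),
    (51, struct.pack("!I", 86400)),
    (1, socket.inet_aton("255.255.255.0")),
    (3, socket.inet_aton("192.0.2.254")),
    (6, socket.inet_aton("192.0.2.53")),
]
SOHO_OFFER = build_offer("198.51.100.20", COMMON + [
    (58, struct.pack("!I", 43200)), (59, struct.pack("!I", 75600)), (12, b"test-phone"),
])
WLC_OFFER = build_offer("192.0.2.102", COMMON)

if __name__ == "__main__":
    for code in missing_options(SOHO_OFFER, WLC_OFFER):
        print(f"option {code} ({OPTION_NAMES.get(code, 'unknown')}) missing from suspect offer")
```
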

Just out of curiosity,  do you have the dhcp proxy function disabled?

If so, have you tried enabling it and noticed any difference?

Eric
