73406-anchor - Cisco Support Community

(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show debug
MAC address ................................ 00:0e:35:f3:60:53
Debug Flags Enabled:
aaa detail enabled.
aaa events enabled.
aaa packet enabled.
aaa packet enabled.
aaa ldap enabled.
aaa local-auth db enabled.
aaa local-auth eap framework errors enabled.
aaa local-auth eap framework events enabled.
aaa local-auth eap framework packets enabled.
aaa local-auth eap framework state machine enabled.
aaa local-auth eap method errors enabled.
aaa local-auth eap method events enabled.
aaa local-auth eap method packets enabled.
aaa local-auth eap method state machine enabled.
aaa local-auth shim enabled.
aaa tacacs enabled.
dhcp message enabled.
dhcp packet enabled.
--More-- or (q)uit
dot11 mobile enabled.
dot11 state enabled
dot1x events enabled.
dot1x states enabled.
pem events enabled.
pem state enabled.
pm ssh-appgw enabled.
pm ssh-tcp enabled.
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >Sat Sep 27 10:45:15 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019
192.168.0.25:68
Sat Sep 27 10:45:20 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 Adding mobile on Remote AP 00:00:00:00:00:00(0)
The anchor controller is informed of the association request from the client by the foreign controller.
However, the anchor is not aware of the AP to which the client is associating, since the L1 and L2 parts of
the connection are managed by the foreign controller.
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 START (0) Initializing policy
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state
AUTHCHECK (2)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last
state L2AUTHCOMPLETE (4)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last
state DHCP_REQD (7)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 Stopping deletion of Mobile Station: (callerId: 53)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to
Mobility-Complete, mobility role=ExpAnchor
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state
DHCP_REQD (7)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 3949, Adding TMP rule
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID
255)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 Set bi-dir guest tunnel for 00:0e:35:f3:60:53 as in Export
Anchor role
The anchor controller is being informed that the client passed the L2 authentication and that, after
successful association, it is now going into the DHCP_REQD state.
Also, the controller is updating its status to be the Export Anchor for this client.
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 Added NPU entry of type 9
The client entry is added to the Network Processing Unit (NPU) of the controller with an IP address of
0.0.0.0: this means that the client is successfully associated, but it does not have an IP address yet.
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 Sent an XID frame
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP received op BOOTREQUEST (1) (len 308, port 1, encap
0xec00)
The anchor controller comes into play only after the client completes the association through the
foreign controller and after the client entry is correctly passed through the EoIP mobility tunnel.
Starting from the IP address assignment (static or via DHCP), everything else is managed by the anchor
controller.
This is important for troubleshooting:
- If the client can associate, but cannot obtain an IP address or fails the authentication, look at the
configuration/debugs on the anchor controller.
- If the client cannot even associate, look at the configuration/debugs on both controllers and,
if needed, at the EoIP mobility tunnel setup.
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option len (including the magic cookie) 72
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: message type = DHCP DISCOVER
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 116 (len 1) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 61 (len 7) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 12 (len 7) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: vendor class id = MSFT 5.0 (len 8)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 55 (len 11) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP options end, len 72, actual 64
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP selected relay 1 - 192.168.51.1 (local address
192.168.51.203, gateway 192.168.51.1, VLAN 601, port 1)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP transmitting DHCP DISCOVER (1)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
xid: 0xd5771135 (3581350197), secs: 0, flags: 0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
chaddr: 00:0e:35:f3:60:53
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
siaddr: 0.0.0.0, giaddr: 192.168.51.203
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP Forwarding DHCP packet (332 octets)
-packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is
192.168.51.1
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP sending REQUEST to 192.168.51.1 (len 350, port 1, vlan
601)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.51.203 VLAN: 601
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP selected relay 2 - NONE
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP received op BOOTREPLY (2) (len 308, port 1, encap 0xec00)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option len (including the magic cookie) 72
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: message type = DHCP OFFER
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: server id = 192.168.51.1
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: lease time = 86035 seconds
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 58 (len 4) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: 59 (len 4) - skipping
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: netmask = 255.255.255.0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: gateway = 192.168.51.1
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP option: DNS server, cnt = 1, first = 144.254.10.123
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP options end, len 72, actual 64
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP setting server from OFFER (server 192.168.51.1, yiaddr
192.168.51.23)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP sending packet in EoIP tunnel to foreign 192.168.9.2 (len
346)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP transmitting DHCP OFFER (2)
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
xid: 0xd5771135 (3581350197), secs: 0, flags: 0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
chaddr: 00:0e:35:f3:60:53
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
ciaddr: 0.0.0.0, yiaddr: 192.168.51.23
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
siaddr: 0.0.0.0, giaddr: 0.0.0.0
Sat Sep 27 10:45:41 2008: 00:0e:35:f3:60:53 DHCP
server id: 1.1.1.1 rcvd server id: 192.168.51.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP received op BOOTREQUEST (1) (len 327, port 1, encap
0xec00)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option len (including the magic cookie) 91
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: message type = DHCP REQUEST
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 61 (len 7) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: requested ip = 192.168.51.23
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: server id = 1.1.1.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 12 (len 7) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 81 (len 20) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: vendor class id = MSFT 5.0 (len 8)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 55 (len 11) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP options end, len 91, actual 83
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP selecting relay 1 - control block settings:
dhcpServer: 192.168.51.1, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.51.203 VLAN: 601
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP selected relay 1 - 192.168.51.1 (local address
192.168.51.203, gateway 192.168.51.1, VLAN 601, port 1)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP transmitting DHCP REQUEST (3)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
xid: 0xd5771135 (3581350197), secs: 0, flags: 0
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
chaddr: 00:0e:35:f3:60:53
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
siaddr: 0.0.0.0, giaddr: 192.168.51.203
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
requested ip: 192.168.51.23
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP
server id: 192.168.51.1 rcvd server id: 1.1.1.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP Forwarding DHCP packet (348 octets)
-packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is
192.168.51.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP sending REQUEST to 192.168.51.1 (len 366, port 1, vlan
601)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP selecting relay 2 - control block settings:
dhcpServer: 192.168.51.1, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.51.203 VLAN: 601
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP selected relay 2 - NONE
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP received op BOOTREPLY (2) (len 308, port 1, encap 0xec00)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option len (including the magic cookie) 72
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: message type = DHCP ACK
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: server id = 192.168.51.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: lease time = 86400 seconds
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 58 (len 4) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: 59 (len 4) - skipping
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: netmask = 255.255.255.0
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: gateway = 192.168.51.1
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP option: DNS server, cnt = 1, first = 144.254.10.123
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 DHCP options end, len 72, actual 64
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Change state to WEBAUTH_REQD (8)
last state WEBAUTH_REQD (8)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) pemAdvanceState2 4616, Adding
TMP rule
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Successfully plumbed mobile rule
(ACL ID 255)
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Plumbing web-auth redirect rule due to user logout
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Adding Web RuleID 3415 for mobile 00:0e:35:f3:60:53
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Assigning Address 192.168.51.23 to mobile
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP sending packet in EoIP tunnel to foreign 192.168.9.2 (len
346)
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP transmitting DHCP ACK (5)
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
xid: 0xd5771135 (3581350197), secs: 0, flags: 0
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
chaddr: 00:0e:35:f3:60:53
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
ciaddr: 0.0.0.0, yiaddr: 192.168.51.23
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
siaddr: 0.0.0.0, giaddr: 0.0.0.0
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 DHCP
server id: 1.1.1.1 rcvd server id: 192.168.51.1
The DHCP address assignment completes successfully, the DHCP ACK is sent back to the client via the EoIP
tunnel and through the foreign controller.
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Set bi-dir guest tunnel for 00:0e:35:f3:60:53 as in Export
Anchor role
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 192.168.51.23 Added NPU entry of type 2
The current controller is again confirmed as the Export Anchor one and the client entry is added to the NPU
with the corresponding IP address.
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Sent an XID frame
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:0:0:0:0:0
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy WLAN LOCP EssIndex:3 aid:0 ssid:GuestTunnel
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy Security LOCP ecypher:0x3 ptype:0x4, p:0x1, eaptype:0x6
w:0x0 aalg:0x0, PMState: WEBAUTH_REQD
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x0 protocol2:0x5
statuscode 0, reasoncode 99, status 3
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy IP LOCP: 0xc0a83317
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy MobilityData LOCP status:4, anchorip:0xc0a80902
Location protocol (LOCP) data are updated. Among these we have:
- apMac: the MAC address of the AP to which the client is associated. The anchor controller is not aware
of this AP, since the L1 and L2 parts of the connection are managed by the foreign controller.
- Extended Service Set Index (EssIndex): the WLAN Id of the client on the anchor.
- Service Set Identifier (ssid) to which the client is associated.
- Policy Manager State (PMState): the status of the client.
- Copy IP LOCP: the IP address of the guest client in hexadecimal (0xc0a83317 = 192.168.51.23).
- Anchorip: in this case, the management IP address of the foreign controller in hexadecimal
(0xc0a80902 = 192.168.9.2).
Sat Sep 27 10:46:07 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
(Cisco Controller) >
(Cisco Controller) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN Auth Protocol Port Wired
----------------- ----------------- ------------- ---- ---- -------- ---- -----
00:0e:35:f3:60:53 192.168.9.2       Associated    3    No   Mobile   1    No
(Cisco Controller) >Sat Sep 27 10:46:12 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019
192.168.0.25:68
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show client detail 00:0e:35:f3:60:53
Client MAC Address............................... 00:0e:35:f3:60:53
Client Username ................................. N/A
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 3
BSSID............................................ 00:00:00:00:00:02
Channel.......................................... N/A
IP Address....................................... 192.168.51.23
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
On the foreign controller, the CCX version of the client is correctly shown as ‘3’.
However, the anchor does not know it because this is part of the L1/L2 connectivity, which is managed by
the foreign.
Mirroring........................................ Disabled
QoS Level........................................ Silver
Diff Serv Code Point (DSCP)...................... disabled
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.9.2
In the client details we can see the Mobility State of the controller for this client: Export Anchor means
that the controller from where we took the client details is the foreign one for this client.
The Mobility Foreign IP Address tells us which controller is the foreign one for this client.
Mobility Move Count.............................. 1
--More-- or (q)uit
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
At this point the client has not yet authenticated via the web browser, so its state is marked as WEBAUTH_REQD.
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ client1
VLAN............................................. 601
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Not implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 0
Client Statistics:
      Number of Bytes Received................... 0
      Number of Bytes Sent....................... 0
      Number of Packets Received................. 0
      Number of Packets Sent..................... 0
      Number of Policy Errors.................... 0
--More-- or (q)uit
      Radio Signal Strength Indicator............ Unavailable
      Signal to Noise Ratio...................... Unavailable
Nearby AP Statistics:
      TxExcessiveRetries: 0
      TxRetries: 0
      RtsSuccessCnt: 0
      RtsFailCnt: 0
      TxFiltered: 0
      TxRateProfile: [0,0,0,0,0,0,0,0,0,0,0,0]
Here we have no information on which AP the client is associated to.
Only the foreign controller takes care of all the steps up to the successful client association, so the AP
is unknown to the anchor controller.
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >Sat Sep 27 10:46:39 2008: SshPmAppgw/pm_appgw.c:1234/ssh_pm_appgw_request: New
application gateway request for `alg-http@ssh.com': 192.168.51.23.41605 > 1.1.1.1.80 (nat: 1.1.1.1.80) tcp
ft=0x00000000 tt=0x00000000
Here I opened a web browser and I typed in the address http://1.1.1.1/login.html
“192.168.51.23.41605 > 1.1.1.1.80 (nat: 1.1.1.1.80) tcp” means that there is a TCP request from
192.168.51.23 (port 41605) to 1.1.1.1 (port 80)
Sat Sep 27 10:46:39 2008: SshPmAppgw/pm_appgw.c:1239/ssh_pm_appgw_request: Packet attributes:
trigger_rule=0x4eb8, tunnel_id=0x0, trd_index=0xddffffff, prev_trd_index=0xddffffff
Sat Sep 27 10:46:39 2008: SshPmAppgw/pm_appgw.c:1240/ssh_pm_appgw_request: Packet:
Sat Sep 27 10:46:39 2008: 00000000: 4500 0030 ac45 4000 8006 58c1 c0a8 3317 E..0.E@...X...3.
Sat Sep 27 10:46:39 2008: 00000010: 0101 0101 a285 0050 4496 d72c 0000 0000 .......PD..,....
Sat Sep 27 10:46:39 2008: 00000020: 7002 4000 8ec5 0000 0204 05b4 0101 0402 p.@.............
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:403/ssh_pm_st_appgw_start: Calling redirection
callback
Sat Sep 27 10:46:39 2008: SshPmAppgw/pm_appgw.c:155/ssh_appgw_redirect: Application gateway redirect:
1.1.1.1.80 -> 1.1.1.1.80
Here the web redirect to the login page starts.
On the bottom of the window from the web browser (IE), we can see the indication
“Opening page https://1.1.1.1/login.html?redirect=1.1.1.1/login.html...”
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:445/ssh_pm_st_appgw_mappings: Creating application
gateway mappings: 192.168.51.23.41605 > 1.1.1.1.80 (1.1.1.1.80)
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:102/ssh_pm_appgw_mappings_cb: appgw connection cached:
init flow_index=3644 resp flow_index=5254 event_cnt=209151
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:493/ssh_pm_st_appgw_mappings_done: NAT on initiator
side
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:583/ssh_pm_st_appgw_tcp_responder_stream_done:
ssh_pm_st_appgw_tcp_responder_stream_done: conn->context.responder_stream=0x0
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:624/ssh_pm_st_appgw_tcp_responder_stream_done: Opening
initiator stream 192.168.51.23:40352 > 10.48.76.25:2012
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:154/ssh_pm_appgw_i_flow_enabled: Initiator flow mode
has now been set.
Sat Sep 27 10:46:39 2008: SshPmAppgw/pm_appgw.c:507/ssh_appgw_tcp_listener_callback: New initiator stream:
src=192.168.51.23:40352, dst=10.48.76.25:2012
Sat Sep 27 10:46:39 2008: SshPmStAppgw/pm_st_appgw.c:646/ssh_pm_st_appgw_tcp_open_initiator_stream:
Initiator stream opened
Sat Sep 27 10:46:39 2008: SshAppgwHttp/appgw_http.c:531/ssh_appgw_http_conn_cb: New TCP HTTP connection
192.168.51.23.41605 > 1.1.1.1.80
Sat Sep 27 10:46:39 2008: SshAppgwHttp/appgw_http.c:535/ssh_appgw_http_conn_cb: Responder sees initiator as
`192.168.0.25.41605'
Sat Sep 27 10:46:39 2008: SshAppgwHttp/appgw_http.c:539/ssh_appgw_http_conn_cb: Initiator sees responder as
`1.1.1.1.80'
Sat Sep 27 10:46:39 2008: SshAppgwHttp/appgw_http.c:99/ssh_appgw_http_st_wait_input: entering state
st_wait_input: (i) reading_hdr 1 nmsgs 0
Sat Sep 27 10:46:39 2008: SshAppgwHttpState/appgw_http_state.c:2077/ssh_appgw_http_handle_state: handling:
0 bytes:
Sat Sep 27 10:46:39 2008: SshAppgwHttp/appgw_http.c:136/ssh_appgw_http_st_wait_input: read 289 bytes
(offset 0 data 0)
Sat Sep 27 10:46:39 2008: SshAppgwHttpState/appgw_http_state.c:2077/ssh_appgw_http_handle_state: handling:
289 bytes:
Sat Sep 27 10:46:39 2008: 00000000: 4745 5420 2f6c 6f67 696e 2e68 746d 6c20 GET /login.html
Sat Sep 27 10:46:39 2008: 00000010: 4854 5450 2f31 2e31 0d0a 4163 6365 7074 HTTP/1.1..Accept
Sat Sep 27 10:46:39 2008: 00000020: 3a20 696d 6167 652f 6769 662c 2069 6d61 : image/gif, ima
Sat Sep 27 10:46:39 2008: 00000030: 6765 2f78 2d78 6269 746d 6170 2c20 696d ge/x-xbitmap, im
Sat Sep 27 10:46:39 2008: 00000040: 6167 652f 6a70 6567 2c20 696d 6167 652f age/jpeg, image/
Sat Sep 27 10:46:39 2008: 00000050: 706a 7065 672c 2061 7070 6c69 6361 7469 pjpeg, applicati
Sat Sep 27 10:46:39 2008: 00000060: 6f6e 2f78 2d73 686f 636b 7761 7665 2d66 on/x-shockwave-f
Sat Sep 27 10:46:39 2008: 00000070: 6c61 7368 2c20 2a2f 2a0d 0a41 6363 6570 lash, */*..Accep
Sat Sep 27 10:46:39 2008: 00000080: 742d 4c61 6e67 7561 6765 3a20 656e 2d75 t-Language: en-u
Sat Sep 27 10:46:39 2008: 00000090: 730d 0a41 6363 6570 742d 456e 636f 6469 s..Accept-Encodi
Sat Sep 27 10:46:39 2008: 000000a0: 6e67 3a20 677a 6970 2c20 6465 666c 6174 ng: gzip, deflat
Sat Sep 27 10:46:43 2008: 000000b0: 650d 0a55 7365 722d 4167 656e 743a 204d e..User-Agent: M
Sat Sep 27 10:46:43 2008: 000000c0: 6f7a 696c 6c61 2f34 2e30 2028 636f 6d70 ozilla/4.0 (comp
Sat Sep 27 10:46:43 2008: 000000d0: 6174 6962 6c65 3b20 4d53 4945 2036 2e30 atible; MSIE 6.0
Sat Sep 27 10:46:43 2008: 000000e0: 3b20 5769 6e64 6f77 7320 4e54 2035 2e31 ; Windows NT 5.1
Sat Sep 27 10:46:43 2008: 000000f0: 3b20 5356 3129 0d0a 486f 7374 3a20 312e ; SV1)..Host: 1.
Sat Sep 27 10:46:43 2008: 00000100: 312e 312e 310d 0a43 6f6e 6e65 6374 696f 1.1.1..Connectio
Sat Sep 27 10:46:43 2008: 00000110: 6e3a 204b 6565 702d 416c 6976 650d 0a0d n: Keep-Alive...
Sat Sep 27 10:46:43 2008: 00000120: 0a .
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:985/ssh_appgw_parse_request_line: parsing
request line GET /login.html HTTP/1.1
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:1018/ssh_appgw_parse_request_line: internal
http version 3
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:1155/ssh_appgw_add_method: caching method 2
for reply 0
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:1604/ssh_appgw_check_msg: examining request
using service id 10
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:594/ssh_appgw_http_get_dst_host: destination
host: 1.1.1.1
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:1474/ssh_appgw_inject_reply: injecting 404
reply as msg 0
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:284/ssh_appgw_http_st_write_data: entering state
st_write_data
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:99/ssh_appgw_http_st_wait_input: entering state
st_wait_input: (i) reading_hdr 1 nmsgs 1
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:2077/ssh_appgw_http_handle_state: handling:
0 bytes:
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:136/ssh_appgw_http_st_wait_input: read -1 bytes (offset
0 data 0)
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:99/ssh_appgw_http_st_wait_input: entering state
st_wait_input: (r) reading_hdr 1 nmsgs 0
Sat Sep 27 10:46:43 2008: SshAppgwHttpState/appgw_http_state.c:1851/ssh_appgw_http_is_inject: next inject
is msg# 0 current msg# 0
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:207/ssh_appgw_http_st_inject: entering state st_inject
(r): msgs 0
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:259/ssh_appgw_http_st_inject: closing connection after
inject
Sat Sep 27 10:46:43 2008: SshAppgwHttp/appgw_http.c:400/ssh_appgw_http_st_terminate: entering state
st_terminate (r): teardown 0 terminate i: 1 r: 1
Sat Sep 27 10:47:01 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:47:06 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:47:27 2008: SshAppgwHttp/appgw_http.c:99/ssh_appgw_http_st_wait_input: entering state
st_wait_input: (i) reading_hdr 1 nmsgs 1
Sat Sep 27 10:47:27 2008: SshAppgwHttpState/appgw_http_state.c:2077/ssh_appgw_http_handle_state: handling:
0 bytes:
Sat Sep 27 10:47:27 2008: SshAppgwHttp/appgw_http.c:400/ssh_appgw_http_st_terminate: entering state
st_terminate (i): teardown 0 terminate i: 1 r: 1
Sat Sep 27 10:47:27 2008: SshAppgwHttp/appgw_http.c:732/ssh_appgw_http_connection_terminate: service HTTPREDIR: TCP HTTP connection 192.168.51.23.41605 > 1.1.1.1.80 terminated
This corresponds to the moment when we are prompted with the web login page to enter the guest user
credentials, after I accepted the certificate security alert (I was using the default web server
certificate installed on the anchor controller).
Sat Sep 27 10:47:27 2008: SshPmStAppgw/pm_st_appgw.c:1094/ssh_pm_st_appgw_terminate: terminating appgw
instance
Sat Sep 27 10:47:31 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Username entry (guest) created for mobile
Sat Sep 27 10:47:36 2008: User guest authenticated
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Returning AAA Success for mobile 00:0e:35:f3:60:53
Sat Sep 27 10:47:36 2008: AuthorizationResponse: 0x375348f0
Sat Sep 27 10:47:36 2008: structureSize................................70
Sat Sep 27 10:47:36 2008: resultCode...................................0
Sat Sep 27 10:47:36 2008: protocolUsed.................................0x00000008
Sat Sep 27 10:47:36 2008: proxyState...................................00:0E:35:F3:60:53-00:00
Sat Sep 27 10:47:36 2008: Packet contains 2 AVPs:
Sat Sep 27 10:47:36 2008: AVP[01] Service-Type.............................0x00000001 (1) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[02] Airespace / WLAN-Identifier..............0x00000003 (3) (4 bytes)
The credentials were
Username = guest
Password = guest
If the user <your_user> is authenticated successfully, we can see “User <your_user> authenticated”.
Sat Sep 27 10:47:36 2008: Authentication failed for guest, Service Type: 1
Cosmetic / Crazy WLC
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Applying new AAA override for station 00:0e:35:f3:60:53
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Override values for station 00:0e:35:f3:60:53
source: 48, valid bits: 0x1
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
vlanIfName: '', aclName:
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Unable to apply override policy for station 00:0e:35:f3:60:53 VapAllowRadiusOverride is FALSE
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC
(14) last state WEBAUTH_NOL3SEC (14)
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_NOL3SEC (14) Change state to RUN (20)
last state RUN (20)
After the successful login, the PMState of the client changes from WEBAUTH_REQD to WEBAUTH_NOL3SEC.
Then, it finally goes into the RUN state.
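The state progression described above and the hexadecimal LOCP addresses decoded earlier can be extracted from a saved anchor debug automatically. The following Python code is an added example, not part of the original document or of any Cisco tool; the sample log is constructed from the line formats on this page (wrapped lines joined), the second client MAC is invented, and the mapping from last state to where to look is an interpretation of the troubleshooting rule given earlier.

```python
import ipaddress
import re

# Constructed sample in the line format shown on this page (wrapped lines
# joined). 00:11:22:33:44:55 is an invented client that never gets a lease.
SAMPLE_LOG = """\
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
Sat Sep 27 10:45:39 2008: 00:0e:35:f3:60:53 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
Sat Sep 27 10:45:45 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy IP LOCP: 0xc0a83317
Sat Sep 27 10:45:49 2008: 00:0e:35:f3:60:53 Copy MobilityData LOCP status:4, anchorip:0xc0a80902
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)
Sat Sep 27 10:48:02 2008: 00:11:22:33:44:55 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
Sat Sep 27 10:48:02 2008: 00:11:22:33:44:55 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
Sat Sep 27 10:48:02 2008: 00:11:22:33:44:55 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# "<mac> <ip> <old state> (<n>) Change state to <new state> (<n>)"
STATE_RE = re.compile(
    MAC + r" (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \w+ \(\d+\) "
    r"Change state to (?P<state>\w+) \(\d+\)", re.IGNORECASE)
# "Copy IP LOCP: 0x..." and "Copy MobilityData LOCP ... anchorip:0x..."
LOCP_RE = re.compile(
    MAC + r" Copy (?P<kind>IP|MobilityData) LOCP.*?(?P<hex>0x[0-9a-f]{8})\b",
    re.IGNORECASE)


def hex_to_ip(value):
    """Turn a 32-bit hex value such as 0xc0a83317 into dotted-quad form."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def parse_sessions(log_text):
    """Return {client MAC: session dict} built from anchor debug lines."""
    sessions = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line) or LOCP_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["mac"].lower(), {
            "states": [], "client_ip": None,
            "locp_client_ip": None, "locp_anchorip": None})
        if "state" in m.groupdict():
            # The controller logs self-transitions; keep only real changes.
            if not s["states"] or s["states"][-1] != m["state"]:
                s["states"].append(m["state"])
            if m["ip"] != "0.0.0.0":
                s["client_ip"] = m["ip"]
        elif m["kind"].upper() == "IP":
            s["locp_client_ip"] = hex_to_ip(m["hex"])
        else:
            s["locp_anchorip"] = hex_to_ip(m["hex"])
    return sessions


def diagnose(session):
    """Map the last policy state to where to look (interpretation of the
    troubleshooting rule on this page, not a Cisco-defined mapping)."""
    if not session or not session["states"]:
        return "not seen on anchor: check both controllers and the EoIP mobility tunnel"
    last = session["states"][-1]
    if last == "RUN":
        return "RUN: session established"
    if last == "DHCP_REQD":
        return "stuck in DHCP_REQD: check DHCP and interface configuration on the anchor"
    if last.startswith("WEBAUTH"):
        return "stuck in %s: check web authentication on the anchor" % last
    return "stuck in %s: check both controllers and the EoIP mobility tunnel" % last


if __name__ == "__main__":
    for mac, sess in parse_sessions(SAMPLE_LOG).items():
        print(mac, " -> ".join(sess["states"]))
        print("  client ip:", sess["client_ip"], "| LOCP anchorip:", sess["locp_anchorip"])
        print("  ", diagnose(sess))
```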
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Session Timeout is 1800 - starting session timer for the mobile
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 RUN (20) Reached PLUMBFASTPATH: from line 4536
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 Sending Accounting request (0) for station 00:0e:35:f3:60:53
Sat Sep 27 10:47:36 2008: AccountingMessage Accounting Start: 0x151f3f80
Sat Sep 27 10:47:36 2008: Packet contains 14 AVPs:
Sat Sep 27 10:47:36 2008: AVP[01] User-Name................................guest (5 bytes)
Sat Sep 27 10:47:36 2008: AVP[02] Nas-Port.................................0x00000001 (1) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[03] Nas-Ip-Address...........................0xc0a80019 (1062731751) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[04] Framed-IP-Address........................0xc0a83317 (1062718697) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[05] NAS-Identifier...........................w-4404-1 (8 bytes)
Sat Sep 27 10:47:36 2008: AVP[06] Airespace / WLAN-Identifier..............0x00000003 (3) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[07] Acct-SessionId..........................48ddf328/00:0e:35:f3:60:53/60 (29 bytes)
Sat Sep 27 10:47:36 2008: AVP[08] Acct-Authentic...........................0x00000002 (2) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[11] Tunnel-Group-Id..........................601 (3 bytes)
Sat Sep 27 10:47:36 2008: AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
Sat Sep 27 10:47:36 2008: AVP[13] Calling-Station-Id.......................192.168.51.23 (13 bytes)
Sat Sep 27 10:47:36 2008: AVP[14] Called-Station-Id........................192.168.0.25 (12 bytes)
A RADIUS Airespace accounting start packet is sent to the RADIUS server (in this case the controller
itself) to indicate that the user session is starting.
Note that “Calling-Station-Id” is the IP address of the client and “Tunnel-Group-Id” is the VLAN ID of
the client: this matches the VLAN ID of the interface on the anchor controller to which the guest WLAN is
linked.
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 RUN (20) Successfully plumbed mobile rule (ACL ID
255)
Sat Sep 27 10:47:40 2008: SshPmAppgw/pm_appgw.c:1139/ssh_pm_appgw_flow_free_notification: received flow
free notification for flow index 5254 event cnt 209160
Sat Sep 27 10:47:40 2008: SshPmAppgw/pm_appgw.c:1145/ssh_pm_appgw_flow_free_notification: no valid appgw
found for flow index 5254 event cnt 209160.
Sat Sep 27 10:47:40 2008: SshPmAppgw/pm_appgw.c:1139/ssh_pm_appgw_flow_free_notification: received flow
free notification for flow index 3644 event cnt 209161
Sat Sep 27 10:47:40 2008: SshPmAppgw/pm_appgw.c:1145/ssh_pm_appgw_flow_free_notification: no valid appgw
found for flow index 3644 event cnt 209161.
Sat Sep 27 10:47:40 2008: 00:0e:35:f3:60:53 Set bi-dir guest tunnel for 00:0e:35:f3:60:53 as in Export
Anchor role
Sat Sep 27 10:47:40 2008: 00:0e:35:f3:60:53 192.168.51.23 Added NPU entry of type 1
Sat Sep 27 10:47:40 2008: 00:0e:35:f3:60:53 Sending a gratuitous ARP for 192.168.51.23, VLAN Id 601
The client sends a gratuitous ARP for its own IP, in order to verify that there are no duplicate addresses.
Sat Sep 27 10:47:40 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:0:0:0:0:0
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy WLAN LOCP EssIndex:3 aid:0 ssid:GuestTunnel
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy Security LOCP ecypher:0x3 ptype:0x4, p:0x0, eaptype:0x6
w:0x0 aalg:0x0, PMState:
RUN
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x0 protocol2:0x5
statuscode 0, reasoncode 99, status 3
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy Username LOCP :
guest
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy IP LOCP: 0xc0a83317
Sat Sep 27 10:47:45 2008: 00:0e:35:f3:60:53 Copy MobilityData LOCP status:4, anchorip:0xc0a80902
The Location Protocol data for the client are updated accordingly.
Now we have the PMState updated to RUN and username of the client (Copy Username LOCP : guest).
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN Auth Protocol Port Wired
----------------- ----------------- ------------- ---- ---- -------- ---- ----
00:0e:35:f3:60:53 192.168.9.2       Associated    3    Yes  Mobile   1    No
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show client detail 00:0e:35:f3:60:53
Client MAC Address............................... 00:0e:35:f3:60:53
Client Username ................................. guest
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 3
BSSID............................................ 00:00:00:00:00:02
Channel.......................................... N/A
IP Address....................................... 192.168.51.23
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Diff Serv Code Point (DSCP)...................... disabled
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.9.2
Mobility Move Count.............................. 1
--More-- or (q)uit
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
The security policy is now completed and the client is in the RUN state.
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ client1
VLAN............................................. 601
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 0
Client Statistics:
Number of Bytes Received................... 0
Number of Bytes Sent....................... 0
Number of Packets Received................. 0
Number of Packets Sent..................... 0
Number of Policy Errors.................... 0
--More-- or (q)uit
Radio Signal Strength Indicator............ Unavailable
Signal to Noise Ratio...................... Unavailable
Nearby AP Statistics:
TxExcessiveRetries: 0
TxRetries: 0
RtsSuccessCnt: 0
RtsFailCnt: 0
TxFiltered: 0
TxRateProfile: [0,0,0,0,0,0,0,0,0,0,0,0]
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >Sat Sep 27 10:48:24 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019
192.168.0.25:68
Sat Sep 27 10:48:29 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:49:16 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:49:21 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 Sending Accounting request (2) for station 00:0e:35:f3:60:53
Now I log out from the web authentication by clicking on the Logout button.
Sat Sep 27 10:49:44 2008: AccountingMessage Accounting Stop: 0x15073df4
Sat Sep 27 10:49:44 2008:
Packet contains 21 AVPs:
Sat Sep 27 10:49:44 2008:
AVP[01] User-Name................................guest (5 bytes)
Sat Sep 27 10:49:44 2008:
AVP[02] Nas-Port.................................0x00000001 (1) (4
bytes)
Sat Sep 27 10:49:44 2008:
AVP[03] Nas-Ip-Address...........................0xc0a80019 (1062731751) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[04] Framed-IP-Address........................0xc0a83317 (1062718697) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[05] NAS-Identifier...........................w-4404-1 (8 bytes)
Sat Sep 27 10:49:44 2008:
AVP[06] Airespace / WLAN-Identifier..............0x00000003 (3) (4
bytes)
Sat Sep 27 10:49:44 2008:
AVP[07] Acct-SessionId..........................48ddf328/00:0e:35:f3:60:53/60 (29 bytes)
Sat Sep 27 10:49:44 2008:
AVP[08] Acct-Authentic...........................0x00000002 (2) (4
bytes)
Sat Sep 27 10:49:44 2008:
AVP[09] Tunnel-Type..............................0x0000000d (13) (4
bytes)
Sat Sep 27 10:49:44 2008:
AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4
bytes)
Sat Sep 27 10:49:44 2008:
AVP[11] Tunnel-Group-Id..........................601 (3 bytes)
Sat Sep 27 10:49:44 2008:
AVP[12] Acct-Status-Type.........................0x00000002 (2) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[13] Acct-Input-Octets........................0x00000000 (0) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[14] Acct-Output-Octets.......................0x00000000 (0) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[15] Acct-Input-Packets.......................0x00000000 (0) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[16] Acct-Output-Packets......................0x00000000 (0) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[17] Acct-Terminate-Cause.....................0x00000001 (1) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[18] Acct-Session-Time........................0x00000080 (128) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[19] Acct-Delay-Time..........................0x00000000 (0) (4 bytes)
Sat Sep 27 10:49:44 2008:
AVP[20] Calling-Station-Id.......................192.168.51.23 (13 bytes)
Sat Sep 27 10:49:44 2008:
AVP[21] Called-Station-Id........................192.168.0.25 (12 bytes)
An accounting stop packet is sent to indicate to the RADIUS server (in this case the controller itself)
that the user session is finishing.
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 RUN (20) Change state to L2AUTHCOMPLETE (4) last
state RUN (20)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7)
last state RUN (20)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) pemAdvanceState2 4744, Adding TMP
rule
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Successfully plumbed mobile rule
(ACL ID 255)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Change state to WEBAUTH_REQD (8)
last state RUN (20)
The association and the IP address assignment are still valid, so L2 authentication and DHCP are
reconfirmed.
However, the client is no longer web-authenticated, so its state changes back to WEBAUTH_REQD.
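The logout sequence annotated above can be checked mechanically. The following is an added example, not part of the original capture or of any Cisco tool: it rebuilds the policy-manager state timeline for one client and compares the time spent in RUN with the Acct-Session-Time reported in the accounting stop record. The sample lines are constructed in the capture's format; the first line (the entry into RUN) and all function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the capture. The first record (entry into
# RUN) is an assumed line; the others mirror lines shown in the log above.
SAMPLE = """\
Sat Sep 27 10:47:36 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last
state RUN (20)
Sat Sep 27 10:49:44 2008:
AVP[18] Acct-Session-Time........................0x00000080 (128) (4
bytes)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 RUN (20) Change state to L2AUTHCOMPLETE (4) last
state RUN (20)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7)
last state RUN (20)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 DHCP_REQD (7) Change state to WEBAUTH_REQD (8)
last state RUN (20)
"""

# "<timestamp>: <client MAC> <client IP> <OLD> (n) Change state to <NEW> (n)"
TRANSITION = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \S+ "
    r"(?P<old>[A-Z0-9_]+) \(\d+\) Change state to (?P<new>[A-Z0-9_]+) \(\d+\)"
)
# The AVP dump prints the value as 32-bit hex after the dot leader.
SESSION_TIME = re.compile(r"Acct-Session-Time\.+0x([0-9a-f]{8})")


def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def transitions(log, mac):
    """Return [(timestamp, old_state, new_state)] for one client MAC."""
    out = []
    for line in log.splitlines():
        m = TRANSITION.match(line)
        if m and m["mac"] == mac.lower():
            out.append((parse_ts(m["ts"]), m["old"], m["new"]))
    return out


def run_sessions(trans):
    """Pair each entry into RUN with the next exit; an open session ends in None."""
    sessions, entered = [], None
    for ts, old, new in trans:
        if new == "RUN" and entered is None:
            entered = ts
        elif old == "RUN" and new != "RUN" and entered is not None:
            sessions.append((entered, ts, new))
            entered = None
    if entered is not None:
        sessions.append((entered, None, None))
    return sessions


def check_accounting(log, mac, tolerance=2):
    """Compare each closed RUN period with the reported Acct-Session-Time (seconds)."""
    reported = [int(h, 16) for h in SESSION_TIME.findall(log)]
    closed = [s for s in run_sessions(transitions(log, mac)) if s[1] is not None]
    results = []
    for (start, end, _), secs in zip(closed, reported):
        observed = int((end - start).total_seconds())
        results.append((observed, secs, abs(observed - secs) <= tolerance))
    return results


if __name__ == "__main__":
    for row in check_accounting(SAMPLE, "00:0e:35:f3:60:53"):
        print("observed=%ds reported=%ds consistent=%s" % row)
```

A mismatch between the two durations, or a RUN period with no accounting stop, is worth a closer look when guest accounting records are used for audit.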
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) pemAdvanceState2 4761, Adding
TMP rule
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 192.168.51.23 WEBAUTH_REQD (8) Successfully plumbed mobile rule
(ACL ID 255)
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 Plumbing web-auth redirect rule due to user logout for
00:0e:35:f3:60:53
Sat Sep 27 10:49:44 2008: 00:0e:35:f3:60:53 Adding Web RuleID 3416 for mobile 00:0e:35:f3:60:53
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Username entry deleted for mobile
The wireless client is no longer “linked” to the username that he used for the login.
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 192.168.51.23 Removed NPU entry.
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Set bi-dir guest tunnel for 00:0e:35:f3:60:53 as in Export
Anchor role
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 192.168.51.23 Added NPU entry of type 9
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Set bi-dir guest tunnel for 00:0e:35:f3:60:53 as in Export
Anchor role
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 192.168.51.23 Added NPU entry of type 2
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Sent an XID frame
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:0:0:0:0:0
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy WLAN LOCP EssIndex:3 aid:0 ssid:GuestTunnel
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy Security LOCP ecypher:0x3 ptype:0x4, p:0x1, eaptype:0x6
w:0x0 aalg:0x0, PMState: WEBAUTH_REQD
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x0 protocol2:0x5
statuscode 0, reasoncode 99, status 3
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy Username LOCP :
guest
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy IP LOCP: 0xc0a83317
Sat Sep 27 10:49:48 2008: 00:0e:35:f3:60:53 Copy MobilityData LOCP status:4, anchorip:0xc0a80902
The Location Protocol info is updated.
Now the PMState is set back to WEBAUTH_REQD and the old username used by the client can still be seen
(Copy Username LOCP : guest).
Sat Sep 27 10:49:48 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
Sat Sep 27 10:49:52 2008: dhcpd: Received 300 byte dhcp packet from 0xc0a80019 192.168.0.25:68
(Cisco Controller) >
(Cisco Controller) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN Auth Protocol Port Wired
----------------- ----------------- ------------- ---- ---- -------- ---- ----
00:0e:35:f3:60:53 192.168.9.2       Associated    3    No   Mobile   1    No
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show client detail 00:0e:35:f3:60:53
Client MAC Address............................... 00:0e:35:f3:60:53
Client Username ................................. guest
AP MAC Address................................... 00:00:00:00:00:00
Client State..................................... Associated
Wireless LAN Id.................................. 3
BSSID............................................ 00:00:00:00:00:02
Channel.......................................... N/A
IP Address....................................... 192.168.51.23
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 0
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
Diff Serv Code Point (DSCP)...................... disabled
802.1P Priority Tag.............................. disabled
WMM Support...................................... Disabled
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 192.168.9.2
Mobility Move Count.............................. 1
--More-- or (q)uit
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
The security policy changes back to uncompleted and the client goes into the WEBAUTH_REQD state again.
Policy Manager Rule Created...................... Yes
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ client1
VLAN............................................. 601
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Not implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 0
Client Statistics:
Number of Bytes Received................... 0
Number of Bytes Sent....................... 0
Number of Packets Received................. 0
Number of Packets Sent..................... 0
Number of Policy Errors.................... 0
--More-- or (q)uit
Radio Signal Strength Indicator............ Unavailable
Signal to Noise Ratio...................... Unavailable
Nearby AP Statistics:
TxExcessiveRetries: 0
TxRetries: 0
RtsSuccessCnt: 0
RtsFailCnt: 0
TxFiltered: 0
TxRateProfile: [0,0,0,0,0,0,0,0,0,0,0,0]
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >show wlan summary
Number of WLANs.................................. 3
WLAN ID  WLAN Profile Name / SSID              Status    Interface Name
-------  ------------------------------------  --------  -------------------
1        serge-ssid-nds-1 / serge-ssid-nds-1   Disabled  management
2        testssid / testssid                   Disabled  management
3        GuestTunnel / GuestTunnel             Enabled   client1
(Cisco Controller) >
(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... GuestTunnel
Network Name (SSID).............................. GuestTunnel
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
Interface........................................ client1
The WLAN Id and the interface linked to the guest WLAN can be different between the foreign and the anchor
controller. All the other settings have to be the same.
The subnet/vlan where the guest client receives an IP address depends exclusively on the interface selected
in the WLAN settings of the anchor controller.
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
--More-- or (q)uit
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Auto Anchor................................... Enabled
Cranite Passthru.............................. Disabled
Fortress Passthru............................. Disabled
H-REAP Local Switching........................ Disabled
Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
--More-- or (q)uit
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID  IP Address    Status
-------  ------------  ------
3        192.168.0.25  Up
(Cisco Controller) >
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... NDS-IL
Mobility Keepalive interval...................... 10
Mobility Keepalive count......................... 3
Mobility Group members configured................ 2
Controllers configured in the Mobility Group
MAC Address        IP Address    Group Name  Status
00:0b:85:40:8f:40  192.168.0.25  NDS-IL      Up
00:15:2c:e8:b2:00  192.168.9.2   wlaaan      Up
Both the foreign and the anchor controller need to be in the mobility list, but they do not necessarily
have to be in the same mobility group.
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... 00:0b:85:40:8f:40
IP Address....................................... 192.168.0.25
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.0.1
VLAN............................................. 10
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 192.168.0.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
(Cisco Controller) >show interface detailed virtual
Interface Name................................... virtual
MAC Address...................................... 00:0b:85:40:8f:40
IP Address....................................... 1.1.1.1
The IP address of the virtual interface must be the same for the foreign and for the anchor controller.
DHCP Option 82................................... Disabled
Virtual DNS Host Name............................ Disabled
AP Manager....................................... No
Guest Interface.................................. No
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 4.2.130.0
RTOS Version..................................... 4.2.130.0
Bootloader Version............................... 4.2.112.0
Build Type....................................... DATA + WPS
System Name...................................... w-4404-1
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3
IP Address....................................... 192.168.0.25
System Up Time................................... 38 days 1 hrs 3 mins 0 secs
Configured Country............................... Multiple Countries:BE,US
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +38 C
State of 802.11b Network......................... Disabled
State of 802.11a Network......................... Disabled
--More-- or (q)uit
(Cisco Controller) >