Wireless: Cisco 5700 Series Wireless LAN Controllers

Central Web Authentication on Converged Access and Unified Access WLCs Configuration Example

August 28, 2015 - Machine translation

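Introduction

This document describes how to configure Central Web Authentication on a Converged Access Wireless LAN Controller (WLC), and also between a Converged Access WLC and a Unified Access WLC (5760, and also between 5760 and 5508).

Contributed by Surendra BG, Cisco TAC Engineer.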

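Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Basic knowledge of Cisco WLC 5508, 5760, 3850
  • Basic knowledge of Identity Services Engine (ISE)
  • Basic knowledge of wireless mobility
  • Basic knowledge of guest anchoring

Components Used

The information in this document is based on these software and hardware versions:

  • WLC 5760 that runs Cisco IOS XE Release 3.3.3
  • WLC 5508 that runs Cisco Aironet OS Release 7.6
  • Switch 3850 that runs Cisco IOS XE Release 3.3.3
  • Cisco ISE that runs Release 1.2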

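Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

The flow includes these steps:

  1. The user associates to the web authentication Service Set Identifier (SSID), which is in fact open + MAC filtering with no Layer 3 security.

  2. The user opens the browser.

  3. The WLC redirects to the guest portal.

  4. The user authenticates on the portal.

  5. The ISE sends a RADIUS Change of Authorization (CoA, UDP port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).

  6. The user is prompted to retry the original URL.

Cisco uses three different deployment setups that cover all of the different scenarios in order to accomplish Central Web Authentication (CWA).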

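Topology 1

The 5760 WLC acts as a standalone WLC, and the access points terminate on the same 5760 WLC. Clients connect to the wireless LAN (WLAN) and authenticate against the ISE.

Topology 2

Guest anchoring between Converged Access WLCs, with one acting as the Mobility Controller and the other as the Mobility Agent. The Mobility Agent is the foreign WLC, and the Mobility Controller is the anchor.

Topology 3

Guest anchoring between the Cisco Unified WLC 5508 and the Converged Access WLC 5760/3850, with one acting as the Mobility Controller and the other as the Mobility Agent. The Mobility Agent/Mobility Controller is the foreign WLC, and the 5508 Mobility Controller is the anchor.

Note: There are many deployments in which the anchor is a Mobility Controller and the foreign WLC is a Mobility Agent that obtains its license from another Mobility Controller. In this case, the foreign WLC has only one anchor, and that anchor is the one that pushes the policies. Double anchoring is not supported and does not work, because it is not expected to operate that way.

Example

WLC 5508 acts as the anchor, and WLC 5760 acts as the Mobility Controller for a 3850 switch that acts as the Mobility Agent. For an anchor-foreign WLAN, the WLC 5508 will be the anchor for the 3850 foreign WLAN. There is no need to configure that WLAN on the WLC 5760. If you point the 3850 switch to the 5760 as its anchor, and then point from this WLC 5760 to the WLC 5508 as a double anchor, it will not work, because this becomes double anchoring and the policies are on the 5508 anchor.

If you have a setup that includes a WLC 5508 as the anchor, a WLC 5760 as the Mobility Controller, and a 3850 switch as the Mobility Agent and foreign WLC, then at any given time the anchor for the 3850 switch is either the WLC 5760 or the WLC 5508. It cannot be both at the same time, and double anchoring does not work.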

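Topology 1 Configuration Example

Refer to Topology 1 for the network diagram and explanation.

The configuration is a two-step process:

  1. Configuration on the ISE.
  2. Configuration on the WLC.

The WLC 5760 acts as a standalone WLC, and users are authenticated against the ISE.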

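Configuration on the ISE

  1. Choose ISE GUI > Administration > Network Resources > Network Devices List > Add in order to add the WLC on the ISE as an authentication, authorization, and accounting (AAA) client. Ensure that you enter the same shared secret on the WLC that is added on the RADIUS server.

    Note: When you deploy anchor-foreign, you need to add the foreign WLC. There is no need to add the anchor WLC on the ISE as an AAA client. The same ISE configuration is used for all of the other deployment scenarios in this document.

  2. From the ISE GUI, choose Policy > Authentication > MAB > Edit in order to create the authentication policy. The authentication policy accepts the MAC address of the client, which points to the Internal Endpoints.

    Choose these selections in the Options list:

    • From the If authentication failed drop-down list, choose Reject
    • From the If user not found drop-down list, choose Continue
    • From the If process failed drop-down list, choose Drop

    When you configure with these options, a client that fails MAC authorization continues to the guest portal.

  3. From the ISE GUI, choose Policy > Authorization > Results > Authorization Profiles > Add. Fill in the details and click Save in order to create the authorization profile.

    This profile helps the clients get redirected to the redirect URL after MAC authentication, where the clients enter the guest username/password.

  4. From the ISE GUI, choose Policy > Authorization > Results > Authorization Profiles > Add in order to create another authorization profile that permits access to users with the correct credentials.

  5. Create the authorization policies.

    The authorization policy 'Guest_Wireless' pushes the redirect URL and the redirect ACL to the client session. The profile pushed here is the CWA profile shown previously.

    The authorization policy 'Guest_Wireless-Sucess' gives full access to a guest user who has authenticated successfully through the guest portal. After the user has authenticated successfully on the guest portal, the dynamic authorization is sent by the WLC. This re-authenticates the client session with the attribute 'Network Access:Usecase EQUALS Guest Flow'.

    The final authorization policies look like this:

  6. Optional: In this case the default multiportal configuration is used. Depending on the requirements, it can be changed in the GUI.

    From the ISE GUI, choose Administration > Web Portal Management > Multi-Portal Configurations > DefaultGuestPortal.

    The Guest_Portal_sequence is created, which allows internal, guest, and AD users.

  7. From the ISE GUI, choose Guest > Multi-Portal Configurations > DefaultGuestPortal. From the Identity Store Sequence drop-down list, choose Guest_Portal_Sequence.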

Configuration on the WLC

  1. Define the ISE RADIUS server on the WLC 5760.
  2. Configure the RADIUS server, server group, and method list with the CLI.

    ! Required globally; if it is disabled, AAA does not work
    dot1x system-auth-control

    radius server ISE
     address ipv4 10.106.73.69 auth-port 1645 acct-port 1646
     timeout 10
     retransmit 3
     key Cisco123

    aaa group server radius ISE
     server name ISE
     deadtime 10

    aaa authentication dot1x ISE group ISE
    aaa authorization network ISE group ISE

    ! Method list that the WLAN references with mac-filtering
    aaa authorization network MACFILTER group ISE
    aaa accounting identity ISE start-stop group ISE
    !

    ! Accept RADIUS CoA (dynamic authorization) from the ISE
    aaa server radius dynamic-author
     client 10.106.73.69 server-key Cisco123
     auth-type any
  3. Configure the WLAN with the CLI.

    ! Open SSID with MAC filtering; WPA is disabled
    wlan CWA_NGWC 10 CWA_NGWC
     aaa-override
     accounting-list ISE
     client vlan VLAN0012
     no exclusionlist
     mac-filtering MACFILTER
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list ISE
     session-timeout 1800
     no shutdown
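  4. Configure the redirect ACL with the CLI.

    This is the url-redirect-acl that the ISE returns as an AAA override, along with the redirect URL for the guest portal redirection. It is a straightforward ACL of the kind currently used on the Unified architecture. This is a 'punt' ACL, which is something of a reverse of the ACL you would normally use for the Unified architecture. You need to block access to DHCP, the DHCP server, DNS, the DNS server, and the ISE server. Only allow www, 443, and 8443 as required. This ISE guest portal uses port 8443, and redirection still works with the ACL shown here. ICMP is enabled here, but based on your security rules you can either deny or permit it.

    ip access-list extended REDIRECT
     deny icmp any any
     deny udp any any eq bootps
     deny udp any any eq bootpc
     deny udp any any eq domain
     deny ip any host 10.106.73.69
     permit tcp any any eq www
     permit tcp any any eq 443

    Warning: When you enable HTTPS, it might cause some high CPU issues due to scalability. Do not enable this unless it is recommended by the Cisco design team.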

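  5. From the wireless controller GUI, choose AAA > RADIUS > Servers. Configure the RADIUS server, server group, and method list in the GUI.

    Fill in all of the parameters and ensure that the shared secret configured here matches the one configured on the ISE for this device. From the Support for RFC 3576 drop-down list, choose Enable.

  6. From the wireless controller GUI, choose AAA > Server Groups > Radius. Add the previously created RADIUS server to the server group.

  7. From the wireless controller GUI, choose AAA > Method Lists > General. Check the Dot1x System Auth Control check box. If you disable this option, AAA does not work.

  8. From the wireless controller GUI, choose AAA > Method Lists > Authentication. Create an authentication method list of type dot1x. The group type is group. Map it to the ISE.

  9. From the wireless controller GUI, choose AAA > Method Lists > Accounting. Create an accounting method list of type identity. Map it to the ISE.

  10. From the wireless controller GUI, choose AAA > Method Lists > Authorization. Create an authorization method list of type network. Map it to the ISE.

  11. Optional, since there is MAC on failure support. Create an authorization method list MACFILTER of type network. Map it to the ISE.

  12. From the wireless controller GUI, choose WLAN > WLANs. Create a new configuration with the parameters shown here.

  13. Choose Security > Layer2. In the MAC Filtering field, enter MACFILTER.

  14. It is not necessary to configure Layer 3.

  15. Choose Security > AAA Server. From the Authentication Method drop-down list, choose ISE. From the Accounting Method drop-down list, choose ISE.

  16. Choose Advanced. Check the Allow AAA Override check box. Check the NAC State check box.

  17. Configure the redirect ACL on the WLC in the GUI.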
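
The Topology 1 CLI only works as a CWA setup when several pieces agree: dot1x system-auth-control is present, the ISE is a dynamic-author (CoA) client with the same key this page uses for the RADIUS server, and the WLAN carries aaa-override, nac, and a mac-filtering list that is defined. The following Python check is an added example, not part of the original document or a Cisco tool. It assumes the configuration is indented the way show running-config prints it, and its sample input is constructed from this page's commands with one deliberate key mismatch.

```python
import re

# Constructed sample: the Topology 1 commands from this page, indented the way
# "show running-config" prints them, with one deliberate defect: the
# dynamic-author server-key differs from the RADIUS server key.
SAMPLE_CONFIG = """\
dot1x system-auth-control
radius server ISE
 address ipv4 10.106.73.69 auth-port 1645 acct-port 1646
 key Cisco123
aaa group server radius ISE
 server name ISE
aaa authorization network MACFILTER group ISE
aaa server radius dynamic-author
 client 10.106.73.69 server-key Cisco124
 auth-type any
wlan CWA_NGWC 10 CWA_NGWC
 aaa-override
 mac-filtering MACFILTER
 nac
 no security wpa
ip access-list extended REDIRECT
 deny ip any host 10.106.73.69
 permit tcp any any eq www
"""


def parse_sections(text):
    """Map each top-level command to the sub-commands indented under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(cmd)
        else:
            current = cmd
            sections.setdefault(current, [])
    return sections


def check_cwa(text, redirect_acl="REDIRECT"):
    """Return a list of findings; an empty list means every check passed."""
    sec = parse_sections(text)
    findings = []
    if "dot1x system-auth-control" not in sec:
        findings.append("dot1x system-auth-control is missing")

    # RADIUS servers (address -> key) and CoA clients (address -> server-key).
    servers, coa = {}, {}
    for head, body in sec.items():
        if head.startswith("radius server "):
            addr = next((c.split()[2] for c in body
                         if c.startswith("address ipv4 ")), None)
            key = next((c.split()[-1] for c in body if c.startswith("key ")), None)
            if addr:
                servers[addr] = key
        elif head == "aaa server radius dynamic-author":
            for c in body:
                m = re.match(r"client (\S+) server-key (?:\d+ )?(\S+)", c)
                if m:
                    coa[m.group(1)] = m.group(2)
    for addr, key in servers.items():
        if addr not in coa:
            findings.append(f"no dynamic-author client entry for {addr}")
        elif coa[addr] != key:
            # The page configures the same secret in both places.
            findings.append(f"dynamic-author server-key for {addr} "
                            "differs from the radius server key")

    # Authorization method lists that a WLAN may name in mac-filtering.
    authz = {m.group(1) for h in sec
             if (m := re.match(r"aaa authorization network (\S+) group ", h))}
    for head, body in sec.items():
        if not head.startswith("wlan "):
            continue
        name = head.split()[1]
        for required in ("aaa-override", "nac"):
            if required not in body:
                findings.append(f"wlan {name}: {required} is missing")
        lists = [c.split()[1] for c in body if c.startswith("mac-filtering ")]
        if not lists:
            findings.append(f"wlan {name}: mac-filtering is missing")
        elif lists[0] not in authz:
            findings.append(f"wlan {name}: method list {lists[0]} is not defined")

    if f"ip access-list extended {redirect_acl}" not in sec:
        findings.append(f"redirect ACL {redirect_acl} is not defined")
    return findings


if __name__ == "__main__":
    for finding in check_cwa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```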

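Topology 2 Configuration Example

Refer to Topology 2 for the network diagram and explanation.

This configuration is also a two-step process.

Configuration on the ISE

The configuration on the ISE is the same as for the Topology 1 configuration.

There is no need to add the anchor controller on the ISE. You need to add the foreign WLC on the ISE, define the RADIUS server on the foreign WLC, and map the authorization policy under the WLAN. On the anchor you need to enable MAC filtering.

In this configuration example, there are two WLC 5760s that act as anchor-foreign. If you want to use the WLC 5760 as the anchor and a 3850 switch as the foreign, which is a Mobility Agent to another Mobility Controller, then the same configuration is correct. However, there is no need to configure the WLAN on the second Mobility Controller from which the 3850 switch obtains its license. You need to point the 3850 switch to the WLC 5760 that acts as the anchor.

Configuration on the WLC

  1. On the foreign, configure the ISE server with the AAA method list for AAA and map the WLAN to the MAC filter authorization.

    Note: Configure the redirect ACL on both the anchor and the foreign, and also MAC filtering.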

    dot1x system-auth-control

    radius server ISE
     address ipv4 10.106.73.69 auth-port 1645 acct-port 1646
     timeout 10
     retransmit 3
     key Cisco123

    aaa group server radius ISE
     server name ISE
     deadtime 10

    aaa authentication dot1x ISE group ISE

    aaa authorization network ISE group ISE

    aaa authorization network MACFILTER group ISE
    aaa accounting identity ISE start-stop group ISE
    !

    aaa server radius dynamic-author
     client 10.106.73.69 server-key Cisco123
     auth-type any

    wlan MA-MC 11 MA-MC
     aaa-override
     accounting-list ISE
     client vlan VLAN0012
     mac-filtering MACFILTER
     mobility anchor 10.105.135.244
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list ISE
     session-timeout 1800
     no shutdown
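  2. Configure the redirect ACL with the CLI.

    This is the url-redirect-acl that the ISE returns as an AAA override, along with the redirect URL for the guest portal redirection. It is a straightforward ACL of the kind currently used on the Unified architecture. This is a 'punt' ACL, which is something of a reverse of the ACL you would normally use for the Unified architecture. You need to block access to DHCP, the DHCP server, DNS, the DNS server, and the ISE server. Only allow www, 443, and 8443 as required. This ISE guest portal uses port 8443, and redirection still works with the ACL shown here. ICMP is enabled here, but based on your security rules you can either deny or permit it.

    ip access-list extended REDIRECT
     deny icmp any any
     deny udp any any eq bootps
     deny udp any any eq bootpc
     deny udp any any eq domain
     deny ip any host 10.106.73.69
     permit tcp any any eq www
     permit tcp any any eq 443

    Warning: When you enable HTTPS, it might cause some high CPU issues due to scalability. Do not enable this unless it is recommended by the Cisco design team.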

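  3. Configure mobility on the anchor.

    wireless mobility group member ip 10.105.135.244 public-ip 10.105.135.244 group surbg

    Note: If you configure the same with a 3850 switch as the foreign, then ensure that you define the switch peer group on the Mobility Controller and vice versa on the Mobility Controller. Then configure the CWA configurations above on the 3850 switch.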

  4. Configuration on the anchor.

    On the anchor, there is no need to configure any ISE configuration. You need the WLAN configuration.

    wlan MA-MC 6 MA-MC
     aaa-override
     client vlan VLAN0012
     mac-filtering MACFILTER
     mobility anchor
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     session-timeout 1800
     no shutdown
  5. Configure mobility on the anchor.

    Define the other WLC as a mobility member on this WLC.

    wireless mobility group member ip 10.105.135.178 public-ip 10.105.135.178 group surbg
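  6. Configure the redirect ACL with the CLI.

    This is the url-redirect-acl that the ISE returns as an AAA override, along with the redirect URL for the guest portal redirection. It is a straightforward ACL of the kind currently used on the Unified architecture. This is a 'punt' ACL, which is something of a reverse of the ACL you would normally use for the Unified architecture. You need to block access to DHCP, the DHCP server, DNS, the DNS server, and the ISE server. Only allow www, 443, and 8443 as required. This ISE guest portal uses port 8443, and redirection still works with the ACL shown here. ICMP is enabled here, but based on your security rules you can either deny or permit it.

    ip access-list extended REDIRECT
     deny icmp any any
     deny udp any any eq bootps
     deny udp any any eq bootpc
     deny udp any any eq domain
     deny ip any host 10.106.73.69
     permit tcp any any eq www
     permit tcp any any eq 443

    Warning: When you enable HTTPS, it might cause some high CPU issues due to scalability. Do not enable this unless it is recommended by the Cisco design team.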
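
How the REDIRECT ACL above treats guest traffic before login, as an added Python example that is not part of the original document: in a redirect ACL a permit entry hands the matching packet to the portal redirect, a deny entry leaves it alone, and the first matching entry wins. The parser covers only the any/host/eq forms used on this page, and the 192.0.2.x destinations are constructed documentation addresses.

```python
from collections import namedtuple

# The REDIRECT ACL as configured on this page.
ACL_TEXT = """\
ip access-list extended REDIRECT
 deny icmp any any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny udp any any eq domain
 deny ip any host 10.106.73.69
 permit tcp any any eq www
 permit tcp any any eq 443
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
Ace = namedtuple("Ace", "action proto src dst port")


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; None stands for any address."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")


def parse_acl(text):
    """Parse the permit/deny entries of an extended ACL (any/host/eq subset)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:  # "eq" after the destination is the destination port
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append(Ace(action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First match wins. Returns (decision, 1-based entry number or None)."""
    for number, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in (None, src) or ace.dst not in (None, dst):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        # permit = hand the packet to the redirect; deny = leave it alone
        return ("redirect" if ace.action == "permit" else "bypass"), number
    return "bypass", None  # implicit deny at the end of every ACL


CLIENT, ISE = "10.105.135.190", "10.106.73.69"  # addresses taken from this page
FLOWS = [  # constructed pre-login flows from the guest client
    ("DHCP request", "udp", "0.0.0.0", "255.255.255.255", 67),
    ("DNS query", "udp", CLIENT, "192.0.2.53", 53),
    ("HTTP to a web site", "tcp", CLIENT, "192.0.2.80", 80),
    ("HTTPS to a web site", "tcp", CLIENT, "192.0.2.80", 443),
    ("guest portal on the ISE", "tcp", CLIENT, ISE, 8443),
    ("SSH to some host", "tcp", CLIENT, "192.0.2.22", 22),
]


def classify(aces, flows=FLOWS):
    """Return [(label, decision, entry number)] for every flow."""
    return [(label, *evaluate(aces, proto, src, dst, port))
            for label, proto, src, dst, port in flows]


if __name__ == "__main__":
    for label, decision, number in classify(parse_acl(ACL_TEXT)):
        print(f"{label:26} {decision:9} entry {number}")
    # Failure mode: without the ISE host entry, HTTPS aimed at the ISE itself
    # matches "permit tcp any any eq 443" and is redirected again.
    no_ise = parse_acl(ACL_TEXT.replace(" deny ip any host 10.106.73.69\n", ""))
    print("ISE:443 without the host entry:", evaluate(no_ise, "tcp", CLIENT, ISE, 443))
```

The portal on port 8443 stays reachable because the ISE host entry precedes the two permit entries; the last lines show what changes for port 443 when that entry is absent.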

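Topology 3 Configuration Example

Refer to Topology 3 for the network diagram and explanation.

This is also a two-step process.

Configuration on the ISE

The configuration on the ISE is the same as for the Topology 1 configuration.

There is no need to add the anchor controller on the ISE. You need to add the foreign WLC on the ISE, define the RADIUS server on the foreign WLC, and map the authorization policy under the WLAN. On the anchor you need to enable MAC filtering.

In this example, there is a WLC 5508 that acts as the anchor and a WLC 5760 that acts as a foreign WLC. If you want to use a WLC 5508 as the anchor and a 3850 switch as the foreign WLC, which is a Mobility Agent to another Mobility Controller, then the same configuration is correct. However, there is no need to configure the WLAN on the second Mobility Controller from which the 3850 switch obtains its license. You need to point the 3850 switch to the 5508 WLC that acts as the anchor.

Configuration on the WLC

  1. On the foreign WLC, configure the ISE server with the AAA method list for AAA and map the WLAN to the MAC filter authorization. This is not necessary on the anchor.

    Note: Configure the redirect ACL on both the anchor and the foreign WLC, and also MAC filtering.

  2. From the WLC 5508 GUI, choose WLANs > New in order to configure the anchor 5508. Fill in the details in order to enable MAC filtering.

  3. It is not necessary to configure Layer 2 options.

  4. It is not necessary to configure Layer 3 options.

  5. It is not necessary to map AAA servers.

  6. Choose WLANs > WLANs > Edit > Advanced. Check the Allow AAA Override check box. From the NAC State drop-down list, choose Radius NAC.

  7. Add this as the anchor for the WLAN.

  8. After it points to local, it should appear with the control and data path as UP/UP.

  9. Create the redirect ACL on the WLC. This denies DHCP and DNS. It allows HTTP/HTTPS.

    This is how the ACL looks after it is created.

  10. Define the ISE RADIUS server on the WLC 5760.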
  11. Configure the RADIUS server, server group, and method list with the CLI.

    dot1x system-auth-control

    radius server ISE
     address ipv4 10.106.73.69 auth-port 1645 acct-port 1646
     timeout 10
     retransmit 3
     key Cisco123

    aaa group server radius ISE
     server name ISE
     deadtime 10

    aaa authentication dot1x ISE group ISE

    aaa authorization network ISE group ISE

    aaa authorization network MACFILTER group ISE

    aaa accounting identity ISE start-stop group ISE

    !

    aaa server radius dynamic-author
     client 10.106.73.69 server-key Cisco123
     auth-type any
  12. Configure the WLAN from the CLI.

    wlan 5508-MA 15 5508-MA
     aaa-override
     accounting-list ISE
     client vlan VLAN0012
     mac-filtering MACFILTER
     mobility anchor 10.105.135.151
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list ISE
     session-timeout 1800
     shutdown
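  13. Define the other WLC as a mobility member on this WLC.

    wireless mobility group member ip 10.105.135.151 public-ip 10.105.135.151 group Mobile-1

    Note: If you configure the same with a WLC 3850 as the foreign, then ensure that you define the switch peer group on the Mobility Controller and vice versa on the Mobility Controller. Then configure the previous CWA configurations on the WLC 3850.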

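  14. Configure the redirect ACL with the CLI.

    This is the url-redirect-acl that the ISE returns as an AAA override, along with the redirect URL for the guest portal redirection. It is a straightforward ACL of the kind currently used on the Unified architecture. This is a 'punt' ACL, which is something of a reverse of the ACL you would normally use for the Unified architecture. You need to block access to DHCP, the DHCP server, DNS, the DNS server, and the ISE server. Only allow www, 443, and 8443 as required. This ISE guest portal uses port 8443, and redirection still works with the ACL shown here. ICMP is enabled here, but based on your security rules you can either deny or permit it.

    ip access-list extended REDIRECT
     deny icmp any any
     deny udp any any eq bootps
     deny udp any any eq bootpc
     deny udp any any eq domain
     deny ip any host 10.106.73.69
     permit tcp any any eq www
     permit tcp any any eq 443

    Warning: When you enable HTTPS, it might cause some high CPU issues due to scalability. Do not enable this unless it is recommended by the Cisco design team.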

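Verify

Use this section in order to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Connect the client to the configured SSID. Once the client has received an IP address and has moved to the Web Auth Required state, open the browser. Enter your client credentials on the portal.

After successful authentication, check the Accept terms and conditions check box. Click Accept.

You receive a confirmation message and can now browse to the Internet.

On the ISE, the client flow looks like this:

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

On the Converged Access WLC, it is recommended to run traces rather than debugs. On the Aironet OS 5508 WLC you need to enter debug client <client mac> and debug web-auth redirect enable mac <client mac>.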

set trace group-wireless-client level debug
set trace group-wireless-secure level debug

set trace group-wireless-client filter mac 0017.7c2f.b69a
set trace group-wireless-secure filter mac 0017.7c2f.b69a
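
Trace output collected with these filters is long and wrapped across lines. The following Python script is an added example, not part of the original document: it re-joins wrapped records and reduces one client's trace to its state path, the Url-Redirect and Url-Redirect-Acl overrides, and the Audit-Session ID. The sample records are excerpted from the successful trace on this page; treating a sessionId that differs from the Audit-Session ID as a finding is an assumption based on the two being equal in that trace.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample: records excerpted from the trace on this page, left wrapped across
# lines as the page shows them; the pager line position is constructed.
SAMPLE_TRACE = """\
[05/09/14 13:13:16.015 IST 63fb 8151] 0017.7c2f.b69a AAA Override Url-Redirect
'https://10.106.73.69:8443/guestportal/gateway?sessionId=0a6987b2536c871300000118&action=cwa'
set
[05/09/14 13:13:16.015 IST 63fd 8151] 0017.7c2f.b69a Setting AAA Override
Url-Redirect-Acl 'REDIRECT'
[05/09/14 13:13:16.015 IST 641d 8151] 0017.7c2f.b69a Change state to
AUTHCHECK (2) last state START (0)
[05/09/14 13:13:16.015 IST 641e 8151] 0017.7c2f.b69a Change state to
L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
[05/09/14 13:13:16.016 IST 6426 8151] 0017.7c2f.b69a Change state to DHCP_REQD (7)
last state L2AUTHCOMPLETE (4)
 --More--
[05/09/14 13:13:16.016 IST 6439 8151] 0017.7c2f.b69a Session Manager Call
Client 47ad4000000145, uid 280, capwap id 506c800000000f,Flag 1 Audit-Session
ID 0a6987b2536c871300000118 policy name (null)
[05/09/14 13:13:18.802 IST 6472 8151] 0017.7c2f.b69a Change state to RUN (20) last
state DHCP_REQD (7)
"""

RECORD_START = re.compile(r"^\[\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3} ")


def join_records(text):
    """Re-join records that the console wrapped; drop blank and pager lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "--More--":
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text, mac):
    """Collect the state path and the AAA overrides logged for one client MAC."""
    out = {"path": [], "redirect_url": None, "redirect_acl": None,
           "audit_session": None}
    for rec in join_records(text):
        if mac not in rec:
            continue
        if m := re.search(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)", rec):
            if not out["path"]:
                out["path"].append(m.group(2))  # state before the first change
            out["path"].append(m.group(1))
        elif m := re.search(r"Url-Redirect '([^']+)'", rec):
            out["redirect_url"] = m.group(1)
        elif m := re.search(r"Url-Redirect-Acl '([^']+)'", rec):
            out["redirect_acl"] = m.group(1)
        elif m := re.search(r"Audit-Session ID (\w+)", rec):
            out["audit_session"] = m.group(1)
    return out


def portal_endpoint(summary):
    """Host and port of the guest portal named in the redirect URL."""
    parts = urlsplit(summary["redirect_url"])
    return parts.hostname, parts.port


def check_flow(summary):
    """Return findings; an empty list means the CWA flow looks complete."""
    findings = []
    if not summary["path"] or summary["path"][-1] != "RUN":
        findings.append("client never reached RUN")
    if not summary["redirect_acl"]:
        findings.append("no Url-Redirect-Acl received from RADIUS")
    if not summary["redirect_url"]:
        findings.append("no Url-Redirect received from RADIUS")
    else:
        query = parse_qs(urlsplit(summary["redirect_url"]).query)
        # Assumption: both IDs are equal, as in the trace on this page.
        if query.get("sessionId", [None])[0] != summary["audit_session"]:
            findings.append("sessionId in the redirect URL differs from "
                            "the Audit-Session ID")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE, "0017.7c2f.b69a")
    print(" -> ".join(s["path"]))
    print("portal:", portal_endpoint(s), "acl:", s["redirect_acl"])
    print("findings:", check_flow(s))
```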

Some known defects in Cisco IOS XE and Aironet OS are covered in Cisco bug ID CSCun38344.

This is how a successful CWA flow looks in the traces:

[05/09/14 13:13:15.951 IST 63d7 8151] 0017.7c2f.b69a Association received from mobile
on AP c8f9.f983.4260

[05/09/14 13:13:15.951 IST 63d8 8151] 0017.7c2f.b69a qos upstream policy is unknown
and downstream policy is unknown

[05/09/14 13:13:15.951 IST 63e0 8151] 0017.7c2f.b69a Applying site-specific IPv6
override for station  0017.7c2f.b69a  - vapId 15, site 'default-group', interface
'VLAN0012'

[05/09/14 13:13:15.951 IST 63e1 8151] 0017.7c2f.b69a Applying local bridging Interface
Policy for station  0017.7c2f.b69a  - vlan 12, interface 'VLAN0012'
[05/09/14 13:13:15.951 IST 63e2 8151] 0017.7c2f.b69a
  **** Inside applyLocalProfilingPolicyAction ****

[05/09/14 13:13:15.951 IST 63e3 8151] 0017.7c2f.b69a *** Client State = START
instance = 1 instance Name POLICY_PROFILING_80211_ASSOC, OverrideEnable = 1
deviceTypeLen=0, deviceType=(null), userRoleLen=0, userRole=(null

[05/09/14 13:13:15.951 IST 63eb 8151] 0017.7c2f.b69a AAAS: Submitting mac filter
request for user 00177c2fb69a, uniqueId=280 mlist=MACFILTER

[05/09/14 13:13:15.951 IST 63ec 8151] 0017.7c2f.b69a AAAS: auth request sent
[05/09/14 13:13:15.951 IST 63ed 8151] 0017.7c2f.b69a apfProcessAssocReq
(apf_80211.c:6149) Changing state for mobile  0017.7c2f.b69a  on AP  c8f9.f983.4260
  from Idle to AAA Pending


[05/09/14 13:13:15.951 IST 63ee 8151] 0017.7c2f.b69a Reason code 0, Preset 4, AAA cause 1
[05/09/14 13:13:15.951 IST 63ef 8151] 0017.7c2f.b69a Scheduling deletion of Mobile
Station: (callerId: 20) in 10 seconds
[05/09/14 13:13:15.951 IST 63f0 211] Parsed CLID MAC Address = 0:23:124:47:182:154
[05/09/14 13:13:15.951 IST 63f1 211] AAA SRV(00000118): process author req
[05/09/14 13:13:15.951 IST 63f2 211] AAA SRV(00000118): Author method=SERVER_GROUP Zubair_ISE
[05/09/14 13:13:16.015 IST 63f3 220] AAA SRV(00000118): protocol reply PASS for Authorization
[05/09/14 13:13:16.015 IST 63f4 220] AAA SRV(00000118): Return Authorization status=PASS
[05/09/14 13:13:16.015 IST 63f5 8151] 0017.7c2f.b69a AAAS: received response, cid=266
[05/09/14 13:13:16.015 IST 63f6 8151] 0017.7c2f.b69a AAAS: deleting context, cid=266
[05/09/14 13:13:16.015 IST 63f7 8151] 0017.7c2f.b69a Not comparing because the ACLs have
not been sent yet.
[05/09/14 13:13:16.015 IST 63f8 8151] 0017.7c2f.b69a Final flag values are, epmSendAcl 1,
epmSendAclDone 0
[05/09/14 13:13:16.015 IST 63f9 8151] 0017.7c2f.b69a
client incoming attribute size are 193
[05/09/14 13:13:16.015 IST 63fa 8151] 0017.7c2f.b69a AAAS: mac filter callback
status=0 uniqueId=280

[05/09/14 13:13:16.015 IST 63fb 8151] 0017.7c2f.b69a AAA Override Url-Redirect
'https://10.106.73.69:8443/guestportal/gateway?sessionId=0a6987b2536c871300000118&action=cwa'
set

[05/09/14 13:13:16.015 IST 63fc 8151] 0017.7c2f.b69a Redirect URL received for
client from RADIUS. for redirection.

[05/09/14 13:13:16.015 IST 63fd 8151] 0017.7c2f.b69a Setting AAA Override
Url-Redirect-Acl 'REDIRECT'
[05/09/14 13:13:16.015 IST 63fe 8151] 0017.7c2f.b69a AAA Override Url-Redirect-Acl
'REDIRECT'
[05/09/14 13:13:16.015 IST 63ff 8151] 0017.7c2f.b69a Local Policy: At the start of
apfApplyOverride2. Client State START

[05/09/14 13:13:16.015 IST 6400 8151] 0017.7c2f.b69a Applying new AAA override for
station  0017.7c2f.b69a
[05/09/14 13:13:16.015 IST 6401 8151] 0017.7c2f.b69a Local Policy: Applying new
AAA override for station
[05/09/14 13:13:16.015 IST 6402 8151] 0017.7c2f.b69a Override Values: source: 2,
valid_bits: 0x0000, qosLevel: -1 dscp: 0xffffffff, dot1pTag: 0xffffffff,
sessionTimeout: -1
[05/09/14 13:13:16.015 IST 6403 8151] 0017.7c2f.b69a dataAvgC: -1, rTAvgC: -1,
dataBurstC: -1 rTimeBurstC: -1, vlanIfName: , aclName:
[05/09/14 13:13:16.015 IST 6404 8151] 0017.7c2f.b69a Local Policy: Applying
override policy
[05/09/14 13:13:16.015 IST 6405 8151] 0017.7c2f.b69a Clearing Dhcp state for
station  ---
[05/09/14 13:13:16.015 IST 6406 8151] 0017.7c2f.b69a Local Policy: Before
Applying WLAN policy AccessVLAN = 12 and SessionTimeout  is 1800 and
apfMsTimeout is 1800

[05/09/14 13:13:16.015 IST 6407 8151] 0017.7c2f.b69a Local Policy:Setting
Interface name e VLAN0012

[05/09/14 13:13:16.015 IST 6408 8151] 0017.7c2f.b69a Local Policy:Setting local
bridging VLAN  name VLAN0012 and VLAN ID  12


[05/09/14 13:13:16.015 IST 6409 8151] 0017.7c2f.b69a Applying WLAN ACL
policies to client
[05/09/14 13:13:16.015 IST 640a 8151] 0017.7c2f.b69a No Interface ACL
used for Wireless client in WCM(NGWC)
[05/09/14 13:13:16.015 IST 640b 8151] 0017.7c2f.b69a apfApplyWlanPolicy:
Retaining the ACL recieved in AAA attributes 255 on mobile
[05/09/14 13:13:16.015 IST 640c 8151] 0017.7c2f.b69a Local Policy: After
Applying WLAN policy AccessVLAN = 12 and SessionTimeout  is 1800 and
apfMsTimeout is 1800

[05/09/14 13:13:16.015 IST 641a 8151] 0017.7c2f.b69a WCDB_ADD: Platform
ID allocated successfully ID:259
[05/09/14 13:13:16.015 IST 641b 8151] 0017.7c2f.b69a WCDB_ADD: Adding
opt82 len 0
[05/09/14 13:13:16.015 IST 641c 8151] 0017.7c2f.b69a WCDB_ADD: ssid
5508-MA bssid c8f9.f983.4260 vlan 12 auth=ASSOCIATION(0)
wlan(ap-group/global) 15/15 client 0 assoc 1 mob=Unassoc(0) radio 0
m_vlan 12 ip 0.0.0.0 src 0x506c800000000f dst 0x0 cid 0x47ad4000000145
glob rsc id 259dhcpsrv  0.0.0
[05/09/14 13:13:16.015 IST 641d 8151] 0017.7c2f.b69a Change state to
AUTHCHECK (2) last state START (0)

[05/09/14 13:13:16.015 IST 641e 8151] 0017.7c2f.b69a Change state to
L2AUTHCOMPLETE (4) last state AUTHCHECK (2)


[05/09/14 13:13:16.015 IST 641f 8151] 0017.7c2f.b69a WCDB_AUTH: Adding opt82 len 0
[05/09/14 13:13:16.015 IST 6420 8151] 0017.7c2f.b69a WCDB_LLM: NoRun Prev Mob 0,
Curr Mob 0 llmReq 1, return False
[05/09/14 13:13:16.015 IST 6421 207] [WCDB] ==Add event: type Regular Wireless client
(0017.7c2f.b69a) client id (0x47ad4000000145) client index (259) vlan (12)
auth_state (ASSOCIATION) mob_state (INIT)
[05/09/14 13:13:16.015 IST 6422 207] [WCDB] ===intf src/dst (0x506c800000000f)/(0x0)
radio_id (0) p2p_state (P2P_BLOCKING_DISABLE) switch/asic (1/0)
[05/09/14 13:13:16.015 IST 6423 8151] 0017.7c2f.b69a WCDB_CHANGE: auth=L2_AUTH(1)
vlan 12 radio 0 client_id 0x47ad4000000145 mobility=Unassoc(0) src_int
0x506c800000000f dst_int 0x0 ackflag 0 reassoc_client 0 llm_notif 0 ip  0.0.0.0
ip_learn_type 0
[05/09/14 13:13:16.015 IST 6424 8151] 0017.7c2f.b69a WCDB_CHANGE: In L2 auth
but l2ack waiting lfag not set,so set
[05/09/14 13:13:16.015 IST 6425 8151] 0017.7c2f.b69a Not Using WMM Compliance code
qosCap 00
[05/09/14 13:13:16.016 IST 6426 8151] 0017.7c2f.b69a Change state to DHCP_REQD (7)
last state L2AUTHCOMPLETE (4)



[05/09/14 13:13:16.016 IST 6434 8151] 0017.7c2f.b69a Sending Assoc Response to
station on BSSID  c8f9.f983.4260  (status 0) ApVapId 15 Slot 0
[05/09/14 13:13:16.016 IST 6435 8151] 0017.7c2f.b69a apfProcessRadiusAssocResp
(apf_80211.c:2316) Changing state for mobile  0017.7c2f.b69a  on AP 
c8f9.f983.4260  from Associated to Associated

[05/09/14 13:13:16.016 IST 6436 8151] 0017.7c2f.b69a 1XA: Session Push for
Non-dot1x wireless client
[05/09/14 13:13:16.016 IST 6437 8151] 0017.7c2f.b69a 1XA: Calling Auth Mgr
to Push wireless session for client  47ad4000000145 uid 280
[05/09/14 13:13:16.016 IST 6438 8151] 0017.7c2f.b69a Session Push for
wireless client

[05/09/14 13:13:16.016 IST 6439 8151] 0017.7c2f.b69a Session Manager Call
Client 47ad4000000145, uid 280, capwap id 506c800000000f,Flag 1 Audit-Session
ID 0a6987b2536c871300000118 policy name (null)

[05/09/14 13:13:16.016 IST 643a 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF:
[0017.7c2f.b69a, Ca2] Session start request from Client[1] for
0017.7c2f.b69a (method: No method, method list: none, aaa id:
0x00000118) - session-push,  policy
[05/09/14 13:13:16.016 IST 643b 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF:
[0017.7c2f.b69a, Ca2]  - client iif_id: 47AD4000000145, session ID:
0a6987b2536c871300000118 for 0017.7c2f.b69a
[05/09/14 13:13:16.016 IST 643c 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of auth-domain for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 643d 243] ACCESS-CORE-SM-CLIENT-DOT11-ERR:
[0017.7c2f.b69a, Ca2] Invalid client authorization notification: NO method
[05/09/14 13:13:16.017 IST 643e 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of dc-profile-name for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 643f 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of dc-device-name for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 6440 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of
dc-device-class-tag for 0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 6441 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of dc-certainty-metric for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 6442 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of dc-opaque for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 6443 243] ACCESS-CORE-SM-SYNC-NOTF:
[0017.7c2f.b69a, Ca2] Delay add/update sync of dc-protocol-map for
0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:16.017 IST 6444 22] [WCDB] wcdb_ffcp_add_cb: client (0017.7c2f.b69a)
client (0x47ad4000000145): FFCP operation (CREATE) return code (0)
[05/09/14 13:13:16.017 IST 6445 22] [WCDB] wcdb_send_add_notify_callback_event:
Notifying other features about client add
[05/09/14 13:13:16.017 IST 6446 22] [WCDB] wcdb_sisf_client_add_notify:
Notifying SISF of DEASSOC to DOWN any old entry for 0017.7c2f.b69a
[05/09/14 13:13:16.017 IST 6447 22] [WCDB] wcdb_sisf_client_add_notify:
Notifying SISF of new Association for 0017.7c2f.b69a
[05/09/14 13:13:16.017 IST 6448 8151] 0017.7c2f.b69a WCDB SPI response msg handler
client code 0 mob state 0
[05/09/14 13:13:16.017 IST 6449 8151] 0017.7c2f.b69a WcdbClientUpdate: L2 Auth ACK
from WCDB
[05/09/14 13:13:16.017 IST 644a 8151] 0017.7c2f.b69a WCDB_L2ACK: wcdbAckRecvdFlag
updated
[05/09/14 13:13:16.017 IST 644b 8151] 0017.7c2f.b69a WCDB_AUTH: Adding opt82 len 0
[05/09/14 13:13:16.017 IST 644c 8151] 0017.7c2f.b69a WCDB_CHANGE: Suppressing SPI
(Mobility state not known) pemstate 7 state LEARN_IP(2) vlan 12 client_id
0x47ad4000000145 mob=Unassoc(0) ackflag 2 dropd 1
[05/09/14 13:13:18.796 IST 644d 8151] 0017.7c2f.b69a Local Policy:
apf_ms_radius_override.c apfMsSumOverride 447  Returning fail from apfMsSumOverride  
[05/09/14 13:13:18.802 IST 644e 8151] 0017.7c2f.b69a Applying post-handoff policy
for station  0017.7c2f.b69a  - valid mask 0x0

[05/09/14 13:13:18.802 IST 644f 8151] 0017.7c2f.b69a     QOS Level: -1, DSCP: -1,
dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1

[05/09/14 13:13:18.802 IST 6450 8151] 0017.7c2f.b69a     Session: -1,
User session: -1, User elapsed -1
    Interface: N/A ACL: N/A Qos Pol Down   Qos Pol Up

[05/09/14 13:13:18.802 IST 6451 8151] 0017.7c2f.b69a Local Policy: At the start of
apfApplyOverride2. Client State DHCP_REQD

[05/09/14 13:13:18.802 IST 6452 8151] 0017.7c2f.b69a Applying new AAA override for
station  0017.7c2f.b69a
[05/09/14 13:13:18.802 IST 6453 8151] 0017.7c2f.b69a Local Policy: Applying new AAA
override for station
[05/09/14 13:13:18.802 IST 6454 8151] 0017.7c2f.b69a Override Values: source: 16,
valid_bits: 0x0000, qosLevel: -1 dscp: 0xffffffff, dot1pTag: 0xffffffff,
sessionTimeout: -1
[05/09/14 13:13:18.802 IST 6455 8151] 0017.7c2f.b69a dataAvgC: -1, rTAvgC: -1,
dataBurstC: -1 rTimeBurstC: -1, vlanIfName: , aclName:
[05/09/14 13:13:18.802 IST 6456 8151] 0017.7c2f.b69a Local Policy: Applying
override policy
[05/09/14 13:13:18.802 IST 6457 8151] 0017.7c2f.b69a Clearing Dhcp state for
station  ---
[05/09/14 13:13:18.802 IST 6458 8151] 0017.7c2f.b69a Local Policy: Before Applying
WLAN policy AccessVLAN = 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:18.802 IST 6459 8151] 0017.7c2f.b69a Local Policy:Setting Interface
name e VLAN0012

[05/09/14 13:13:18.802 IST 645a 8151] 0017.7c2f.b69a Local Policy:Setting local
bridging VLAN  name VLAN0012 and VLAN ID  12

[05/09/14 13:13:18.802 IST 645b 8151] 0017.7c2f.b69a Applying WLAN ACL policies
to client
[05/09/14 13:13:18.802 IST 645c 8151] 0017.7c2f.b69a No Interface ACL used for
Wireless client in WCM(NGWC)
[05/09/14 13:13:18.802 IST 645d 8151] 0017.7c2f.b69a apfApplyWlanPolicy:
Retaining the ACL recieved in AAA attributes 255 on mobile
[05/09/14 13:13:18.802 IST 645e 8151] 0017.7c2f.b69a Local Policy: After
Applying WLAN policy AccessVLAN = 12 and SessionTimeout  is 1800 and
apfMsTimeout is 1800

[05/09/14 13:13:18.802 IST 645f 8151] 0017.7c2f.b69a Local Policy: After Applying
Site Override  policy AccessVLAN = 12 and SessionTimeout  is 1800 and
apfMsTimeout is 1800

[05/09/14 13:13:18.802 IST 6460 8151] 0017.7c2f.b69a Inserting AAA Override struct
for mobile MAC:  0017.7c2f.b69a , source 16

[05/09/14 13:13:18.802 IST 6461 8151] 0017.7c2f.b69a Inserting new RADIUS override
into chain for station  0017.7c2f.b69a
[05/09/14 13:13:18.802 IST 6462 8151] 0017.7c2f.b69a Override Values: source: 16,
valid_bits: 0x0000, qosLevel: -1 dscp: 0xffffffff, dot1pTag: 0xffffffff,
sessionTimeout: -1
[05/09/14 13:13:18.802 IST 6463 8151] 0017.7c2f.b69a dataAvgC: -1, rTAvgC: -1,
dataBurstC: -1 rTimeBurstC: -1, vlanIfName: , aclName:
[05/09/14 13:13:18.802 IST 6464 8151] 0017.7c2f.b69a Local Policy: After ovr
check continuation
[05/09/14 13:13:18.802 IST 6465 8151] 0017.7c2f.b69a Local Policy:
apf_ms_radius_override.c apfMsSumOverride 447  Returning fail from
apfMsSumOverride  
[05/09/14 13:13:18.802 IST 6466 8151] 0017.7c2f.b69a Local Policy: Calling
applyLocalProfilingPolicyAction from Override2

[05/09/14 13:13:18.802 IST 6467 8151] 0017.7c2f.b69a
  **** Inside applyLocalProfilingPolicyAction ****

[05/09/14 13:13:18.802 IST 6468 8151] 0017.7c2f.b69a *** Client State =
DHCP_REQD instance = 2 instance Name POLICY_PROFILING_L2_AUTH,
OverrideEnable = 1 deviceTypeLen=0, deviceType=(null), userRoleLen=0,
userRole=(null)

[05/09/14 13:13:18.802 IST 6469 8151] 0017.7c2f.b69a     Local Profiling Values :
isValidVlan = 0, vlan = 0, isVlanRecdInDelete = 0, isValidSessionTimeout = 0,
  sessionTimeout=0, isSessionTORecdInDelete = 0  ProtocolMap = 0 ,applyPolicyAtRun= 0
[05/09/14 13:13:18.802 IST 646a 8151] 0017.7c2f.b69a          ipv4ACL = [],
ipv6ACL = [], inQoS = [unknown], outQoS = [unknown]
[05/09/14 13:13:18.802 IST 646b 8151] 0017.7c2f.b69a Local Policy: At the End
AccessVLAN = 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:18.802 IST 646c 8151] 0017.7c2f.b69a apfMsRunStateInc
[05/09/14 13:13:18.802 IST 646d 8151] 0017.7c2f.b69a Session Update for Non-dot1x client

[05/09/14 13:13:18.802 IST 646e 8151] 0017.7c2f.b69a 1XA: Session Push for Non-dot1x
wireless client
[05/09/14 13:13:18.802 IST 646f 8151] 0017.7c2f.b69a 1XA: Calling Auth Mgr to Push
wireless session for client  47ad4000000145 uid 280
[05/09/14 13:13:18.802 IST 6470 8151] 0017.7c2f.b69a Session Update for Pushed Sessions

[05/09/14 13:13:18.802 IST 6471 8151] 0017.7c2f.b69a Session Manager Call Client
47ad4000000145, uid 280, capwap id 506c800000000f,Flag 0 Audit-Session ID
0a6987b2536c871300000118 policy name (null)

[05/09/14 13:13:18.802 IST 6472 8151] 0017.7c2f.b69a Change state to RUN (20) last
state DHCP_REQD (7)

[05/09/14 13:13:18.802 IST 6473 8151] 0017.7c2f.b69a WCDB_AUTH: Adding opt82 len 0
[05/09/14 13:13:18.802 IST 6474 8151] 0017.7c2f.b69a WCDB_LLM: prev Mob state 0 curr
Mob State 3 llReq flag 1
[05/09/14 13:13:18.802 IST 6475 8151] 0017.7c2f.b69a WCDB_LLM: prev Mob state 0
currMob State 3 afd action 1
[05/09/14 13:13:18.802 IST 6476 8151] 0017.7c2f.b69a WCDB_LLM: pl handle 259 vlan_id
12 auth RUN(4) mobility 3 client_id 0x47ad4000000145 src_interface 0x506c800000000f
dst_interface 0x75e18000000143 client_type 0 p2p_type 1 bssid c8f9.f983.4260 radio_id
0 wgbid 0000.0000.0000
[05/09/14 13:13:18.802 IST 6477 8151] 0017.7c2f.b69a WCDB_CHANGE: auth=RUN(4) vlan
12 radio 0 client_id 0x47ad4000000145 mobility=ExpForeign(3) src_int 0x506c800000000f
dst_int 0x75e18000000143 ackflag 2 reassoc_client 0 llm_notif 1 ip  0.0.0.0
ip_learn_type 0
[05/09/14 13:13:18.802 IST 6478 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF:
[0017.7c2f.b69a, Ca2] Session update from Client[1] for 0017.7c2f.b69a,
ID list 0x00000000, policy
[05/09/14 13:13:18.802 IST 6479 8151] 0017.7c2f.b69a WCDB_AUTH: Adding opt82 len 0
[05/09/14 13:13:18.802 IST 647a 8151] 0017.7c2f.b69a WCDB_LLM: prev Mob state 3
curr Mob State 3 llReq flag 0
[05/09/14 13:13:18.802 IST 647b 8151] 0017.7c2f.b69a WCDB_CHANGE: auth=RUN(4)
vlan 12 radio 0 client_id 0x47ad4000000145 mobility=ExpForeign(3) src_int
0x506c800000000f dst_int 0x75e18000000143 ackflag 2 reassoc_client 0 llm_notif 0
ip  0.0.0.0 ip_learn_type 0
[05/09/14 13:13:18.802 IST 647c 8151] 0017.7c2f.b69a AAAS: creating accounting start
record using method list Zubair_ISE, passthroughMode 1
[05/09/14 13:13:18.802 IST 647d 8151] 0017.7c2f.b69a AAAS: initialised accounting
start request, uid=280 passthrough=1
[05/09/14 13:13:18.802 IST 647e 8151] 0017.7c2f.b69a AAAS: accounting request sent
[05/09/14 13:13:18.803 IST 647f 207] [WCDB] ==Update event: client (0017.7c2f.b69a)
client id:(0x47ad4000000145) vlan (12->12) global_wlan (15->15) auth_state
(L2_AUTH_DONE->RUN) mob_st<truncated>
[05/09/14 13:13:18.803 IST 6480 207] [WCDB] ===intf src/dst
(0x506c800000000f->0x506c800000000f)/(0x0->0x75e18000000143)
radio/bssid (0->0)/(c8f9.f983.4260->c8f9.f983.4260) llm_notify (true) addr v4/v6
(<truncated>
[05/09/14 13:13:18.803 IST 6481 207] [WCDB] Foreign client add. Final llm
notified = false
[05/09/14 13:13:18.803 IST 6482 207] [WCDB] wcdb_client_mcast_update_notify:
No mcast action reqd
[05/09/14 13:13:18.803 IST 6483 207] [WCDB] wcdb_ffcp_wcdb_client_update_notify
client (0017.7c2f.b69a) id 0x47ad4000000145 ffcp update with flags=0x0
[05/09/14 13:13:18.803 IST 6484 207] [WCDB] wcdb_client_state_change_notify:
update flags = 0x3
[05/09/14 13:13:18.803 IST 6485 8151] 0017.7c2f.b69a aaa attribute list length is 79
[05/09/14 13:13:18.803 IST 6486 207] ACCESS-CORE-SM-CLIENT-DOT11-NOTF: [0017.7c2f.b69a]
WCDB RUN notification for 0017.7c2f.b69a
[05/09/14 13:13:18.803 IST 6487 8151] 0017.7c2f.b69a Sending SPI
spi_epm_epm_session_create successfull
[05/09/14 13:13:18.803 IST 6488 8151] 0017.7c2f.b69a 0.0.0.0, auth_state 20
mmRole ExpForeign !!!
[05/09/14 13:13:18.803 IST 6489 8151] 0017.7c2f.b69a 0.0.0.0, auth_state 20 mmRole
ExpForeign, updating wcdb not needed
[05/09/14 13:13:18.803 IST 648a 8151] 0017.7c2f.b69a Tclas Plumb needed: 0
[05/09/14 13:13:18.803 IST 648b 207] [WCDB] wcdb_sisf_client_update_notify:
Notifying SISF to remove assoc in Foreign
[05/09/14 13:13:18.803 IST 648c 207] [WCDB] ==Update event: client (0017.7c2f.b69a)
client id:(0x47ad4000000145) vlan (12->12) global_wlan (15->15) auth_state (RUN->RUN)
mob_st<truncated>
[05/09/14 13:13:18.803 IST 648d 207] [WCDB] ===intf src/dst
(0x506c800000000f->0x506c800000000f)/(0x75e18000000143->0x75e18000000143)
radio/bssid (0->0)/(c8f9.f983.4260->c8f9.f983.4260) llm_notify (false)
addr v4/v6 (<truncated>
[05/09/14 13:13:18.803 IST 648e 207] [WCDB] wcdb_client_mcast_update_notify:
No mcast action reqd
[05/09/14 13:13:18.803 IST 648f 207] [WCDB] wcdb_ffcp_wcdb_client_update_notify
client (0017.7c2f.b69a) id 0x47ad4000000145 ffcp update with flags=0x0
[05/09/14 13:13:18.803 IST 6490 207] [WCDB] wcdb_client_state_change_notify:
update flags = 0x2
[05/09/14 13:13:18.803 IST 6491 207] ACCESS-CORE-SM-CLIENT-DOT11-NOTF:
[0017.7c2f.b69a] WCDB RUN notification for 0017.7c2f.b69a
[05/09/14 13:13:18.803 IST 6492 207] [WCDB] wcdb_sisf_client_update_notify:
Notifying SISF to remove assoc in Foreign
[05/09/14 13:13:18.803 IST 6493 386] [WCDB] wcdb_ffcp_cb: client (0017.7c2f.b69a)
client (0x47ad4000000145): FFCP operation (UPDATE) return code (0)
[05/09/14 13:13:18.803 IST 6494 386] [WCDB] wcdb_ffcp_cb: client (0017.7c2f.b69a)
client (0x47ad4000000145): FFCP operation (UPDATE) return code (0)
[05/09/14 13:13:18.803 IST 6495 243] ACCESS-CORE-SM-SYNC-NOTF: [0017.7c2f.b69a, Ca2]
Delay add/update sync of iif-id for 0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:18.803 IST 6496 243] ACCESS-CORE-SM-SYNC-NOTF: [0017.7c2f.b69a, Ca2]
Delay add/update sync of audit-session-id for 0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:18.803 IST 6497 8151] 0017.7c2f.b69a Received session_create_response
for client handle 20175213735969093
[05/09/14 13:13:18.803 IST 6498 8151] 0017.7c2f.b69a Received session_create_response
with EPM session handle 4261413136
[05/09/14 13:13:18.803 IST 6499 8151] 0017.7c2f.b69a Splash Page redirect client
or posture client
[05/09/14 13:13:18.803 IST 649a 8151] 0017.7c2f.b69a REDIRECT ACL present in the
attribute list
[05/09/14 13:13:18.803 IST 649b 8151] 0017.7c2f.b69a Setting AAA Override
Url-Redirect-Acl 'REDIRECT'
[05/09/14 13:13:18.803 IST 649c 8151] 0017.7c2f.b69a AAA Override Url-Redirect-Acl
'REDIRECT'

[05/09/14 13:13:18.803 IST 649d 8151] 0017.7c2f.b69a AAA Override Url-Redirect
'https://10.106.73.69:8443/guestportal/gateway?sessionId=0a6987b2536c871300000118&action=cwa'
set

[05/09/14 13:13:18.803 IST 649e 8151] 0017.7c2f.b69a  Wireless Client mobility role
is not ExportAnchor/Local. Hence we are not sending request to EPM
[05/09/14 13:13:20.445 IST 649f 8151] 0017.7c2f.b69a WCDB_IP_UPDATE: new ipv4 0.0.0.0
ip_learn_type 0 deleted ipv4 0.0.0.0
[05/09/14 13:13:20.446 IST 64a0 207] [WCDB] wcdb_foreign_client_ip_addr_update:
Foreign client (0017.7c2f.b69a) ip addr update received.
[05/09/14 13:13:20.446 IST 64a1 207] [WCDB] SISF Update: IPV6 Addr[0] :
fe80::6c1a:b253:d711:c7f
[05/09/14 13:13:20.446 IST 64a2 207] [WCDB] SISF Update : Binding delete status
for V6: = 0
[05/09/14 13:13:20.446 IST 64a3 207] [WCDB] wcdb_sisf_client_update_notify:
Notifying SISF to remove assoc in Foreign
[05/09/14 13:13:20.448 IST 64a4 8151] 0017.7c2f.b69a MS got the IP,
resetting the Reassociation Count 0 for client
[05/09/14 13:13:20.448 IST 64a5 8151] 0017.7c2f.b69a AAAS: creating accounting interim
record using method list Zubair_ISE, passthroughMode 1
[05/09/14 13:13:20.449 IST 64a6 8151] 0017.7c2f.b69a AAAS: initialised accounting
interim request, uid=280 passthrough=1
[05/09/14 13:13:20.449 IST 64a7 8151] 0017.7c2f.b69a AAAS: accounting request sent
[05/09/14 13:13:20.449 IST 64a8 8151] 0017.7c2f.b69a Guest User()  assigned IP Address
(10.105.135.190)
[05/09/14 13:13:20.449 IST 64a9 8151] 0017.7c2f.b69a Assigning Address 10.105.135.190
to mobile
[05/09/14 13:13:20.449 IST 64aa 8151] 0017.7c2f.b69a WCDB_IP_UPDATE: new ipv4
10.105.135.190 ip_learn_type DHCP deleted ipv4 0.0.0.0
[05/09/14 13:13:20.449 IST 64ab 8151] 0017.7c2f.b69a AAAS: creating accounting
interim record using method list Zubair_ISE, passthroughMode 1
[05/09/14 13:13:20.449 IST 64ac 8151] 0017.7c2f.b69a AAAS: initialised accounting
interim request, uid=280 passthrough=1
[05/09/14 13:13:20.449 IST 64ad 8151] 0017.7c2f.b69a AAAS: accounting request sent
[05/09/14 13:13:20.449 IST 64ae 8151] 0017.7c2f.b69a 10.105.135.190, auth_state 20
mmRole ExpForeign !!!

[05/09/14 13:13:20.449 IST 64af 207] [WCDB] wcdb_foreign_client_ip_addr_update: Foreign
client (0017.7c2f.b69a) ip addr update received.

[05/09/14 13:13:20.449 IST 64b0 8151] 0017.7c2f.b69a 10.105.135.190, auth_state 20
mmRole ExpForeign, updating wcdb not needed

[05/09/14 13:13:20.449 IST 64b1 8151] 0017.7c2f.b69a Tclas Plumb needed: 0
[05/09/14 13:13:20.449 IST 64b2 207] [WCDB] SISF Update: IPV6 Addr[0] :
fe80::6c1a:b253:d711:c7f
[05/09/14 13:13:20.449 IST 64b3 207] [WCDB] SISF Update : Binding delete status for V6: = 0
[05/09/14 13:13:20.449 IST 64b4 207] [WCDB] wcdb_sisf_client_update_notify: Notifying SISF
to remove assoc in Foreign
[05/09/14 13:13:20.449 IST 64b5 243] ACCESS-CORE-SM-SYNC-NOTF: [0017.7c2f.b69a, Ca2] Delay
add/update sync of addr for 0017.7c2f.b69a / 0xFE000110
[05/09/14 13:13:49.429 IST 64b6 253] ACCESS-CORE-SM-CLIENT-SPI-NOTF: [0017.7c2f.b69a, Ca2]
Session authz update requested cmd 5, mac 0017.7c2f.b69a, attr-list 0x0 for Client[1]
[05/09/14 13:13:49.430 IST 64b7 253] ACCESS-CORE-SM-CLIENT-SPI-NOTF: [0017.7c2f.b69a, Ca2]
Session authz update request sent to Client[1]
[05/09/14 13:13:49.430 IST 64b8 8151] 0017.7c2f.b69a 1XA: Processing update request from
dot1x. COA type 5
[05/09/14 13:13:49.430 IST 64b9 8151] 0017.7c2f.b69a AAAS: authorization init, uid=280,
context=268
[05/09/14 13:13:49.430 IST 64ba 8151] 0017.7c2f.b69a AAAS: initialised auth request,
uinque id=280, context id = 268, context reqHandle 0xfefc172c
[05/09/14 13:13:49.430 IST 64bb 8151] 0017.7c2f.b69a AAAS: Submitting mac filter request
for user 00177c2fb69a, uniqueId=280 mlist=MACFILTER
[05/09/14 13:13:49.430 IST 64bc 8151] 0017.7c2f.b69a AAAS: auth request sent
[05/09/14 13:13:49.430 IST 64bd 8151] 0017.7c2f.b69a processing COA type 5
  was successful
[05/09/14 13:13:49.430 IST 64be 8151] 0017.7c2f.b69a processing COA type 5
  was successful
[05/09/14 13:13:49.430 IST 64bf 22] ACCESS-CORE-SM-CLIENT-SPI-NOTF: [0017.7c2f.b69a, Ca2]
Session authz update response received for Client[1]
[05/09/14 13:13:49.430 IST 64c0 211] Parsed CLID MAC Address = 0:23:124:47:182:154
[05/09/14 13:13:49.430 IST 64c1 211] AAA SRV(00000118): process author req
[05/09/14 13:13:49.430 IST 64c2 211] AAA SRV(00000118): Author method=SERVER_GROUP
Zubair_ISE

[05/09/14 13:13:49.430 IST 64c3 211] Parsed CLID MAC Address = 0:23:124:47:182:154
[05/09/14 13:13:49.430 IST 64c4 211]  AAA SRV(00000000): process response req
[05/09/14 13:13:49.469 IST 64c5 220] AAA SRV(00000118): protocol reply PASS for
Authorization

[05/09/14 13:13:49.469 IST 64c6 220] AAA SRV(00000118): Return Authorization status=PASS
[05/09/14 13:13:49.469 IST 64c7 8151] 0017.7c2f.b69a AAAS: received response, cid=268
[05/09/14 13:13:49.469 IST 64c8 8151] 0017.7c2f.b69a AAAS: deleting context, cid=268
[05/09/14 13:13:49.469 IST 64c9 8151] 0017.7c2f.b69a Not comparing because the ACLs
have not been sent yet.
[05/09/14 13:13:49.469 IST 64ca 8151] 0017.7c2f.b69a Final flag values are,
epmSendAcl 1, epmSendAclDone 0
[05/09/14 13:13:49.469 IST 64cb 8151] 0017.7c2f.b69a
client incoming attribute size are 77
 --More--
[05/09/14 13:13:49.469 IST 64cc 8151] 0017.7c2f.b69a AAAS: mac filter callback status=0
uniqueId=280

[05/09/14 13:13:49.469 IST 64cd 8151] 0017.7c2f.b69a Local Policy: At the start of
apfApplyOverride2. Client State RUN


[05/09/14 13:13:49.469 IST 64ce 8151] 0017.7c2f.b69a Applying new AAA override for
station  0017.7c2f.b69a
[05/09/14 13:13:49.469 IST 64cf 8151] 0017.7c2f.b69a Local Policy: Applying new AAA
override for station
[05/09/14 13:13:49.469 IST 64d0 8151] 0017.7c2f.b69a Override Values: source: 2,
valid_bits: 0x0000, qosLevel: -1 dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
[05/09/14 13:13:49.469 IST 64d1 8151] 0017.7c2f.b69a dataAvgC: -1, rTAvgC: -1, dataBurstC:
-1 rTimeBurstC: -1, vlanIfName: , aclName:
[05/09/14 13:13:49.469 IST 64d2 8151] 0017.7c2f.b69a Local Policy: Applying override policy
[05/09/14 13:13:49.469 IST 64d3 8151] 0017.7c2f.b69a Clearing Dhcp state for station  ---
[05/09/14 13:13:49.469 IST 64d4 8151] 0017.7c2f.b69a Local Policy: Before Applying WLAN
policy AccessVLAN = 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:49.469 IST 64d5 8151] 0017.7c2f.b69a Local Policy:Setting Interface name
e VLAN0012

[05/09/14 13:13:49.469 IST 64d6 8151] 0017.7c2f.b69a Local Policy:Setting local bridging
VLAN  name VLAN0012 and VLAN ID  12

[05/09/14 13:13:49.469 IST 64d7 8151] 0017.7c2f.b69a Applying WLAN ACL policies to client
[05/09/14 13:13:49.469 IST 64d8 8151] 0017.7c2f.b69a No Interface ACL used for Wireless
client in WCM(NGWC)
[05/09/14 13:13:49.469 IST 64d9 8151] 0017.7c2f.b69a apfApplyWlanPolicy: Retaining the
ACL recieved in AAA attributes 255 on mobile
[05/09/14 13:13:49.469 IST 64da 8151] 0017.7c2f.b69a Local Policy: After Applying WLAN
policy AccessVLAN = 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:49.469 IST 64db 8151] 0017.7c2f.b69a Local Policy: After Applying Site
Override  policy AccessVLAN = 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:49.469 IST 64dc 8151] 0017.7c2f.b69a Inserting AAA Override struct for mobile
    MAC:  0017.7c2f.b69a , source 2

[05/09/14 13:13:49.469 IST 64dd 8151] 0017.7c2f.b69a Inserting new RADIUS override into
chain for station  0017.7c2f.b69a
[05/09/14 13:13:49.469 IST 64de 8151] 0017.7c2f.b69a Override Values: source: 2, valid_bits:
0x0000, qosLevel: -1 dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
[05/09/14 13:13:49.469 IST 64df 8151] 0017.7c2f.b69a dataAvgC: -1, rTAvgC: -1, dataBurstC:
-1 rTimeBurstC: -1, vlanIfName: , aclName:
[05/09/14 13:13:49.469 IST 64e0 8151] 0017.7c2f.b69a Local Policy: After ovr check
continuation
[05/09/14 13:13:49.469 IST 64e1 8151] 0017.7c2f.b69a Local Policy: apf_ms_radius_override.c
apfMsSumOverride 447  Returning fail from apfMsSumOverride  
[05/09/14 13:13:49.469 IST 64e2 8151] 0017.7c2f.b69a Local Policy: Calling
applyLocalProfilingPolicyAction from Override2

[05/09/14 13:13:49.469 IST 64e3 8151] 0017.7c2f.b69a 
**** Inside applyLocalProfilingPolicyAction ****

[05/09/14 13:13:49.469 IST 64e4 8151] 0017.7c2f.b69a *** Client State = RUN instance = 2
instance Name POLICY_PROFILING_L2_AUTH, OverrideEnable = 1 deviceTypeLen=0,
deviceType=(null), userRoleLen=0, userRole=(null)

[05/09/14 13:13:49.469 IST 64e5 8151] 0017.7c2f.b69a     Local Profiling Values :
isValidVlan = 0, vlan = 0, isVlanRecdInDelete = 0, isValidSessionTimeout = 0,
  sessionTimeout=0, isSessionTORecdInDelete = 0  ProtocolMap = 0 ,applyPolicyAtRun= 0
[05/09/14 13:13:49.469 IST 64e6 8151] 0017.7c2f.b69a          ipv4ACL = [],
ipv6ACL = [], inQoS = [unknown], outQoS = [unknown]
[05/09/14 13:13:49.469 IST 64e7 8151] 0017.7c2f.b69a Local Policy: At the End AccessVLAN
= 12 and SessionTimeout  is 1800 and apfMsTimeout is 1800

[05/09/14 13:13:49.469 IST 64e8 8151] 0017.7c2f.b69a In >= L2AUTH_COMPLETE for station
0017.7c2f.b69a
[05/09/14 13:13:49.469 IST 64e9 8151] 0017.7c2f.b69a AAAS: creating accounting interim
record using method list Zubair_ISE, passthroughMode 1
[05/09/14 13:13:49.469 IST 64ea 8151] 0017.7c2f.b69a AAAS: initialised accounting interim
request, uid=280 passthrough=1
[05/09/14 13:13:49.469 IST 64eb 8151] 0017.7c2f.b69a AAAS: accounting request sent
[05/09/14 13:13:49.469 IST 64ec 8151] 0017.7c2f.b69a Not Using WMM Compliance code qosCap 00
[05/09/14 13:13:49.469 IST 64ed 8151] 0017.7c2f.b69a In SPI call for >= L2AUTH_COMPLETE
for station  0017.7c2f.b69a
[05/09/14 13:13:49.469 IST 64ee 8151] 0017.7c2f.b69a WCDB_AUTH: Adding opt82 len 0
[05/09/14 13:13:49.469 IST 64ef 8151] 0017.7c2f.b69a WCDB_LLM: prev Mob state 3 curr Mob
State 3 llReq flag 0
[05/09/14 13:13:49.469 IST 64f0 8151] 0017.7c2f.b69a WCDB_CHANGE: auth=RUN(4) vlan 12
radio 0 client_id 0x47ad4000000145 mobility=ExpForeign(3) src_int 0x506c800000000f
dst_int 0x75e18000000143 ackflag 2 reassoc_client 0 llm_notif 0 ip  10.105.135.190
ip_learn_type DHCP
 --More--
[05/09/14 13:13:49.469 IST 64f1 8151] 0017.7c2f.b69a apfMsAssoStateInc
[05/09/14 13:13:49.469 IST 64f2 8151] 0017.7c2f.b69a apfPemAddUser2 (apf_policy.c:197)
Changing state for mobile  0017.7c2f.b69a  on AP  c8f9.f983.4260  from AAA Pending to
Associated

[05/09/14 13:13:49.469 IST 64f3 8151] 0017.7c2f.b69a Reason code 0, Preset 4, AAA cause 1
[05/09/14 13:13:49.469 IST 64f4 8151] 0017.7c2f.b69a Scheduling deletion of Mobile Station:
  (callerId: 49) in 1800 seconds
[05/09/14 13:13:49.469 IST 64f5 8151] 0017.7c2f.b69a Ms Timeout = 1800,
Session Timeout = 1800

[05/09/14 13:13:49.469 IST 64f6 207] [WCDB] ==Update event: client (0017.7c2f.b69a)
client id:(0x47ad4000000145) vlan (12->12) global_wlan (15->15) auth_state (RUN->RUN)
mob_st<truncated>
[05/09/14 13:13:49.469 IST 64f7 207] [WCDB] ===intf src/dst
(0x506c800000000f->0x506c800000000f)/(0x75e18000000143->0x75e18000000143) radio/bssid
(0->0)/(c8f9.f983.4260->c8f9.f983.4260) llm_notify (false) addr v4/v6 (<truncated>
[05/09/14 13:13:49.469 IST 64f8 207] [WCDB] wcdb_client_mcast_update_notify: No mcast
action reqd
[05/09/14 13:13:49.469 IST 64f9 207] [WCDB] wcdb_ffcp_wcdb_client_update_notify client
(0017.7c2f.b69a) id 0x47ad4000000145 ffcp update with flags=0x0
[05/09/14 13:15:47.411 IST 650a 8151] 0017.7c2f.b69a Acct-interim update sent for
station 0017.7c2f.b69a

[05/09/14 13:16:38.431 IST 650b 8151] 0017.7c2f.b69a
Client stats update: Time now in sec 1399621598, Last Acct Msg Sent at 1399621547 sec
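
As an added example, not part of the original Cisco document, the following Python re-joins the wrapped debug lines into records and extracts the CWA milestones visible in this trace: redirect URL set, address assigned, CoA received, authorization result, and the client state change. The milestone names and regular expressions are assumptions derived from the message text above, and the sample input is a constructed excerpt of that trace.

```python
import re

# Constructed excerpt: records copied from the trace above; pager prompt added as a test case.
TRACE = """\
[05/09/14 13:13:18.803 IST 649d 8151] 0017.7c2f.b69a AAA Override Url-Redirect
'https://10.106.73.69:8443/guestportal/gateway?sessionId=0a6987b2536c871300000118&action=cwa'
set
[05/09/14 13:13:20.449 IST 64a9 8151] 0017.7c2f.b69a Assigning Address 10.105.135.190
to mobile
 --More--
[05/09/14 13:13:49.430 IST 64b8 8151] 0017.7c2f.b69a 1XA: Processing update request from
dot1x. COA type 5
[05/09/14 13:13:49.469 IST 64c6 220] AAA SRV(00000118): Return Authorization status=PASS
[05/09/14 13:13:49.469 IST 64f2 8151] 0017.7c2f.b69a apfPemAddUser2 (apf_policy.c:197)
Changing state for mobile  0017.7c2f.b69a  on AP  c8f9.f983.4260  from AAA Pending to
Associated
"""

HEADER = re.compile(r"^\[(\d\d/\d\d/\d\d [\d:.]+) \w+ [0-9a-f]+ \d+\]\s*(.*)$")
MILESTONES = [  # hypothetical names; listed in the order they occur in this trace
    ("redirect_url", re.compile(r"AAA Override Url-Redirect '([^']+)' set")),
    ("ip_assigned", re.compile(r"Assigning Address (\S+) to mobile")),
    ("coa_type", re.compile(r"Processing update request from dot1x\. COA type (\d+)")),
    ("authz_status", re.compile(r"Return Authorization status=(\w+)")),
    ("state", re.compile(r"from AAA Pending to (\w+)")),
]

def records(text):
    """A line without a [timestamp] header continues the previous record."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        m = HEADER.match(s)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and s and s != "--More--":  # skip blank lines and pager prompts
            out[-1][1] += " " + s
    return out

def cwa_timeline(text):
    """First occurrence of each milestone, in log order, as (name, time, value)."""
    seen, timeline = set(), []
    for when, msg in records(text):
        for name, rx in MILESTONES:
            m = rx.search(msg)
            if m and name not in seen:
                seen.add(name)
                timeline.append((name, when, m.group(1)))
    return timeline
```

A milestone missing from the returned timeline, or an `authz_status` other than `PASS`, marks the step of the flow to investigate on the WLC or on ISE.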



Document ID: 117717