Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

iphone stuck in DENY role

  • 1.  iphone stuck in DENY role

    Posted Feb 03, 2014 06:28 PM

    When I add the iPhone's MAC address to the xxxx-MACADDR SSID, the CLI acknowledges it in the database, but the iPhone cannot connect to the internet even after getting an IP address. I tried adding an Android the same way on the same AP and it connected lickety-split.

    I turned off cellular... I forgot about this network... no help.

    The weird thing to me is that when I connect to a different SSID that requires a portal, it works fine.

    Should I just go home?

     



  • 2.  RE: iphone stuck in DENY role

    EMPLOYEE
    Posted Feb 03, 2014 06:43 PM

    Are you using mac authentication?  Did you put the mac address in the right format?  Use "aaa user delete <mac address>" to remove it from the user table and try again.



  • 3.  RE: iphone stuck in DENY role

    Posted Feb 03, 2014 06:46 PM
    Yes, MAC auth, and I did try the aaa user delete several times. The iPhone receives an IP address in the correct subnet, etc., but never advances beyond the Deny role. Why would it work with the other authentications?

    Paul Crea
    Network Engineer
    Los Angeles County Office of Education
    Technology Infrastructure Services
    Technology Services
    Office (562) 922-6669
    Fax (562) 922-8841


  • 4.  RE: iphone stuck in DENY role

    EMPLOYEE
    Posted Feb 03, 2014 06:48 PM

    Turn on client debugging:

    config t
    logging level debugging user-debug <mac of iphone>
    aaa user delete mac <mac of iphone>

    Try to connect and after you fail, type "show log user-debug 50" to see why the iPhone ends up in the Deny role.



  • 5.  RE: iphone stuck in DENY role

    Posted Feb 03, 2014 11:26 PM

    Also, run the following to identify why the iPhone is in the "Deny" role.

    show aaa state user x.x.x.x (IP of user in question)

    Look for the Role Derivation line:


    Name: chris, IP: 192.168.13.152, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 60/0, Age: 00:06:26
    Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
    Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: default for authentication type 802.1x
    VLAN Derivation: Default VLAN
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    ..........................
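
A small triage parser for the `show aaa state user` output shown in the post above, as an added example that is not part of the original thread. The sample text is the output from that post; the function names and the `expected_role` argument are assumptions of this example.

```python
import re

# Output copied from the post above (a client that authenticated via 802.1X).
SAMPLE = """\
Name: chris, IP: 192.168.13.152, MAC: 40:0e:85:01:b5:69, Role: secure.user.all, ACL: 60/0, Age: 00:06:26
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: cppm-1.lab.net
Authentication Servers: dot1x authserver: cppm-1.lab.net, mac authserver:
Role Derivation: default for authentication type 802.1x
VLAN Derivation: Default VLAN
"""

# One pattern per field of interest. "Role:" does not match "Role Derivation:",
# and "Authentication:" does not match "Authentication Servers:".
FIELDS = {
    "mac": re.compile(r"\bMAC:\s*([0-9A-Fa-f:]{17})"),
    "role": re.compile(r"\bRole:\s*([^,\s]+)"),
    "authenticated": re.compile(r"^\s*Authentication:\s*(\w+)", re.M),
    "status": re.compile(r"\bstatus:\s*([^,\n]+)"),
    "method": re.compile(r"\bmethod:\s*([^,\n]+)"),
    "role_derivation": re.compile(r"^\s*Role Derivation:\s*(.+)$", re.M),
    "vlan_derivation": re.compile(r"^\s*VLAN Derivation:\s*(.+)$", re.M),
}

def parse_aaa_state(text):
    """Return the fields above as a dict; a field that is absent maps to None."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1).strip() if m else None
    return out

def triage(text, expected_role):
    """List reasons the session differs from what the operator expects."""
    s = parse_aaa_state(text)
    findings = []
    if s["role"] != expected_role:
        findings.append(f"role is {s['role']!r}, expected {expected_role!r}")
    if s["authenticated"] != "Yes" or s["status"] != "successful":
        findings.append(f"authentication not successful "
                        f"(Authentication: {s['authenticated']}, status: {s['status']})")
    if findings:
        # The Role Derivation line says how the controller chose the role.
        findings.append(f"role derivation: {s['role_derivation']}")
    return findings

if __name__ == "__main__":
    print(parse_aaa_state(SAMPLE))
    print(triage(SAMPLE, expected_role="secure.user.all"))
```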