I’ve moved this situation to my lab for greater flexibility by adding a controller in as a local, then moving it to the lab and making it a master so it has the same configs.
Colin,
Thanks for the advice, but I'm pretty sure that's not it...
My wlan clients get put in the authenticated role, which has an “any any any” permission assigned to it. My phone is connected to the dot1x vap and has any any any permissions, and I've been using "broadcast filter arp", not "broadcast filter all". No luck. Please see snips below...
wlan virtual-ap "tunneled-dot1x-vap-ase_rf"
    aaa-profile "dot1x>authenticated"
    ssid-profile "dot1x-ssid-ase_rf"
    vlan 10
    band-steering
    dynamic-mcast-optimization
    dos-prevention
    no mobile-ip
!
wlan virtual-ap "tunneled-psk-vap-ase_rf"
    aaa-profile "psk>authenticated"
    ssid-profile "psk-ssid-ase_rf"
    vlan 10
    band-steering
    dynamic-mcast-optimization
    dos-prevention
    no mobile-ip
    vlan-mobility
show rights authenticated
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'authenticated'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 90
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
ACL Number = 103/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-authenticated-sacl session
3 ra-guard session
4 allowall session
5 v6-allowall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-authenticated-sacl
------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
ra-guard
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any icmpv6 rtr-adv deny Low 6
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
v6-allowall
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any-v6 permit Low 6
Expired Policies (due to time constraints) = 0
show user
10.1.15.4 80:be:05:31:34:7b jim authenticated 00:00:00 802.1x Lab Wireless dot1x/9c:1c:12:88:2e:f2/a-VHT dot1x>authenticated tunnel iPhone Jims-iPhone-6
show datapath session table 10.1.15.4
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
17.133.232.9 10.1.15.4 6 993 49839 0/0 0 24 0 tunnel 49 7 25 7130
17.133.232.9 10.1.15.4 6 993 49837 0/0 0 24 0 tunnel 49 c 27 7351
10.1.15.4 10.1.13.10 17 50515 53 0/0 6 56 0 tunnel 49 3 1 76 FTCI
10.1.15.4 10.1.13.10 17 51026 53 0/0 6 56 1 tunnel 49 c 1 71 FTCI
10.1.15.4 10.1.13.10 17 55734 53 0/0 6 56 1 tunnel 49 c 1 60 FTCI
10.1.15.4 10.1.13.10 17 61078 53 0/0 6 56 0 tunnel 49 3 1 88 FTCI
10.1.15.4 10.1.13.10 17 58304 53 0/0 6 56 0 tunnel 49 3 1 83 FTCI
10.1.15.4 10.1.13.10 17 64911 53 0/0 6 56 0 tunnel 49 7 1 60 FTCI
10.1.15.4 10.1.13.10 17 62066 53 0/0 1 8 1 tunnel 49 c 1 66 FTCI
10.1.15.4 10.1.13.10 17 63361 53 0/0 6 56 1 tunnel 49 c 1 66 FTCI
134.170.0.200 10.1.15.4 6 443 49836 0/0 0 8 0 tunnel 49 c 10 4099
165.254.42.97 10.1.15.4 6 80 49840 0/0 0 24 0 tunnel 49 7 4 504 F
10.1.13.10 10.1.15.4 17 53 51026 0/0 0 56 1 tunnel 49 c 1 87 FI
10.1.13.10 10.1.15.4 17 53 50515 0/0 0 56 0 tunnel 49 3 1 141 FI
10.1.15.4 74.125.20.109 6 49838 993 0/0 0 24 1 tunnel 49 c 49 3802 TC
10.1.15.4 74.125.20.108 6 49841 993 0/0 0 24 0 tunnel 49 6 43 3557 TC
10.1.13.10 10.1.15.4 17 53 55734 0/0 0 56 1 tunnel 49 c 1 126 FI
10.1.13.10 10.1.15.4 17 53 58304 0/0 0 56 0 tunnel 49 3 1 163 FI
10.1.13.10 10.1.15.4 17 53 61078 0/0 0 56 0 tunnel 49 3 1 168 FI
10.1.13.10 10.1.15.4 17 53 62066 0/0 0 8 1 tunnel 49 c 1 82 FI
10.1.13.10 10.1.15.4 17 53 63361 0/0 0 56 1 tunnel 49 d 1 127 FI
74.125.20.109 10.1.15.4 6 993 49838 0/0 0 24 1 tunnel 49 d 47 16731
74.125.20.108 10.1.15.4 6 993 49841 0/0 0 24 0 tunnel 49 7 41 8166
10.1.13.10 10.1.15.4 17 53 64911 0/0 0 56 1 tunnel 49 8 1 199 FI
10.1.15.4 134.170.0.200 6 49836 443 0/0 1 8 1 tunnel 49 d 15 4185 TC
10.1.15.4 165.254.42.97 6 49840 80 0/0 1 24 1 tunnel 49 8 6 620 FTC
10.1.15.4 17.133.232.9 6 49837 993 0/0 0 24 1 tunnel 49 d 29 2939 TC
10.1.15.4 17.133.232.9 6 49839 993 0/0 0 24 1 tunnel 49 8 26 2661 TC
10.1.15.4 224.0.0.22 2 2 2 0/0 0 24 0 tunnel 49 c 2 80 FTCI
10.1.15.4 224.0.0.251 17 5353 5353 0/0 0 24 0 tunnel 49 4e 10 3069 FTCI
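A checker for session-table output like the paste above, added here as an example (not part of the original post and not an Aruba tool): it parses the rows, lists sessions carrying the D (deny) flag from the legend, and lists flows that have no return entry. The column layout and a hexadecimal TAge are assumptions read off the pasted output; the last sample row is constructed.

```python
import re

# Rows 1-3 are copied from the post; row 4 (deny flag) is constructed.
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
10.1.15.4 10.1.13.10 17 50515 53 0/0 6 56 0 tunnel 49 3 1 76 FTCI
10.1.13.10 10.1.15.4 17 53 50515 0/0 0 56 0 tunnel 49 3 1 141 FI
10.1.15.4 224.0.0.251 17 5353 5353 0/0 0 24 0 tunnel 49 4e 10 3069 FTCI
10.1.15.4 192.0.2.50 6 49900 445 0/0 0 24 0 tunnel 49 2 3 180 FDC
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_sessions(text):
    """Return one dict per session row; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 13 or not (IPV4.match(t[0]) and IPV4.match(t[1])):
            continue
        # Flags column is optional: Bytes is always decimal, flags are letters.
        flags = "" if t[-1].isdigit() else t.pop()
        rows.append({
            "src": t[0], "dst": t[1], "proto": int(t[2]),
            "sport": int(t[3]), "dport": int(t[4]),
            "dest_if": " ".join(t[9:-3]),   # e.g. "tunnel 49"
            "tage": int(t[-3], 16),         # assumed hex ("c", "4e" in the paste)
            "packets": int(t[-2]), "bytes": int(t[-1]), "flags": flags,
        })
    return rows

def denied(rows):
    """Sessions marked 'D - deny' in the flag legend."""
    return [r for r in rows if "D" in r["flags"]]

def one_way(rows):
    """Flows with no matching reverse-direction entry in the table."""
    seen = {(r["src"], r["dst"], r["proto"], r["sport"], r["dport"]) for r in rows}
    return [r for r in rows
            if (r["dst"], r["src"], r["proto"], r["dport"], r["sport"]) not in seen]

if __name__ == "__main__":
    rows = parse_sessions(SAMPLE)
    for r in denied(rows):
        print("DENY   ", r["src"], "->", r["dst"], r["proto"], r["dport"])
    for r in one_way(rows):
        print("ONE-WAY", r["src"], "->", r["dst"], r["proto"], r["dport"])
```

Multicast destinations such as 224.0.0.251 normally show up as one-way, so the deny list is the part that tests whether the role's ACLs are dropping traffic.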