I have set up a WPA2-EAP SSID and, after installing the appropriate certificates on the controller and a test device (an iPhone), I am having trouble connecting the device to the SSID. Here's what I see in the logs:
iPhone MAC Address: 12:34:56:78:90:12
SSID: TEST-SSID
(Controller) #show log user-debug all | include 12:34:56:78:90:12
Feb 7 14:05:04 :501095: <NOTI> |stm| Assoc request @ 14:05:04.996208: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501095: <NOTI> |AP TESTAP@20.2.54.15 stm| Assoc request @ 14:05:04.893320: 12:34:56:78:90:12 (SN 3563): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501100: <NOTI> |stm| Assoc success @ 14:05:04.997018: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501100: <NOTI> |AP TESTAP@20.2.54.15 stm| Assoc success @ 14:05:04.894158: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:05:04 :501065: <DBUG> |stm| Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:05:04 :500511: <DBUG> |mobileip| Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:05:04 :522035: <INFO> |authmgr| MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:05:05 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:05:05 :501102: <NOTI> |stm| Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:05:05 :501102: <NOTI> |AP TESTAP@20.2.54.15 stm| Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:05:05 :501065: <DBUG> |stm| Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:05:05 :501000: <DBUG> |AP TESTAP@20.2.54.15 stm| Station 12:34:56:78:90:12: Clearing state
Feb 7 14:05:05 :500511: <DBUG> |mobileip| Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:05:05 :501000: <DBUG> |stm| Station 12:34:56:78:90:12: Clearing state
Feb 7 14:05:05 :522036: <INFO> |authmgr| MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:05:05 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:05:05 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 Send Station delete message to mobility
Feb 7 14:09:48 :501095: <NOTI> |stm| Assoc request @ 14:09:48.888345: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501100: <NOTI> |stm| Assoc success @ 14:09:48.889623: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501095: <NOTI> |AP TESTAP@20.2.54.15 stm| Assoc request @ 14:09:48.825938: 12:34:56:78:90:12 (SN 1171): AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :501065: <DBUG> |stm| Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:09:48 :501100: <NOTI> |AP TESTAP@20.2.54.15 stm| Assoc success @ 14:09:48.826869: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP
Feb 7 14:09:48 :500511: <DBUG> |mobileip| Station 12:34:56:78:90:12, 0.0.0.0: Received association on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:09:48 :522035: <INFO> |authmgr| MAC=12:34:56:78:90:12 Station UP: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:09:48 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:09:49 :501102: <NOTI> |AP TESTAP@20.2.54.15 stm| Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:09:49 :501000: <DBUG> |AP TESTAP@20.2.54.15 stm| Station 12:34:56:78:90:12: Clearing state
Feb 7 14:09:49 :501102: <NOTI> |stm| Disassoc from sta: 12:34:56:78:90:12: AP 20.2.54.15-d8:c7:c8:11:b1:23-TESTAP Reason STA has left and is disassocisted
Feb 7 14:09:49 :501065: <DBUG> |stm| Sending STA 12:34:56:78:90:12 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x32, wmm:1, rsn_cap:0
Feb 7 14:09:49 :500511: <DBUG> |mobileip| Station 12:34:56:78:90:12, 0.0.0.0: Received disassociation on ESSID: TEST-SSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name TESTAP Group BSSID d8:c7:c8:11:b1:23, phy g, VLAN 50
Feb 7 14:09:49 :501000: <DBUG> |stm| Station 12:34:56:78:90:12: Clearing state
Feb 7 14:09:49 :522036: <INFO> |authmgr| MAC=12:34:56:78:90:12 Station DN: BSSID=d8:c7:c8:11:b1:23 ESSID=TEST-SSID VLAN=50 AP-name=TESTAP
Feb 7 14:09:49 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 ingress 0x114c (tunnel 204), u_encr 64, m_encr 64, slotport 0x1040 , type: local, FW mode: 0, AP IP: 0.0.0.0
Feb 7 14:09:49 :522004: <DBUG> |authmgr| MAC=12:34:56:78:90:12 Send Station delete message to mobility
(Controller) # show auth-tracebuf mac 12:34:56:78:90:12
Warning: user-debug is enabled on one or more specific MAC addresses;
only those MAC addresses appear in the trace buffer.
Auth Trace Buffer
-----------------
Feb 7 14:05:04 station-up * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - - wpa2 aes
Feb 7 14:05:04 station-term-start * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 50 -
Feb 7 14:05:04 station-down * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - -
Feb 7 14:09:47 station-up * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - - wpa2 aes
Feb 7 14:09:47 station-term-start * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 50 -
Feb 7 14:09:48 station-down * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - -
Any idea what could be going wrong?
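Added example, not part of the original post and not vendor tooling: a small triage script that pairs station-up and station-down entries in the auth trace buffer above and flags sessions that ended within a couple of seconds with no other events recorded in between. It assumes that any event whose name does not start with `station-` represents authentication progress; the year is a placeholder because the log lines carry none.

```python
import re
from datetime import datetime

# Trace-buffer lines copied unchanged from the post above.
TRACE = """\
Feb 7 14:05:04 station-up * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - - wpa2 aes
Feb 7 14:05:04 station-term-start * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 50 -
Feb 7 14:05:04 station-down * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - -
Feb 7 14:09:47 station-up * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - - wpa2 aes
Feb 7 14:09:47 station-term-start * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 50 -
Feb 7 14:09:48 station-down * 12:34:56:78:90:12 d8:c7:c8:11:b1:23 - -
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+\S+\s+" + MAC + r"\s+" + MAC, re.I)

def parse(text):
    """Yield (timestamp, event, station MAC, BSSID) for each trace line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # Placeholder year 2000: the trace buffer prints no year.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower(), m.group(4).lower()

def sessions(text):
    """Pair each station-up with the next station-down for the same STA/BSSID."""
    open_by_key, done = {}, []
    for ts, event, sta, bssid in parse(text):
        key = (sta, bssid)
        if event == "station-up":
            open_by_key[key] = {"sta": sta, "bssid": bssid, "up": ts, "events": []}
        elif key in open_by_key and event == "station-down":
            s = open_by_key.pop(key)
            s["seconds"] = (ts - s["up"]).total_seconds()
            # Assumption: non "station-*" events mean authentication got under way.
            s["auth_progress"] = any(not e.startswith("station-") for e in s["events"])
            done.append(s)
        elif key in open_by_key:
            open_by_key[key]["events"].append(event)
    return done

def early_drops(text, max_seconds=2):
    """Sessions torn down quickly with no authentication events recorded."""
    return [s for s in sessions(text)
            if not s["auth_progress"] and s["seconds"] <= max_seconds]

if __name__ == "__main__":
    for s in early_drops(TRACE):
        print(s["up"].time(), s["sta"], s["bssid"], f'{s["seconds"]:.0f}s', s["events"])
```

Both attempts in the post are flagged: each lasted at most one second and recorded only `station-term-start` between the up and down entries.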