Wireless Access

hello experts, 

 

please help me with the troubleshooting of the wireless client which is not able to connect to the ssid "SCCorp", i am attaching the client debug and configuration of the ssid as well, the ssid has mac filtering + bandwidth contracts of 2 mbps.

 

i am aslo seeing this error message ":bd:ad:7f:e1 (vlan:702) Detecting Wireless-user AAA-Profile mismatch 

 

(UAM-COCL1-MB00MDF-WC01) #show local-userdb

User Summary
------------
Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------

28:B2:BD:AD:7F:E1 ******** SCCorp-user-role Yes Active 0.0.0.0 admin

 

the mac address of the client is 28:B2:BD:AD:7F:E1

 

my topology looks like below

 

ap <<<<<< controller <<<<< core switch (which has the svi for ssid vlan and ip helpers are defined) <<<<<< WAN <<<<< mpls <<<<< remote dhcp server.

Hi,

Whats is your initial role in the aaa profile and what policy and rules is used by that role?

there you go , some outputs that you might be interested in.

the client only gets seen in "show station-table" and in the login role only, it is not seen in the "show user-table " output

 

(UAM-COCL1-MB00MDF-WC01) #show aaa profile aaa-pf-SCCorp

AAA Profile "aaa-pf-SCCorp"
---------------------------
Parameter Value
--------- -----
Initial role SCCorp-logon-role
MAC Authentication Profile mac-auth-pf-SCCorp
MAC Authentication Default Role SCCorp-user-role
MAC Authentication Server Group sg-SCCorp
802.1X Authentication Profile dot1x-auth-pf-SCCorp
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A
Download Role from CPPM Disabled
Set username from dhcp option 12 Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
Max IPv4 for wireless user 2
RADIUS Accounting Server Group N/A
RADIUS Roaming Accounting Disabled
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Enabled
PAN Firewall Integration Disabled
Open SSID radius accounting Disabled

 

 

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any deny Low 4
2 any any any-v6 deny Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

 

 

(UAM-COCL1-MB00MDF-WC01) #show rights SCCorp-user-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-user-role'
Up BW contract = SCCorp-bw-ctr (2000000 bits/sec) Down BW contract = SCCorp-bw-ctr (2000000 bits/sec)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 104/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-user-role-sacl session
3 logon-control session
4 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-user-role-sacl
---------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
logon-control
-------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-icmp permit Low 4
3 any any svc-dns permit Low 4
4 any any svc-dhcp permit Low 4
5 any any svc-natt permit Low 4
6 any 169.254.0.0 255.255.0.0 any deny Low 4
7 any 240.0.0.0 240.0.0.0 any deny Low 4
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

(UAM-COCL1-MB00MDF-WC01) #

Your initial role SCCorp-logon-role got a deny policy in it that block any traffic on rule 3.

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 denyall session

thanks for enlightening me on this one, i edited the logon rule now .

i hope it will work now , correct ?

 

(UAM-COCL1-MB00MDF-WC01) (config) #show rights SCCorp-logon-role

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'SCCorp-logon-role'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 0
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 102/0
Openflow: Disabled
Max Sessions = 65535

Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name Type
---- ----

Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-SCCorp-logon-role-sacl session
3 allowall session

global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-SCCorp-logon-role-sacl
----------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
allowall
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any any permit Low 4
2 any any any-v6 permit Low 6

Expired Policies (due to time constraints) = 0

Seems fine, good for testing. But reminder you want bring some extra acl’s for example block controller access for guests. or not allow guest to run a dhcp server on their client. Default use the “logon” role if no enhancements are needed.

well this ssid is just for connecting handheld scanners , who will use a simple pre-shared key to connect to this ssid.

 

we are mac filtering for this , so that no other machines could connect.

i will test the ssid and will let you know how it goes.