客户端ssid广播
ssid广播 时间:2021-05-19 阅读:()
欺诈行为图表共同性无线问题目录简介使用的组件简要PEM状态显示客户端输出情形1:WPA/WPA2PSK验证的不正确的配置的密码短语在客户端方案2:无线电话Handsets(792x/9971)不能与无线"分支服务区域"产生关联情形3:WPA的为WPA2仅配置的客户机中配置,但是AP场景4:解析AAA返回或答复代码.
场景5:客户端不能联合到AP场景6:客户端分离由于空闲超时场景7:客户端分离由于会话超时方案8:客户端分离由于WLAN更改方案9:客户端分离由于从WLC的手工的删除方案10:客户端分离由于验证超时方案11:客户端分离由于重置的AP无线电(电源/信道)方案12:Symantec与802.
1X'timeoutEvt的'客户端问题方案13:空气打印服务没为有mDNS的客户端出现监听打开了方案14:Apple无法IOS的客户端'加入由于的网络'禁用快速SSID更改方案15:成功的客户端LDAP关联方案16:在LDAP失败的客户端验证方案17:客户端关联问题由于LDAP在WLC被不正确配置方案18:客户端关联问题,当LDAP服务器是不可得到的方案19:漫游问题的Apple客户端由于未命中粘贴漫游配置方案20:验证法塞特安全漫游(FSR)与CCKM方案21:验证法塞特安全漫游(FSR)用WPA2PMKID缓存方案22:正在验证的法塞特安全漫游用积极的关键缓存方案23:验证法塞特安全漫游(FSR)与802.
11r简介本文描述通过调试的欺诈行为图表(通常"调试客户端解析").
要解析通过"请显示客户端",并且调试将要求我们对首先明白一些PEM状态和APF状态.
贡献用尚卡尔Ramanathan,CiscoTAC工程师.
使用的组件在此documemt的信息根据所有"AireOS"控制器.
控制器440x,5508,5520,75xx,85xx,2504和vWLC以及Wisms.
q虽然许多概念是相同的在聚合的访问IOS-XE控制器和交换机,本文不适用于他们作为输出,并且调试是完全不同的.
q本文档中的信息都是基于特定实验室环境中的设备编写的.
本文档中使用的所有设备最初均采用原始(默认)配置.
如果您的网络处于活动状态,请确保您了解所有命令的潜在影响.
向PEM状态介绍显示客户端输出开始—新的客户端条目的最初的状态.
qAUTHCHECK—WLAN具有要强制执行的L2认证策略.
q8021X_REQD—客户端必须完成802.
1x验证.
qL2AUTHCOMPLETE—客户端顺利地完成L2策略.
该进程现在可继续执行L3策略(地址识别、Web认证等).
此时,控制器发送移动声明以从其他控制器获得L3信息(如果这是位于同一移动组中的漫游客户端).
qWEP_REQD—客户端必须完成WEP身份验证.
qDHCP_REQD—控制器需要了解从客户端的L3地址,由ARP请求完成,DHCP请求或由从在移动组的其他控制器了解的信息更新,或者.
如果WLAN上标记有DHCPRequired,则仅使用DHCP或移动信息.
qWEBAUTH_REQD—客户端必须完成Web验证.
(L3策略)qCENTRAL_WEBAUTH_REQD--客户端必须完成CWA登录,WLC等待接收CoAqRAN—客户端顺利地完成需要的L2和L3策略,并且能当前传输流量到网络.
q给的方案显示普通的误配置的关键调试线路在无线设置,那突出显示在粗体的关键参数.
情形1:WPA/WPA2PSK验证的不正确的配置的密码短语在客户端(CiscoController)>showclientdetail24:77:03:19:fb:70ClientMACAddress.
24:77:03:19:fb:70ClientUsernameN/AAPMACAddress.
ec:c8:82:a4:5b:c0APName.
Shankar_AP_1042APradioslotId.
1ClientState.
AssociatedClientNACOOBState.
AccessWirelessLANId.
5Hotspot(802.
11u)NotSupportedBSSID.
ec:c8:82:a4:5b:cbConnectedFor0secsChannel.
44IPAddress.
UnknownGatewayAddress.
UnknownNetmask.
UnknownAssociationId.
1AuthenticationAlgorithm.
OpenSystemReasonCode.
1StatusCode.
0SessionTimeout.
0ClientCCXversion.
4ClientE2Eversion.
1QoSLevel.
SilverAvgdataRate.
0BurstdataRate.
0AvgRealtimedataRate.
0BurstRealTimedataRate.
0802.
1PPriorityTag.
2CTSSecurityGroupTag.
NotApplicableKTSCACCapability.
NoWMMSupport.
EnabledAPSDACs.
BKBEVIVOPowerSave.
OFFCurrentRate.
m15SupportedRates.
6.
0,9.
0,12.
0,18.
0,24.
0,36.
0,48.
0,54.
0MobilityState.
NoneMobilityMoveCount.
0SecurityPolicyCompleted.
NoPolicyManagerState.
8021X_REQD//ThisprovesclientisstrugglingtoclearLayer-2authentication.
ItmeanswehavetomovetodebugtounderstandwhereinL-2wearefailingPolicyManagerRuleCreated.
YesAuditSessionID.
noneAAARoleType.
noneLocalPolicyApplied.
noneIPv4ACLName.
noneFlexConnectACLAppliedStatus.
UnavailableIPv4ACLAppliedStatus.
UnavailableIPv6ACLName.
noneIPv6ACLAppliedStatus.
UnavailableLayer2ACLName.
noneLayer2ACLAppliedStatus.
UnavailablemDNSStatus.
EnabledmDNSProfileName.
default-mdns-profileNo.
ofmDNSServicesAdvertised.
0PolicyType.
WPA2AuthenticationKeyManagement.
PSKEncryptionCipher.
CCMP(AES)ProtectedManagementFrameNoManagementFrameProtection.
NoEAPType.
UnknownInterface.
vlan21VLAN.
21QuarantineVLAN.
0AccessVLAN.
21ClientCapabilities:CFPollable.
NotimplementedCFPollRequest.
NotimplementedShortPreamble.
NotimplementedPBCC.
NotimplementedChannelAgility.
NotimplementedListenInterval.
10FastBSSTransition.
NotimplementedClientWifiDirectCapabilities:WFDcapable.
NoMangedWFDcapable.
NoCrossConnectionCapable.
NoSupportConcurrentOperation.
NoFastBSSTransitionDetails:ClientStatistics:NumberofBytesReceived.
423NumberofBytesSent.
429NumberofPacketsReceived.
3NumberofPacketsSent.
4NumberofInterim-UpdateSent.
0NumberofEAPIdRequestMsgTimeouts.
.
.
.
.
.
0NumberofEAPIdRequestMsgFailures.
.
.
.
.
.
0NumberofEAPRequestMsgTimeouts.
0NumberofEAPRequestMsgFailures.
0NumberofEAPKeyMsgTimeouts.
0NumberofEAPKeyMsgFailures.
0NumberofDataRetries.
0NumberofRTSRetries.
0NumberofDuplicateReceivedPackets.
.
.
.
.
.
.
0NumberofDecryptFailedPackets.
0NumberofMicFailuredPackets.
0NumberofMicMissingPackets.
0NumberofRAPacketsDropped.
0NumberofPolicyErrors.
0RadioSignalStrengthIndicator.
18dBmSignaltoNoiseRatio.
40dBClientRateLimitingStatistics:NumberofDataPacketsRecieved.
0NumberofDataRxPacketsDropped.
0NumberofDataBytesRecieved.
0NumberofDataRxBytesDropped.
0NumberofRealtimePacketsRecieved.
0NumberofRealtimeRxPacketsDropped.
.
.
.
.
.
0NumberofRealtimeBytesRecieved.
0NumberofRealtimeRxBytesDropped.
0NumberofDataPacketsSent.
0NumberofDataTxPacketsDropped.
0NumberofDataBytesSent.
0NumberofDataTxBytesDropped.
0NumberofRealtimePacketsSent.
0NumberofRealtimeTxPacketsDropped.
.
.
.
.
.
0NumberofRealtimeBytesSent.
0NumberofRealtimeTxBytesDropped.
0NearbyAPStatistics:Shankar_AP_1602(slot0)antenna0:0secsago.
25dBmantenna1:0secsago.
40dBmShankar_AP_1602(slot1)antenna0:1secsago.
41dBmantenna1:1secsago.
27dBmShankar_AP_3502(slot0)antenna0:0secsago.
90dBmantenna1:0secsago.
83dBmShankar_AP_1042(slot0)antenna0:0secsago.
32dBmantenna1:0secsago.
41dBmShankar_AP_1042(slot1)antenna0:0secsago.
50dBmantenna1:0secsago.
42dBmDNSServerdetails:DNSserverIP0.
0.
0.
0DNSserverIP0.
0.
0.
0AssistedRoamingPredictionListdetails:ClientDhcpRequired:FalseAllowed(URL)IPAddresses调试客户端分析(CiscoController)>debugclient24:77:03:19:fb:70*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70AssociationreceivedfrommobileonBSSID08:cc:68:67:1f:fb//ClienthasinitiatedassociationforAPwithBSSID08:cc:68:67:1f:fb*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Global200ClientsareallowedtoAPradio*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70MaxClientTrapThreshold:0cur:0*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Rfprofile600ClientsareallowedtoAPwlan*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70ApplyingInterfacepolicyonMobile,roleUnassociated.
MsNACState2QuarantineVlan0AccessVlan21*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Re-applyinginterfacepolicyforclient*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:700.
0.
0.
0START(0)ChangingIPv4ACL'none'(ACLID255)===>'none'(ACLID255)---(callerapf_policy.
c:2202)*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:700.
0.
0.
0START(0)ChangingIPv6ACL'none'(ACLID255)===>'none'(ACLID255)---(callerapf_policy.
c:2223)*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70apfApplyWlanPolicy:ApplyWLANPolicyoverPMIPv6ClientMobilityType*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70InprocessSsidIE:4795settingCentralswitchedtoTRUE*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70InprocessSsidIE:4798apVapId=5andSplitAclId=65535*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70Applyingsite-specificLocalBridgingoverrideforstation24:77:03:19:fb:70-vapId5,site'default-group',interface'vlan21'*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70ApplyingLocalBridgingInterfacePolicyforstation24:77:03:19:fb:70-vlan21,interfaceid14,interface'vlan21'*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70processSsidIEstatusCodeis0andstatusis0*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70processSsidIEssid_done_flagis0finish_flagis0*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70STA-rates(8):14018243648729610800000000*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70suppRatesstatusCodeis0andgotSuppRatesElementis1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70ProcessingRSNIEtype48,length22formobile24:77:03:19:fb:70*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70pemApfDeleteMobileStation2:APF_MS_PEM_WAIT_L2_AUTH_COMPLETE=0.
*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)DeletedmobileLWAPPruleonAP[ec:c8:82:a4:5b:c0]*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70UpdatedlocationforstationoldAPec:c8:82:a4:5b:c0-1,newAP08:cc:68:67:1f:f0-1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70UpdatingAIDforREAPAPClient08:cc:68:67:1f:f0-AID===>1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)Initializingpolicy*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)ChangestatetoAUTHCHECK(2)laststateSTART(0)*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0AUTHCHECK(2)Changestateto8021X_REQD(3)laststateAUTHCHECK(2)//CliententeringL2authenticationstage*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70CentralswitchisTRUE*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70NotUsingWMMCompliancecodeqosCap00*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
08021X_REQD(3)PlumbedmobileLWAPPruleonAP08:cc:68:67:1f:f0vapId5apVapId5flex-acl-name:*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfMsAssoStateInc*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfPemAddUser2(apf_policy.
c:333)Changingstateformobile24:77:03:19:fb:70onAP08:cc:68:67:1f:f0fromDisassociatedtoAssociated*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfPemAddUser2:sessiontimeoutforstation24:77:03:19:fb:70-SessionTout0,apfMsTimeOut'0'andsessionTimerRunningflagis0*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70StoppingdeletionofMobileStation:(callerId:48)*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70Func:apfPemAddUser2,MsTimeout=0,SessionTimeout=0*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70SendingAssocResponsetostationonBSSID08:cc:68:67:1f:fb(status0)ApVapId5Slot1*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfProcessAssocReq(apf_80211.
c:8292)Changingstateformobile24:77:03:19:fb:70onAP08:cc:68:67:1f:f0fromAssociatedtoAssociated*spamApTask3:May0717:03:56.
065:24:77:03:19:fb:70Sent1xinitiatemessagetomultithreadtaskformobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
065:24:77:03:19:fb:70CreatingaPKCPMKIDCacheentryforstation24:77:03:19:fb:70(RSN2)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70ResettingMSCBPMKCacheEntry0forstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70RemovingBSSIDec:c8:82:a4:5b:cbfromPMKIDcacheofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Settingactivekeycacheindex0--->8*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Settingactivekeycacheindex8--->0*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70AddingBSSID08:cc:68:67:1f:fbtoPMKIDcacheatindex0forstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:NewPMKID:(16)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:[0000]d7578eff2b27014e93390b1c1f46d2da*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70InitiatingRSNPSKtomobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70EAP-PARAMDebug-eap-paramsforWlan-Id:5isdisabled-applyingGlobaleaptimersandretries*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70dot1x-movingmobile24:77:03:19:fb:70intoForceAuthstate*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70EAPOLHeader:*Dot1x_NW_MsgTask_0:May0717:03:56.
066:00000000:0203005f.
.
.
_*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70FoundancacheentryforBSSID08:cc:68:67:1f:fbinPMKIDcacheatindex0ofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70FoundancacheentryforBSSID08:cc:68:67:1f:fbinPMKIDcacheatindex0ofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:IncludingPMKIDinM1(16)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:[0000]d7578eff2b27014e93390b1c1f46d2da*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Startingkeyexchangetomobile24:77:03:19:fb:70,datapacketswillbedropped*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70SendingEAPOL-KeyMessagetomobile24:77:03:19:fb:70stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70SendingEAPOL-KeyMessagetomobile24:77:03:19:fb:70stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70AllocatingEAPPktforretransmissiontomobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsLwappLradNhMac=b0:fa:eb:b8:f5:12mscb->apfMsLradSlotId=1mscb->apfMsLradJumbo=0mscb->apfMsintIfNum=1*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsBssid=08:cc:68:67:1f:f0mscb->apfMsAddress=24:77:03:19:fb:70mscb->apfMsApVapId=5*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70dot1xcb->snapOrg=000000dot1xcb->eapolWepBit=0mscb->apfMsLwappLradVlanId=0mscb->apfMsLwappMwarInet.
ipv4.
addr=181004965*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsLwappMwarPort=5246mscb->apfMsLwappLradInet.
ipv4.
addr=181004985mscb->apfMsLwappLradPort=36690*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-Keyfrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70IgnoringinvalidEAPOLversion(1)inEAPOL-keymessagefrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-keyM2withinvalidMICfrommobile24:77:03:19:fb:70version2*osapiBsnTimer:May0717:03:56.
364:24:77:03:19:fb:70802.
1x'timeoutEvt'Timerexpiredforstation24:77:03:19:fb:70andformessage=M2!
---MICerrorduetowrongpresharedkey*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70Retransmit1ofEAPOL-KeyM1(length121)formobile24:77:03:19:fb:70*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70mscb->apfMsLwappLradNhMac=b0:fa:eb:b8:f5:12mscb->apfMsLradSlotId=1mscb->apfMsLradJumbo=0mscb->apfMsintIfNum=1*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70mscb->apfMsBssid=08:cc:68:67:1f:f0mscb->apfMsAddress=24:77:03:19:fb:70mscb->apfMsApVapId=5*dot1xMsgTask:May0717:03:56.
365:24:77:03:19:fb:70dot1xcb->snapOrg=000000dot1xcb->eapolWepBit=0mscb->apfMsLwappLradVlanId=0mscb->apfMsLwappMwarInet.
ipv4.
addr=181004965*dot1xMsgTask:May0717:03:56.
365:24:77:03:19:fb:70mscb->apfMsLwappMwarPort=5246mscb->apfMsLwappLradInet.
ipv4.
addr=181004985mscb->apfMsLwappLradPort=36690*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-Keyfrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70IgnoringinvalidEAPOLversion(1)inEAPOL-keymessagefrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-keyM2withinvalidMICfrommobile24:77:03:19:fb:70version2*osapiBsnTimer:May0717:03:56.
764:24:77:03:19:fb:70802.
1x'timeoutEvt'Timerexpiredforstation24:77:03:19:fb:70andformessage=M2!
---MICerrorduetowrongpresharedkey被总结的结论虽然"timeoutEvt'M2密钥的可能也归结于driver/NIC错误,一个多数常见问题是进入PSK密码的用户(未接区分大小写/特殊cahracters的不正确凭证等等)和无法连接.
方案2:无线电话Handsets(792x/9971)不能与无线"分支服务区域"产生关联参考:https://supportforums.
cisco.
com/document/12068061/7925g-handsets-failing-association-ap-call-failed-tspec-qos-policy-does-not-match拓扑与CiscoUnified无线IP电话的WLAN问题详细资料AIR-CT5508-50-K9//升级电话的固件,并且无线控制器不接受电话注册调试和日志apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxAssociationreceivedfrommobileonAP3x:xx:cx:9x:x0:x0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xx0.
0.
0.
0START(0)ChangingIPv4ACL'none'(ACLIDxxx)===>'none'(ACLIDxxx)---(callerapf_policy.
c:1x09)*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xx0.
0.
0.
0START(0)ChangingIPv6ACL'none'(ACLIDxxx5)===>'none'(ACLIDxxx)---(callerapf_policy.
c:18x6)*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxApplyingsite-specificLocalBridgingoverrideforstation1x:xx:1x:xx:xx:xx-vapId1,site'default-group',interface'xwirex'*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxApplyingLocalBridgingInterfacePolicyforstation1x:xx:1x:xx:xx:xx-vlan510,interfaceid12,interface'xwirex'*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxprocessSsidIEstatusCodeis0andstatusis0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxprocessSsidIEssid_done_flagis0finish_flagis0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSTA-rates(4):130132139150000000000000*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxsuppRatesstatusCodeis0andgotSuppRatesElementis1*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSTA-rates(12):130132139150121824364872961080000*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxextSuppRatesstatusCodeis0andgotExtSuppRatesElementis1*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxProcessingRSNIEtype48,length22formobile1x:xx:1x:xx:xx:xx*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxCCKM:MobileisusingCCKM*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxReceivedRSNIEwith0PMKIDsfrommobile1x:xx:1x:xx:xx:xx*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSettingactivekeycacheindex8--->8*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxunsettingPmkIdValidatedByAp*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSendingAssocResponsetostationonBSSID3x:xx:cx:9x:x0:x0(status201)ApVapId1Slot0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSchedulingdeletionofMobileStation:(callerId:22)in3secondsVoIPCallFailure:'1x:xx:1x:xx:xx:xx'client,detectedby'xx-xx-xx'APonradiotype'802.
11b/g'.
Reason:'Callfailed:TSPECQOSPolicydoesnotmatch'.
MeansplatinumQoSwasnotconfiguredonWLAN1x:xxPMClientExcluded:MACAddress:1x:xx:1x:xx:xx:xxBaseRadioMAC:3x:xx:cx:9x:x0:x0Slot:1UserName:dwpv\mtl7925IpAddress:xx.
xx.
x.
xxReason:802.
11Associationfailedrepeatedly.
ReasonCode:2结论在WLC的调试显示7925G失效关联作为APreturns关联状态码201.
这归结于从拒绝的话筒的一TSPEC(流量规格)请求由于WLAN配置.
WLAN7925G尝试连接配置与银QoS配置文件(0,3),而不是白金服务(6,7)如所需求.
这导致语音流量/操作帧交换的一TSPEC不匹配从话筒通过WLAN和根本地拒绝从AP.
特别地创建与白金服务QoS配置文件的一新的WLAN7925G话筒的和配置根据已建立最佳实践和如对7925G部署指南定义:http://www.
cisco.
com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.
pdf一旦配置,问题是解决的.
情形3:WPA的为WPA2仅配置的客户机中配置,但是AP调试客户端WedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:23)in5secondsWedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxapfProcessProbeReq(apf_80211.
c:4057)Changingstateformobilexx.
xx.
xx.
xx.
xx.
xxonAPfromIdletoProbeControlleraddsthenewclient,movingintoprobingstatusWedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:382014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:382014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsAPisreportingprobeactivityevery500msasconfiguredWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xxapfMsExpireCallback(apf_ms.
c:433)ExpiringMobile!
WedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xx0.
0.
0.
0START(0)DeletedmobileLWAPPruleonAP[]WedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xxDeletingmobileonAP(0)After5secondsofinactivity,clientisdeleted,nevermovedintoauthenticationorassociationphases.
场景4:解析AAA返回或答复代码.
对收集预计日志的RAN的需要的调试:(Cisco控制器)>debugMAC地址(Cisco控制器)>debugaaa事件enable(event)(或)(Cisco控制器)>debug客户端(Cisco控制器)>debugaaa事件enable(event)(Cisco控制器)>debugaaa错误enable(event)如果陷阱启用,AAA连通性故障形成SNMP陷阱.
示例debug输出*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7InvalidRADIUSmessageauthenticatorformobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7RADIUSmessageverificationfailedfromserver10.
50.
0.
74withid=213.
Possiblesecretmismatchformobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7ReturningAAAError'AuthenticationFailed'(-4)formobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:AuthorizationResponse:0x4259f944ReturningAAAError'Success'(0)formobileSuccessfulAuthenticationhappened,AAAreturnsaccess-acceptpriortoSuccess(0)toconfirmthesame.
ReturningAAAError'OutofMemory'(-2)formobileit'stherarereason.
CSCud12582ProcessingAAAError'OutofMemory'ReturningAAAError'AuthenticationFailed'(-4)formobileitsthemostcommonreasonseen可能的来源:无效用户帐户和密码1.
计算机域的不是成员,在AD侧发出.
2.
证书服务工作不正常3.
超时的服务器证书或不在使用中4.
不正确地配置的RADIUS5.
不正确地被输入的访问密钥-区分大小写(因此是SSID)6.
更新Microsoft补丁.
7.
EAP计时器.
8.
在客户端/服务器配置的不正确eap方法.
9.
客户端证书超时或不在使用中.
10.
回归AAA错误'超时'(-5)莫比尔的AAA服务器不可达的,跟随由客户端deauth.
示例:WedOct2620:08:502011:00:13:ce:1a:92:41MaxretransmissionofAccess-Request(id100)to155.
43.
129.
216reachedformobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41[Error]Clientrequestednoretriesformobile00:13:CE:1A:92:41WedOct2620:08:502011:00:13:ce:1a:92:41ReturningAAAError'Timeout'(-5)formobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41ProcessingAAAError'Timeout'(-5)formobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41SentDeauthenticatetomobileonBSSID00:0b:85:76:d3:e0slot1(caller1x_auth_pae.
c:1033)WedOct2620:08:502011:00:13:ce:1a:92:41SchedulingdeletionofMobileStation:(callerId:65)in10seconds回归AAA错误'内部错误'(-6)莫比尔的AAA/()/WLCWLC''DeauthCSCum83894AAA''w/unknown示例:*radiusTransportThread:Feb2112:14:36.
109:AbortingATTRprocessing599(avp26/6)*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fdInvalidRADIUSresponsereceivedfromserver192.
168.
0.
206withid=9formobile40:f0:2f:11:a9:fd*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fd[Error]Clientrequestednoretriesformobile40:F0:2F:11:A9:FD*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fdReturningAAAError'InternalError'(-6)formobile40:f0:2f:11:a9:fd*radiusTransportThread:Feb2112:14:36.
109:resultCode.
6*Dot1x_NW_MsgTask_5:Feb2112:14:36.
109:40:f0:2f:11:a9:fdProcessingAAAError'InternalError'(-6)formobile40:f0:2f:11:a9:fd返回AAA错误没有服务器(-7)移动的Radius没有适当地配置和或不支持的配置在使用中.
示例:*Jun2220:32:10.
229:00:21:e9:57:3c:bfReturningAAAError'NoServer'(-7)formobile00:21:e9:57:3c:bf*Jun2220:32:10.
229:AuthorizationResponse:0x1eebb3ec场景5:客户端不能联合到AP调试运行了调试客户端解析的日志发送Assoc答复驻防在BSSID00:26:cb:94:44:c0(状态0)ApVapId1Slot0Slot0=B/G(2.
4)无线电qSlot1=A(5)无线电发送Assoc答复状态0=成功q任何除状态0之外是失败同盟会答复状态码可以在https://supportforums.
cisco.
com/document/141136/80211-association-status-80211-deauth-reason-codes找到场景6:客户端分离由于空闲超时调试运行了调试客户端解析的日志从AP00:26:cb:94:44:c0的已接收Idle-timeout,STA的00:1e:8c:0f:a4:57slot0apfMsDeleteByMscb删除的日程安排移动与deleteReason4,reasonCode4移动站点的安排的删除:(callerId:30)以1秒超时莫比尔的apfMsExpireCallback(apf_ms.
c:608)!
对移动的发送的解除验证在BSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件在从客户端接收的没有流量以后发生默认持续时间是300秒解决方法增加空闲超时二者之一全局表WLCGUI>>Controller>>General或每从WLCGUI>>WLAN>>ID>>Advanced的WLAN场景7:客户端分离由于会话超时调试运行了调试客户端解析的日志apfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
apfMsExpireMobileStation(apf_ms.
c:5009)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSchedulingdeletionofMobileStation:(callerId:45)in10secondsapfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件发生在被安排的持续时间(默认1800秒)它再迫使WEBAUTH用户对WEBAUTH.
解决方法增加或禁用会话超时每从WLCGUI>>WLAN>>ID>>Advanced的WLAN方案8:客户端分离由于WLAN更改调试运行了调试客户端解析的日志apfSendDisAssocMsgDebug(apf_80211.
c:1855)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDisassociatetomobileonAP00:26:cb:94:44:c0-0(reason1,callerapf_ms.
c:4983)SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件无论如何修改在功能失效和renablesWLAN的一WLAN解决方法这是预料之中的行为.
当有做时的WLAN变动,客户端取消关联并且重新关联.
方案9:客户端分离由于从WLC的手工的删除调试运行了调试客户端解析的日志apfMsDeleteByMscbSchedulingmobilefordeletionwithdeleteReason6,reasonCode1SchedulingdeletionofMobileStation:(callerId:30)in1secondsapfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
apfMsExpireMobileStation(apf_ms.
c:5009)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件从GUI:删除客户端从CLI:设置客户端解除验证方案10:客户端分离由于验证超时调试运行了调试客户端解析的日志RetransmitfailureforEAPOL-KeyM3tomobile00:1e:8c:0f:a4:57,retransmitcount3,mscbdeauthcount0SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(caller1x_ptsm.
c:534)条件被到达的验证或密钥交换MAX重新传输解决方法检查/更新客户端驱动程序、安全设置,证书等.
方案11:客户端分离由于重置的AP无线电(电源/信道)调试运行了调试客户端解析的日志CleaningupstateforSTA00:1e:8c:0f:a4:57duetoeventforAP00:26:cb:94:44:c0(0)apfSendDisAssocMsgDebug(apf_80211.
c:1855)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDisassociatetomobileonAP00:26:cb:94:44:c0-0(reason1,callerapf_ms.
c:4983)条件AP取消关联客户端,但是WLC没有Delete条目.
解决方法预料之中的行为.
方案12:Symantec与802.
1X'timeoutEvt的'客户端问题问题客户端运行的Symantec软件用消息802.
1X'为消息=M3超时的为站点和timeoutEvt'计时器取消关联EAP/Eapol进程idoes没有g完成,不考虑A/G无线电在Intel/Broadcom卡没有使用.
没有问题,当它是使用的wep,WPA-PSK.
条件WLC代码不重要.
AP-所有模拟-所有在本地传送方式.
WLAN3-WPA2+802.
1XPEAP+mshcapv2ssid广播.
RADIUS服务器NP2008年Symantec防病毒软件在所有PCs安装使用Asus,Braodcom,Intel-win7,成功XP受影响的OS-windows7和xp受影响的无线适配器-Intel(6205)和Broadcom受影响的驱动程序/请求方-15.
2.
0.
19,使用本地请求方.
修正/应急方案:禁用Symantec网络保护和防火墙在win7和xp.
它是与Win7和XPOS的Symantec问题.
Debug输出*dot1xMsgTask:Apr1211:45:39.
335:84:3a:4b:7a:d5:acRetransmit1ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:44.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:44.
336:84:3a:4b:7a:d5:acRetransmit2ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:49.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:49.
336:84:3a:4b:7a:d5:acRetransmit3ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:54.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:54.
337:84:3a:4b:7a:d5:acRetransmit4ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:59.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:59.
336:84:3a:4b:7a:d5:acRetransmitfailureforEAPOL-KeyM3tomobile84:3a:4b:7a:d5:ac,retransmitcount5,mscbdeauthcount0*dot1xMsgTask:Apr1211:45:59.
338:84:3a:4b:7a:d5:acSentDeauthenticatetomobileonBSSIDc8:f9:f9:89:15:60slot1(caller注意:在15.
2有综合症状(也看到在更早版本)去类似:-客户端从AP获得M1-客户端发送M2-客户端从AP获得M3在派出M4前,-客户端测量深度成对地新建的密钥-客户端传送M4加密与新密钥AP,丢弃M4消息作为"解密错误"-WLC'调试客户端'显示我们在M3重新传输时间.
明显,这是在Microsoft和Symantec之间的一问题,不是Intel特定.
应急方案是删除Symantec.
很可能在windows的这确实是bug,触发由Symantec.
调整EAP计时器不调整此问题关于此问题,CiscoTAC将转发受影响的客户对Symantec和Microsoft.
方案13:空气打印服务没为有mDNS的客户端出现监听打开了在Apple手持式客户端设备提供AirPrint服务不能的客户端发现设备,当mDNS监听打开.
条件运行7.
6.
100.
0的5508WLC.
当mDNS监听打开,我们有设备提供AirPrint服务列出了在关于WLC的服务部分下.
各自mDNS配置文件正确地被映射对WLAN&接口.
无法能发现在客户端的AirPrint设备.
调试运行了调试客户端调试mdns全部启用*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71QueryServiceName:_universal.
_sub.
_ipp.
_tcp.
local.
,Type:C,Class:1.
*Bonjour_Msg_Task:Apr1515:29:35.
640:qNameStr:_universal.
_sub.
_ipp.
_tcp.
local.
,bonjServiceNameStr:_universal.
_sub.
_ipp.
_tcp.
local.
,bonjSpNameStr:_dns-sd.
_udp.
YVG.
local.
*Bonjour_Msg_Task:Apr1515:29:35.
640:ServiceName:HP_Photosmart_Printer_1ServiceString:_universal.
_sub.
_ipp.
_tcp.
local.
issupportedinMSAL-DB*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71Service:_universal.
_sub.
_ipp.
_tcp.
local.
issupportedbyclient'sprofile:default-mdns-profile*Bonjour_Msg_Task:Apr1515:29:35.
640:processBonjourPacket:986AP-MAC=C8:4C:75:D1:77:20hasap-group=GBH*Bonjour_Msg_Task:Apr1515:29:35.
640:SendingBonjourResponse*Bonjour_Msg_Task:Apr1515:29:35.
640:ServiceProviderName:_dns-sd.
_udp.
YVG.
local.
,MsalServiceName:HP_Photosmart_Printer_1*Bonjour_Msg_Task:Apr1515:29:35.
640:SendingQueryResponsebonjSpNameStr:_dns-sd.
_udp.
YVG.
local.
,bonjMsalServiceName:HP_Photosmart_Printer_1,bonjourMsgId:0,dstMac:B0:65:BD:DF:F8:71dstIP:172.
29.
0.
100*Bonjour_Msg_Task:Apr1515:29:35.
640:vlanId:909,allvlan:0,isMcast:1,toSta:1*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71Successfullysentresponseforservice:_universal.
_sub.
_ipp.
_tcp.
local.
.
*Bonjour_Process_Task:Apr1515:29:35.
641:InsidebuildBonjourQueryResponsePld,available_len=1366*Bonjour_Process_Task:Apr1515:29:35.
641:Notabletoattachanyrecord*Bonjour_Process_Task:Apr1515:29:35.
641:ErrorbuildingtheBonjourPacket!
!
说明客户端为'_universal.
_sub.
_ipps.
_tcp.
local会要求'.
或者'_universal.
_sub.
_ipp.
_tcp.
local'.
而不是'_ipp.
_tcp.
local'.
或者'_ipp.
_tcp.
local'.
字符串.
没因此已添加AirPrint服务会工作.
它识别将被映射的请求的服务字符串对'HP_Photosmart_Printer_1同一服务在被映射的配置文件被添加了到WLAN,并且仍有为设备列出的没有服务.
发现由于域名被添附的和查询'dnsSD.
_udp.
YVG.
local的客户端'.
当域名被添附WLC没有能处理Bonjour数据包作为'dnsSD.
_udp.
YVG.
local'.
在数据库不存在.
识别给的增强bug关于同样-CSCuj32157解决方法唯一的工作是禁用DHCP选项15(域名)或删除域名从客户端.
方案14:Apple无法IOS的客户端'加入由于的网络'禁用快速SSID更改条件多数AppleIOS设备有问题移动从一WLAN到另一个在同样CiscoWLC以默认"禁用的快速ssid更改'.
设置导致控制器解除验证从一次存在客户端尝试联合到另一个的WLAN的客户端.
典型的结果是在IOS设备的一个"无法加入网络'消息显示客户端(jk-2504-116)>show网络摘要快速SSID更改.
禁用调试运行了(jk-2504-116)>debugclient1c:e6:2b:cd:da:9d(jk-2504-116)>*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dAssociationreceivedfrommobileonBSSID00:21:a0:e3:fd:beAppleClientinitiatingswitchfromonewlantoanother.
*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dGlobal200ClientsareallowedtoAPradio*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dMaxClientTrapThreshold:0cur:1*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dRfprofile600ClientsareallowedtoAPwlan*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dDeletingclientimmediatelysinceWLANhaschanged//WLCremovingappleclientfromoriginalWLAN*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dSchedulingdeletionofMobileStation:(callerId:50)in1seconds*osapiBsnTimer:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dapfMsExpireCallback(apf_ms.
c:625)ExpiringMobile!
*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dapfMsExpireMobileStation(apf_ms.
c:6632)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromAssociatedtoDisassociated*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dSentDeauthenticatetomobileonBSSID00:21:a0:e3:fd:b0slot1(callerapf_ms.
c:6726)*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dFoundancacheentryforBSSID00:21:a0:e3:fd:bfinPMKIDcacheatindex0ofstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dRemovingBSSID00:21:a0:e3:fd:bffromPMKIDcacheofstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dResettingMSCBPMKCacheEntry0forstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dSettingactivekeycacheindex0--->8*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dDeletingthePMKcachewhende-authenticatingtheclient.
*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dGlobalPMKCachedeletionfailed.
*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dapfMsAssoStateDec*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dapfMsExpireMobileStation(apf_ms.
c:6764)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromDisassociatedtoIdle*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dpemApfDeleteMobileStation2:APF_MS_PEM_WAIT_L2_AUTH_COMPLETE=0.
*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9d192.
168.
165.
31START(0)DeletedmobileLWAPPruleonAP[00:21:a0:e3:fd:b0]*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dDeletingmobileonAP00:21:a0:e3:fd:b0(1)*pemReceiveTask:Jan3021:33:15.
377:1c:e6:2b:cd:da:9d192.
168.
165.
31RemovedNPUentry.
*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dAddingmobileonLWAPPAP00:21:a0:e3:fd:b0(1)Noclientactivityfor>7secduetofast-ssidchangedisabled*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dAssociationreceivedfrommobileonBSSID00:21:a0:e3:fd:bf*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dGlobal200ClientsareallowedtoAPradio*apfMsConnTask_7:Jan3021:33:23.
891:1c:e6:2b:cd:da:9dSendingAssocResponsetostationonBSSID00:21:a0:e3:fd:bf(status0)ApVapId1Slot1*apfMsConnTask_7:Jan3021:33:23.
892:1c:e6:2b:cd:da:9dapfProcessAssocReq(apf_80211.
c:8292)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromAssociatedtoAssociated解决方法Enable(event)从WLCGUI>>Controller>>General的法塞特ssid更改方案15:成功的客户端LDAP关联巩固使用TLS的控制器和LDAP服务器之间的连接的安全LDAP帮助.
此功能支持与控制器软件版本7.
6以上.
有可以由控制器发送到LDAP服务器查询的两种类型:1.
匿名:在此类型,当客户端需要获得authenticatied时,控制器发送认证请求到LDAP服务器.
LDAP服务器回应查询的结果.
在此交换期间包括客户端用户名/密码的所有信息在明文发送.
只要捆绑用户名/密码被添加,LDAP服务器将回应对从任何人的一查询.
已验证:在此方法控制器配置与使用用LDAP服务器验证本身的用户名和密码.
密码加密与MD5SASL和被发送到LDAP服务器在认证过程中.
这正确地帮助LDAP服务器识别认证请求的来源.
然而,即使控制器的标识保护客户端详细信息在明文发送.
2.
LDAP的实际需求在TLS来由于客户端验证数据和处理其余无危险发生的两个这两个方法摆在的安全漏洞.
要求运行软件版本7.
6的WLC以上执行LDAP的Microsoft服务器调试运行了debugaaaldapenable(event)*LDAPDBTask1:Feb0612:28:12.
912:ldapAuthRequest[1]calledlcapi_querybase="CN=Users,DC=gceaaa,DC=com"type="person"attr="sAMAccountName"user="Ishaan"(rc=0-Success)*LDAPDBTask1:Feb0612:28:12.
912:AttemptinguserbindwithusernameCN=Ishaan,CN=Users,DC=gceaaa,DC=com*LDAPDBTask1:Feb0612:28:12.
914:LDAPATTR>dn=CN=Ishaan,CN=Users,DC=gceaaa,DC=com(size35)*LDAPDBTask1:Feb0612:28:12.
914:HandlingLDAPresponseSuccess//indicatespassedLDAPauth.
方案16:在LDAP失败的客户端验证调试运行debugaaaldapenable(event)*LDAPDBTask1:Feb0717:19:46.
535:LDAP_CLIENT:Receivednoreferralsinsearchresultmsg*LDAPDBTask1:Feb0717:19:46.
535:LDAP_CLIENT:Received1attributesinsearchresultmsg*LDAPDBTask1:Feb0717:19:46.
535:ldapAuthRequest[1]calledlcapi_querybase="CN=Users,DC=gceaaa,DC=com"type="person"attr="sAMAccountName"user="ish"(rc=0-Success)*LDAPDBTask1:Feb0717:19:46.
535:HandlingLDAPresponseAuthenticationFailed//Failedauth*LDAPDBTask1:Feb0717:19:46.
536:Authenticatedbind:Closingthebindedsession解决方法检查LDAP服务器拒绝原因.
方案17:客户端关联问题由于LDAP在WLC被不正确配置调试运行了debugaaaldapenable(event)*LDAPDBTask1:Feb0717:21:26.
710:ldapInitAndBind[1]calledlcapi_init(rc=0-Success)*LDAPDBTask1:Feb0717:21:26.
712:ldapInitAndBind[1]configuredMethodAuthenticatedlcapi_bind(rc=49-Invalidcredentials)*LDAPDBTask1:Feb0717:21:26.
787:ldapClose[1]calledlcapi_close(rc=0-Success)*LDAPDBTask1:Feb0717:21:26.
787:LDAPserver1changedstatetoIDLE*LDAPDBTask1:Feb0717:21:26.
787:LDAPserver1changedstatetoERROR*LDAPDBTask1:Feb0717:21:26.
787:HandlingLDAPresponseInternalError解决方法验证在client/WLC和LDAP服务器间的凭证.
方案18:客户端关联问题,当LDAP服务器是不可得到的调试运行了debugaaaldapenable(event)*LDAPDBTask2:Feb0717:26:45.
874:ldapInitAndBind[2]configuredMethodAnonymouslcapi_bind(rc=1005-LDAPbindfailed)*LDAPDBTask2:Feb0717:26:45.
874:ldapClose[2]calledlcapi_close(rc=0-Success)*LDAPDBTask2:Feb0717:26:45.
875:LDAPserver2changedstatetoIDLE*LDAPDBTask2:Feb0717:26:45.
875:LDAPserver2changedstatetoERROR*LDAPDBTask2:Feb0717:26:45.
875:HandlingLDAPresponseInternalError解决方法检查WLC和LDAP服务器网络连通性问题.
方案19:漫游问题的Apple客户端由于未命中粘贴漫游配置条件AIR-CT5508-K9/7.
4.
100.
0Apple从使用以下的无线网络的设备断开:WPA2策略WPA2加密AES启用的验证802.
1X认证和授权通过CiscoISEApple设备从广播的SSID周期地断开.
示例是丢弃的IP电话,当另一个电话在同一个位置依然是已连接时.
所以,随机地发生(时间和电话).
没有问题的笔记本电脑客户端.
他们连接对同样SSID.
此问题在正常操作时发生,没有漫游,没有备用模式.
WLAN已经删除可能导致问题的所有可能的设置(Aironetext).
调试运行了调试客户端*apfMsConnTask_5:Jun1116:12:56.
342:f0:d1:a9:bb:2d:faReceivedRSNIEwith0PMKIDsfrommobilef0:d1:a9:bb:2d:faAt16:12:56inthedebugsweseeaclientre-association.
FromtheretheAPisexpectingtheclienttopresentitsoldPMKID(PairwiseMasterKeyIdentifiers).
Atthispointitdoesn't!
FromtheabovemessagetheAP/WLCdidn'treceiveaPMKIDfromtheiPhone.
Thisiskindofexpectedfromthistypeofclient.
AppledevicesdonotusetheopportunistickeycachingwhichallowsclientstousetheSAMEPMKIDatallAps.
AppledevicesuseakeycachemethodofStickyKeyCaching.
ThisinturnmeansthattheclienthastobuildaPMKIDatEACHAPinordertosuccessfullyroamtotheAP.
Aswecanseetheclientdidn'tpresentaPMKIDtousesowesentitthroughlayer2security/EAPagain.
TheclientthenhitsasnagintheEAPprocesswheretheclientfailstorespondtotheEAPIDorrequestforcredentialsuntilthesecondattempt*dot1xMsgTask:Jun1116:12:56.
345:f0:d1:a9:bb:2d:faSendingEAP-Request/Identitytomobilef0:d1:a9:bb:2d:fa(EAPId1)*osapiBsnTimer:Jun1116:13:26.
288:f0:d1:a9:bb:2d:fa802.
1x'txWhen'Timerexpiredforstationf0:d1:a9:bb:2d:faandformessage=M0Afterthissnagtheclientisallowedbackontothenetworkallinapprox.
1.
5seconds.
ThisisgoingtobenormalandEXPECTEDbehaviorcurrentlywithStickykeycacheclients.
解决方法什么我们能为有SKC的客户当前执行(粘贴关键高速缓冲存储)客户端并且有WLC代码7.
2和更加高是enable(event)漫游SKC的(粘贴关键缓存)支持.
默认情况下仅WLC支持OKC(机会主义的关键高速缓冲存储).
为了允许客户端使用它生成在每个AP的其旧有PMKIDs我们必须通过WLCCLI启用它.
设置WLAN安全WPAwpa2缓存粘贴enable(event)请记住此不会改善初始漫游由于SKC的本质;然而,它将改进随后漫游对同样Aps(8由书).
步行沿着向下与8Aps的一楼道的Imagine.
第一个初排将包括全双工assocations在与大约1-2秒滞后的每个AP.
当您到达末端并且走上一步客户端将提交8唯一PMKIDs,当移动回到同样Aps,并且不会必须通过一全双工验证,如果SKC支持启用.
因而删除滞后和客户端将看上去坚持已连接.
方案20:验证法塞特安全漫游(FSR)与CCKMhttp://www.
cisco.
com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.
html调试运行调试客户端*apfMsConnTask_2:Jun2515:43:33.
749:00:40:96:b7:ab:5cCCKM:ReceivedREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
749:00:40:96:b7:ab:5cReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:93*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cProcessingWPAIEtype221,length22formobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:MobileisusingCCKMTheReassociationRequestisreceivedfromtheclient,whichprovidestheCCKMinformationneededinordertoderivethenewkeyswithafast-secureroam.
*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cSettingactivekeycacheindex0--->8*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:ProcessingREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:usingHMACMD5tocomputeMICWLCcomputestheMICusedforthisCCKMfast-roamingexchange.
*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:ReceivedavalidREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCCKM:InitializingPMKcacheentrywithanewPTKThenewPTKisderived.
*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->8*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->8*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->0*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCreatingaPKCPMKIDCacheentryforstation00:40:96:b7:ab:5c(RSN0)onBSSID84:78:ac:f0:2a:93ThenewPMKIDcacheentryiscreatedforthisnewAP-to-clientassociation.
*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCCKM:usingHMACMD5tocomputeMIC*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cIncludingCCKMResponseIE(length62)inAssocResptomobile*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSendingAssocResponsetostationonBSSID84:78:ac:f0:2a:93(status0)ApVapId4Slot0TheReassociationResponseissentfromtheWLC/APtotheclient,whichincludestheCCKMinformationrequiredinordertoconfirmthenewfast-roamandkeyderivation.
*dot1xMsgTask:Jun2515:43:33.
757:00:40:96:b7:ab:5cSkippingEAP-Successtomobile00:40:96:b7:ab:5cEAPisskippedduetothefastroaming,andCCKMdoesnotrequirefurtherkeyhandshakes.
TheclientisnowreadytopassencrypteddataframesonthenewAP.
如显示的,法塞特安全漫游执行避免EAP验证帧和更加4方式握手,因为新的加密密钥仍然派生,但是根据CCKM协商方案.
这完成与客户端和WLC和信息早先缓存的漫游再聚集帧.
方案21:验证法塞特安全漫游(FSR)用WPA2PMKID缓存调试运行了调试客户端*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ReassociationreceivedfrommobileonBSSID84:78:ac:f0:68:d2ThisistheReassociationRequestfromtheclient.
*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ProcessingRSNIEtype48,length38formobileec:85:2f:15:39:32TheWLC/APfindsanInformationElementthatclaimsPMKIDCachingsupportontheAssociationrequestthatissentfromtheclient.
*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ReceivedRSNIEwith1PMKIDsfrommobileec:85:2f:15:39:32TheReassociationRequestfromtheclientcomeswithonePMKID.
*apfMsConnTask_0:Jun2200:26:40.
787:ReceivedPMKID:(16)*apfMsConnTask_0:Jun2200:26:40.
788:[0000]c94d0d9703aaa90f1bc8337301f118f5ThisisthePMKIDthatisreceived*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32SearchingforPMKIDinMSCBPMKIDcacheformobileec:85:2f:15:39:32WLCsearchesforamatchingPMKIDonthedatabase.
*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32FoundancacheentryforBSSID84:78:ac:f0:68:d2inPMKIDcacheatindex0ofstationec:85:2f:15:39:32*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32FoundavalidPMKIDintheMSCBPMKIDcacheformobileec:85:2f:15:39:32TheWLCvalidatesthePMKIDprovidedbytheclient,andconfirmsthatithasavalidPMKcacheforthisclient-and-APpair.
*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32Settingactivekeycacheindex1--->0*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32SendingAssocResponsetostationonBSSID84:78:ac:f0:68:d2(status0)ApVapId3Slot0TheReassociationResponseissenttotheclient,whichvalidatesthefast-roamwithSKC.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32InitiatingRSNwithexistingPMKtomobileec:85:2f:15:39:32WLCinitiatesaRobustSecureNetworkassociationwiththisclient-and-APpairbasedonthecachedPMKfound.
Hence,EAPisavoidedasperthenextmessage.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32SkippingEAP-Successtomobileec:85:2f:15:39:32*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32FoundancacheentryforBSSID84:78:ac:f0:68:d2inPMKIDcacheatindex0ofstationec:85:2f:15:39:32*dot1xMsgTask:Jun2200:26:40.
795:IncludingPMKIDinM1(16)ThehashedPMKIDisincludedontheMessage-1oftheWPA/WPA24-Wayhandshake.
*dot1xMsgTask:Jun2200:26:40.
795:[0000]c94d0d9703aaa90f1bc8337301f118f5ThePMKIDishashed.
ThenextmessagesarethesameWPA/WPA24-Wayhandshakemessagesdescribedthusfarthatareusedinordertofinishtheencryptionkeysgeneration/installation.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32SendingEAPOL-KeyMessagetomobileec:85:2f:15:39:32stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_2:Jun2200:26:40.
811:ec:85:2f:15:39:32ReceivedEAPOL-Keyfrommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32PMK:Sendingcacheadd*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32SendingEAPOL-KeyMessagetomobileec:85:2f:15:39:32statePTKINITNEGOTIATING(message3),replaycounter00.
00.
00.
00.
00.
00.
00.
01*Dot1x_NW_MsgTask_2:Jun2200:26:40.
820:ec:85:2f:15:39:32ReceivedEAPOL-Keyfrommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
820:ec:85:2f:15:39:32ReceivedEAPOL-keyinPTKINITNEGOTIATINGstate(message4)frommobileec:85:2f:15:39:32方案22:正在验证的法塞特安全漫游用积极的关键缓存调试运行了调试客户端*apfMsConnTask_2:Jun2121:48:50.
562:00:40:96:b7:ab:5cReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:92ThisistheReassociationRequestfromtheclient.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cProcessingRSNIEtype48,length38formobile00:40:96:b7:ab:5cTheWLC/APfindsandInformationElementthatclaimsPMKIDCachingsupportontheAssociationrequestthatissentfromtheclient.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cReceivedRSNIEwith1PMKIDsfrommobile00:40:96:b7:ab:5cTheReassociationRequestfromtheclientcomeswithonePMKID.
*apfMsConnTask_2:Jun2121:48:50.
563:ReceivedPMKID:(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cSearchingforPMKIDinMSCBPMKIDcacheformobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cNovalidPMKIDfoundintheMSCBPMKIDcacheformobile00:40:96:b7:ab:5AstheclienthasneverauthenticatedwiththisnewAP,theWLCcannotfindavalidPMKIDtomatchtheoneprovidedbytheclient.
However,sincetheclientperformsPKC/OKCandnotSKC(asperthefollowingmessages),theWLCcomputesanewPMKIDbasedontheinformationgathered(thecachedPMK,theclientMACaddress,andthenewAPMACaddress).
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cTryingtocomputeaPMKIDfromMSCBPMKcacheformobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:BSSID=(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a90*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:realAA=(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a92*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:PMKID=(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:AA(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a92*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:SPA(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]004096b7ab5c*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cAddingBSSID84:78:ac:f0:2a:92toPMKIDcacheatindex0forstation00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:NewPMKID:(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cComputedavalidPMKIDfromMSCBPMKcacheformobile00:40:96:b7:ab:5cThenewPMKIDiscomputedandvalidatedtomatchtheoneprovidedbytheclient,whichisalsocomputedwiththesameinformation.
Hence,thefast-secureroamispossible.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cSettingactivekeycacheindex0--->0*apfMsConnTask_2:Jun2121:48:50.
564:00:40:96:b7:ab:5cSendingAssocResponsetostationonBSSID84:78:ac:f0:2a:92(status0)ApVapId3SlotTheReassociationresponseissenttotheclient,whichvalidatesthefast-roamwithPKC/OKC.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cInitiatingRSNwithexistingPMKtomobile00:40:96:b7:ab:5cWLCinitiatesaRobustSecureNetworkassociationwiththisclient-andAPpairwiththecachedPMKfound.
Hence,EAPisavoided,asperthethenextmessage.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cSkippingEAP-Successtomobile00:40:96:b7:ab:5c*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cFoundancacheentryforBSSID84:78:ac:f0:2a:92inPMKIDcacheatindex0ofstation00:40:96:b7:ab:5c*dot1xMsgTask:Jun2121:48:50.
570:IncludingPMKIDinM1(16)ThehashedPMKIDisincludedontheMessage-1oftheWPA/WPA24-Wayhandshake.
*dot1xMsgTask:Jun2121:48:50.
570:[0000]9165c3fbfc4475486790d5dadfaa71e9ThePMKIDishashed.
ThenextmessagesarethesameWPA/WPA24-Wayhandshakemessagesdescribedthusfar,whichareusedinordertofinishtheencryptionkeysgeneration/installation.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cSendingEAPOL-KeyMessagetomobile00:40:96:b7:ab:5cstateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5ReceivedEAPOL-Keyfrommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5cReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5cPMK:Sendingcacheadd*Dot1x_NW_MsgTask_4:Jun2121:48:50.
590:00:40:96:b7:ab:5cSendingEAPOL-KeyMessagetomobile00:40:96:b7:ab:5cstatePTKINITNEGOTIATING(message3),replaycounter00.
00.
00.
00.
00.
00.
00.
01*Dot1x_NW_MsgTask_4:Jun2121:48:50.
610:00:40:96:b7:ab:5cReceivedEAPOL-Keyfrommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
610:00:40:96:b7:ab:5cReceivedEAPOL-keyinPTKINITNEGOTIATINGstate(message4)frommobile00:40:96:b7:ab:5cPMKID,在从客户端的再聚集请求接收后,如显示在调试初,必须计算.
这是需要的为了验证PMKID和确认被缓存的PMK与WPA24方式握手一起使用派生加密密钥和完成法塞特安全漫游.
请勿混淆在调试的CCKM条目;这没有用于为了执行CCKM,然而PKC/OKC,如以前解释.
此处CCKM是WLC的名称用于那些输出,例如处理值为了计算PMKID功能的名称.
方案23:验证法塞特安全漫游(FSR)与802.
11r调试运行调试客户端*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32DoingpreauthforthisclientovertheAirWLCbeginsFTfast-secureroamingover-the-Airwiththisclientandperformsatypeofpreauthentication,becausetheclientasksforthiswithFTontheAuthenticationframethatissenttothenewAPover-the-Air(beforetheReassociationRequest).
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32Doinglocalroamingfordestinationaddress84:78:ac:f0:2a:96WLCperformsthelocalroamingeventwiththenewAPtowhichtheclientroams.
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32Got1AKMsinRSNIE*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32RSNIEAKMmatcheswithPMKcacheentry:0x3WLCreceivesonePMKfromthisclient(knownasAKMhere),whichmatchesthePMKcacheentryholdforthisclient.
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32CreatedanewpreauthentryforAP:84:78:ac:f0:2a:96*apfMsConnTask_2:Jun2719:25:48.
751:AddingMDIE,IDis:0xaaf0WLCcreatesanewpreauthentryforthisAP-and-Clientpair,andaddstheMDIEinformation.
*apfMsConnTask_2:Jun2719:25:48.
763:Processingassoc-reqstation:ec:85:2f:15:39:32AP:84:78:ac:f0:2a:90-00thread:144bef38*apfMsConnTask_2:Jun2719:25:48.
763:ec:85:2f:15:39:32ReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:96OncetheclientreceivestheAuthenticationframereplyfromtheWLC/AP,theReassociationrequestissent,whichisreceivedatthenewAPtowhichtheclientroams.
*apfMsConnTask_2:Jun2719:25:48.
764:ec:85:2f:15:39:32MarkingthismobileasTGrcapable.
*apfMsConnTask_2:Jun2719:25:48.
764:ec:85:2f:15:39:32ProcessingRSNIEtype48,length38formobileec:85:2f:15:39:32*apfMsConnTask_2:Jun2719:25:48.
765:ec:85:2f:15:39:32Roamingsucceedforthisclient.
WLCconfirmsthattheFTfast-secureroamingissuccessfulforthisclient.
*apfMsConnTask_2:Jun2719:25:48.
765:Sendingassoc-respstation:ec:85:2f:15:39:32AP:84:78:ac:f0:2a:90-00thread:144bef38*apfMsConnTask_2:Jun2719:25:48.
766:AddingMDIE,IDis:0xaaf0*apfMsConnTask_2:Jun2719:25:48.
766:ec:85:2f:15:39:32IncludingFTMobilityDomainIE(length5)inreassociationassocResptomobile*apfMsConnTask_2:Jun2719:25:48.
766:ec:85:2f:15:39:32SendingAssocResponsetostationonBSSID84:78:ac:f0:2a:96(status0)ApVapId7Slot0TheReassociationresponseissenttotheclient,whichincludestheFTMobilityDomainIE.
*dot1xMsgTask:Jun2719:25:48.
769:ec:85:2f:15:39:32FinishingFTroamingformobileec:85:2f:15:39:32FTroamingfinishesandEAPisskipped(aswellasanyotherkeymanagementhandshake),sotheclientisreadytopassencrypteddataframeswiththecurrentAP.
*dot1xMsgTask:Jun2719:25:48.
769:ec:85:2f:15:39:32SkippingEAP-Successtomobileec:85:2f:15:39:32
场景5:客户端不能联合到AP场景6:客户端分离由于空闲超时场景7:客户端分离由于会话超时方案8:客户端分离由于WLAN更改方案9:客户端分离由于从WLC的手工的删除方案10:客户端分离由于验证超时方案11:客户端分离由于重置的AP无线电(电源/信道)方案12:Symantec与802.
1X'timeoutEvt的'客户端问题方案13:空气打印服务没为有mDNS的客户端出现监听打开了方案14:Apple无法IOS的客户端'加入由于的网络'禁用快速SSID更改方案15:成功的客户端LDAP关联方案16:在LDAP失败的客户端验证方案17:客户端关联问题由于LDAP在WLC被不正确配置方案18:客户端关联问题,当LDAP服务器是不可得到的方案19:漫游问题的Apple客户端由于未命中粘贴漫游配置方案20:验证法塞特安全漫游(FSR)与CCKM方案21:验证法塞特安全漫游(FSR)用WPA2PMKID缓存方案22:正在验证的法塞特安全漫游用积极的关键缓存方案23:验证法塞特安全漫游(FSR)与802.
11r简介本文描述通过调试的欺诈行为图表(通常"调试客户端解析").
要解析通过"请显示客户端",并且调试将要求我们对首先明白一些PEM状态和APF状态.
贡献用尚卡尔Ramanathan,CiscoTAC工程师.
使用的组件在此documemt的信息根据所有"AireOS"控制器.
控制器440x,5508,5520,75xx,85xx,2504和vWLC以及Wisms.
q虽然许多概念是相同的在聚合的访问IOS-XE控制器和交换机,本文不适用于他们作为输出,并且调试是完全不同的.
q本文档中的信息都是基于特定实验室环境中的设备编写的.
本文档中使用的所有设备最初均采用原始(默认)配置.
如果您的网络处于活动状态,请确保您了解所有命令的潜在影响.
向PEM状态介绍显示客户端输出开始—新的客户端条目的最初的状态.
qAUTHCHECK—WLAN具有要强制执行的L2认证策略.
q8021X_REQD—客户端必须完成802.
1x验证.
qL2AUTHCOMPLETE—客户端顺利地完成L2策略.
该进程现在可继续执行L3策略(地址识别、Web认证等).
此时,控制器发送移动声明以从其他控制器获得L3信息(如果这是位于同一移动组中的漫游客户端).
qWEP_REQD—客户端必须完成WEP身份验证.
qDHCP_REQD—控制器需要了解从客户端的L3地址,由ARP请求完成,DHCP请求或由从在移动组的其他控制器了解的信息更新,或者.
如果WLAN上标记有DHCPRequired,则仅使用DHCP或移动信息.
qWEBAUTH_REQD—客户端必须完成Web验证.
(L3策略)qCENTRAL_WEBAUTH_REQD--客户端必须完成CWA登录,WLC等待接收CoAqRAN—客户端顺利地完成需要的L2和L3策略,并且能当前传输流量到网络.
q给的方案显示普通的误配置的关键调试线路在无线设置,那突出显示在粗体的关键参数.
情形1:WPA/WPA2PSK验证的不正确的配置的密码短语在客户端(CiscoController)>showclientdetail24:77:03:19:fb:70ClientMACAddress.
24:77:03:19:fb:70ClientUsernameN/AAPMACAddress.
ec:c8:82:a4:5b:c0APName.
Shankar_AP_1042APradioslotId.
1ClientState.
AssociatedClientNACOOBState.
AccessWirelessLANId.
5Hotspot(802.
11u)NotSupportedBSSID.
ec:c8:82:a4:5b:cbConnectedFor0secsChannel.
44IPAddress.
UnknownGatewayAddress.
UnknownNetmask.
UnknownAssociationId.
1AuthenticationAlgorithm.
OpenSystemReasonCode.
1StatusCode.
0SessionTimeout.
0ClientCCXversion.
4ClientE2Eversion.
1QoSLevel.
SilverAvgdataRate.
0BurstdataRate.
0AvgRealtimedataRate.
0BurstRealTimedataRate.
0802.
1PPriorityTag.
2CTSSecurityGroupTag.
NotApplicableKTSCACCapability.
NoWMMSupport.
EnabledAPSDACs.
BKBEVIVOPowerSave.
OFFCurrentRate.
m15SupportedRates.
6.
0,9.
0,12.
0,18.
0,24.
0,36.
0,48.
0,54.
0MobilityState.
NoneMobilityMoveCount.
0SecurityPolicyCompleted.
NoPolicyManagerState.
8021X_REQD//ThisprovesclientisstrugglingtoclearLayer-2authentication.
ItmeanswehavetomovetodebugtounderstandwhereinL-2wearefailingPolicyManagerRuleCreated.
YesAuditSessionID.
noneAAARoleType.
noneLocalPolicyApplied.
noneIPv4ACLName.
noneFlexConnectACLAppliedStatus.
UnavailableIPv4ACLAppliedStatus.
UnavailableIPv6ACLName.
noneIPv6ACLAppliedStatus.
UnavailableLayer2ACLName.
noneLayer2ACLAppliedStatus.
UnavailablemDNSStatus.
EnabledmDNSProfileName.
default-mdns-profileNo.
ofmDNSServicesAdvertised.
0PolicyType.
WPA2AuthenticationKeyManagement.
PSKEncryptionCipher.
CCMP(AES)ProtectedManagementFrameNoManagementFrameProtection.
NoEAPType.
UnknownInterface.
vlan21VLAN.
21QuarantineVLAN.
0AccessVLAN.
21ClientCapabilities:CFPollable.
NotimplementedCFPollRequest.
NotimplementedShortPreamble.
NotimplementedPBCC.
NotimplementedChannelAgility.
NotimplementedListenInterval.
10FastBSSTransition.
NotimplementedClientWifiDirectCapabilities:WFDcapable.
NoMangedWFDcapable.
NoCrossConnectionCapable.
NoSupportConcurrentOperation.
NoFastBSSTransitionDetails:ClientStatistics:NumberofBytesReceived.
423NumberofBytesSent.
429NumberofPacketsReceived.
3NumberofPacketsSent.
4NumberofInterim-UpdateSent.
0NumberofEAPIdRequestMsgTimeouts.
.
.
.
.
.
0NumberofEAPIdRequestMsgFailures.
.
.
.
.
.
0NumberofEAPRequestMsgTimeouts.
0NumberofEAPRequestMsgFailures.
0NumberofEAPKeyMsgTimeouts.
0NumberofEAPKeyMsgFailures.
0NumberofDataRetries.
0NumberofRTSRetries.
0NumberofDuplicateReceivedPackets.
.
.
.
.
.
.
0NumberofDecryptFailedPackets.
0NumberofMicFailuredPackets.
0NumberofMicMissingPackets.
0NumberofRAPacketsDropped.
0NumberofPolicyErrors.
0RadioSignalStrengthIndicator.
18dBmSignaltoNoiseRatio.
40dBClientRateLimitingStatistics:NumberofDataPacketsRecieved.
0NumberofDataRxPacketsDropped.
0NumberofDataBytesRecieved.
0NumberofDataRxBytesDropped.
0NumberofRealtimePacketsRecieved.
0NumberofRealtimeRxPacketsDropped.
.
.
.
.
.
0NumberofRealtimeBytesRecieved.
0NumberofRealtimeRxBytesDropped.
0NumberofDataPacketsSent.
0NumberofDataTxPacketsDropped.
0NumberofDataBytesSent.
0NumberofDataTxBytesDropped.
0NumberofRealtimePacketsSent.
0NumberofRealtimeTxPacketsDropped.
.
.
.
.
.
0NumberofRealtimeBytesSent.
0NumberofRealtimeTxBytesDropped.
0NearbyAPStatistics:Shankar_AP_1602(slot0)antenna0:0secsago.
25dBmantenna1:0secsago.
40dBmShankar_AP_1602(slot1)antenna0:1secsago.
41dBmantenna1:1secsago.
27dBmShankar_AP_3502(slot0)antenna0:0secsago.
90dBmantenna1:0secsago.
83dBmShankar_AP_1042(slot0)antenna0:0secsago.
32dBmantenna1:0secsago.
41dBmShankar_AP_1042(slot1)antenna0:0secsago.
50dBmantenna1:0secsago.
42dBmDNSServerdetails:DNSserverIP0.
0.
0.
0DNSserverIP0.
0.
0.
0AssistedRoamingPredictionListdetails:ClientDhcpRequired:FalseAllowed(URL)IPAddresses调试客户端分析(CiscoController)>debugclient24:77:03:19:fb:70*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70AssociationreceivedfrommobileonBSSID08:cc:68:67:1f:fb//ClienthasinitiatedassociationforAPwithBSSID08:cc:68:67:1f:fb*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Global200ClientsareallowedtoAPradio*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70MaxClientTrapThreshold:0cur:0*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Rfprofile600ClientsareallowedtoAPwlan*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70ApplyingInterfacepolicyonMobile,roleUnassociated.
MsNACState2QuarantineVlan0AccessVlan21*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70Re-applyinginterfacepolicyforclient*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:700.
0.
0.
0START(0)ChangingIPv4ACL'none'(ACLID255)===>'none'(ACLID255)---(callerapf_policy.
c:2202)*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:700.
0.
0.
0START(0)ChangingIPv6ACL'none'(ACLID255)===>'none'(ACLID255)---(callerapf_policy.
c:2223)*apfMsConnTask_4:May0717:03:56.
060:24:77:03:19:fb:70apfApplyWlanPolicy:ApplyWLANPolicyoverPMIPv6ClientMobilityType*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70InprocessSsidIE:4795settingCentralswitchedtoTRUE*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70InprocessSsidIE:4798apVapId=5andSplitAclId=65535*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70Applyingsite-specificLocalBridgingoverrideforstation24:77:03:19:fb:70-vapId5,site'default-group',interface'vlan21'*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70ApplyingLocalBridgingInterfacePolicyforstation24:77:03:19:fb:70-vlan21,interfaceid14,interface'vlan21'*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70processSsidIEstatusCodeis0andstatusis0*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70processSsidIEssid_done_flagis0finish_flagis0*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70STA-rates(8):14018243648729610800000000*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70suppRatesstatusCodeis0andgotSuppRatesElementis1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70ProcessingRSNIEtype48,length22formobile24:77:03:19:fb:70*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70pemApfDeleteMobileStation2:APF_MS_PEM_WAIT_L2_AUTH_COMPLETE=0.
*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)DeletedmobileLWAPPruleonAP[ec:c8:82:a4:5b:c0]*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70UpdatedlocationforstationoldAPec:c8:82:a4:5b:c0-1,newAP08:cc:68:67:1f:f0-1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70UpdatingAIDforREAPAPClient08:cc:68:67:1f:f0-AID===>1*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)Initializingpolicy*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0START(0)ChangestatetoAUTHCHECK(2)laststateSTART(0)*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
0AUTHCHECK(2)Changestateto8021X_REQD(3)laststateAUTHCHECK(2)//CliententeringL2authenticationstage*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70CentralswitchisTRUE*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:70NotUsingWMMCompliancecodeqosCap00*apfMsConnTask_4:May0717:03:56.
061:24:77:03:19:fb:700.
0.
0.
08021X_REQD(3)PlumbedmobileLWAPPruleonAP08:cc:68:67:1f:f0vapId5apVapId5flex-acl-name:*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfMsAssoStateInc*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfPemAddUser2(apf_policy.
c:333)Changingstateformobile24:77:03:19:fb:70onAP08:cc:68:67:1f:f0fromDisassociatedtoAssociated*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfPemAddUser2:sessiontimeoutforstation24:77:03:19:fb:70-SessionTout0,apfMsTimeOut'0'andsessionTimerRunningflagis0*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70StoppingdeletionofMobileStation:(callerId:48)*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70Func:apfPemAddUser2,MsTimeout=0,SessionTimeout=0*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70SendingAssocResponsetostationonBSSID08:cc:68:67:1f:fb(status0)ApVapId5Slot1*apfMsConnTask_4:May0717:03:56.
062:24:77:03:19:fb:70apfProcessAssocReq(apf_80211.
c:8292)Changingstateformobile24:77:03:19:fb:70onAP08:cc:68:67:1f:f0fromAssociatedtoAssociated*spamApTask3:May0717:03:56.
065:24:77:03:19:fb:70Sent1xinitiatemessagetomultithreadtaskformobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
065:24:77:03:19:fb:70CreatingaPKCPMKIDCacheentryforstation24:77:03:19:fb:70(RSN2)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70ResettingMSCBPMKCacheEntry0forstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70RemovingBSSIDec:c8:82:a4:5b:cbfromPMKIDcacheofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Settingactivekeycacheindex0--->8*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Settingactivekeycacheindex8--->0*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70AddingBSSID08:cc:68:67:1f:fbtoPMKIDcacheatindex0forstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:NewPMKID:(16)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:[0000]d7578eff2b27014e93390b1c1f46d2da*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70InitiatingRSNPSKtomobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70EAP-PARAMDebug-eap-paramsforWlan-Id:5isdisabled-applyingGlobaleaptimersandretries*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70dot1x-movingmobile24:77:03:19:fb:70intoForceAuthstate*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70EAPOLHeader:*Dot1x_NW_MsgTask_0:May0717:03:56.
066:00000000:0203005f.
.
.
_*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70FoundancacheentryforBSSID08:cc:68:67:1f:fbinPMKIDcacheatindex0ofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70FoundancacheentryforBSSID08:cc:68:67:1f:fbinPMKIDcacheatindex0ofstation24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:IncludingPMKIDinM1(16)*Dot1x_NW_MsgTask_0:May0717:03:56.
066:[0000]d7578eff2b27014e93390b1c1f46d2da*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70Startingkeyexchangetomobile24:77:03:19:fb:70,datapacketswillbedropped*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70SendingEAPOL-KeyMessagetomobile24:77:03:19:fb:70stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70SendingEAPOL-KeyMessagetomobile24:77:03:19:fb:70stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70AllocatingEAPPktforretransmissiontomobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsLwappLradNhMac=b0:fa:eb:b8:f5:12mscb->apfMsLradSlotId=1mscb->apfMsLradJumbo=0mscb->apfMsintIfNum=1*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsBssid=08:cc:68:67:1f:f0mscb->apfMsAddress=24:77:03:19:fb:70mscb->apfMsApVapId=5*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70dot1xcb->snapOrg=000000dot1xcb->eapolWepBit=0mscb->apfMsLwappLradVlanId=0mscb->apfMsLwappMwarInet.
ipv4.
addr=181004965*Dot1x_NW_MsgTask_0:May0717:03:56.
066:24:77:03:19:fb:70mscb->apfMsLwappMwarPort=5246mscb->apfMsLwappLradInet.
ipv4.
addr=181004985mscb->apfMsLwappLradPort=36690*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-Keyfrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70IgnoringinvalidEAPOLversion(1)inEAPOL-keymessagefrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
069:24:77:03:19:fb:70ReceivedEAPOL-keyM2withinvalidMICfrommobile24:77:03:19:fb:70version2*osapiBsnTimer:May0717:03:56.
364:24:77:03:19:fb:70802.
1x'timeoutEvt'Timerexpiredforstation24:77:03:19:fb:70andformessage=M2!
---MICerrorduetowrongpresharedkey*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70Retransmit1ofEAPOL-KeyM1(length121)formobile24:77:03:19:fb:70*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70mscb->apfMsLwappLradNhMac=b0:fa:eb:b8:f5:12mscb->apfMsLradSlotId=1mscb->apfMsLradJumbo=0mscb->apfMsintIfNum=1*dot1xMsgTask:May0717:03:56.
364:24:77:03:19:fb:70mscb->apfMsBssid=08:cc:68:67:1f:f0mscb->apfMsAddress=24:77:03:19:fb:70mscb->apfMsApVapId=5*dot1xMsgTask:May0717:03:56.
365:24:77:03:19:fb:70dot1xcb->snapOrg=000000dot1xcb->eapolWepBit=0mscb->apfMsLwappLradVlanId=0mscb->apfMsLwappMwarInet.
ipv4.
addr=181004965*dot1xMsgTask:May0717:03:56.
365:24:77:03:19:fb:70mscb->apfMsLwappMwarPort=5246mscb->apfMsLwappLradInet.
ipv4.
addr=181004985mscb->apfMsLwappLradPort=36690*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-Keyfrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70IgnoringinvalidEAPOLversion(1)inEAPOL-keymessagefrommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile24:77:03:19:fb:70*Dot1x_NW_MsgTask_0:May0717:03:56.
366:24:77:03:19:fb:70ReceivedEAPOL-keyM2withinvalidMICfrommobile24:77:03:19:fb:70version2*osapiBsnTimer:May0717:03:56.
764:24:77:03:19:fb:70802.
1x'timeoutEvt'Timerexpiredforstation24:77:03:19:fb:70andformessage=M2!
---MICerrorduetowrongpresharedkey被总结的结论虽然"timeoutEvt'M2密钥的可能也归结于driver/NIC错误,一个多数常见问题是进入PSK密码的用户(未接区分大小写/特殊cahracters的不正确凭证等等)和无法连接.
方案2:无线电话Handsets(792x/9971)不能与无线"分支服务区域"产生关联参考:https://supportforums.
cisco.
com/document/12068061/7925g-handsets-failing-association-ap-call-failed-tspec-qos-policy-does-not-match拓扑与CiscoUnified无线IP电话的WLAN问题详细资料AIR-CT5508-50-K9//升级电话的固件,并且无线控制器不接受电话注册调试和日志apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxAssociationreceivedfrommobileonAP3x:xx:cx:9x:x0:x0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xx0.
0.
0.
0START(0)ChangingIPv4ACL'none'(ACLIDxxx)===>'none'(ACLIDxxx)---(callerapf_policy.
c:1x09)*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xx0.
0.
0.
0START(0)ChangingIPv6ACL'none'(ACLIDxxx5)===>'none'(ACLIDxxx)---(callerapf_policy.
c:18x6)*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxApplyingsite-specificLocalBridgingoverrideforstation1x:xx:1x:xx:xx:xx-vapId1,site'default-group',interface'xwirex'*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxApplyingLocalBridgingInterfacePolicyforstation1x:xx:1x:xx:xx:xx-vlan510,interfaceid12,interface'xwirex'*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxprocessSsidIEstatusCodeis0andstatusis0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxprocessSsidIEssid_done_flagis0finish_flagis0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSTA-rates(4):130132139150000000000000*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxsuppRatesstatusCodeis0andgotSuppRatesElementis1*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSTA-rates(12):130132139150121824364872961080000*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxextSuppRatesstatusCodeis0andgotExtSuppRatesElementis1*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxProcessingRSNIEtype48,length22formobile1x:xx:1x:xx:xx:xx*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxCCKM:MobileisusingCCKM*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxReceivedRSNIEwith0PMKIDsfrommobile1x:xx:1x:xx:xx:xx*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSettingactivekeycacheindex8--->8*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxunsettingPmkIdValidatedByAp*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSendingAssocResponsetostationonBSSID3x:xx:cx:9x:x0:x0(status201)ApVapId1Slot0*apfMsConnTask_1:xxxxxx:50:xx.
xxx:1x:xx:1x:xx:xx:xxSchedulingdeletionofMobileStation:(callerId:22)in3secondsVoIPCallFailure:'1x:xx:1x:xx:xx:xx'client,detectedby'xx-xx-xx'APonradiotype'802.
11b/g'.
Reason:'Callfailed:TSPECQOSPolicydoesnotmatch'.
MeansplatinumQoSwasnotconfiguredonWLAN1x:xxPMClientExcluded:MACAddress:1x:xx:1x:xx:xx:xxBaseRadioMAC:3x:xx:cx:9x:x0:x0Slot:1UserName:dwpv\mtl7925IpAddress:xx.
xx.
x.
xxReason:802.
11Associationfailedrepeatedly.
ReasonCode:2结论在WLC的调试显示7925G失效关联作为APreturns关联状态码201.
这归结于从拒绝的话筒的一TSPEC(流量规格)请求由于WLAN配置.
WLAN7925G尝试连接配置与银QoS配置文件(0,3),而不是白金服务(6,7)如所需求.
这导致语音流量/操作帧交换的一TSPEC不匹配从话筒通过WLAN和根本地拒绝从AP.
特别地创建与白金服务QoS配置文件的一新的WLAN7925G话筒的和配置根据已建立最佳实践和如对7925G部署指南定义:http://www.
cisco.
com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.
pdf一旦配置,问题是解决的.
情形3:WPA的为WPA2仅配置的客户机中配置,但是AP调试客户端WedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:23)in5secondsWedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxapfProcessProbeReq(apf_80211.
c:4057)Changingstateformobilexx.
xx.
xx.
xx.
xx.
xxonAPfromIdletoProbeControlleraddsthenewclient,movingintoprobingstatusWedMay710:51:372014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:382014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:382014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsAPisreportingprobeactivityevery500msasconfiguredWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:412014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:442014:xx.
xx.
xx.
xx.
xx.
xxSchedulingdeletionofMobileStation:(callerId:24)in5secondsWedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xxapfMsExpireCallback(apf_ms.
c:433)ExpiringMobile!
WedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xx0.
0.
0.
0START(0)DeletedmobileLWAPPruleonAP[]WedMay710:51:492014:xx.
xx.
xx.
xx.
xx.
xxDeletingmobileonAP(0)After5secondsofinactivity,clientisdeleted,nevermovedintoauthenticationorassociationphases.
场景4:解析AAA返回或答复代码.
对收集预计日志的RAN的需要的调试:(Cisco控制器)>debugMAC地址(Cisco控制器)>debugaaa事件enable(event)(或)(Cisco控制器)>debug客户端(Cisco控制器)>debugaaa事件enable(event)(Cisco控制器)>debugaaa错误enable(event)如果陷阱启用,AAA连通性故障形成SNMP陷阱.
示例debug输出*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7InvalidRADIUSmessageauthenticatorformobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7RADIUSmessageverificationfailedfromserver10.
50.
0.
74withid=213.
Possiblesecretmismatchformobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:70:f1:a1:69:7b:e7ReturningAAAError'AuthenticationFailed'(-4)formobile70:f1:a1:69:7b:e7*radiusTransportThread:Mar2617:54:58.
054:AuthorizationResponse:0x4259f944ReturningAAAError'Success'(0)formobileSuccessfulAuthenticationhappened,AAAreturnsaccess-acceptpriortoSuccess(0)toconfirmthesame.
ReturningAAAError'OutofMemory'(-2)formobileit'stherarereason.
CSCud12582ProcessingAAAError'OutofMemory'ReturningAAAError'AuthenticationFailed'(-4)formobileitsthemostcommonreasonseen可能的来源:无效用户帐户和密码1.
计算机域的不是成员,在AD侧发出.
2.
证书服务工作不正常3.
超时的服务器证书或不在使用中4.
不正确地配置的RADIUS5.
不正确地被输入的访问密钥-区分大小写(因此是SSID)6.
更新Microsoft补丁.
7.
EAP计时器.
8.
在客户端/服务器配置的不正确eap方法.
9.
客户端证书超时或不在使用中.
10.
回归AAA错误'超时'(-5)莫比尔的AAA服务器不可达的,跟随由客户端deauth.
示例:WedOct2620:08:502011:00:13:ce:1a:92:41MaxretransmissionofAccess-Request(id100)to155.
43.
129.
216reachedformobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41[Error]Clientrequestednoretriesformobile00:13:CE:1A:92:41WedOct2620:08:502011:00:13:ce:1a:92:41ReturningAAAError'Timeout'(-5)formobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41ProcessingAAAError'Timeout'(-5)formobile00:13:ce:1a:92:41WedOct2620:08:502011:00:13:ce:1a:92:41SentDeauthenticatetomobileonBSSID00:0b:85:76:d3:e0slot1(caller1x_auth_pae.
c:1033)WedOct2620:08:502011:00:13:ce:1a:92:41SchedulingdeletionofMobileStation:(callerId:65)in10seconds回归AAA错误'内部错误'(-6)莫比尔的AAA/()/WLCWLC''DeauthCSCum83894AAA''w/unknown示例:*radiusTransportThread:Feb2112:14:36.
109:AbortingATTRprocessing599(avp26/6)*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fdInvalidRADIUSresponsereceivedfromserver192.
168.
0.
206withid=9formobile40:f0:2f:11:a9:fd*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fd[Error]Clientrequestednoretriesformobile40:F0:2F:11:A9:FD*radiusTransportThread:Feb2112:14:36.
109:40:f0:2f:11:a9:fdReturningAAAError'InternalError'(-6)formobile40:f0:2f:11:a9:fd*radiusTransportThread:Feb2112:14:36.
109:resultCode.
6*Dot1x_NW_MsgTask_5:Feb2112:14:36.
109:40:f0:2f:11:a9:fdProcessingAAAError'InternalError'(-6)formobile40:f0:2f:11:a9:fd返回AAA错误没有服务器(-7)移动的Radius没有适当地配置和或不支持的配置在使用中.
示例:*Jun2220:32:10.
229:00:21:e9:57:3c:bfReturningAAAError'NoServer'(-7)formobile00:21:e9:57:3c:bf*Jun2220:32:10.
229:AuthorizationResponse:0x1eebb3ec场景5:客户端不能联合到AP调试运行了调试客户端解析的日志发送Assoc答复驻防在BSSID00:26:cb:94:44:c0(状态0)ApVapId1Slot0Slot0=B/G(2.
4)无线电qSlot1=A(5)无线电发送Assoc答复状态0=成功q任何除状态0之外是失败同盟会答复状态码可以在https://supportforums.
cisco.
com/document/141136/80211-association-status-80211-deauth-reason-codes找到场景6:客户端分离由于空闲超时调试运行了调试客户端解析的日志从AP00:26:cb:94:44:c0的已接收Idle-timeout,STA的00:1e:8c:0f:a4:57slot0apfMsDeleteByMscb删除的日程安排移动与deleteReason4,reasonCode4移动站点的安排的删除:(callerId:30)以1秒超时莫比尔的apfMsExpireCallback(apf_ms.
c:608)!
对移动的发送的解除验证在BSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件在从客户端接收的没有流量以后发生默认持续时间是300秒解决方法增加空闲超时二者之一全局表WLCGUI>>Controller>>General或每从WLCGUI>>WLAN>>ID>>Advanced的WLAN场景7:客户端分离由于会话超时调试运行了调试客户端解析的日志apfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
apfMsExpireMobileStation(apf_ms.
c:5009)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSchedulingdeletionofMobileStation:(callerId:45)in10secondsapfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件发生在被安排的持续时间(默认1800秒)它再迫使WEBAUTH用户对WEBAUTH.
解决方法增加或禁用会话超时每从WLCGUI>>WLAN>>ID>>Advanced的WLAN方案8:客户端分离由于WLAN更改调试运行了调试客户端解析的日志apfSendDisAssocMsgDebug(apf_80211.
c:1855)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDisassociatetomobileonAP00:26:cb:94:44:c0-0(reason1,callerapf_ms.
c:4983)SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件无论如何修改在功能失效和renablesWLAN的一WLAN解决方法这是预料之中的行为.
当有做时的WLAN变动,客户端取消关联并且重新关联.
方案9:客户端分离由于从WLC的手工的删除调试运行了调试客户端解析的日志apfMsDeleteByMscbSchedulingmobilefordeletionwithdeleteReason6,reasonCode1SchedulingdeletionofMobileStation:(callerId:30)in1secondsapfMsExpireCallback(apf_ms.
c:608)ExpiringMobile!
apfMsExpireMobileStation(apf_ms.
c:5009)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(callerapf_ms.
c:5094)条件从GUI:删除客户端从CLI:设置客户端解除验证方案10:客户端分离由于验证超时调试运行了调试客户端解析的日志RetransmitfailureforEAPOL-KeyM3tomobile00:1e:8c:0f:a4:57,retransmitcount3,mscbdeauthcount0SentDeauthenticatetomobileonBSSID00:26:cb:94:44:c0slot0(caller1x_ptsm.
c:534)条件被到达的验证或密钥交换MAX重新传输解决方法检查/更新客户端驱动程序、安全设置,证书等.
方案11:客户端分离由于重置的AP无线电(电源/信道)调试运行了调试客户端解析的日志CleaningupstateforSTA00:1e:8c:0f:a4:57duetoeventforAP00:26:cb:94:44:c0(0)apfSendDisAssocMsgDebug(apf_80211.
c:1855)Changingstateformobile00:1e:8c:0f:a4:57onAP00:26:cb:94:44:c0fromAssociatedtoDisassociatedSentDisassociatetomobileonAP00:26:cb:94:44:c0-0(reason1,callerapf_ms.
c:4983)条件AP取消关联客户端,但是WLC没有Delete条目.
解决方法预料之中的行为.
方案12:Symantec与802.
1X'timeoutEvt的'客户端问题问题客户端运行的Symantec软件用消息802.
1X'为消息=M3超时的为站点和timeoutEvt'计时器取消关联EAP/Eapol进程idoes没有g完成,不考虑A/G无线电在Intel/Broadcom卡没有使用.
没有问题,当它是使用的wep,WPA-PSK.
条件WLC代码不重要.
AP-所有模拟-所有在本地传送方式.
WLAN3-WPA2+802.
1XPEAP+mshcapv2ssid广播.
RADIUS服务器NP2008年Symantec防病毒软件在所有PCs安装使用Asus,Braodcom,Intel-win7,成功XP受影响的OS-windows7和xp受影响的无线适配器-Intel(6205)和Broadcom受影响的驱动程序/请求方-15.
2.
0.
19,使用本地请求方.
修正/应急方案:禁用Symantec网络保护和防火墙在win7和xp.
它是与Win7和XPOS的Symantec问题.
Debug输出*dot1xMsgTask:Apr1211:45:39.
335:84:3a:4b:7a:d5:acRetransmit1ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:44.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:44.
336:84:3a:4b:7a:d5:acRetransmit2ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:49.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:49.
336:84:3a:4b:7a:d5:acRetransmit3ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:54.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:54.
337:84:3a:4b:7a:d5:acRetransmit4ofEAPOL-KeyM3(length155)formobile84:3a:4b:7a:d5:ac*osapiBsnTimer:Apr1211:45:59.
336:84:3a:4b:7a:d5:ac802.
1x'timeoutEvt'Timerexpiredforstation84:3a:4b:7a:d5:acandformessage=M3*dot1xMsgTask:Apr1211:45:59.
336:84:3a:4b:7a:d5:acRetransmitfailureforEAPOL-KeyM3tomobile84:3a:4b:7a:d5:ac,retransmitcount5,mscbdeauthcount0*dot1xMsgTask:Apr1211:45:59.
338:84:3a:4b:7a:d5:acSentDeauthenticatetomobileonBSSIDc8:f9:f9:89:15:60slot1(caller注意:在15.
2有综合症状(也看到在更早版本)去类似:-客户端从AP获得M1-客户端发送M2-客户端从AP获得M3在派出M4前,-客户端测量深度成对地新建的密钥-客户端传送M4加密与新密钥AP,丢弃M4消息作为"解密错误"-WLC'调试客户端'显示我们在M3重新传输时间.
明显,这是在Microsoft和Symantec之间的一问题,不是Intel特定.
应急方案是删除Symantec.
很可能在windows的这确实是bug,触发由Symantec.
调整EAP计时器不调整此问题关于此问题,CiscoTAC将转发受影响的客户对Symantec和Microsoft.
方案13:空气打印服务没为有mDNS的客户端出现监听打开了在Apple手持式客户端设备提供AirPrint服务不能的客户端发现设备,当mDNS监听打开.
条件运行7.
6.
100.
0的5508WLC.
当mDNS监听打开,我们有设备提供AirPrint服务列出了在关于WLC的服务部分下.
各自mDNS配置文件正确地被映射对WLAN&接口.
无法能发现在客户端的AirPrint设备.
调试运行了调试客户端调试mdns全部启用*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71QueryServiceName:_universal.
_sub.
_ipp.
_tcp.
local.
,Type:C,Class:1.
*Bonjour_Msg_Task:Apr1515:29:35.
640:qNameStr:_universal.
_sub.
_ipp.
_tcp.
local.
,bonjServiceNameStr:_universal.
_sub.
_ipp.
_tcp.
local.
,bonjSpNameStr:_dns-sd.
_udp.
YVG.
local.
*Bonjour_Msg_Task:Apr1515:29:35.
640:ServiceName:HP_Photosmart_Printer_1ServiceString:_universal.
_sub.
_ipp.
_tcp.
local.
issupportedinMSAL-DB*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71Service:_universal.
_sub.
_ipp.
_tcp.
local.
issupportedbyclient'sprofile:default-mdns-profile*Bonjour_Msg_Task:Apr1515:29:35.
640:processBonjourPacket:986AP-MAC=C8:4C:75:D1:77:20hasap-group=GBH*Bonjour_Msg_Task:Apr1515:29:35.
640:SendingBonjourResponse*Bonjour_Msg_Task:Apr1515:29:35.
640:ServiceProviderName:_dns-sd.
_udp.
YVG.
local.
,MsalServiceName:HP_Photosmart_Printer_1*Bonjour_Msg_Task:Apr1515:29:35.
640:SendingQueryResponsebonjSpNameStr:_dns-sd.
_udp.
YVG.
local.
,bonjMsalServiceName:HP_Photosmart_Printer_1,bonjourMsgId:0,dstMac:B0:65:BD:DF:F8:71dstIP:172.
29.
0.
100*Bonjour_Msg_Task:Apr1515:29:35.
640:vlanId:909,allvlan:0,isMcast:1,toSta:1*Bonjour_Msg_Task:Apr1515:29:35.
640:b0:65:bd:df:f8:71Successfullysentresponseforservice:_universal.
_sub.
_ipp.
_tcp.
local.
.
*Bonjour_Process_Task:Apr1515:29:35.
641:InsidebuildBonjourQueryResponsePld,available_len=1366*Bonjour_Process_Task:Apr1515:29:35.
641:Notabletoattachanyrecord*Bonjour_Process_Task:Apr1515:29:35.
641:ErrorbuildingtheBonjourPacket!
!
说明客户端为'_universal.
_sub.
_ipps.
_tcp.
local会要求'.
或者'_universal.
_sub.
_ipp.
_tcp.
local'.
而不是'_ipp.
_tcp.
local'.
或者'_ipp.
_tcp.
local'.
字符串.
没因此已添加AirPrint服务会工作.
它识别将被映射的请求的服务字符串对'HP_Photosmart_Printer_1同一服务在被映射的配置文件被添加了到WLAN,并且仍有为设备列出的没有服务.
发现由于域名被添附的和查询'dnsSD.
_udp.
YVG.
local的客户端'.
当域名被添附WLC没有能处理Bonjour数据包作为'dnsSD.
_udp.
YVG.
local'.
在数据库不存在.
识别给的增强bug关于同样-CSCuj32157解决方法唯一的工作是禁用DHCP选项15(域名)或删除域名从客户端.
方案14:Apple无法IOS的客户端'加入由于的网络'禁用快速SSID更改条件多数AppleIOS设备有问题移动从一WLAN到另一个在同样CiscoWLC以默认"禁用的快速ssid更改'.
设置导致控制器解除验证从一次存在客户端尝试联合到另一个的WLAN的客户端.
典型的结果是在IOS设备的一个"无法加入网络'消息显示客户端(jk-2504-116)>show网络摘要快速SSID更改.
禁用调试运行了(jk-2504-116)>debugclient1c:e6:2b:cd:da:9d(jk-2504-116)>*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dAssociationreceivedfrommobileonBSSID00:21:a0:e3:fd:beAppleClientinitiatingswitchfromonewlantoanother.
*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dGlobal200ClientsareallowedtoAPradio*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dMaxClientTrapThreshold:0cur:1*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dRfprofile600ClientsareallowedtoAPwlan*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dDeletingclientimmediatelysinceWLANhaschanged//WLCremovingappleclientfromoriginalWLAN*apfMsConnTask_7:Jan3021:33:14.
544:1c:e6:2b:cd:da:9dSchedulingdeletionofMobileStation:(callerId:50)in1seconds*osapiBsnTimer:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dapfMsExpireCallback(apf_ms.
c:625)ExpiringMobile!
*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dapfMsExpireMobileStation(apf_ms.
c:6632)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromAssociatedtoDisassociated*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dSentDeauthenticatetomobileonBSSID00:21:a0:e3:fd:b0slot1(callerapf_ms.
c:6726)*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dFoundancacheentryforBSSID00:21:a0:e3:fd:bfinPMKIDcacheatindex0ofstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dRemovingBSSID00:21:a0:e3:fd:bffromPMKIDcacheofstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dResettingMSCBPMKCacheEntry0forstation1c:e6:2b:cd:da:9d*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dSettingactivekeycacheindex0--->8*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dDeletingthePMKcachewhende-authenticatingtheclient.
*apfReceiveTask:Jan3021:33:15.
375:1c:e6:2b:cd:da:9dGlobalPMKCachedeletionfailed.
*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dapfMsAssoStateDec*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dapfMsExpireMobileStation(apf_ms.
c:6764)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromDisassociatedtoIdle*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dpemApfDeleteMobileStation2:APF_MS_PEM_WAIT_L2_AUTH_COMPLETE=0.
*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9d192.
168.
165.
31START(0)DeletedmobileLWAPPruleonAP[00:21:a0:e3:fd:b0]*apfReceiveTask:Jan3021:33:15.
376:1c:e6:2b:cd:da:9dDeletingmobileonAP00:21:a0:e3:fd:b0(1)*pemReceiveTask:Jan3021:33:15.
377:1c:e6:2b:cd:da:9d192.
168.
165.
31RemovedNPUentry.
*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dAddingmobileonLWAPPAP00:21:a0:e3:fd:b0(1)Noclientactivityfor>7secduetofast-ssidchangedisabled*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dAssociationreceivedfrommobileonBSSID00:21:a0:e3:fd:bf*apfMsConnTask_7:Jan3021:33:23.
890:1c:e6:2b:cd:da:9dGlobal200ClientsareallowedtoAPradio*apfMsConnTask_7:Jan3021:33:23.
891:1c:e6:2b:cd:da:9dSendingAssocResponsetostationonBSSID00:21:a0:e3:fd:bf(status0)ApVapId1Slot1*apfMsConnTask_7:Jan3021:33:23.
892:1c:e6:2b:cd:da:9dapfProcessAssocReq(apf_80211.
c:8292)Changingstateformobile1c:e6:2b:cd:da:9donAP00:21:a0:e3:fd:b0fromAssociatedtoAssociated解决方法Enable(event)从WLCGUI>>Controller>>General的法塞特ssid更改方案15:成功的客户端LDAP关联巩固使用TLS的控制器和LDAP服务器之间的连接的安全LDAP帮助.
此功能支持与控制器软件版本7.
6以上.
有可以由控制器发送到LDAP服务器查询的两种类型:1.
匿名:在此类型,当客户端需要获得authenticatied时,控制器发送认证请求到LDAP服务器.
LDAP服务器回应查询的结果.
在此交换期间包括客户端用户名/密码的所有信息在明文发送.
只要捆绑用户名/密码被添加,LDAP服务器将回应对从任何人的一查询.
已验证:在此方法控制器配置与使用用LDAP服务器验证本身的用户名和密码.
密码加密与MD5SASL和被发送到LDAP服务器在认证过程中.
这正确地帮助LDAP服务器识别认证请求的来源.
然而,即使控制器的标识保护客户端详细信息在明文发送.
2.
LDAP的实际需求在TLS来由于客户端验证数据和处理其余无危险发生的两个这两个方法摆在的安全漏洞.
要求运行软件版本7.
6的WLC以上执行LDAP的Microsoft服务器调试运行了debugaaaldapenable(event)*LDAPDBTask1:Feb0612:28:12.
912:ldapAuthRequest[1]calledlcapi_querybase="CN=Users,DC=gceaaa,DC=com"type="person"attr="sAMAccountName"user="Ishaan"(rc=0-Success)*LDAPDBTask1:Feb0612:28:12.
912:AttemptinguserbindwithusernameCN=Ishaan,CN=Users,DC=gceaaa,DC=com*LDAPDBTask1:Feb0612:28:12.
914:LDAPATTR>dn=CN=Ishaan,CN=Users,DC=gceaaa,DC=com(size35)*LDAPDBTask1:Feb0612:28:12.
914:HandlingLDAPresponseSuccess//indicatespassedLDAPauth.
方案16:在LDAP失败的客户端验证调试运行debugaaaldapenable(event)*LDAPDBTask1:Feb0717:19:46.
535:LDAP_CLIENT:Receivednoreferralsinsearchresultmsg*LDAPDBTask1:Feb0717:19:46.
535:LDAP_CLIENT:Received1attributesinsearchresultmsg*LDAPDBTask1:Feb0717:19:46.
535:ldapAuthRequest[1]calledlcapi_querybase="CN=Users,DC=gceaaa,DC=com"type="person"attr="sAMAccountName"user="ish"(rc=0-Success)*LDAPDBTask1:Feb0717:19:46.
535:HandlingLDAPresponseAuthenticationFailed//Failedauth*LDAPDBTask1:Feb0717:19:46.
536:Authenticatedbind:Closingthebindedsession解决方法检查LDAP服务器拒绝原因.
方案17:客户端关联问题由于LDAP在WLC被不正确配置调试运行了debugaaaldapenable(event)*LDAPDBTask1:Feb0717:21:26.
710:ldapInitAndBind[1]calledlcapi_init(rc=0-Success)*LDAPDBTask1:Feb0717:21:26.
712:ldapInitAndBind[1]configuredMethodAuthenticatedlcapi_bind(rc=49-Invalidcredentials)*LDAPDBTask1:Feb0717:21:26.
787:ldapClose[1]calledlcapi_close(rc=0-Success)*LDAPDBTask1:Feb0717:21:26.
787:LDAPserver1changedstatetoIDLE*LDAPDBTask1:Feb0717:21:26.
787:LDAPserver1changedstatetoERROR*LDAPDBTask1:Feb0717:21:26.
787:HandlingLDAPresponseInternalError解决方法验证在client/WLC和LDAP服务器间的凭证.
方案18:客户端关联问题,当LDAP服务器是不可得到的调试运行了debugaaaldapenable(event)*LDAPDBTask2:Feb0717:26:45.
874:ldapInitAndBind[2]configuredMethodAnonymouslcapi_bind(rc=1005-LDAPbindfailed)*LDAPDBTask2:Feb0717:26:45.
874:ldapClose[2]calledlcapi_close(rc=0-Success)*LDAPDBTask2:Feb0717:26:45.
875:LDAPserver2changedstatetoIDLE*LDAPDBTask2:Feb0717:26:45.
875:LDAPserver2changedstatetoERROR*LDAPDBTask2:Feb0717:26:45.
875:HandlingLDAPresponseInternalError解决方法检查WLC和LDAP服务器网络连通性问题.
方案19:漫游问题的Apple客户端由于未命中粘贴漫游配置条件AIR-CT5508-K9/7.
4.
100.
0Apple从使用以下的无线网络的设备断开:WPA2策略WPA2加密AES启用的验证802.
1X认证和授权通过CiscoISEApple设备从广播的SSID周期地断开.
示例是丢弃的IP电话,当另一个电话在同一个位置依然是已连接时.
所以,随机地发生(时间和电话).
没有问题的笔记本电脑客户端.
他们连接对同样SSID.
此问题在正常操作时发生,没有漫游,没有备用模式.
WLAN已经删除可能导致问题的所有可能的设置(Aironetext).
调试运行了调试客户端*apfMsConnTask_5:Jun1116:12:56.
342:f0:d1:a9:bb:2d:faReceivedRSNIEwith0PMKIDsfrommobilef0:d1:a9:bb:2d:faAt16:12:56inthedebugsweseeaclientre-association.
FromtheretheAPisexpectingtheclienttopresentitsoldPMKID(PairwiseMasterKeyIdentifiers).
Atthispointitdoesn't!
FromtheabovemessagetheAP/WLCdidn'treceiveaPMKIDfromtheiPhone.
Thisiskindofexpectedfromthistypeofclient.
AppledevicesdonotusetheopportunistickeycachingwhichallowsclientstousetheSAMEPMKIDatallAps.
AppledevicesuseakeycachemethodofStickyKeyCaching.
ThisinturnmeansthattheclienthastobuildaPMKIDatEACHAPinordertosuccessfullyroamtotheAP.
Aswecanseetheclientdidn'tpresentaPMKIDtousesowesentitthroughlayer2security/EAPagain.
TheclientthenhitsasnagintheEAPprocesswheretheclientfailstorespondtotheEAPIDorrequestforcredentialsuntilthesecondattempt*dot1xMsgTask:Jun1116:12:56.
345:f0:d1:a9:bb:2d:faSendingEAP-Request/Identitytomobilef0:d1:a9:bb:2d:fa(EAPId1)*osapiBsnTimer:Jun1116:13:26.
288:f0:d1:a9:bb:2d:fa802.
1x'txWhen'Timerexpiredforstationf0:d1:a9:bb:2d:faandformessage=M0Afterthissnagtheclientisallowedbackontothenetworkallinapprox.
1.
5seconds.
ThisisgoingtobenormalandEXPECTEDbehaviorcurrentlywithStickykeycacheclients.
解决方法什么我们能为有SKC的客户当前执行(粘贴关键高速缓冲存储)客户端并且有WLC代码7.
2和更加高是enable(event)漫游SKC的(粘贴关键缓存)支持.
默认情况下仅WLC支持OKC(机会主义的关键高速缓冲存储).
为了允许客户端使用它生成在每个AP的其旧有PMKIDs我们必须通过WLCCLI启用它.
设置WLAN安全WPAwpa2缓存粘贴enable(event)请记住此不会改善初始漫游由于SKC的本质;然而,它将改进随后漫游对同样Aps(8由书).
步行沿着向下与8Aps的一楼道的Imagine.
第一个初排将包括全双工assocations在与大约1-2秒滞后的每个AP.
当您到达末端并且走上一步客户端将提交8唯一PMKIDs,当移动回到同样Aps,并且不会必须通过一全双工验证,如果SKC支持启用.
因而删除滞后和客户端将看上去坚持已连接.
方案20:验证法塞特安全漫游(FSR)与CCKMhttp://www.
cisco.
com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.
html调试运行调试客户端*apfMsConnTask_2:Jun2515:43:33.
749:00:40:96:b7:ab:5cCCKM:ReceivedREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
749:00:40:96:b7:ab:5cReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:93*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cProcessingWPAIEtype221,length22formobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:MobileisusingCCKMTheReassociationRequestisreceivedfromtheclient,whichprovidestheCCKMinformationneededinordertoderivethenewkeyswithafast-secureroam.
*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cSettingactivekeycacheindex0--->8*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:ProcessingREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:usingHMACMD5tocomputeMICWLCcomputestheMICusedforthisCCKMfast-roamingexchange.
*apfMsConnTask_2:Jun2515:43:33.
750:00:40:96:b7:ab:5cCCKM:ReceivedavalidREASSOCREQIE*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCCKM:InitializingPMKcacheentrywithanewPTKThenewPTKisderived.
*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->8*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->8*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSettingactivekeycacheindex8--->0*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCreatingaPKCPMKIDCacheentryforstation00:40:96:b7:ab:5c(RSN0)onBSSID84:78:ac:f0:2a:93ThenewPMKIDcacheentryiscreatedforthisnewAP-to-clientassociation.
*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cCCKM:usingHMACMD5tocomputeMIC*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cIncludingCCKMResponseIE(length62)inAssocResptomobile*apfMsConnTask_2:Jun2515:43:33.
751:00:40:96:b7:ab:5cSendingAssocResponsetostationonBSSID84:78:ac:f0:2a:93(status0)ApVapId4Slot0TheReassociationResponseissentfromtheWLC/APtotheclient,whichincludestheCCKMinformationrequiredinordertoconfirmthenewfast-roamandkeyderivation.
*dot1xMsgTask:Jun2515:43:33.
757:00:40:96:b7:ab:5cSkippingEAP-Successtomobile00:40:96:b7:ab:5cEAPisskippedduetothefastroaming,andCCKMdoesnotrequirefurtherkeyhandshakes.
TheclientisnowreadytopassencrypteddataframesonthenewAP.
如显示的,法塞特安全漫游执行避免EAP验证帧和更加4方式握手,因为新的加密密钥仍然派生,但是根据CCKM协商方案.
这完成与客户端和WLC和信息早先缓存的漫游再聚集帧.
方案21:验证法塞特安全漫游(FSR)用WPA2PMKID缓存调试运行了调试客户端*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ReassociationreceivedfrommobileonBSSID84:78:ac:f0:68:d2ThisistheReassociationRequestfromtheclient.
*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ProcessingRSNIEtype48,length38formobileec:85:2f:15:39:32TheWLC/APfindsanInformationElementthatclaimsPMKIDCachingsupportontheAssociationrequestthatissentfromtheclient.
*apfMsConnTask_0:Jun2200:26:40.
787:ec:85:2f:15:39:32ReceivedRSNIEwith1PMKIDsfrommobileec:85:2f:15:39:32TheReassociationRequestfromtheclientcomeswithonePMKID.
*apfMsConnTask_0:Jun2200:26:40.
787:ReceivedPMKID:(16)*apfMsConnTask_0:Jun2200:26:40.
788:[0000]c94d0d9703aaa90f1bc8337301f118f5ThisisthePMKIDthatisreceived*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32SearchingforPMKIDinMSCBPMKIDcacheformobileec:85:2f:15:39:32WLCsearchesforamatchingPMKIDonthedatabase.
*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32FoundancacheentryforBSSID84:78:ac:f0:68:d2inPMKIDcacheatindex0ofstationec:85:2f:15:39:32*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32FoundavalidPMKIDintheMSCBPMKIDcacheformobileec:85:2f:15:39:32TheWLCvalidatesthePMKIDprovidedbytheclient,andconfirmsthatithasavalidPMKcacheforthisclient-and-APpair.
*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32Settingactivekeycacheindex1--->0*apfMsConnTask_0:Jun2200:26:40.
788:ec:85:2f:15:39:32SendingAssocResponsetostationonBSSID84:78:ac:f0:68:d2(status0)ApVapId3Slot0TheReassociationResponseissenttotheclient,whichvalidatesthefast-roamwithSKC.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32InitiatingRSNwithexistingPMKtomobileec:85:2f:15:39:32WLCinitiatesaRobustSecureNetworkassociationwiththisclient-and-APpairbasedonthecachedPMKfound.
Hence,EAPisavoidedasperthenextmessage.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32SkippingEAP-Successtomobileec:85:2f:15:39:32*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32FoundancacheentryforBSSID84:78:ac:f0:68:d2inPMKIDcacheatindex0ofstationec:85:2f:15:39:32*dot1xMsgTask:Jun2200:26:40.
795:IncludingPMKIDinM1(16)ThehashedPMKIDisincludedontheMessage-1oftheWPA/WPA24-Wayhandshake.
*dot1xMsgTask:Jun2200:26:40.
795:[0000]c94d0d9703aaa90f1bc8337301f118f5ThePMKIDishashed.
ThenextmessagesarethesameWPA/WPA24-Wayhandshakemessagesdescribedthusfarthatareusedinordertofinishtheencryptionkeysgeneration/installation.
*dot1xMsgTask:Jun2200:26:40.
795:ec:85:2f:15:39:32SendingEAPOL-KeyMessagetomobileec:85:2f:15:39:32stateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_2:Jun2200:26:40.
811:ec:85:2f:15:39:32ReceivedEAPOL-Keyfrommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32ReceivedEAPOL-keyinPTK_STARTstate(message2)frommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32PMK:Sendingcacheadd*Dot1x_NW_MsgTask_2:Jun2200:26:40.
812:ec:85:2f:15:39:32SendingEAPOL-KeyMessagetomobileec:85:2f:15:39:32statePTKINITNEGOTIATING(message3),replaycounter00.
00.
00.
00.
00.
00.
00.
01*Dot1x_NW_MsgTask_2:Jun2200:26:40.
820:ec:85:2f:15:39:32ReceivedEAPOL-Keyfrommobileec:85:2f:15:39:32*Dot1x_NW_MsgTask_2:Jun2200:26:40.
820:ec:85:2f:15:39:32ReceivedEAPOL-keyinPTKINITNEGOTIATINGstate(message4)frommobileec:85:2f:15:39:32方案22:正在验证的法塞特安全漫游用积极的关键缓存调试运行了调试客户端*apfMsConnTask_2:Jun2121:48:50.
562:00:40:96:b7:ab:5cReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:92ThisistheReassociationRequestfromtheclient.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cProcessingRSNIEtype48,length38formobile00:40:96:b7:ab:5cTheWLC/APfindsandInformationElementthatclaimsPMKIDCachingsupportontheAssociationrequestthatissentfromtheclient.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cReceivedRSNIEwith1PMKIDsfrommobile00:40:96:b7:ab:5cTheReassociationRequestfromtheclientcomeswithonePMKID.
*apfMsConnTask_2:Jun2121:48:50.
563:ReceivedPMKID:(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cSearchingforPMKIDinMSCBPMKIDcacheformobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cNovalidPMKIDfoundintheMSCBPMKIDcacheformobile00:40:96:b7:ab:5AstheclienthasneverauthenticatedwiththisnewAP,theWLCcannotfindavalidPMKIDtomatchtheoneprovidedbytheclient.
However,sincetheclientperformsPKC/OKCandnotSKC(asperthefollowingmessages),theWLCcomputesanewPMKIDbasedontheinformationgathered(thecachedPMK,theclientMACaddress,andthenewAPMACaddress).
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cTryingtocomputeaPMKIDfromMSCBPMKcacheformobile00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:BSSID=(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a90*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:realAA=(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a92*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:FindPMKincache:PMKID=(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:AA(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]8478acf02a92*apfMsConnTask_2:Jun2121:48:50.
563:CCKM:SPA(6)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]004096b7ab5c*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cAddingBSSID84:78:ac:f0:2a:92toPMKIDcacheatindex0forstation00:40:96:b7:ab:5c*apfMsConnTask_2:Jun2121:48:50.
563:NewPMKID:(16)*apfMsConnTask_2:Jun2121:48:50.
563:[0000]9165c3fbfc4475486790d5dadfaa71e9*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cComputedavalidPMKIDfromMSCBPMKcacheformobile00:40:96:b7:ab:5cThenewPMKIDiscomputedandvalidatedtomatchtheoneprovidedbytheclient,whichisalsocomputedwiththesameinformation.
Hence,thefast-secureroamispossible.
*apfMsConnTask_2:Jun2121:48:50.
563:00:40:96:b7:ab:5cSettingactivekeycacheindex0--->0*apfMsConnTask_2:Jun2121:48:50.
564:00:40:96:b7:ab:5cSendingAssocResponsetostationonBSSID84:78:ac:f0:2a:92(status0)ApVapId3SlotTheReassociationresponseissenttotheclient,whichvalidatesthefast-roamwithPKC/OKC.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cInitiatingRSNwithexistingPMKtomobile00:40:96:b7:ab:5cWLCinitiatesaRobustSecureNetworkassociationwiththisclient-andAPpairwiththecachedPMKfound.
Hence,EAPisavoided,asperthethenextmessage.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cSkippingEAP-Successtomobile00:40:96:b7:ab:5c*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cFoundancacheentryforBSSID84:78:ac:f0:2a:92inPMKIDcacheatindex0ofstation00:40:96:b7:ab:5c*dot1xMsgTask:Jun2121:48:50.
570:IncludingPMKIDinM1(16)ThehashedPMKIDisincludedontheMessage-1oftheWPA/WPA24-Wayhandshake.
*dot1xMsgTask:Jun2121:48:50.
570:[0000]9165c3fbfc4475486790d5dadfaa71e9ThePMKIDishashed.
ThenextmessagesarethesameWPA/WPA24-Wayhandshakemessagesdescribedthusfar,whichareusedinordertofinishtheencryptionkeysgeneration/installation.
*dot1xMsgTask:Jun2121:48:50.
570:00:40:96:b7:ab:5cSendingEAPOL-KeyMessagetomobile00:40:96:b7:ab:5cstateINITPMK(message1),replaycounter00.
00.
00.
00.
00.
00.
00.
00*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5ReceivedEAPOL-Keyfrommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5cReceivedEAPOL-keyinPTK_STARTstate(message2)frommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
589:00:40:96:b7:ab:5cPMK:Sendingcacheadd*Dot1x_NW_MsgTask_4:Jun2121:48:50.
590:00:40:96:b7:ab:5cSendingEAPOL-KeyMessagetomobile00:40:96:b7:ab:5cstatePTKINITNEGOTIATING(message3),replaycounter00.
00.
00.
00.
00.
00.
00.
01*Dot1x_NW_MsgTask_4:Jun2121:48:50.
610:00:40:96:b7:ab:5cReceivedEAPOL-Keyfrommobile00:40:96:b7:ab:5c*Dot1x_NW_MsgTask_4:Jun2121:48:50.
610:00:40:96:b7:ab:5cReceivedEAPOL-keyinPTKINITNEGOTIATINGstate(message4)frommobile00:40:96:b7:ab:5cPMKID,在从客户端的再聚集请求接收后,如显示在调试初,必须计算.
这是需要的为了验证PMKID和确认被缓存的PMK与WPA24方式握手一起使用派生加密密钥和完成法塞特安全漫游.
请勿混淆在调试的CCKM条目;这没有用于为了执行CCKM,然而PKC/OKC,如以前解释.
此处CCKM是WLC的名称用于那些输出,例如处理值为了计算PMKID功能的名称.
方案23:验证法塞特安全漫游(FSR)与802.
11r调试运行调试客户端*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32DoingpreauthforthisclientovertheAirWLCbeginsFTfast-secureroamingover-the-Airwiththisclientandperformsatypeofpreauthentication,becausetheclientasksforthiswithFTontheAuthenticationframethatissenttothenewAPover-the-Air(beforetheReassociationRequest).
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32Doinglocalroamingfordestinationaddress84:78:ac:f0:2a:96WLCperformsthelocalroamingeventwiththenewAPtowhichtheclientroams.
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32Got1AKMsinRSNIE*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32RSNIEAKMmatcheswithPMKcacheentry:0x3WLCreceivesonePMKfromthisclient(knownasAKMhere),whichmatchesthePMKcacheentryholdforthisclient.
*apfMsConnTask_2:Jun2719:25:48.
751:ec:85:2f:15:39:32CreatedanewpreauthentryforAP:84:78:ac:f0:2a:96*apfMsConnTask_2:Jun2719:25:48.
751:AddingMDIE,IDis:0xaaf0WLCcreatesanewpreauthentryforthisAP-and-Clientpair,andaddstheMDIEinformation.
*apfMsConnTask_2:Jun2719:25:48.
763:Processingassoc-reqstation:ec:85:2f:15:39:32AP:84:78:ac:f0:2a:90-00thread:144bef38*apfMsConnTask_2:Jun2719:25:48.
763:ec:85:2f:15:39:32ReassociationreceivedfrommobileonBSSID84:78:ac:f0:2a:96OncetheclientreceivestheAuthenticationframereplyfromtheWLC/AP,theReassociationrequestissent,whichisreceivedatthenewAPtowhichtheclientroams.
*apfMsConnTask_2:Jun2719:25:48.
764:ec:85:2f:15:39:32MarkingthismobileasTGrcapable.
*apfMsConnTask_2:Jun2719:25:48.
764:ec:85:2f:15:39:32ProcessingRSNIEtype48,length38formobileec:85:2f:15:39:32*apfMsConnTask_2:Jun2719:25:48.
765:ec:85:2f:15:39:32Roamingsucceedforthisclient.
WLCconfirmsthattheFTfast-secureroamingissuccessfulforthisclient.
*apfMsConnTask_2:Jun2719:25:48.
765:Sendingassoc-respstation:ec:85:2f:15:39:32AP:84:78:ac:f0:2a:90-00thread:144bef38*apfMsConnTask_2:Jun2719:25:48.
766:AddingMDIE,IDis:0xaaf0*apfMsConnTask_2:Jun2719:25:48.
766:ec:85:2f:15:39:32IncludingFTMobilityDomainIE(length5)inreassociationassocResptomobile*apfMsConnTask_2:Jun2719:25:48.
766:ec:85:2f:15:39:32SendingAssocResponsetostationonBSSID84:78:ac:f0:2a:96(status0)ApVapId7Slot0TheReassociationresponseissenttotheclient,whichincludestheFTMobilityDomainIE.
*dot1xMsgTask:Jun2719:25:48.
769:ec:85:2f:15:39:32FinishingFTroamingformobileec:85:2f:15:39:32FTroamingfinishesandEAPisskipped(aswellasanyotherkeymanagementhandshake),sotheclientisreadytopassencrypteddataframeswiththecurrentAP.
*dot1xMsgTask:Jun2719:25:48.
769:ec:85:2f:15:39:32SkippingEAP-Successtomobileec:85:2f:15:39:32
- 客户端ssid广播相关文档
- 实验ssid广播
- 海南海政招标有限公司(HZ2016-340)变更公告
- 淄博市公安局周村分局南郊派出所办公楼改造及室内弱电工程
- 支持2.5GbE局域网的思科WAP581Wireless-AC/N双频无线接入点
- 检查ssid广播
- 供应商ssid广播
GigsGigsCloud 春节优惠2022 指定云服务器VPS主机85折循环优惠码
GigsGigsCloud商家在之前介绍的还是比较多的,因为之前我一直有几台机器在使用,只是最近几年网站都陆续转型删除掉不少的网站和闲置域名,包括今年也都减少网站开始转型自媒体方向。GigsGigsCloud 商家产品还是比较有特色的,有提供香港、新加坡等亚洲机房的云服务器、VPS和独立服务器等。第一、新春优惠活动优惠码:CNY2022-15OFF截止到正月初二,我们可以使用上述优惠码在购买指定G...
美国cera机房 2核4G 19.9元/月 宿主机 E5 2696v2x2 512G
美国特价云服务器 2核4G 19.9元杭州王小玉网络科技有限公司成立于2020是拥有IDC ISP资质的正规公司,这次推荐的美国云服务器也是商家主打产品,有点在于稳定 速度 数据安全。企业级数据安全保障,支持异地灾备,数据安全系数达到了100%安全级别,是国内唯一一家美国云服务器拥有这个安全级别的商家。E5 2696v2x2 2核 4G内存 20G系统盘 10G数据盘 20M带宽 100G流量 1...
WHloud Date鲸云数据($9.00/月), 韩国,日本,香港
WHloud Date(鲸云数据),原做大数据和软件开发的团队,现在转变成云计算服务,面对海内外用户提供中国大陆,韩国,日本,香港等多个地方节点服务。24*7小时的在线支持,较为全面的虚拟化构架以及全方面的技术支持!官方网站:https://www.whloud.com/WHloud Date 韩国BGP云主机少量补货随时可以开通,随时可以用,两小时内提交退款,可在工作日期间全额原路返回!支持pa...
ssid广播为你推荐
-
1f20;BACKGROUND-COLOR:#4ae2f7">16-bitgeneratedgoogle之路androidboxiphone司机苹果5联通iphone4iphone4想换联通的卡 是普通联通的卡都能开通3G么 还是得换联通3G卡 联通都有什么套餐 我是北京的win7关闭135端口win7系统怎么关闭135端口?网上很多方法都不好用!css3按钮如何在html添加一个搜索框和一个按钮css选择器请给出三种Css选择器并举例说明ipad无法加入网络我的IPAD无法加入网络