Tuesday 15 October 2013

DHCP Related Configurations





From the perspective of the lab, I doubt very much that Microsoft DHCP server related configurations will be tested. Therefore my focus is on enabling DHCP services and the associated features on IOS devices and WLCs.

DHCP and WLC

WLCs support both internal and external DHCP servers.

With external DHCP servers, the WLC DHCP configuration has two flavours: DHCP proxy mode and DHCP bridging mode.

DHCP proxy mode
  • More secure, as the virtual IP is used to forward DHCP packets, so the server IP is not exposed to clients.
  • Enabled by default.
  • Required for option 82.
  • If there are firewalls in the path, DHCP proxy may need to be disabled on the WLC.
  • The DHCP server IPs need to be configured on the WLC interfaces.

Configuration :

config dhcp proxy enable

config interface dhcp management primary 10.10.10.100
config interface dhcp dynamic-interface data primary 10.10.20.100

Verification:

(Cisco Controller) >show dhcp proxy
DHCP Proxy Behaviour: enabled

debug dhcp message enable

DHCP bridging mode
  • The WLC just bridges the client packet to the appropriate VLAN and the client performs a normal DHCP transaction. That is to say, the forwarding is done by the VLAN's L3 interface, so the SVIs need to be configured with the DHCP server addresses using the ip helper-address command.
  • DHCP proxy must be disabled.

Configuration:
config dhcp proxy disable
show dhcp proxy

L3 device:
interface vlan 100
 ip helper-address 10.10.10.100

  

Internal DHCP server
  • When configuring the internal DHCP server, the DHCP server address needs to be the management IP of the WLC.
  • DHCP proxy needs to be enabled.
  • The internal DHCP server IP (the management IP) can be set as part of the dynamic interface configuration or via the DHCP override option.

CLI configuration:


Verification


IOS DHCP server

The following example configures DHCP on the IOS device, which provides IP addresses for Cisco 3500 series APs. The WLC management IP is 1


ip dhcp pool TST1
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.100
   option 60 ascii "Cisco AP c3500"
   option 43 hex f104.0a0a.0a01



ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2


DHCP option 43 provides the WLC management IP for WLC discovery, encoded as a TLV.
I will discuss this in the WLC discovery section.

DHCP option 60 restricts the forwarding of option 43 to devices that are defined under a Vendor Class Identifier (VCI). The VCI defines the AP model class. The above URL also lists the VCIs for Cisco APs.

Therefore, with option 60 configured, the WLC IP address (option 43) will be provided by the DHCP server only to Cisco 3500 series APs; other, non-3500 devices connected on the same VLAN will not receive this information.

Note: I tested this and can confirm that option 60 does not work on IOS. I raised this on CLN and one of the CCIEWs confirmed that option 60 will only work on a Windows server.


Note: For VoWLAN, the pool that allocates IPs to the handsets needs to be configured with
option 150 ip 10.10.10.101, where 10.10.10.101 is the IP address of the CME.

ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2

The above two statements prevent DHCP from assigning any IPs that are already defined statically.






DHCP Option 82


This option is enabled to prevent rogue DHCP servers from issuing IP addresses and also to prevent rogue client devices from obtaining legitimate IP addresses. The relay agent ID identifies the devices participating in the DHCP transaction; if no matching ID is found for the relay agent, no DHCP offer is sent. Therefore both the WLC and the DHCP server need to be configured.

On the server side, classes are defined on the L3 switch per device.
Each class contains the WLC identifier + the AP base MAC, which together make a unique ID.
The WLC identifier is common to all Cisco WLCs: 0104000000000206 in hex.


APs and IP address allocation prior to the option 82 implementation:

R1(config)#do sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.1        0140.5539.8e2a.2c       Jan 02 1970 12:39 AM    Automatic
172.16.100.2        0100.1de5.56e5.b0       Jan 02 1970 12:40 AM    Automatic



The objective here is to use option 82 so that clients associated to the AP3500 get an IP from the 172.16.100.120-.140 range and
clients associated to the AP1130 get an IP from the 172.16.100.20-.40 range.

1. Work out the relay information string based on the radio MAC

AP 1130 radio MAC 00:21:55:4d:6e:00
relay information string is: 01040000000002060021554d6e00

AP 3500 radio MAC 1c:aa:07:43:7a:90
relay information string is: 01040000000002061caa07437a90


2. Define classes for each AP type

I could not configure the class option on the 3560, so instead I used an 1841 for testing.


ip dhcp pool TST1
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.100
   option 43 hex f104.0a0a.0a01
   class 1130
      address range 172.16.100.20 172.16.100.40
   class 3500
      address range 172.16.100.120 172.16.100.140
!
!
ip dhcp class 1130
   relay agent information
      relay-information hex 01040000000002060021554d6e00
!
ip dhcp class 3500
   relay agent information
      relay-information hex 01040000000002061caa07437a90

3. Check that DHCP proxy is enabled on the WLC


4. Enable option 82 on the CLI

(wlc01) >config interface dhcp dynamic-interface op82_test option-82
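As an added example (not part of the original post), the following Python derives the per-AP relay-information string from step 1 (WLC identifier 0104000000000206 + AP base radio MAC), renders the IOS class blocks from step 2, and checks router DHCPD debug lines of the kind shown below to confirm that each matched class handed out an address inside its intended range. The class names, MACs, ranges and sample debug lines are taken from this page; everything else is my own helper code.

```python
# Added example, not from the original post: option 82 relay-information helper
# plus a check over IOS DHCPD debug output. Sample data is constructed from the page.
import ipaddress
import re

WLC_IDENTIFIER = "0104000000000206"  # common to all Cisco WLCs, per the page

# class name -> (AP base radio MAC, first IP, last IP) as configured on the page
CLASSES = {
    "1130": ("00:21:55:4d:6e:00", "172.16.100.20", "172.16.100.40"),
    "3500": ("1c:aa:07:43:7a:90", "172.16.100.120", "172.16.100.140"),
}

# Constructed from the router debug captures on this page
SAMPLE_DEBUG = [
    "*Jan  1 01:39:34.179: DHCPD: input pattern '      relay-information 01040000000002061caa07437a90' matches class 3500",
    "*Jan  1 01:39:34.179: DHCPD: input matches class 3500",
    "*Jan  1 01:39:36.179: DHCPD: assigned IP address 172.16.100.121 to client 01e0.f5c6.025e.b1.",
    "*Jan  1 01:45:50.107: DHCPD: input matches class 1130",
    "*Jan  1 01:45:52.107: DHCPD: assigned IP address 172.16.100.20 to client 01e0.f5c6.025e.b1.",
]


def relay_information(radio_mac):
    """Build the hex relay-information string for an AP base radio MAC.
    Accepts colon, dash or IOS dotted notation (e.g. 1caa.0743.7a90)."""
    mac = re.sub(r"[^0-9a-fA-F]", "", radio_mac).lower()
    if len(mac) != 12:
        raise ValueError(f"not a 48-bit MAC: {radio_mac!r}")
    return WLC_IDENTIFIER + mac


def ios_class_config(classes):
    """Render the 'ip dhcp class' blocks for every class in the table."""
    lines = []
    for name, (mac, _first, _last) in classes.items():
        lines += [f"ip dhcp class {name}",
                  "   relay agent information",
                  f"      relay-information hex {relay_information(mac)}",
                  "!"]
    return "\n".join(lines)


# Only the 'input matches class X' and 'assigned IP address' lines carry the decision
DEBUG_RE = re.compile(r"DHCPD: (?:input matches class (\S+)|assigned IP address (\S+) to client)")


def check_assignments(debug_lines, classes):
    """Pair each 'input matches class X' line with the following 'assigned IP address'
    line and report (class, ip, in_range) so a wrong-range lease stands out."""
    results, current = [], None
    for line in debug_lines:
        m = DEBUG_RE.search(line)
        if not m:
            continue
        cls, ip = m.groups()
        if cls:
            current = cls
        elif current:
            rng = classes.get(current)
            ok = bool(rng) and (ipaddress.IPv4Address(rng[1]) <= ipaddress.IPv4Address(ip)
                                <= ipaddress.IPv4Address(rng[2]))
            results.append((current, ip, ok))
            current = None
    return results


if __name__ == "__main__":
    print(ios_class_config(CLASSES))
    for cls, ip, ok in check_assignments(SAMPLE_DEBUG, CLASSES):
        print(f"class {cls}: {ip} {'in range' if ok else 'OUT OF RANGE'}")
```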


Verification

WLC


(wlc01) >show interface detailed op82_test

Interface Name................................... op82_test
MAC Address...................................... 00:1b:d5:68:88:07
IP Address....................................... 172.16.100.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 172.16.100.100
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 100
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.16.100.100
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Enabled
Remote ID format................................. ap-mac
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled


Router


*Jan  1 01:39:34.179: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:39:34.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:34.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:34.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:34.179: DHCPD: Searching for a match to '      relay-information 01040000000002061caa07437a90' in class 1130
*Jan  1 01:39:34.179: DHCPD: Searching for a match to '      relay-information 01040000000002061caa07437a90' in class 3500
*Jan  1 01:39:34.179: DHCPD: input pattern '      relay-information 01040000000002061caa07437a90' matches class 3500
*Jan  1 01:39:34.179: DHCPD: input matches class 3500
*Jan  1 01:39:36.179: DHCPD: Adding binding to radix tree (172.16.100.121)
*Jan  1 01:39:36.179: DHCPD: Adding binding to hash tree
*Jan  1 01:39:36.179: DHCPD: assigned IP address 172.16.100.121 to client 01e0.f5c6.025e.b1.
*Jan  1 01:39:36.179: DHCPD: Sending notification of DISCOVER:
*Jan  1 01:39:36.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:36.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:36.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:36.179: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:39:36.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:36.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:36.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:37.231: DHCPD: Sending notification of ASSIGNMENT:
*Jan  1 01:39:37.231:  DHCPD: address 172.16.100.121 mask 255.255.255.0
*Jan  1 01:39:37.231:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:37.231:   DHCPD: lease time remaining (secs) = 86400



I also noticed that a debug on the WLC states option 82 as skipping. I think the skipping is applicable to parameters that are not relevant.



(wlc01) >
(wlc01) >*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP DISCOVER
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: 55 (len 6) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: 57 (len 2) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: 61 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: lease time = 7776000 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: 12 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP Forwarding DHCP packet (428 octets)                      -- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.584: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP OFFER
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: server id = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: lease time = 86266 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 58 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 59 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: netmask = 255.255.255.0
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: gateway = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 82 (len 14) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP REQUEST
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: 55 (len 6) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: 57 (len 2) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: 61 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: requested ip = 172.16.100.121
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: server id = 10.0.0.1
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: 12 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP Forwarding DHCP packet (428 octets)                      -- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.624: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.624: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP ACK
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: server id = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: lease time = 86400 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 58 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 59 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: netmask = 255.255.255.0
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: gateway = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 82 (len 14) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64

Client associates to AP3500 and obtains the intended IP.



R1#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.121      01e0.f5c6.025e.b1       Jan 02 1970 01:41 AM    Automatic




AP3500 was disconnected and therefore the client associated with AP1130, and received an IP from the intended range.



*Jan  1 01:45:50.107:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:45:50.107:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:45:50.107:   DHCPD: circuit id 00000000
*Jan  1 01:45:50.107: DHCPD: Searching for a match to '      relay-information 01040000000002060021554d6e00' in class 1130
*Jan  1 01:45:50.107: DHCPD: input pattern '      relay-information 01040000000002060021554d6e00' matches class 1130
*Jan  1 01:45:50.107: DHCPD: input matches class 1130
*Jan  1 01:45:52.107: DHCPD: Adding binding to radix tree (172.16.100.20)
*Jan  1 01:45:52.107: DHCPD: Adding binding to hash tree
*Jan  1 01:45:52.107: DHCPD: assigned IP address 172.16.100.20 to client 01e0.f5c6.025e.b1.
*Jan  1 01:46:05.503: DHCPD: Sending notification of DISCOVER:
*Jan  1 01:46:05.503:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:05.503:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:46:05.503:   DHCPD: circuit id 00000000
*Jan  1 01:46:05.503: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:46:05.503:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:05.503:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:46:05.503:   DHCPD: circuit id 00000000
*Jan  1 01:46:06.535: DHCPD: Sending notification of ASSIGNMENT:
*Jan  1 01:46:06.535:  DHCPD: address 172.16.100.20 mask 255.255.255.0
*Jan  1 01:46:06.535:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:06.535:   DHCPD: lease time remaining (secs) = 86400


R1#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.20       01e0.f5c6.025e.b1       Jan 02 1970 01:46 AM    Automatic

WLC Discovery



The following are the methods for APs to discover a WLC. OTAP existed in the past; I am not too sure it is in play anymore.

  1. option 43
  2. broadcast
  3. dns method
  4. previous config
  5. manual config of the WLC IP on the AP (when you are really desperate!!)


DHCP option 43: typically used when the AP and WLC are in different subnets.

configuration:
ip dhcp pool TST1
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.100
   option 43 hex f104.0a0a.0a01

AP output:
Mar  1 00:00:41.682: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.1 obtained through DHCP
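As an added example (not from the original post), this Python encodes and decodes the option 43 value used in the pool above and in the IOS DHCP server section: sub-option type 0xf1, a length byte, then one or more 4-byte WLC IPv4 addresses, written in the dotted hex form IOS accepts. The decoder validates the TLV so a mistyped length or truncated value is caught before it is pushed to a pool.

```python
# Added example, not from the original post: build and check the Cisco option 43
# TLV that carries WLC management IPs (type 0xf1, length 4*n, n IPv4 addresses).
import ipaddress

WLC_SUBOPTION_TYPE = 0xF1  # Cisco vendor-specific sub-option for controller addresses


def encode_option43(controllers):
    """Return the IOS 'option 43 hex' string for a list of WLC IPs,
    e.g. ["10.10.10.1"] -> "f104.0a0a.0a01"."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single sub-option")
    raw = bytes([WLC_SUBOPTION_TYPE, len(payload)]) + payload
    hexstr = raw.hex()
    # IOS takes the value as dotted groups of four hex digits
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(hexstr):
    """Parse an 'option 43 hex' value back into the list of WLC IPs, walking
    every TLV and rejecting lengths that do not fit the data."""
    raw = bytes.fromhex(hexstr.replace(".", ""))
    controllers = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        t, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length exceeds available data")
        if t == WLC_SUBOPTION_TYPE:
            if length % 4 != 0:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            controllers.extend(str(ipaddress.IPv4Address(value[j:j + 4]))
                               for j in range(0, length, 4))
        i += 2 + length
    return controllers


if __name__ == "__main__":
    print(encode_option43(["10.10.10.1"]))   # value used in the pool on this page
    print(decode_option43("f104.0a0a.0a01"))
```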



Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)



 wmmAC status is FALSE

*Aug 15 09:38:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.2 peer_port: 5246

*Aug 15 09:38:36.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Aug 15 09:38:37.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.10.2 peer_port: 5246

*Aug 15 09:38:37.428: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 09:38:37.428: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Aug 15 09:38:37.577: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG

*Aug 15 09:38:37.684: %CAPWAP-5-CHANGED: CAPWAP changed state to UP

*Aug 15 09:38:37.736: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1

*Aug 15 09:38:37.782: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down

*Aug 15 09:38:37.784: %LWAPP-3-CLIENTEVENTLOG: SSID testv added to the slot[0]

*Aug 15 09:38:37.786: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset

*Aug 15 09:38:37.787: %LWAPP-3-CLIENTEVENTLOG: SSID testv added to the slot[1]

*Aug 15 09:38:37.797: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated

*Aug 15 09:38:37.803: %WIDS-5-ENABLED: IDS Signature is loaded and enabled

*Aug 15 09:38:37.856: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up

DNS method


  • configure an "A record" for CISCO-CAPWAP-CONTROLLER with the WLC management IP
  • the name CISCO-CAPWAP-CONTROLLER.yyyyy.com can resolve to multiple WLC IPs


Broadcast forwarding

  • UDP forwarding of the CAPWAP control packets is required
  • The SVI (AP management VLAN) needs to be configured with ip helper-address pointing at the WLC management IP.

Previous configuration

Any previous config on the AP that contains the primary, secondary and tertiary WLC IPs.
This configuration is typically done on the AP or on the WLC.

AP-1130-1#capwap ap secondary-base wlc02 100.100.100.100

(wlc01) >config ap secondary-base wlc02  AP-1130-1 192.168.10.100

Static configuration of the WLC address

capwap ap controller ip address 10.10.10.1
If the AP does not allow a static IP to be entered, clear the private-config first.




AP joining process


With the 4402 WLCs I use, the AP establishes a peer session with the AP-manager IP address during DTLS establishment. With the 5508 this is achieved via the management IP, as there is no concept of an AP-manager interface.
  • UDP 5246: CAPWAP control
  • UDP 5247: CAPWAP data

               
The AP join process involves the following steps:
  1. Discovery request
  2. Discovery response
  3. DTLS session establishment
  4. Join request
  5. Join response
  6. Configuration status request
  7. Configuration status response
  8. Run (holy grail state!!)

Typical errors encountered during the AP join process


I selected common problem items listed in the above document and created them in the home lab so I could see the actual CLI output and get a better understanding of the AP join process. I think this is the most important topic, as if the APs cannot join the WLC, we will be in big trouble in the lab and in real life.

Incorrect IP configured under option 43

The correct WLC management IP is 10.10.10.1, but 10.10.10.4 is used instead.
*Mar  1 00:00:41.662: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.4 obtained through DHCP



Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)



*Mar  1 00:01:49.668: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

*Mar  1 00:01:50.668: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated

Not in Bound state.

*Mar  1 00:02:00.188: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination



NTP out of sync between the WLC and AP


*Aug 15 09:24:25.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Aug 15 09:24:26.311: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.2

*Aug 15 09:24:26.312: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.

*Aug 15 09:24:26.312: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.

*Aug 15 09:24:26.312: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246

*Aug 15 09:24:26.313: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.

*Aug 15 09:24:26.315: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated


UDP broadcasts are blocked

AP CLI


 Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)

*Mar  1 00:00:41.654: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.10.10.4 obtained through DHCP



Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)



*Mar  1 00:01:49.661: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

*Mar  1 00:01:50.661: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated

Not in Bound state.

*Mar  1 00:02:00.187: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.

 

Aug 15 10:48:38.555:  status of voice_diag_test from WLC is false

*Aug 15 10:48:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.10.2 peer_port: 5246

*Aug 15 10:48:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to

*Aug 15 10:48:50.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.10.10.2 peer_port: 5246

*Aug 15 10:48:50.429: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 10:48:50.429: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Aug 15 10:48:55.428: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 10:48:55.430: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2

*Aug 15 10:48:55.430: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.

*Aug 15 10:48:55.430: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246

*Aug 15 10:48:55.477: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Aug 15 10:48:55.477: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Aug 15 10:48:55.530: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Aug 15 10:48:55.531: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

*Aug 15 10:48:55.532: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up





WLC AP auth policy does not include the MIC

 WLC CLI

*spamReceiveTask: Aug 15 10:50:56.974: 00:21:55:4d:6e:00 DTLS Session established server (10.10.10.2:5246), client (172.16.100.13:28253)

*spamReceiveTask: Aug 15 10:50:56.974: 00:21:55:4d:6e:00 Starting wait join timer for AP: 172.16.100.13:28253



*spamReceiveTask: Aug 15 10:50:56.978: 00:21:55:4d:6e:00 Join Request from 172.16.100.13:28253



*spamReceiveTask: Aug 15 10:50:56.980: 00:21:55:4d:6e:00 MIC AP is not allowed to join by config



*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Join Request from 172.16.100.13:28253



*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Join request received from AP which is already present. Deleting previous connection

172.16.100.13:28253



*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Finding DTLS connection to delete for AP (172:16:100:13/28253)

*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 Disconnecting DTLS Capwap-Ctrl session 0x136b84e8 for AP (172:16:100:13/28253)



*spamReceiveTask: Aug 15 10:51:01.976: 00:21:55:4d:6e:00 CAPWAP State: Dtls tear down



*spamReceiveTask: Aug 15 10:51:01.978: 00:21:55:4d:6e:00 DTLS connection not found. Ignoring join request from 172.16.100.13:28253



*spamReceiveTask: Aug 15 10:51:01.978: 00:21:55:4d:6e:00 DTLS connection closed event receivedserver (10:10:10:2/5246) client (172:16:100:13/2825



AP CLI



*Aug 15 10:52:25.426: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 10:52:25.426: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Aug 15 10:52:30.425: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 10:52:30.427: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2

*Aug 15 10:52:30.427: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.



*Aug 15 10:52:30.427: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246


Mismatched regulatory domains

AP CLI

*Aug 15 11:20:58.257: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Aug 15 11:20:58.257: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Aug 15 11:20:58.311: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Aug 15 11:20:58.311: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

*Aug 15 11:20:58.342:  status of voice_diag_test from WLC is false



 WLC GUI



AP on the 802.11a radio with Base Radio MAC 00:21:55:4d:6e:00 (AP001d.e556.e5b0) is unable to associate. The regulatory domain configured on it '-A' does not match the controller's regulatory domain: -N




WLC CLI

debug capwap error enable

*spamReceiveTask: Aug 15 11:34:26.635: 00:21:55:4d:6e:00 AP 00:21:55:4d:6e:00: Country code is not configured(AU ).

*spamReceiveTask: Aug 15 11:34:26.635: 00:21:55:4d:6e:00 Regulatory Domain Mismatch: AP 00:21:55:4d:6e:00 not allowed to join. Regulatory Domain check failed.

AP not listed in the authorisation list

config auth-list ap-policy mic enable

on the AP

Aug 15 18:54:41.430: %CAPWAP-5-SENDJOIN: sending Join Request to 10.10.10.2

*Aug 15 18:54:41.431: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Aug 15 18:54:41.434: %DTLS-5-ALERT: Received WARNING : Close notify alert from 10.10.10.2

*Aug 15 18:54:41.434: %DTLS-5-PEER_DISCONNECT: Peer 10.10.10.2 has closed connection.

*Aug 15 18:54:41.434: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.10.2:5246

*Aug 15 18:54:41.483: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY

*Aug 15 18:54:41.483: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY



WLC CLI

The CAPWAP debug did not throw up any clue as to the possible culprit.

(wlc01) >*spamReceiveTask: Aug 15 18:56:49.367: 00:1e:be:22:16:c2 DTLS Session established server (10.10.10.2:5246), client (172.16.100.4:28252)

*spamReceiveTask: Aug 15 18:56:49.367: 00:1e:be:22:16:c2 Starting wait join timer for AP: 172.16.100.4:28252



*spamReceiveTask: Aug 15 18:56:49.372: 00:21:55:4d:6e:00 Join Request from 172.16.100.4:28252



*spamReceiveTask: Aug 15 18:56:49.372: 00:21:55:4d:6e:00 In AAA state 'Idle' for AP 00:21:55:4d:6e:00

*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 Finding DTLS connection to delete for AP (172:16:100:4/28252)

*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 Disconnecting DTLS Capwap-Ctrl session 0x136bb4f0 for AP (172:16:100:4/28252)



*spamReceiveTask: Aug 15 18:56:49.373: 00:21:55:4d:6e:00 CAPWAP State: Dtls tear down



*spamReceiveTask: Aug 15 18:56:49.375: 00:21:55:4d:6e:00 DTLS connection closed event receivedserver (10:10:10:2/5246) client (172:16:100:4/28252)





On the WLC GUI

The syslog entry on the GUI was spot on.



Thu Aug 15 18:52:03 2013
Failed to authorize AP Name AP001d.e556.e5b0 with Base Radio MAC 00:21:55:4d:6e:00. Authorization entry does not exist in AAA server.
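As an added example (not from the original post), the following Python turns the join-failure captures above into a small log triage: each signature is the exact AP or WLC message shown on this page, mapped to the cause it was produced under and the check the page applied. The sample lines are constructed from those captures; the generic close-notify case reflects the observation above that the AP side alone does not reveal why the WLC rejected the join.

```python
# Added example, not from the original post: classify AP/WLC log lines into the
# join-failure causes worked through on this page. Sample lines are constructed
# from the captures shown above.
import re

# (regex, side the message appears on, cause, what the page checked)
SIGNATURES = [
    (r"CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP", "AP",
     "WLC not reachable at the discovered address",
     "verify the IP under option 43 and that UDP/CAPWAP traffic to the WLC is not blocked"),
    (r"DTLS-5-ALERT: Received FATAL : Certificate unknown alert|CAPWAP-3-ERRORLOG: Bad certificate alert",
     "AP", "DTLS certificate rejected",
     "check NTP/time sync between the WLC and the AP"),
    (r"MIC AP is not allowed to join by config", "WLC",
     "AP auth policy does not include the MIC",
     "review the WLC AP authentication policy"),
    (r"Regulatory Domain Mismatch|Country code is not configured", "WLC",
     "regulatory domain / country code mismatch",
     "align the country code on the WLC with the AP's regulatory domain"),
    (r"Failed to authorize AP Name .* Authorization entry does not exist in AAA server", "WLC",
     "AP not in the authorization list",
     "add the AP to the auth list (config auth-list ap-policy mic enable is in effect)"),
]
COMPILED = [(re.compile(p), side, cause, check) for p, side, cause, check in SIGNATURES]

# Seen on the AP for several WLC-side rejections; on its own it names no cause
AP_GENERIC_REJECT = re.compile(r"DTLS-5-ALERT: Received WARNING : Close notify alert")


def triage(lines):
    """Return distinct (side, cause, check) tuples for the failures seen in the lines.
    If only the generic close-notify is present, point at the WLC-side debug."""
    found, saw_generic = [], False
    for line in lines:
        for rx, side, cause, check in COMPILED:
            if rx.search(line) and (side, cause, check) not in found:
                found.append((side, cause, check))
        if AP_GENERIC_REJECT.search(line):
            saw_generic = True
    if saw_generic and not any(side == "WLC" for side, _, _ in found):
        found.append(("AP", "join rejected by the WLC (cause not visible on the AP)",
                      "run 'debug capwap error enable' on the WLC and check its syslog"))
    return found


# Constructed from the captures on this page
SAMPLE_LINES = [
    "*Mar  1 00:01:49.668: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.",
    "*Aug 15 09:24:26.311: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.10.10.2",
    "*spamReceiveTask: Aug 15 11:34:26.635: 00:21:55:4d:6e:00 Regulatory Domain Mismatch: AP 00:21:55:4d:6e:00 not allowed to join. Regulatory Domain check failed.",
    "Failed to authorize AP Name AP001d.e556.e5b0 with Base Radio MAC 00:21:55:4d:6e:00. Authorization entry does not exist in AAA server.",
]

if __name__ == "__main__":
    for side, cause, check in triage(SAMPLE_LINES):
        print(f"[{side}] {cause}: {check}")
```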