troubleshooting wireless lans with centralized controllers · wireless sniff - some tips •...
TRANSCRIPT
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting Wireless LANs
with Centralized Controllers Javier Contreras Albesa
WNBU Escalation
BRKEWN-3011
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting Wireless LANs
• Troubleshooting 101
• Basic Concepts
• Getting it Right
• AP Troubleshooting
• Mobility
• IPv6
• Client Troubleshooting
3
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 101
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 101
• Problem definition
• Questions, questions, questions…
• Procedural
• Understanding the expected outcome, problem, question, and answer
• Tools
5
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Problem Definition
• Clear understanding of the problem means easier life
for the TAC engineer and you
• Examples:
‒ Good:
Client with an X card running Y driver version
has issues authenticating to a WLAN on
WLC version Z with WPA2-AES using PEAP/MS-CHAPv2
due to no EAP-Identity-Request from AP
‒ Bad:
client can’t connect to network
• Easy things can be seen as “isolated problems”.
• Complex deployment may need a
full view of the network/deployment.
6
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Defining Problem
Problem definition
Questions
Tests
Analysis
Solution(s)
7
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Questions
• The art of making questions
• Open vs. Closed
• May seem to state the obvious, but defining boundaries is critical
? ?
8
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Understanding
• The whys are very important
• What is expected:
positive tree vs. negative tree can show where the problem is
• Debugs + Captures of working scenarios
• How protocols work, how it was implemented
9
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Tools
What Is Needed:
• L1: Spectrum Expert
• L2/L3: Wireless sniffer trace:
‒ e.g.: Omnipeek, AirPcap (multichannel), Cisco AP, Wireshark, etc.
• Configuration analysis: WLC Config Analyzer (WLCCA)
• Grep/editor tools
• Custom made
• Proper Debugging
10
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Basic Concepts
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Key Concepts to proper Troubleshooting
• 802.11/802.1X/WPA
• Cisco Unified Architecture/CAPWAP
• Cisco Unified client mobility
• Radio Resource Management (RRM)
• Traffic forwarding
• Client states
12
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Steps to Building an 802.11 Connection
1. Listen for Beacons
2. Probe Request
3. Probe Response
4. Authentication Request
5. Authentication Response
6. Association Request
7. Association Response
(Optional: EAPOL Authentication)
8. (Optional: Encrypt Data)
9. Move User Data
State 1: Unauthenticated,
Unassociated
State 2: Authenticated, Unassociated
State 3: Authenticated,
Associated
802.11
AP
WLC
14
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
802.1X Authentication
Server
EAP-ID-Request
Rest of the EAP Conversation
Radius-Access-Accept
(Key) EAP-Success
EAPOL-START
EAP-ID-Response RADIUS (EAP-ID_Response)
Supplicant Authenticator
Session Key
15
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Cisco Centralized WLAN Model
Ingress/Egress Point from/to Upstream
Switched/Routed Wired Network (802.1Q Trunk)
Control Messages Data Encapsulation
Access Points Are Lightweight Controlled by a Centralized
WLAN Controller
Much of the Traditional WLAN Functionality Moved from
Access Points to Centralized WLAN Controller
CAPWAP Defines Control Messaging and Data Encapsulation Between Access
Points and Centralized WLAN Controller
Lightweight Access Point
Wireless LAN Controller
CAPWAP Tunnel
Switched/Routed Wired Network
16
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Layer 3 CAPWAP Architecture
Ingress/Egress Point from/to Upstream
Switched/Routed Wired Network (802.1Q Trunk)
Data Encapsulation—UDP 5246 Control Messages—UDP 5247
Lightweight Access Point
Wireless LAN Controller
CAPWAP Tunnel
Layer 2/3 Wired Network— Single or Multiple Broadcast Domains
• Access points require IPv4 addressing
• APs can communicate with WLC across routed boundaries
17
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
0 1
Service
Port
AP Client
WLC Architecture (5500)
Simplified View—AP Traffic
Slow Path Fast Path
Network
Multicore CPU (Control)
6 7
PCIe Switch
Multicore CPU (Data)
I/O Subsystem
18
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
PEM - Client Forwarding
Name Description
RUN Normal Client Traffic Forwarding
DHCP_REQ IP Learning State. One Packet from this Client Is Sent
to CPU in Order to Learn the IP Address Used
WEBAUTH_REQ Web Authentication Pending
8021X_REQ 802.1x Authentication Taking Place
19
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
0 1
Service
Port
AP
WLC Architecture (5500)
Client traffic, not RUN
Slow Path Fast Path
Network
Multicore CPU (Control)
6 7
PCIe Switch
Multicore CPU (Data)
I/O Subsystem
CAPWAP Control
Client Traffic
Client
20
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
0 1
Service
Port
AP
WLC Architecture (5500)
Client traffic, RUN
Slow Path Fast Path
Network
Multicore CPU (Control)
6 7
PCIe Switch
Multicore CPU (Data)
I/O Subsystem
CAPWAP Control
Client Traffic
Client
21
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Radio Resource Management Refresher
• Dynamic Channel Assignment (DCA)
‒ Selects channels for the radios to use
‒ Changes in “air quality” are monitored, AP channel assignment changed when deemed appropriate (based on DCA cost function)
• Transmit Power Control (TPC)
‒ Reduces radio power, to ensure power on each AP in relation to the tx-power-
thresh value. Can adjust for missing radio, increasing power
• Coverage Hole Detection and Mitigation (CHDM)
‒ Detects coverage holes, by identifying clients from which we are receiving a
poor signal, and accordingly increases radio power, to compensate
22
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Getting It Right
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Build Out Your Infrastructure
• Use the right wired network
• RRM tuning tips
• Bonus! WLC Config Analyzer
• Best practices
24
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Wired Network Requirements
AP to WLC (CAPWAP Path)
• Network RTT:
‒ Data: <= 300 msec
‒ Voice: <= 100 msec
• Bandwidth >= 128 kbps per AP
• APs can be NATed, as well as 5500/WiSM2 WLCs
• Trust/set QoS marking as needed for voice - TCLAS available in 5.1+
CAPWAP
AP WLC
25
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
LAG Can’t Reassemble Fragments
from Multiple Ports
• src-dst-ip is recommended
5508
Up to 8x 1G
Link
Aggregation
Bundle
WiSM-2
1x 10G (pre-7.2)
2x 10G (7.2+)
Link Aggregation
Bundle
26
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Radio Resource Management – auto RF
• The Power Threshold is the master fader for radio power
config advanced 802.11[a|b] tx-power-control-thresh
• Configurable between –80 to –50 dBm
Thresh
–68
Thresh
–73
Default:
-70 dBm
Use lower
values for high
density
deployments
27
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Radio Resource Management - Detune CHD
• Detune coverage hole detection if too many APs are at
power one in a dense environment (sticky client problem)
‒ Shrink coverage threshold (e.g. to 6 dB)
‒ Boost min clients (e.g. to 5)
• See “Radio Resource Management under Unified Wireless
Networks”, Document ID 71113, cisco.com I Can’t Hear this Client too Well— Better Boost My
Power!
28
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLC Config Analyzer
• Windows GUI program, analyzes the output of show run-config
‒ Get over telnet/ssh
‒ Try to hit return right away when prompted
‒ Recommended to use “config paging disable”
• Provides warnings about the configuration
• Displays key aspects of the configuration, and of AP RF info
• WLCCA Homepage at Cisco Support Forums:
https://supportforums.cisco.com/docs/DOC-1373
29
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLC Config Analyzer - Warnings
30
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
RF Analysis
• Nearby data
31
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
RF Analysis
• RF groups—non voice
32
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
RF Analysis
• RF Problem finder – RF Index
33
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices - RF
• Site survey, in case of doubts, site survey, after installation, site survey
…
• Site survey must be meaningful
‒ Same device types
‒ Same coverage band
‒ Same intended service
• Reduce unneeded WLANs
• Fine tune AutoRF
• Avoid aggressive load balancing, unless high-density and never use with
voice
• Band Select not to be used for voice deployments
‒ See also: https://supportforums.cisco.com/docs/DOC-20630
34
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices - Network
• Do not use STP on controllers (old)
• Filter VLANs toward WLC that are not in use
• LAG config on switch side must be consistent
• If no LAG, one AP manager per physical port
• Use multicast mode
‒ Check multicast routing!
‒ Avoid using application multicast address
35
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices—Network
• For fastest failover, AP ports should be configured for:
‒ Local mode:
spanningtree portfast and switchport mode access
- H-REAP / FlexConnect mode:
spanningtree portfast and switchport mode access
spanningtree portfast trunk and switchport mode trunk (VLAN support)
36
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices - Mobility
• Do not create unnecessary big mobility groups
• Same virtual gateway address across all members
• VG address should not be routable
‒ address 1.1.1.1 has been allocated, use 192.0.2.1 instead (RFC 5737)
• Same CAPWAP mode, symmetric setting, group name
• Use symmetric mobility (only option as of 5.2)
• Use multicast mobility group
• Same Bridge Group Name (BGN) on Mesh tree
37
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices - Security
• Increase RADIUS timeout (e.g. 5 seconds)
• Change SNMPv3 users
• Avoid proxy for WebAuth if possible, or use WebAuth Proxy (as of
7.0.116.0)
• Increase EAP identity timeout, not EAP retries!
• Increase AP authentication threshold
• NTP: must have for context-aware/location, MFP
‒ And debugging!
NTP is the easiest way to automatically synchronize debugs on multiple
controllers, sniffer captures, etc.
38
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Best Practices - Administration
• Back up before upgrade
• Downgrade is not supported (no longer true since XML configuration in
4.2+, however, practice caution anyway)
• Always set controller name on AP for join process
‒ At least primary, preferably secondary and tertiary as well.
No reason to have to hunt for the AP across your network when you need to
check something
• Enable and set syslog server on APs
• Enable telnet/SSH and set up local credentials on AP
• Make sure AP name is representative of location
39
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
AP Troubleshooting
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
AP Troubleshooting
• CAPWAP state machine
• Typical problems
‒ Address assignment
‒ Discovery/Join
‒ Time set at WLC
‒ SSC issues
‒ Regulatory domain issues
41
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
AP Join Troubleshooting
• First, the AP must hunt for the IP addresses of possible WLCs to join
• Next, the AP sends discover messages to all the WLCs, to find out which
ones are alive
• Then the AP picks the best WLC and tries to join it
• For details, see the “Controlling Lightweight Access Points” section of the
WLC configuration guide.
42
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
CAPWAP State Machine
START
IDLE DISCOVERY
DTLS Init
DTLS Connect
Authorize Tear Down
DEAD
JOIN
Configure
Image Data
Validation
RUN
Reset
Sulking
43
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
L3 WLC Address Hunting
1. Discovery broadcast on local subnet
‒ Can use ip helper-address, ip forward-protocol
2. Locally-stored controller IP addresses
3. DHCP vendor specific option 43
IP address should be management interface IP
e.g.: option 43 hex f108.c0a8.0001.c0a8.0004
4. DNS resolution of:
‒ “CISCO-CAPWAP-CONTROLLER.localdomain”
‒ “CISCO-LWAPP-CONTROLLER.localdomain”
should resolve to the management interface IP
5. If no controller found, start over
Note: The Actual Order of This Process Is Irrelevant Because Each AP Goes Through All Steps Before Proceeding to the Next Phase. Some Steps May Never Happen
AP Goes Through the Following Steps to Compile a Single List of WLAN Controllers
44
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
L3 WLC Discovery
X
AP Tries to Send Discover Messages to All the WLC Addresses
that Its Hunting Process Turned Up
Discover
45
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
L3 WLC Controller - Discovery Algorithm
• Once a list of WLAN controllers is compiled, the AP sends
a unicast CAPWAP discovery request message
to each of the controllers in the list
• WLAN controllers receiving the CAPWAP discovery messages
respond with an CAPWAP discovery response
• CAPWAP discovery response contains
important information:
‒ Controller name, controller type, AP capacity, current AP load,
master controller status, AP-manager IP address(es)
• AP waits for its discovery interval to expire, then selects a controller
and sends an CAPWAP join request
to that controller 46
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLAN Controller Selection Algorithm
1. If the AP has been configured with primary, secondary, and/or
tertiary controller, the AP will attempt to join these first (this is
resolved
in the controller system name field in the CAPWAP discovery
response)
2. Attempt to join a WLAN controller configured
as a master controller
3. Attempt to join the WLAN controller with the greatest excess AP
capacity
The AP Selects the Controller to Join Using the Following Criteria
Note: This Last Step Provides the Whole System with Automatic AP/WLC Load-Balancing Functionality
47
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLAN Controller Join Process
Mutual Authentication • AP CAPWAP Join request contains the AP’s signed X.509 certificate
• WLAN controller validates the certificate before sending an CAPWAP
join response
‒ Manufacture Installed Certificate (MIC) all Cisco Aironet APs manufactured
after July 18, 2005
‒ Self-Signed Certificate (SSC) - Lightweight upgraded Cisco Aironet APs
manufactured prior to July 18, 2005
‒ SSC APs must be authorized on the WLAN controller
Join Request
AP WLC
AP
Certificate
48
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLAN Controller Join Process
Mutual Authentication • If AP is validated, the WLAN controller sends the CAPWAP join
response which contains the controller’s signed X.509 certificate
• If the AP validates the WLAN controller, it will download firmware
(if necessary) and then request its configuration from the
WLAN controller
Join Response
AP WLC
WLC
Certificate
49
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting Lightweight APs
• Can the AP and the WLC communicate?
• Make sure the AP is getting an address from DHCP (check the DHCP
server leases for the AP’s MAC address)
• If the AP’s address is statically set, ensure it is correctly configured
• Try pinging the AP from the controller (not for mesh until 7.4!)
• If pings are successful, ensure the AP has at least one method by which
to discovery at least a single WLC
• Console or telnet/ssh into the controller to run debugs
Check the Basics First
50
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Set the WLC’s Time
• Make sure each controller has the correct time set
• Check the WLC’s time:
‒(WLC_CLI) >show time
• Manually set the time:
‒(WLC_CLI) >config time manual <MM/DD/YY> <HH:MM:SS>
• Or, use NTP:
‒(WLC_CLI) >config time ntp server <Index> <IP Address>
‒(WLC_CLI) >config time ntp interval <3600 - 604800 sec>
The Number One Reason APs Fail to Join Is Inaccurate Controller Time
Note: NTP Is not a Quick Fix Because It Is only Invoked at Controller Boot and at the NTP Interval 51
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Does Regulatory Domain Matter? Yes!
(WLC_CLI) >debug mac addr 00:12:80:ad:7a:9c
(WLC_CLI) >debug capwap events enable
[TIME]: * spamVerifyRegDomain:6202 AP 00:12:80:ad:7a:9c 80211bg Regulatory Domain (-A) does not match with country (BE) reg. domain -BE for slot 0
[TIME]: DEBU CTRLR spamVerifyRegDomain:6167 spamVerifyRegDomain RegDomain set for slot 1 code 0 regstring -A regDfromCb -E
[TIME]: * spamVerifyRegDomain:6202 AP 00:12:80:ad:7a:9c 80211a Regulatory Domain (-A) does not match with country (BE) reg. domain -BE for slot 1
[TIME]: DEBU CTRLR spamVerifyRegDomain:6210 spamVerifyRegDomain AP RegDomain check for the country BE failed
[TIME]: * spamProcessConfigRequest:1730 AP 00:12:80:ad:7a:9c: Regulatory Domain check Completely FAILED. The AP will not be allowed to join.
The fix? Make sure you match your APs’ regulatory domain with your WLCs.
Make sure to understand—RRM will use the lowest common denominator for channels
How do you know how to make sure you do? Search CCO for Wireless LAN Compliance Status
52
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
When Does AP Fail Over?
What Happens Then?
• APs will failover to other WLCs if the control plane is interrupted after
either:
‒ A missed heartbeat to WLC
30 seconds interval or configurable Fast Heartbeat
Fast Heartbeat can be configured differently for Local mode and H-REAP APs
‒ A non-ACKd control packet
‒ Then:
The AP will send five successive heartbeats (each a second apart)
‒ If no reply is received, the AP/WLC path is assumed down
and the AP will attempt to join another controller
• Likely causes:
‒ Wired network transmission problem
‒ AP/WLC bug (key rotation problem, buffer leak)
53
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Get Your APs to Join
• So, make sure ALL WLCs in the cluster will properly allow all APs to join
‒ Make sure all WLCs run the same software version
‒ Make sure all WLCs are set to the correct time
‒ Make sure all WLCs have all upgraded APs’ SSC hashes
‒ Check for potential MTU Issues
• See cisco.com document ID: 99948,
“Troubleshoot a Lightweight Access Point Not Joining a Wireless LAN
Controller”
54
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
CAPWAP Troubleshooting
• WLC side debug commands:
(Cisco Controller) >debug capwap ?
events Configures debug of CAPWAP events and state
errors Configures debug of CAPWAP errors
detail Configures debug of CAPWAP detail
info Configures debug of CAPWAP info
packet Configures debug of CAPWAP packet
payload Configures debug of CAPWAP payloads
hexdump Configures debug of CAPWAP payloads
55
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
CAPWAP Join
(Cisco Controller) >debug capwap events enable *Jan 09 05:02:07.952: 00:17:df:a8:bf:00 Discovery Request from 192.168.100.103:41824
*Jan 09 05:02:07.952: 00:17:df:a8:bf:00 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6, joined Aps =0
*Jan 09 05:02:07.952: 00:17:df:a8:bf:00 Discovery Response sent to 192.168.100.103:41824
*Jan 09 05:02:18.949: DTLS connection not found, creating new connection for 192:168:100:103 (41824) 192:168:100:4 (5246)
*Jan 09 05:02:19.881: DTLS connection established
*Jan 09 05:02:19.881: DTLS Session established server (192.168.100.4:5246), client (192.168.100.103:41824)
*Jan 09 05:02:19.881: Starting wait join timer for DTLS connection 0xc332dbc!, AP: 192.168.100.103:41824
*Jan 09 05:02:19.884: 00:17:df:a8:bf:00 Join Request from 192.168.100.103:41824
*Jan 09 05:02:19.884: DTL Adding AP 3 - 192.168.100.103
*Jan 09 05:02:19.884: Join Version: = 84057344
*Jan 09 05:02:19.885: Join resp: CAPWAP Maximum Msg element len = 91
*Jan 09 05:02:19.885: CAPWAP State: Configure
56
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
CAPWAP Failure
*Jan 09 07:44:45.781: 00:17:df:a8:bf:00 Discovery Request from 192.168.100.104:41825 *Jan 09 07:44:45.781: 00:17:df:a8:bf:00 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 6, joined Aps =0 *Jan 09 07:44:45.781: 00:17:df:a8:bf:00 Discovery Response sent to 192.168.100.104:41825 *Jan 09 07:44:55.779: DTLS connection not found, creating new connection for 192:168:100:104 (41825) 192:168:100:4 (5246) *Jan 09 07:44:56.710: DTLS connection established *Jan 09 07:44:56.710: DTLS Session established server (192.168.100.4:5246), client (192.168.100.104:41825) *Jan 09 07:44:56.710: Starting wait join timer for DTLS connection 0xc332dbc!, AP: 192.168.100.104:41825 *Jan 09 07:44:56.713: 00:17:df:a8:bf:00 Join Request from 192.168.100.104:41825 *Jan 09 07:44:56.714: 00:17:df:a8:bf:00 In AAA state 'Idle' for AP 00:17:df:a8:bf:00 *Jan 09 07:44:56.714: 00:17:df:a8:bf:00 State machine handler: Failed to process msg type = 3 state = 0 from 192.168.100.104:41825 *Jan 09 07:44:56.714: Failed to process CAPWAP packet from 192.168.100.104:41825 *Jan 09 07:44:56.714: Failed to process packet from 192.168.100.104:41825 *Jan 09 07:44:56.715: Disconnecting DTLS session 0xc332dbc for AP 00:17:df:a8:bf:00 (192:168:100:104/41825) *Jan 09 07:44:56.715: CAPWAP State: Dtls tear down
57
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility—Intra-Controller
• Client roams between two APs on the same controller
59
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility—Inter-Controller (Layer 2)
• Client roams between two APs that are connected to two different
controllers
• Client connects to a WLAN on a controller that has a different controller as
a WLAN anchor Layer 2 roaming:
‒ New WLC has an interface configured on the same network as WLC the client
is coming from
‒ Client session information completely transferred from old WLC to new WLC,
and client entry is deleted from old WLC
60
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility—Inter-Controller (Layer 2)
61
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility - Supported Scenarios
• Clients can roam between two APs that are configured as one of the
following modes:
‒ Local
‒ H-REAP / FlexConnect
Locally-switched WLAN
Centrally-switched WLAN
APs part of the same H-REAP group joined to the same WLC for OKC /
CCKM
• Roaming is not supported between Local and H-REAP mode
APs.
• Mobility is based on VLAN ID as of version 7.2:
‒ VLAN tagging is required for roaming to work!
63
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Mobility - Messaging Flow
• When a client connects to a WLC for the first time,
the following happens:
‒ New WLC sends MOBILE_ANNOUNCE to all controllers in the mobility group
when client connects (note: if possible, configure multicast mobility to lower CPU
load and handoff times)
‒ Old WLC sends HANDOFF_REQUEST, telling the new WLC
I have an entry for this client, here is the client status
‒ New WLC sends HANDOFF_REPLY, telling the old WLC OK
64
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 support on WLC
• Dual Stack and IPv6 only clients support
• Global Multicast Mode not required for IPv6 unicast support
• IPv6 addresses learning and tracking
‒ NDP/DHCPv6
• IPv6 features:
‒ Mobility
‒ Security
‒ Quality of Service (QoS)
‒ Multicast
‒ Guest Access
• Network Efficiency
‒ IPv6 control traffic multicast->unicast over the air
What’s new in release 7.2?
66
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 support on WLC
• No new configuration required
• Based on VLAN info (not on IPv4 subnet or IPv6 prefix)
‒ VLAN tagging required!
• L3 Roaming
‒ RA tunneled to Foreign WLC
‒ RA converted to unicast at the AP
Mobility features overview
CAPWAP Tunnel
CAPWAP Tunnel
Mobility Tunnel
RA
RA
67
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 support on WLC
• RA Filtering
‒ Dropping Router Announcements coming from wireless clients
‒ Enabled by default
• DHCPv6 Server Guard
‒ Dropping any DHCPv6 advertisement coming from Wireless clients
‒ No config required; enabled by default
• IPv6 Source Guard
‒ Client can not send traffic unless the IPv6 address is learned with
NDP or DHCPv6 packets."
‒ Static IPv6 clients also sends NDP (NS,NA) packets before using
that IPv6 address for data traffic.
• IPv6 Access Control Lists
‒ Up to 64 unique IPv6 ACLs and 64 IPv4 ACLs
Security features overview
Don’t miss
BRKSEC-2003
and BKRSEC-
3003 for
additional IPv6
Security info!
68
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 support on WLC
• QoS
‒ IPv6 Traffic Class value mapped to IPv4 DSCP on CAPWAP IP Header
‒ Enabled by default
• Multicast
‒ MLD snooping (MLDv1)
‒ QUERY and REPORT packets from EUI-64 format IPv6 address for dynamic
interface
• Guest Access
‒ Redirecting IPv6 clients to IPv6-translated virtual interface address:
e.g.: IPv4 address 192.0.2.1 would translate into IPv6 [::ffff:192.0.2.1]
• Network Efficiency
‒ Neighbor Discovery Caching
‒ Router Advertisement Throttling
Other features overview
69
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 address learning
• Debug client
‒ Same command as in previous releases, now adds IPv6 client info:
*IPv6_Msg_Task: Dec 30 10:29:14.952: 68:7f:74:b9:12:f5 Pushing IPv6: fe80:0000:0000:0000: 948c:912b:3f93:d4d8 , and MAC:
68:7F:74:B9:12:F5 , Binding to Data Plane. SUCCESS !!
*DHCP Socket Task: Dec 30 10:29:15.276: 68:7f:74:b9:12:f5 192.168.72.165 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255,
IPv6 ACL ID 255)
*DHCP Socket Task: Dec 30 10:29:15.276: 68:7f:74:b9:12:f5 Assigning Address 192.168.72.165 to mobile
*IPv6_Msg_Task: Dec 30 10:29:15.458: 68:7f:74:b9:12:f5 Pushing IPv6: 2001:0db8:0000:0000: 948c:912b:3f93:d4d8 , and MAC:
68:7F:74:B9:12:F5 , Binding to Data Plane. SUCCESS !!
*IPv6_Msg_Task: Dec 30 10:29:25.687: 68:7f:74:b9:12:f5 Pushing IPv6: 2001:0db8:0000:0000: 744a:09c9:6e58:b3c9 , and MAC:
68:7F:74:B9:12:F5 , Binding to Data Plane. SUCCESS !!
70
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 Client details
• Show client detail (Cisco Controller) >show client detail 68:7f:74:b9:12:f5
Client MAC Address............................... 68:7f:74:b9:12:f5
~
IP Address....................................... 192.168.72.165
IPv6 Address..................................... fe80::948c:912b:3f93:d4d8
IPv6 Address..................................... 2001:db8::948c:912b:3f93:d4d8
IPv6 Address..................................... 2001:db8::744a:9c9:6e58:b3c9
Association Id................................... 1
~
Policy Manager State............................. RUN
~
IPv4 ACL Name.................................... none
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Dual Stack
Up to 16 IPv6
addresses per client
71
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IPv6 Client details
• Show client detail (Cisco Controller) >show client detail 68:7f:74:b9:12:f5
Client MAC Address............................... 68:7f:74:b9:12:f5
~
IP Address....................................... Unknown
IPv6 Address..................................... fe80::948c:912b:3f93:d4d8
IPv6 Address..................................... 2001:db8::948c:912b:3f93:d4d8
IPv6 Address..................................... 2001:db8::744a:9c9:6e58:b3c9
Association Id................................... 1
~
Policy Manager State............................. RUN
~
IPv4 ACL Name.................................... none
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
IPv6 only
72
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public 73
IPv6 Client details
GUI Example
73
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
RA Filtering
• WLC: show network summary (Cisco Controller)>show network summary
...
IP/MAC Addr Binding Check .................. Enabled
IPv6 RA Filtering .......................... Enabled
• AP: show capwap client rcb AdminState : ADMIN_ENABLED
~
ApMode : Local
ApSubMode : Not Configured
OperationState : DISCOVERY
CAPWAP Path MTU : 576
~
RA Filtering Status : Enabled
Configuration and client statistics
WLC: Show client detail (Cisco Controller) >show client detail 68:7f:74:b9:12:f5
Client MAC Address............................... 68:7f:74:b9:12:f5
~
Client Statistics:
Number of Bytes Received................... 11700
Number of Bytes Sent....................... 1398
Number of Packets Received................. 109
Number of Packets Sent..................... 9
~
Number of Duplicate Received Packets....... 2
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 6
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -56 dBm
Signal to Noise Ratio...................... 37 dB
74
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Source Guard
• Configuration
(Cisco Controller) >config network ip-mac-binding [enable|disable]
• Show status
(Cisco Controller) >show network summary
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Fast SSID Change ........................... Disabled
IP/MAC Addr Binding Check .................. Enabled
IPv6 RA Filtering .......................... Disabled
Configuration and show status
75
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting Clients
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting Clients
• Connectivity issues
‒ Can not connect to network
• Intermittent issues
‒ Low performance
‒ Packet loss
‒ Client card problems
77
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Anatomy of a Ping
• What it takes for your wireless client to ping (assuming EAP and DHCP)
‒ 1. Client probes for the SSID
‒ 2. Client authenticates/associates in 802.11 to an AP
‒ 3. EAP takes place
‒ 3.1 EAP dialog between client and Authenticator (WLC)
‒ 3.2 Authentication Server (RADIUS) dialog to end-user DB
‒ 4. DHCP address negotiation
‒ 5. Client reaches RUN state
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS
su
pp
.
driv
er
rad
io
Chan. 1
su
pp
.
driv
er
rad
io
802.11 Management
802.11 Management
EAP
IP
78
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Connectivity Issues
• Typical problem: client(s) can not connect to the network
• Where to look (assuming basic steps were already taken):
policy manager state and status
CLI: show client detail <MAC>
79
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Dissecting Connectivity Problems
Remember to Reduce Scope
• Probing client/WLAN configuration, IE not understood
• 8021X_REQD something went wrong on authentication
• DHCP_REQD address negotiation (DHCP / ARP)
• WebAuth_REQD waiting for webauth to happen
80
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy of a Ping
• What If we do not reduce scope of the problem?
• Full picture of what would be needed to find out what went wrong
Driver Debugs/ Adapter Capture
Wireless Sniff
AP Debugs
Wired Sniff
WLC Debugs
Wired Sniff
ACS/ISE
Logs
DHCP Logs
Spectrum Analysis
NTP
Wireless
Sniff
Supplicant Logs
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS
su
pp
.
driv
er
rad
io
Chan. 1
su
pp
.
driv
er
rad
io
802.11 Management
802.11 Management
EAP
IP
81
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy Tools - Supplicant
• Supplicant logs are needed to figure out what the client EAP supplicant is thinking. How to turn them on, and what they say, is entirely supplicant-specific
‒ WZC supplicant log:
netsh ras set tracing * enabled —logs in c:\windows\tracing
see http://www.microsoft.com/technet/network/wifi/wlansupp.mspx
‒ PROSet supplicant log: under hklm\software\intel\wireless\settings
1xconfigdbg=wwxyz; 1xDebugLevel=dword:0x18;1xLogLevel=dword:0x18
logs in c:\ (subject to change without warning)
‒ ADU: see CSCsi16921
‒ CSSC/AnyConnect: see Log Packager utility on cisco.com
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS
su
pp
.
driv
er
rad
io
Chan. 1
su
pp
.
driv
er
rad
io
802.11 Management
802.11 Management
EAP
IP
82
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy Tools - Client Driver
• Driver debugs — use only under medical supervision (probably need a special driver build)
• Client adapter capture — capture a packet trace from the wireless adapter using Wireshark/windump in non-promiscuous mode (Windows) ‒ Shows Ethernet-II packets at the NDIS layer (e.g., all IP packets sent to/
from this client)
‒ Shows EAPOL packets (usually), so very helpful for EAP/supplicant troubleshooting
‒ Does not show 802.11 management frames (no beacons, probes, authentication/association)
Driver Debugs/ Adapter Capture
IP
DHCP WLC
IP
ACS /
ISE CAPWAP E
OIP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
83
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Wireless Sniff Wireless Sniff
Autopsy Tools - Wireless Sniff
• Wireless packet capture is essential for 802.11 support
• Good options (Windows PCs):
‒ Omnipeek from Wildpackets (Linksys WUSB600N, CB21AG,..)
‒ Wireshark with CACE Technologies AirPcap adapters
USB adapters nice for multichannel sniff
‒ AirMagnet
• Cisco LAPs can also be used (sniffer mode – not serving clients)
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
84
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Wireless Sniff - Some Tips
• Separate packet capture per wireless channel of interest –scanning across multiple
channels is only useful for device discovery.
• Multi-channel capture using multiple adapters
‒ e.g.: 3x AirPcap adapters, or multiple Cisco APs listening on different channels
• Take unfiltered captures
‒ unless you know there are no RF issues (need to see beacons, ACKs)
• Cut a new file every 20–30 MB
• Do not display updated packet during capture
‒ reduce CPU load and minimize drops
• Roaming client: need multiple analyzers moving with the test client
‒ put everything on a cart and get some good exercise
• NTP sync everything
• See also: https://supportforums.cisco.com/docs/DOC-19232
85
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy Tools - Spectrum Analysis
• Use spectrum analysis to capture RF spectrum behavior—necessary
to identify/track down non-802.11 interference sources
• Cisco’s product: Spectrum Expert
(Standalone or CleanAir AP in SE-Mode)
• Must have for voice deployments
Spectrum Analysis
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
86
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
SpEx Spectrogram
Very Low Power/Activity
Microwave Oven
Active AP
Mouse Hover Reveals Channel Position, Sweep Time/Date, and Top Five
Devices Color Indicates Power, Red = –
35 dBm
High Power, Bursting over Time
87
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
SpEx Tips
• When capturing, be sure to have an 802.11 adapter installed, enabled, but
configured not to associate
to a WLAN
‒ Spectrum expert cannot identify 802.11 devices (MAC address, etc.) without an
802.11 adapter’s aid
• NTP sync your Spectrum Expert host!
• Always use external antenna
• If searching for Interferers, good idea to turn off your wireless
network
• Kill your phones! (bluetooth, wi-fi on mobile..)
88
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
CAPWAP (IOS) AP Debugs
Autopsy Tools - AP Debugs
To Collect Debugs from CAPWAP Cisco IOS APs, you can:
• Connect via AP console (use hidden debug capwap console cli then conf
t to set the console speed to 115200)
• From WLC CLI, use:
‒ debug ap enable APname
debug ap command “debug command” APname
• in 5.x can use Telnet/SSH to connect to an Lightweight Cisco APs
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
89
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
AP Debugs - Tips
• By default, radio debugs (debug dot11 dot11radiox)
appear only on the console.
To see radio debugs in your telnet/ssh/WLC CLI session, use the
command no debug dot11 dot11radiox printf
where x is 0 or 1
• Useful radio debugs: debug dot11 dot11radiox trace print
mgmt keys client beacon rcv xmt
(beacon, rcv, xmt can be extremely verbose!)
• Useful CAPWAP join debugs:
debug dhcp
debug ip udp
debug capwap client {config, error, event, detail, packet}
debug dtls client {error, event}
90
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy Tools - Wired Sniff
Wired Capture
• When capturing from trunk ports, best to capture with 802.1q tags (watch out for
packets in the wrong VLANs). You may need to touch driver config to see the
VLAN information
• Cut new file every 20/30 MB; don’t display packet updates in
real time
• NTP sync your sniffers!
WLC
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
91
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLC Debugs
Autopsy Tools – WLC Debugs
• Capture WLC debugs from a telnet/ssh or console (115200 bps) session
• Simplest debug for one client under test: debug client MACaddress
enables basic dot11, dot1x, pem and dhcp debugs
debug client MACaddress1 MACaddress2
Dual MAC Address “debug client” introduced on WLC version 7.2
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
92
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
WLC Debugs
• More general client debugging options:
debug dot11
debug dot1x
debug aaa <= use for RADIUS troubleshooting
debug pem
debug mobility handoff <= roaming
debug dhcp
• Use debug mac MACaddr to filter on a single client
• Correlate with info on logs:
show msglog
show traplog
• NTP sync your WLC!
93
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
RADIUS Logs
Autopsy Tools - RADIUS Logs
• See Monitoring and Reporting section on ACS 5.x or ISE
• If debugging is needed, enable runtime debugging on CLI:
(config-acs)# debug-log runtime level debug
• Read the runtime debug file directly on the CLI or download the support
bundle:
admin# show acs-logs filename acsRuntime.log
• NTP sync your ACS/ISE!
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
94
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
DHCP Logs
Autopsy Tools - DHCP Logs
• Cisco IOS DHCP server:
‒ debug ip dhcp server events
debug ip dhcp server packet
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Data
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
95
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Mgmt
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
Anatomy of a Ping - Probing
1. Client probes for the SSID
2. Client authenticates/associates in 802.11 to an AP
3. EAP takes place
3.1 EAP dialog between client and authenticator
3.2 Authenticator (radius) dialog to end-user DB
4. DHCP address negotiation
5. Client reaches RUN state
Probe Req
Probe Req Probe Req
Probe Resp
96
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy - Probing
• Clients broadcasts a probe for the SSID of interest
• AP hopefully unicasts back a probe response
• Probe response includes interesting facts (information elements)
about the service
97
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Problems at Probing Stage
• What if the client never sends out a probe?
‒ Is it configured for the SSID of interest?
• What if the AP doesn’t send back the probe response?
‒ Is it (WLC) configured for the SSID of interest?
‒ Do you have RF coverage from this AP? (can you see beacons from it?)
• Check the probing clients on WLC
(WLC_CLI) > show client probing
• What if the client never moves beyond probing?
‒ Does it like the IEs that the AP is sending out?
‒ Try different crypto settings;
‒ disable Aironet extensions;
‒ try different basic rates; etc.
98
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IP
DHCP WLC
IP
ACS /
ISE
CAPWAP EO
IP
802.11 Mgmt
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
Anatomy - 802.11 Auth/Assoc
1. Client probes for the SSID
2. Client authenticates/associates in 802.11 to an AP
3. EAP takes place
‒ 3.1 EAP dialog between client and authenticator
‒ 3.2 Authenticator (radius) dialog to end-user DB
4. DHCP address negotiation
5. Client reaches RUN state
Wireless Sniff WLC Debugs
(re)Association
Authentication
Authentication
(re)Association
PEM State:
ASSOCIATED
8021X_REQD
99
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Autopsy - 802.11 Auth/Assoc
• Client and AP authenticate to each other (normally just open
authentication nowadays, some devices don’t even do this)
• Client tries to associate to the AP, hopefully gets a status=0
(successful) response
• What if unsuccessful?
‒ Check status code
‒ Run debugs on WLC
100
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IP
DHCP
WLC IP
ACS /
ISE
CAPWAP EO
IP
802.11
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
Anatomy - EAP takes place
1. Client probes for the SSID
2. Client authenticates/associates in 802.11 to an AP
3. EAP takes place
3.1 EAP dialog between client and authenticator
3.2 Authenticator (radius) dialog to end-user DB
4. DHCP address negotiation
5. Client reaches RUN state
EAPOL Start
Driver Debugs/ Adapter Capture
Supplicant Logs WLC
Debugs RADIUS
Logs
EAP Request ID
EAP ID Response RADIUS Access-Request
EAP conversation
EAP SUCCESS
Pass Keys All Around the Place
RADIUS Access-Accept
PEM State:
8021X_REQD
DHCP_REQD
101
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Wireshark Capture of MS-PEAP (WPA2)
102
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Successful 802.1X Client Authentication
(WLC_CLI) >debug mac addr 00:13:ce:57:2b:84
(WLC_CLI) >debug dot1x events enable
[TIME]: * dot1x_auth_txReqId:2827 Sending EAP-Request/Identity to mobile 00:13:ce:57:2b:84 (EAP Id 1)
[TIME]: * dot1x_authsm_capture_supp:675 Received EAPOL START from mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_handle_eapsupp:1962 Received Identity Response (count=n) from mobile 00:13:ce:57:2b:84
<SNIP> Series of 802.1X EAP Requests/Responses </SNIP>
[TIME]: * dot1x_process_aaa:898 Processing Access-Challenge for mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_bauthsm_txReq:465 Sending EAP Request from AAA to mobile 00:13:ce:57:2b:84 (EAP Id 19)
[TIME]: * dot1x_handle_eapsupp:1997 Received EAP Response from mobile 00:13:ce:57:2b:84 (EAP Id 19, EAP Type 25)
[TIME]: * dot1x_process_aaa:906 Processing Access-Accept for mobile 00:13:ce:57:2b:84
[TIME]: * createNewPmkCacheEntry:691 Creating a new PMK Cache Entry for station 00:13:ce:57:2b:84 (RSN 0)
[TIME]: * dot1x_auth_txCannedSuccess:2594 Sending EAP-Success to mobile 00:13:ce:57:2b:84 (EAP Id 19)
[TIME]: * sendDefaultRc4Key:450 Sending default RC4 key to mobile 00:13:ce:57:2b:84
[TIME]: * sendKeyMappingRc4Key:325 Sending Key-Mapping RC4 key to mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_trans_authsm:2448 Received Auth Success while in Authenticating state for mobile 00:13:ce:57:2b:84
debug dot1x events
103
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Failed 802.1X Client Authentication
(WLC_CLI) >debug mac addr 00:13:ce:57:2b:84
(WLC_CLI) >debug dot1x events enable
[TIME]: * dot1x_auth_txReqId:2827 Sending EAP-Request/Identity to mobile 00:13:ce:57:2b:84 (EAP Id 1)
[TIME]: * dot1x_authsm_capture_supp:675 Received EAPOL START from mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_handle_eapsupp:1962 Received Identity Response (count=n) from mobile 00:13:ce:57:2b:84
<SNIP> Series of 802.1X EAP Requests/Responses </SNIP>
[TIME]: * dot1x_process_aaa:898 Processing Access-Challenge for mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_bauthsm_txReq:465 Sending EAP Request from AAA to mobile 00:13:ce:57:2b:84 (EAP Id 14)
[TIME]: * dot1x_handle_eapsupp:1997 Received EAP Response from mobile 00:13:ce:57:2b:84 (EAP Id 14, EAP Type 25)
[TIME]: * dot1x_process_aaa:928 Processing Access-Reject for mobile 00:13:ce:57:2b:84
[TIME]: * dot1x_auth_txCannedFail:2865 Sending EAP-Failure to mobile 00:13:ce:57:2b:84 (EAP Id 14)
debug dot1x events—Username/Password Failure
104
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Check Client Record for Details
In the WLC GUI, Go to: Wireless | Clients and Select Details for the Client of Choice
105
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Successful 802.1X Client Authentication
(WLC_CLI) >debug mac addr 00:13:ce:57:2b:84
(WLC_CLI) >debug aaa events enable
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 49) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: DEBU CTRLR processIncomingMessages:3480 ****Enter processIncomingMessages: response code=11
[TIME]: DEBU CTRLR processRadiusResponse:3053 ****Enter processRadiusResponse: response code=11
[TIME]: * processRadiusResponse:3325 Access-Challenge received from RADIUS server 10.48.76.71 for mobile 00:13:ce:57:2b:84 receiveId = 2
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 59) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: DEBU CTRLR processIncomingMessages:3480 ****Enter processIncomingMessages: response code=2
[TIME]: DEBU CTRLR processRadiusResponse:3053 ****Enter processRadiusResponse: response code=2
[TIME]: * processRadiusResponse:3325 Access-Accept received from RADIUS server 10.48.76.71 for mobile 00:13:ce:57:2b:84 receiveId = 2
* <SNIP> DEBU STA 00:13:ce:57:2b:84 </SNIP>
debug aaa events
106
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
(Cisco Controller) >debug mac addr 00:13:ce:57:2b:84
(Cisco Controller) >debug aaa events enable
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * sendRadiusMessage:2494 Successful transmission of Authentication Packet (id 66) to 10.48.76.71:1812, proxy state 00:13:ce:57:2b:84-ce:57
[TIME]: * radiusProcessQueue:2735 Max retransmission of Access-Request (id 66) to 10.48.76.71 reached for mobile 00:13:ce:57:2b:84
[TIME]: * sendAAAError:323 Returning AAA Error 'Timeout' (-5) for mobile 00:13:ce:57:2b:84
* <SNIP> DEBU STA 00:13:ce:57:2b:84 </SNIP>
Failed 802.1X Client Authentication
• AAA connectivity failure will generate an SNMP trap
debug aaa events - AAA Server Unreachable
In the WLC GUI, Go to: Management | SNMP Trap Logs
107
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Verify Complete 802.11/
802.1X Connectivity
(WLC_CLI) >debug mac addr 00:13:ce:57:2b:84
(WLC_CLI) >debug pem state enable
[TIME]: pem_api.c:1780 - State Update 00:13:ce:57:2b:84 from RUN (20) to START (0)
[TIME]: pem_api.c:1836 - State Update 00:13:ce:57:2b:84 from START (0) to AUTHCHECK (2)
[TIME]: pem_api.c:1859 - State Update 00:13:ce:57:2b:84 from AUTHCHECK (2) to 8021X_REQD (3)
[TIME]: pem_api.c:3977 - State Update 00:13:ce:57:2b:84 from 8021X_REQD (3) to L2AUTHCOMPLETE (4)
[TIME]: pem_api.c:4152 - State Update 00:13:ce:57:2b:84 from L2AUTHCOMPLETE (4) to RUN (20)
debug pem state
108
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 802.1X
• Make sure the RADIUS server is properly configured
Make Sure the Correct Shared Secret Is Input
Select the Correct RADIUS Port (Common Ports Are 1812 and 1645)
Status Must Be Enabled
Network User Auth Has to Be Enabled for This AAA Server to Be Used Globally, Otherwise, Select on WLAN
In the WLC GUI, Go to: Security | AAA | RADIUS Authentication and Then Select Edit or New
Timeout May Be too Short
109
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 802.1X
• Make sure the proper security policy is enabled
for both encryption and authentication
Step (1): Select the Desired Layer 2 Security Configuration
In the WLC GUI, Go to: WLANs | WLANs | WLANs and Then Select Edit for the WLAN of Interest
Step (2): Check Radius list per WLAN or Use Global list
110
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 802.1X – ACS 5.x
• Enabled Logging in your ACS 5.x server to identify where issues might lie
with backend authentication
111
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 802.1X – ISE 1.x
• Enabled Logging in your ISE 1.x to identify where issues might lie with
backend authentication
112
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting 802.1X – Common issues
• SSL Handshake failure (e.g. PEAP, EAP-TLS)
‒ Verify the certificate trust settings on the client side
‒ For EAP-TLS, the ACS must also trust the client certificate
• User unknown or wrong password / unsupported auth method
‒ Correct Access-Service / Identity Store?
• Unknown NAS
‒ ACS ignores RADIUS requests coming from non configured AAA clients
‒ What is the source IP address of the RADIUS traffic sent by the WLC?
‒ Static routes on WLC? Service Port
‒ per-WLAN RADIUS source support? Dynamic Interface
113
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IP
DHCP
WLC IP
ACS /
ISE
CAPWAP EO
IP
802.11
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
Anatomy - DHCP Succeeds
1. Client probes for the SSID
2. Client authenticates/associates in 802.11 to an AP
3. EAP takes place
3.1 EAP dialog between client and authenticator
3.2 authenticator (radius) dialog to end-user DB
4. DHCP address negotiation
5. Client reaches RUN state
DHCP Offer
DHCP Discover
DHCP Request
DHCP Ack
PEM State:
DHCP_REQD
RUN
114
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Client IP Provisioning via DHCP
(WLC_CLI) >debug mac addr 00:13:ce:57:2b:84
(WLC_CLI) >debug dhcp message enable
[TIME]: dhcp option: received DHCP DISCOVER msg
<SNIP> DHCP Discover message details </SNIP>
[TIME]: Forwarding DHCP packet (332 octets) from 00:13:ce:57:2b:84
-- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 20.20.20.1
[TIME]: dhcp option: received DHCP OFFER msg
[TIME]: dhcp option: server id = 20.20.20.1
[TIME]: dhcp option: netmask = 255.255.255.0
[TIME]: dhcp option: gateway = 20.20.20.1
<SNIP> DHCP Offer message details </SNIP>
[TIME]: dhcp option: received DHCP REQUEST msg
[TIME]: dhcp option: requested ip = 20.20.20.113
[TIME]: dhcp option: server id = 1.1.1.1
<SNIP> DHCP Request message details </SNIP>
[TIME]: Forwarding DHCP packet (340 octets) from 00:13:ce:57:2b:84
-- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 20.20.20.1
[TIME]: dhcp option: received DHCP ACK msg
<SNIP> DHCP Ack message details </SNIP>
debug dhcp message
115
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting DHCP
• Clients are not configured for static addressing
• DHCP scopes are properly configured (either external or internal DHCP)
• External servers: need to support DHCP proxy—if they don’t, turn on DHCP bridging: ‒(WLC_CLI) >config dhcp proxy disable
• Internal DHCP server: after properly configuring the WLC’s scopes, each interface needs to have the WLC’s management IP as its DHCP server IP address, as below:
• The internal DHCP server is suitable for very small or test deployments only, otherwise it’s recommended to use external DHCP servers.
In the WLC GUI, Go to: Controller |
Interfaces and Select Edit for the Interface
of Choice For Internal DHCP, Input the WLC’s Management IP Address Here
If Clients Aren’t Getting Addresses Properly via DHCP, Ensure:
116
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
IP
DHCP
WLC IP
ACS /
ISE
CAPWAP EO
IP
802.11
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
Anatomy—PING Succeeds!!
1. Client probes for the SSID
2. Client authenticates/associates in 802.11 to an AP
3. EAP takes place
3.1 EAP dialog between client and authenticator
‒ 3.2 authenticator (radius) dialog to end-user DB
4. DHCP address negotiation
5. Client reaches RUN state
PEM State:
RUN
117
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
• Take this …
• And move the client under test through it, in three dimensions, in real
time!
Now for the Hard Part—
Troubleshooting Roaming
IP
DHCP
WLC IP
ACS /
ISE CAPWAP E
OIP
802.11
CAPWAP
RADIUS Chan. 1
802.11 Management
802.11 Management
EAP
IP
su
pp
.
driv
er
rad
io
118
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Troubleshooting a Roaming Client in Situ Is Very Hard—You
Don’t Want to Do This
119
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
So Instead, Reduce Scope
• Does the roaming problem happen when using open auth/no crypto?
(factor out: EAP, CCKM, PMK caching, etc.)
• Does the roaming problem with intra-controller roams,
or only inter-controller?
(factor out: VLAN config problems, CAM table, L3 mobility problems,
mobility group config problems)
• Does the roaming problem occur only in specific locations?
(factor out: RF coverage issues)
• Does the problem happen when using one supplicant, but not another?
(factor out: specific supplicant issues)
120
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Do Some Clients Have Roaming Problems, and Others Not?
• Try tuning the client roaming behavior
‒ Intel: roaming aggressiveness knob
‒ 7921/5/6: lock to 802.11a if you have the coverage
‒ CB21ag: turn down Scan Valid, BSS Aging in Device Manager
(see “Optimize CB21AG/PI21AG Roaming Behavior”, Document ID 69403,
cisco.com)
• Try upgrading the client code
‒ 7921/5/6: recommended 1.4.2 (enhanced roaming algorithm w/ inter-band
roaming)
‒ Intel: drivers in latest 12.4 bundle
121
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
What if Some Clients Just Don’t Roam Right, No Matter What?
• Prove that another wireless adapter (CB21AG?) in the identical
application, works fine
• Escalate to your laptop/device vendor
• Open a case with Cisco, if TAC assistance is needed in setting up the
back end debugging
‒ At times, we can help with vendor communications (Broadcom, Intel) however,
do not rely solely on us
122
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Q&A
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Recommended Reading for BRKEWN-3011
124 124
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public
Call to Action
• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
• Get hands-on experience attending one of the Walk-in Labs
• Schedule face to face meeting with one of Cisco’s engineers
at the Meet the Engineer center
• Discuss your project’s challenges at the Technical Solutions Clinics
125
© 2013 Cisco and/or its affiliates. All rights reserved. BRKEWN-3011 Cisco Public 126