Cisco Bug: CSCur57909 - Client misses to override vlan after shifting wlan.

Last Modified

Sep 11, 2019

Products (1)

  • Cisco 5500 Series Wireless Controllers

Known Affected Releases

7.6(130.0) 8.0(120.0) 8.0(122.27)

Description (partial)

Symptom:
Step 1:
Client connects to Wlan-1/802.1x/interface:vlan2016/AAA override enabled
AP mode is local mode

show client detail xx:xx:xx:xx:xx:xx
~~
Client Username ................................. user10
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan3023 <<< the VLAN was overridden by RADIUS
VLAN............................................. 3023
Quarantine VLAN.................................. 0
Access VLAN...................................... 3023
~~

Step 2:
The same client shifts to connect to Wlan-7/PSK/interface:management/AAA override enabled

show client detail xx:xx:xx:xx:xx:xx
~~
Client Username ................................. user10
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan3023
VLAN............................................. 3023
Quarantine VLAN.................................. 0
Access VLAN...................................... 3023
~~

In debug, I found these strange messages. It looks like the WLC keeps using the client's information from Wlan-1 when it connects to another WLAN, Wlan-7.
*****
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx EAP-PARAM Debug - eap-params for Wlan-Id :7 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx Disable re-auth, use PMK lifetime. 
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx dot1x - moving mobile xx:xx:xx:xx:xx:xx into Force Auth state
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx Skipping EAP-Success to mobile xx:xx:xx:xx:xx:xx
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx Username entry (user10) already exists in name table, length = 253
*Dot1x_NW_MsgTask_0:xx:xx:xx:xx:xx:xx Username entry (user10) created in mscb for mobile, length = 253
*Dot1x_NW_MsgTask_0: xx:xx:xx:xx:xx:xx Applying cached RADIUS Override values for mobile xx:xx:xx:xx:xx:xx(caller 1x_auth_pae.c:717)
*****

Conditions:
using 7.6.130.0
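
A check that can be run over collected `show client detail` output to spot the symptom above. This is an added example, not Cisco's code: the function names are hypothetical, the WLAN's configured interface is supplied by the caller, and it assumes the PSK WLAN has no other source of a RADIUS override (such as MAC filtering).

```python
import re

# Constructed samples: trimmed from the Step 1 and Step 2 output shown above.
STEP1 = """\
Client Username ................................. user10
Authentication Key Management.................... 802.1x
Interface........................................ vlan3023 <<< overridden by RADIUS
VLAN............................................. 3023
"""
STEP2 = """\
Client Username ................................. user10
Authentication Key Management.................... PSK
EAP Type......................................... Unknown
Interface........................................ vlan3023
VLAN............................................. 3023
"""

# Matches "Field name ........ value" lines from `show client detail`.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")

def parse_client_detail(text):
    """Return {field: value} for each dotted-leader line of the output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            # Drop trailing "<<< note" annotations that some captures carry.
            value = m.group("value").split("<<<")[0].strip()
            fields[m.group("key").strip()] = value
    return fields

def stale_override(detail_text, wlan_interface):
    """Return a finding when a client that did not authenticate with 802.1x
    sits on an interface other than the one its WLAN is mapped to.
    Assumption: without 802.1x (or MAC filtering) no RADIUS reply exists
    that could legitimately have overridden the interface."""
    f = parse_client_detail(detail_text)
    akm = f.get("Authentication Key Management", "")
    iface = f.get("Interface", "")
    if akm.lower() != "802.1x" and iface and iface != wlan_interface:
        return (f"{f.get('Client Username', '?')}: AKM {akm}, on {iface} "
                f"(VLAN {f.get('VLAN', '?')}), WLAN is mapped to {wlan_interface}")
    return None

if __name__ == "__main__":
    print(stale_override(STEP1, "vlan2016"))    # 802.1x override is expected
    print(stale_override(STEP2, "management"))  # PSK client on the old VLAN
```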

Related Community Discussions

Client remains assigned to the original VLAN even after switching SSID
April 24, 2015 (first edition) TAC SR Collection
Main issue: When a wireless client switches its connection from an 802.1x-authenticated SSID to a PSK SSID, the client's VLAN remains the VLAN that was assigned on the original SSID.
When the client connects to the 802.1x-authenticated SSID, vlan A is assigned. | Show client detail XX:XX:XX:XX:XX:XX: Wireless LAN Id………………………… 1 Authentication key Management ……. 802.1x Access VLAN………………………………A
When the connection is switched to the PSK SSID, vlan B, which is tied to this SSID, is not assigned, and vlan A remains assigned. | Show client detail XX:XX:XX:XX:XX:XX Wireless LAN Id………………………… 7 Authentication key Management ……. PSK Access VLAN………………………………A ...
Latest activity: Apr 24, 2015