Unable to connect with Cisco WLC 5508

[Chellappan]

So far I have not got any issue while setup Wireless 802.1x also I am not having any issue with client authenticating by making use of user id and password. Currently I am using Wireless XP Client which is connecting with LWAP and further it connects to WLC 5508, after that connects with Cisco ACS for authentication. When I am putting user credentials with correct password, I don’t get anything and simply it is asking about to enter the password.
Can you tell me what is wrong happening into my situation?

[Haleema]

Well after learning the entire thing I wanted to tell you that you should use rule based selection and you should not use NDG rather than that of the IP address of the AAA client. Because NDG will not work at all and I think it will check for the policy. Also tell me if you had added radius server to WLC and WLAN with shared secret? Do you have added WLC to radius server?

[DamarisK]

You should simply run debug client < mac address>. It will allow you to know interaction between WLC and AAA server which you are using.

[Chellappan]

Yes I have added radius server on WLC and WLAN, including shared secret.

Code:

(Cisco Controller) >debug client 001B77859E46
(Cisco Controller) >*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Sent Deauthenticate to mobile on BSSID b4:a4:e3:1e:3a:80 slot 1(caller 1x_auth_pae.c:2901)
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Disconnected state
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Not sending EAP-Failure for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [b4:a4:e3:1e:3a:80]
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Updated location for station old AP b4:a4:e3:1e:3a:80-1, new AP b4:a4:e3:1e:3a:80-0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Initializing policy
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 0
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Received EAPOL START from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 2)
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state

[AliyaK]

Tell me if you are using WZC? If so than native windows supplicant is supposed to send username/password which is going to be used to login to password though you have not mentioned about to do so. By using IntelProset you will be able to set username which supposed to supplicant send to AAA.
Well I am wondering that the response getting from supplicant and it will start to ask the radius server. You should simply check the ACS server and let me know about the same.

[KirtiPatel]

As far as I know SecureWireless Access service is disabled. Well to fix the same you will need to create new Service Selection Rule and point the same to SecureWireless. Once done you have to use the rule based selection for the SecureWireless and select NDG or NAS IP Address from the WLC of yours. after that you should simply use the Deminternal in order to identify yours source. You should do the same appropretaly so ACS will be able to differentiate between policy and SecureWireless.

[CamilleT]

Do you have resolved the problem???? If your answer is no than I am suggesting that you should contact the Cisco technical support team to resolve the issue which you have stated over here.