Question

XCC Dynamic VLAN Assignment

  • 13 September 2021
  • 18 replies
  • 119 views

Userlevel 4
  • Extreme Hero
  • 150 replies

Hi Guys,

I'm working on a customer deployment and got some issues using ExtremeControl and XCC (5.36.03).

If I send RFC3580 Vlan Attributes to XCC from the Control, the 802.1x session from the client can't authenticate, even with the VLAN created under Policy > Vlans and the same vlan associated to the Device Group's Profile.

Taking the "Guest Access" role as example, it is configured on the XCC to use the "Default Network VLAN" (as it is in sync with the policy domain, applied to the wired infrastructure too). I've created the VLAN 40 and marked as Bridge@AP Tagged and associated it with the Device Group's Profile (https://extremeportal.force.com/ExtrArticleDetail?an=000094691),

If I send only the FilterID 'policy=Guest Access' the client, the client get's authenticated, but still on the default WLAN VLAN (120). If I send the VTA attributes as follows, the same client can't authenticate:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Login-LAT-Port=%LOGIN_LAT_PORT%
Service-Type=%MGMT_SERV_TYPE%
Tunnel-Private-Group-Id=%VLAN_ID%:%VLAN_TUNNEL_TAG%
Tunnel-Type=13:%VLAN_TUNNEL_TAG%
Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%

 

The policy mapping is done on the Control for the dynamic vlan I want to apply.

Any ideas?

 


18 replies

Userlevel 7
Badge +1

Hi Leo,

For the re-authentication, I send the following: “RFC 3576 - Extreme IdentiFi Wireless”:

Mig

Userlevel 4

Hi Mig,

I've tried this config, but no luck…

 

I see the device authenticated on Control, and the RADIUS attributes are sent, but it seems that XCC is not working as expected.

 

Best regards,

 

-Leo

Userlevel 7
Badge +1

Leo,

The integration of XCC with Control requires a lot of steps.

Did you double checked the deployment guide?

Mig

Userlevel 5

Leo,

How is your AAA configured on the XCC? You can either integrate with radius server/NAC directly without engaging the onboard XCC NAC OR go through the NAC radius client in XCC. If you have configured the AAA under Onboard > AAA it would engage the onboard NAC and there is additional configuration required to make either RFC3580 or RFC3576 work without which the CoA won’t work. Though, this method is no more recommended for NAC integration. 

The XCC now supports direct integration with Radius/NAC when the AAA policy is created under Configuration > AAA Policy.  

Also make sure the time on the NAC and XCC is in sync, I have seen it way too many times and it causes all sorts of authentication issues. 

 

Regards,

Ovais

Userlevel 4

Hi Ovais,

 

I'm using direct integration with NAC using Configuration > AAA Policy.

 

Time is in sync, and it works flawlessly (using the default WLAN VLAN) if I send only the FilterID.

 

Now if I use the RFC3580 RADIUS Attributes to assign a different VLAN (note that this other VLAN is already created and associated to the Device Group on XCC), the client (802.1x) simply can't connect (even showing successfully authenticated and authorized on NAC).

 

I've already double-checked the Deployment Guide, bot I couldn't find anything wrong.

 

Best regards,

 

-Leo

Userlevel 5

So, looks like there is something wrong with the policy assignment: 

If I send only the FilterID 'policy=Guest Access' the client, the client get's authenticated, but still on the default WLAN VLAN (120). If I send the VTA attributes as follows, the same client can't authenticate:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Login-LAT-Port=%LOGIN_LAT_PORT%
Service-Type=%MGMT_SERV_TYPE%
Tunnel-Private-Group-Id=%VLAN_ID%:%VLAN_TUNNEL_TAG%
Tunnel-Type=13:%VLAN_TUNNEL_TAG%
Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%

 

When the guest authenticates, do you see it getting “Guest Access” role in XCC “Clients” tab? the only reason it should fall back to the default WLAN VLAN is when one of the following is true:

  1. The XCC didn’t receive the correct filter-id for the role, therefore it puts the client on default WLAN VLAN.
  2. It received the filter-id but the AP profile does not have this roles assigned/mapped on it. 
  3. You are using the attributes to pass VLAN ID, may be you don’t have VLAN configured in policy mapping settings. 

I was wondering why do you need to use RFC3580 and pass the VLAN ID as an attribute, not saying it doesn’t work that way, it does, I have done it many time with RFC3576 and passing VLAN as an attribute like following when the requirement is to assign same user Role but different VLANs based on location for instance. 

Filter-Id=Enterasys:%POLICY_NAME%
Login-LAT-Port=%LOGIN_LAT_PORT%
Tunnel-Private-Group-Id=%VLAN_ID%:%VLAN_TUNNEL_TAG%
Tunnel-Type=13:%VLAN_TUNNEL_TAG%
Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%

In case, you just need to use diff. Roles each with diff. VLAN, passing the Role as a filter-id to XCC should do the trick since XCC already has the VLAN defined within the Role. If that’s not happening, I will delete the VLAN configuration on the XCC and re-create it. 

Regards,

Ovais

Userlevel 4

Hi Ovais,

  1. The XCC didn’t receive the correct filter-id for the role, therefore it puts the client on default WLAN VLAN.

The XCC should be receiving the correct attributes (as I state on item B below), and I ran an TCPDUMP on NAC, and the RADIUS packets seems to be OK.

  1. It received the filter-id but the AP profile does not have this roles assigned/mapped on it. 

The AP receives the same Filter-ID, but when I choose to send the other Radius Attributes, the client is unable to authenticate. Simply changing the NAC's response attributes back, without VLAN related attributes, it works, so the Roles ate already at XCC.

  1. You are using the attributes to pass VLAN ID, may be you don’t have VLAN configured in policy mapping settings.

I've configured them at the Policy Mapping (and tested on the wired side, with EXOS, and it works es expected).

  1. I was wondering why do you need to use RFC3580 and pass the VLAN ID as an attribute, not saying it doesn’t work that way, it does, I have done it many time with RFC3576 and passing VLAN as an attribute like following when the requirement is to assign same user Role but different VLANs based on location for instance.

Maybe I wasn't clear, sorry, but I've just configured something like the screenshot provided, and already used it on EXOS and IdentiFi several times, but never with XCC. The goal is really to use the same Role, but assign different VLANs based on the NAC rules, keeping the policy domain consistent across wired/wireless. Passing just the policy in the Filter-ID is not enough, because we don't want to have "Contain to VLAN" Roles, because we use different VLANS, depending on the environment (wired/wireless), departments, AD user groups, etc… But the VLAN attributes seems to be not working… I've ran a test on an old IdentiFi controller, and it works…

  1. In case, you just need to use diff. Roles each with diff. VLAN, passing the Role as a filter-id to XCC should do the trick since XCC already has the VLAN defined within the Role. If that’s not happening, I will delete the VLAN configuration on the XCC and re-create it. 

Unfortunately it's not the case (and I've tested this scenario and selecting the VLAN on the Role make it work perfectly, as soon as I don't pass any VLAN attributes. If I set the VLAN on the Role and send the VLAN attributes, it doesn't work as well). The customer, as stated before, want to use the same Roles, but applying different VLANs depending on the NAC Rules they defined…

 

It seems an issue with XCC…

 

Best regards,

 

-Leo

 

Userlevel 5

I see, its a bit more clear now. If you have not tried the following already, give it a go. I think this configuration can help you.

I have recently implemented the exact same scenario with XCC version 5.26 for few different deployments. I assign same role to users but flip VLAN based on the user’s location, location could be a building or a floor etc. Assuming you are something similar. To achieve this, I used RFC3576 with the attributes I mentioned in my previous post. This use case is addressed a bit differently in XCC, unlike identifi HYBRID mode where we could use RFC3580 and pass role and VLAN as two separate attributes, XCC needs a bit more config. I am not sure what your deployments looks like and how granular the VLAN assignment is. This config example is based on one VLAN per building, therefore “location” is used as a key differentiator. Likewise, you can have one VLAN per floor/device group/AP etc.

You can use “Location” tab in Site configuration to configure location/zone information, you will use this as a match condition for VLAN assignment, you can either use the name of the SITE itself or one of the following location parameters:

 Then, make change to AAA policy in XCC and configure either site name/city/region/ as Called station ID to the NAC (based on how granular the VLAN assignment is).  XCC will replace original Called station ID with the one you specify here while sending the authentication request to the NAC.

On the NAC, create “location groups” and specify the “Site Name” or whatever parameter you used as Called Station ID. NAC will match this with the incoming Called Station ID.

As for the Policy Mapping, you can create Policy Mappings with the same Role name and specify different “Map to location” value for each of them. This will allow NAC to determine which VLAN to return based on location while still using the same Policy Role.  

Regards,

Ovais

Userlevel 4

Hi Ovais,

I'll try this approach and let you know if it works!

Thank you so much for the detailed explanation. I appreciate that!

Best regards,

 

-Leo

 

Userlevel 4

Hi Ovais,

I've just tested your suggestion, but it's not working for me, and now I think I figured out the pinpointed scenario.

The tip about the policy mapping based on location worked perfectly (I never had tested it before, awesome), BUT, when I choose the RADIUS Attributes to send, the client just can't connect, even the NAC sending the attributes… 

I've discovered that the config you suggested worked perfectly when I send a Bridge@AC VLAN configured on the XCC, BUT, when I send a BRIDGE@AP VLAN, it doesn't work, even if the VLAN is created on XCC and added to the Device Group's Profile (unchecking the "Additional" don't work as well… I don't know why the SECUREIT Vlan shows as REFERENCED, because it is not configured on any WLAN, ROLE, etc).

Best regards,

 

-Leo

Userlevel 4

Hi Guys,

Running more tests, I could find that the VLAN Attributes only work for B@AC Topologies, but not for B@AP.

Maybe I'm still missing something, or there's any "magic trick".

 

Any ideas?

 

Best regards,

 

-Leo

Userlevel 7

Hi Leo.

probably a stupid question. When you say “can not authenticate” do you refer to the Client state in XCC or to the windows response?

Is the VLAN configured on the switch where the AP is connected? I mean is the L2 path correct?

Another idea: do you have the B@AP topology created in XCC?

Another idea: Have you asked GTAC?

Userlevel 4

Hi Z,

When I say "can not authenticate" I mean that the initial role applied is UNREGISTERED, and the client can connect to VLAN 1121, get an IP address, is redirected to the NAC's Captive Portal for registration without problems, BUT, after registration, NAC sends the RADIUS ATTRIBUTES including the VLAN atributes for the new Role and VLAN 101 (B@AP Tagged) and the client simply can't connect.

The VLAN is created as B@AP at the XCC and configured on the Switch, as if I set the VLAN on the role statically on the XCC and don't send the VLAN attributes from the NAC it works perfectly.

I haven't asked GTAC yet, because maybe I'm missing something stupid and decided to ask here before bothering the GTAC Guys.

I've just captured some screenshots and an AP Log (because XCC logs are not good, IMHO)

 

######################## CONNECTING TO THE SEPLAG_DOT1X WLAN AND RECEIVING THE UNREGISTERED POLICY FROM NAC FOR REGISTRATION #########################

 

Sep 17 11:57:19 krn: ieee80211_mlme.c:445/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 wlan_vap_is_pmf_enabled=0

Sep 17 11:57:19 krn: ieee80211_mlme.c:499/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 defer_cleanup=1 ni_pmf=0 key_valid=1

Sep 17 11:57:19 krn: ieee80211_mgmt.c:993/ieee80211_send_disassoc_with_callback()-ath6 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 11:57:19 krn: ieee80211_node_ap.c:274/_ieee80211_node_leave()-ath6/C0:BD:D1:DD:CB:77 stassoc=1 ni=e6e8fee0 aid=1 kvalid=1 keyix=5 ncount=2 tm=88569 rss=-41 refcnt=2 rtChRegUtil=13

Sep 17 11:57:19 krn: ieee80211_node_ap.c:413/_ieee80211_node_leave()-ath6 C0:BD:D1:DD:CB:77 ieee80211_crypto_delkey AID=1

Sep 17 11:57:19 krn: ieee80211_node_ap.c:80/chk_ic_counters()-wifi0 Correcting ht40_sta_assoc! orig=65535 new=0

Sep 17 11:57:19 krn: ieee80211_node_ap.c:81/chk_ic_counters()-wifi0 num_corrected=1

Sep 17 11:57:19 hostapd0: 1631879839.814660: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: disassociated

Sep 17 11:57:23 krn: ieee80211_mgmt_ap.c:1125/ieee80211_recv_asreq()-ni_flags=a rs_nrates=16

Sep 17 11:57:23 krn: ieee80211_node_ap.c:863/ieee80211_node_join()-ath6/C0:BD:D1:DD:CB:77 sta=1 ni=e6e90f90 aid=1 refcnt=2 ncnt=2 rss=-48 mfp=0

Sep 17 11:57:23 krn: ol_if_mgmt.c:720/ol_ath_net80211_newassoc()-C0:BD:D1:DD:CB:77 ni_flags=1000000a ni_wds_tx_policy=0 isnew=1 ni=e6e90f90

Sep 17 11:57:23 krn: ieee80211_mgmt_ap.c:1359/ieee80211_recv_asreq()-exit

Sep 17 11:57:23 hostapd0: 1631879843.486044: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: associated

Sep 17 11:57:23 hostapd0: 1631879843.486137: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie776 key_mgmt 01 num_pmkid=0 pmksa=(nil)

Sep 17 11:57:23 hostapd0: 1631879843.486387: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie PW_EAP_PMKID_NOTIFY sent to driver

Sep 17 11:57:23 krn: mu_assoc_tab.c:1206/wassp_mu_assoc_handler()-C0:BD:D1:DD:CB:77 ALLOWED

Sep 17 11:57:23 krn: wassp_mu_assoc_decode: C0:BD:D1:DD:CB:77 transId 1631535228 filter name Unregistered rule num 7

Sep 17 11:57:23 krn: wassp_mu_assoc_decode 3323 unicast filter extentions

Sep 17 11:57:23 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULE_FIXED_APP_ID not present

Sep 17 11:57:23 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_GROUP_ID not present

Sep 17 11:57:23 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_DISP_ID not present

Sep 17 11:57:23 krn:   decodeFilterRulesExtBlock: Optional tlv EID_IPV6_ADDR not present

Sep 17 11:57:23 krn: mu_assoc_tab.c:3341/wassp_mu_assoc_decode()-decode topo array len 56

Sep 17 11:57:23 krn: decodeTopologyArray 4004 EID_TOPOLOGY_ARRAY TLV len:56

Sep 17 11:57:23 krn: decodeFilterConfigStruct: EID_FILTER_RULES not present

Sep 17 11:57:23 krn: decodeTopologyStruct 3981 success!

Sep 17 11:57:23 krn:   decodeTopologyArray: decoding EID_TOPOLOGY_ARRAY success struct count:1  

Sep 17 11:57:23 krn: topology array - entry count:1       p:e2200000

Sep 17 11:57:23 krn: topology struct - vlanId:1121 isBridged:yes isTagged:yes isArpProxy:yes

Sep 17 11:57:23 krn: filterName:VLAN-BAP-CORP-Grupo1    ruleCount:0

Sep 17 11:57:23 krn: sessMgmt_utils.c:4317/ssmHandleAC2APMuIP()-RESP has IP=10.1.121.2 old linger node IP=0.0.0.0

Sep 17 11:57:23 krn: chantry_arppxy_node.c:143/chantry_arppxy_node_add_ipv4()-Setting c0:bd:d1:dd:cb:77 10.1.121.2

Sep 17 11:57:23 krn: wassp_mu_assoc_decode: Success: chantry6: apply filter Unregistered with 7 rules

Sep 17 11:57:23 krn: mu_assoc_tab.c:3509/wassp_mu_assoc_decode()-li_vlanid_count 1 li_controller_vlanid_count 0

Sep 17 11:57:23 krn: dev_ident_drv.c:92/devIdentUpdateLiAndSiteSess()-C0:BD:D1:DD:CB:77 devIdent old 0 0 0 new 290 104 15

Sep 17 11:57:23 krn: [19/1] FWLOG: [84827658] RATE: ChainMask 3, peer_mac cb:77, phymode 8, ni_flags 0x02211006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x0ff0

Sep 17 11:57:23 krn: [31/5] FWLOG: [84827659] RTT_REPORT ( 0x2804, 0x3, 0x479, 0x0, 0x9 )

Sep 17 11:57:29 krn: wassp_mu_update_handler 2404

Sep 17 11:57:29 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULE_FIXED_APP_ID not present

Sep 17 11:57:29 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_GROUP_ID not present

Sep 17 11:57:29 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_DISP_ID not present

Sep 17 11:57:29 krn:   decodeFilterRulesExtBlock: Optional tlv EID_IPV6_ADDR not present

Sep 17 11:57:29 krn: decodeTopologyArray 4004 EID_TOPOLOGY_ARRAY TLV len:56

Sep 17 11:57:29 krn: decodeFilterConfigStruct: EID_FILTER_RULES not present

Sep 17 11:57:29 krn: decodeTopologyStruct 3981 success!

Sep 17 11:57:29 krn:   decodeTopologyArray: decoding EID_TOPOLOGY_ARRAY success struct count:1  

Sep 17 11:57:29 krn: topology array - entry count:1       p:e2200000

Sep 17 11:57:29 krn: topology struct - vlanId:1121 isBridged:yes isTagged:yes isArpProxy:yes

Sep 17 11:57:29 krn: filterName:VLAN-BAP-CORP-Grupo1    ruleCount:0

Sep 17 11:57:29 krn: mu_assoc_tab.c:2592/wassp_mu_update_handler()-chantry6 C0:BD:D1:DD:CB:77 filterName: "Unregistered" numRule 7

Sep 17 11:57:29 hostapd0: 1631879849.972798: ath6: STA c0:bd:d1:dd:cb:77 WPA: pairwise key handshake completed (RSN)

Sep 17 11:57:29 hostapd0: 1631879849.972860: ====> AUTHENTICATED sm_AUTH_PAE_AUTHENTICATED_Enter 342

Sep 17 11:57:29 hostapd0: 1631879849.972860: ====> sm_AUTH_PAE_AUTHENTICATED_Enter 343 sm->eap_type_supp 25 eap_type_authsrv 0

Sep 17 11:57:29 hostapd0: 1631879849.972860: ====> MAC: c0:bd:d1:dd:cb:77

Sep 17 11:57:29 hostapd0: 1631879849.973016: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.1X: authenticated - EAP type: 0 (unknown)

Sep 17 11:57:29 krn: ieee80211_wireless.c:9160/ieee80211_ioctl_setkey()-ath6 C0:BD:D1:DD:CB:77 keyix=65535

Sep 17 11:57:29 krn: ieee80211_wireless.c:9301/ieee80211_ioctl_setkey()-ath6 C0:BD:D1:DD:CB:77 error=0 keytype=3 keylen=16 keyix=65535

Sep 17 11:57:29 krn: m2MsgApp_TaskletHandler 425 hapd-->tsk-->AP OP_TASKLET_APP_HAPD_AUTH_TYPE from srcTid:36

Sep 17 11:57:29 krn: m3TaskHdlr.c:362/tskHdlr_muAuthType()-C0:BD:D1:DD:CB:77, eap type 25

Sep 17 11:57:29 krn: m3TaskHdlr.c:366/tskHdlr_muAuthType()-c0:bd:d1:dd:cb:77, size 1152

Sep 17 11:57:30 krn: [22/27] FWLOG: [84834297] WAL_DBGID_SECURITY_UCAST_KEY_SET ( 0xcb77, 0x0 )

Sep 17 11:57:30 krn: [22/29] FWLOG: [84834297] WAL_DBGID_SECURITY_ENCR_EN (  )

Sep 17 11:57:30 krn: [22/26] FWLOG: [84834297] WAL_DBGID_SECURITY_ALLOW_DATA ( 0x443ba4 )

Sep 17 11:57:30 krn: [22/35] FWLOG: [84834605] WAL_DBGID_TX_BA_SETUP ( 0x443ba4, 0xcb770006, 0xf, 0x40, 0x1 )

Sep 17 11:57:30 krn: [19/1] FWLOG: [84834606] RATE: ChainMask 3, peer_mac cb:77, phymode 10, ni_flags 0x02211006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x0ff0

Sep 17 11:57:31 krn: [22/35] FWLOG: [84835061] WAL_DBGID_TX_BA_SETUP ( 0x443ba4, 0xcb770000, 0x0, 0x40, 0x1 )

Sep 17 11:57:33 cap: __delta__ deltaCounterUpdate 330 lastRead:0x8589934748 newRead:0x81 32bit roll over:0x200000000!!!

Sep 17 11:57:33 cap: __delta__ deltaCounterUpdate 330 lastRead:0x8589934709 newRead:0x57 32bit roll over:0x200000000!!!

Sep 17 11:57:33 cap: __delta__ deltaCounterUpdate 330 lastRead:0x8589966690 newRead:0x11416 32bit roll over:0x200000000!!!

Sep 17 11:57:33 cap: __delta__ deltaCounterUpdate 330 lastRead:0x8589979112 newRead:0x15121 32bit roll over:0x200000000!!!

Sep 17 11:57:33 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 11:57:39 krn: vap-8(ath18):ieee80211_send_nulldata[356] cur chan 11 flags 0x10080  is not same as home chan 1 flags 0xa0 

Sep 17 11:57:39 krn: vap-8(ath8):ieee80211_send_nulldata[356] cur chan 149 flags 0x100100  is not same as home chan 36 flags 0x140 

          

 

################ CLIENT REDIRECTED TO THE NAC PORTAL FOR REGISTRATION... REGISTERING ########################

 

 

Sep 17 11:58:03 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 11:58:30 sensor: excessive dpi packets, 20+21, from 10.1.121.2(45648) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:30 sensor: excessive dpi packets, 20+21, from 10.1.121.2(45647) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:30 sensor: excessive dpi packets, 19+21, from 10.1.121.2(45646) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:30 sensor: excessive dpi packets, 20+19, from 10.1.121.2(45645) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:30 sensor: excessive dpi packets, 19+21, from 10.1.121.2(45644) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:30 sensor: excessive dpi packets, 18+21, from 10.1.121.2(45641) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:58:33 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 11:59:01 timesync: TIMESERVER=pool.ntp.org AP_MODE=0 DISCOV_MODE="On-Prem"

Sep 17 11:59:03 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 11:59:33 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 11:59:45 sensor: excessive dpi packets, 18+21, from 10.1.121.2(45665) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:59:45 sensor: excessive dpi packets, 20+19, from 10.1.121.2(45664) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:59:45 sensor: excessive dpi packets, 21+20, from 10.1.121.2(45663) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:59:45 sensor: excessive dpi packets, 18+16, from 10.1.121.2(45662) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:59:45 sensor: excessive dpi packets, 18+21, from 10.1.121.2(45661) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 11:59:45 sensor: excessive dpi packets, 21+18, from 10.1.121.2(45648) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 12:00:03 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 12:00:31 krn: wassp_mu_update_handler 2404

Sep 17 12:00:31 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULE_FIXED_APP_ID not present

Sep 17 12:00:31 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_GROUP_ID not present

Sep 17 12:00:31 krn:   decodeFilterRulesExtBlock: Optional tlv EID_FILTER_RULES_APP_SIG_DISP_ID not present

Sep 17 12:00:31 krn:   decodeFilterRulesExtBlock: Optional tlv EID_IPV6_ADDR not present

Sep 17 12:00:31 krn: decodeTopologyArray 4004 EID_TOPOLOGY_ARRAY TLV len:56

Sep 17 12:00:31 krn: decodeFilterConfigStruct: EID_FILTER_RULES not present

Sep 17 12:00:31 krn: decodeTopologyStruct 3981 success!

Sep 17 12:00:31 krn:   decodeTopologyArray: decoding EID_TOPOLOGY_ARRAY success struct count:1  

Sep 17 12:00:31 krn: topology array - entry count:1       p:e2200000

Sep 17 12:00:31 krn: topology struct - vlanId:1121 isBridged:yes isTagged:yes isArpProxy:yes

Sep 17 12:00:31 krn: filterName:VLAN-BAP-CORP-Grupo1    ruleCount:0

Sep 17 12:00:31 krn: mu_assoc_tab.c:2592/wassp_mu_update_handler()-chantry6 C0:BD:D1:DD:CB:77 filterName: "Unregistered" numRule 7

Sep 17 12:00:31 hostapd0: 1631880031.103882: ====> AUTHENTICATED sm_AUTH_PAE_AUTHENTICATED_Enter 342

Sep 17 12:00:31 hostapd0: 1631880031.103913: ====> sm_AUTH_PAE_AUTHENTICATED_Enter 343 sm->eap_type_supp 25 eap_type_authsrv 0

Sep 17 12:00:31 hostapd0: 1631880031.103944: ====> MAC: c0:bd:d1:dd:cb:77

Sep 17 12:00:31 hostapd0: 1631880031.104069: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.1X: authenticated - EAP type: 0 (unknown)

Sep 17 12:00:31 krn: m2MsgApp_TaskletHandler 425 hapd-->tsk-->AP OP_TASKLET_APP_HAPD_AUTH_TYPE from srcTid:36

Sep 17 12:00:31 krn: m3TaskHdlr.c:362/tskHdlr_muAuthType()-C0:BD:D1:DD:CB:77, eap type 25

Sep 17 12:00:31 krn: m3TaskHdlr.c:366/tskHdlr_muAuthType()-c0:bd:d1:dd:cb:77, size 1152

Sep 17 12:00:32 hostapd0: 1631880032.755866: ath6: STA c0:bd:d1:dd:cb:77 WPA: pairwise key handshake completed (RSN)

Sep 17 12:00:32 krn: ieee80211_wireless.c:9160/ieee80211_ioctl_setkey()-ath6 C0:BD:D1:DD:CB:77 keyix=65535

Sep 17 12:00:32 krn: ieee80211_wireless.c:9301/ieee80211_ioctl_setkey()-ath6 C0:BD:D1:DD:CB:77 error=0 keytype=3 keylen=16 keyix=65535

Sep 17 12:00:33 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

Sep 17 12:00:33 krn: [22/27] FWLOG: [85021367] WAL_DBGID_SECURITY_UCAST_KEY_SET ( 0xcb77, 0x0 )

Sep 17 12:00:33 krn: [22/29] FWLOG: [85021367] WAL_DBGID_SECURITY_ENCR_EN (  )

Sep 17 12:00:33 krn: [22/26] FWLOG: [85021367] WAL_DBGID_SECURITY_ALLOW_DATA ( 0x443ba4 )

Sep 17 12:01:00 sensor: excessive dpi packets, 21+20, from 10.1.121.2(45692) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 12:01:00 sensor: excessive dpi packets, 17+20, from 10.1.121.2(45691) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 12:01:00 sensor: excessive dpi packets, 22+21, from 10.1.121.2(45690) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 12:01:00 sensor: excessive dpi packets, 18+24, from 10.1.121.2(45648) -> 10.100.0.251(443), TCP, dir=0 , displayId=0, are ignored

Sep 17 12:02:03 cap: __delta__ muDeltaEntryEncode 3964  radio mismatch calling:0 map:1 C0:BD:D1:DD:CB:77

 

 

############### CLIENT DEVICE REGISTERED, SHOULD RECEIVE ROLE MOBILE AND VLAN 101 B@AP TAGGED ###############

 

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 cap: 01123:wassp_prot_input.c:1586/wassp_mu_discon_handler()-C0:BD:D1:DD:CB:77 EID_STATUS="DAS_REQ" (15) 

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath0 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath0 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath3 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath3 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath4 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath4 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath5 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath5 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath6 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: chantry_export.c:2792/chantry_domlme()-DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: ieee80211_mlme.c:445/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 wlan_vap_is_pmf_enabled=0

Sep 17 12:02:10 cap: wlanDisconnectClientsR: C0:BD:D1:DD:CB:77, cat VNS_CAT_ALL

Sep 17 12:02:10 cap: Send 22 bytes mu cb 77 disconnect response data to AC

Sep 17 12:02:10 krn: ieee80211_mlme.c:499/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 defer_cleanup=1 ni_pmf=0 key_valid=1

Sep 17 12:02:10 krn: ieee80211_mgmt.c:993/ieee80211_send_disassoc_with_callback()-ath6 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath7 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath7 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath10 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath10 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath13 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath13 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath14 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath14 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath15 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath15 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath16 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath16 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: chantry_ext_ioctl.c:412/ioctl_kickmacbyattr()-ath17 DISASSOC C0:BD:D1:DD:CB:77 reason=8

Sep 17 12:02:10 krn: Skipping domlme for STA C0:BD:D1:DD:CB:77 (li->li_vap->io_dev ath6 != vns ath17 ) (li->li_vap->dev: chantry6)

Sep 17 12:02:10 krn: ieee80211_node_ap.c:274/_ieee80211_node_leave()-ath6/C0:BD:D1:DD:CB:77 stassoc=1 ni=e6e90f90 aid=1 kvalid=1 keyix=5 ncount=2 tm=286776 rss=-41 refcnt=2 rtChRegUtil=14

Sep 17 12:02:10 krn: ieee80211_node_ap.c:413/_ieee80211_node_leave()-ath6 C0:BD:D1:DD:CB:77 ieee80211_crypto_delkey AID=1

Sep 17 12:02:10 krn: ieee80211_node_ap.c:80/chk_ic_counters()-wifi0 Correcting ht40_sta_assoc! orig=65535 new=0

Sep 17 12:02:10 krn: ieee80211_node_ap.c:81/chk_ic_counters()-wifi0 num_corrected=1

Sep 17 12:02:10 hostapd0: 1631880130.261770: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: disassociated

Sep 17 12:02:17 krn: ieee80211_mgmt_ap.c:1125/ieee80211_recv_asreq()-ni_flags=a rs_nrates=16

Sep 17 12:02:17 krn: ieee80211_node_ap.c:863/ieee80211_node_join()-ath6/C0:BD:D1:DD:CB:77 sta=1 ni=e6e92040 aid=1 refcnt=2 ncnt=2 rss=-47 mfp=0

Sep 17 12:02:17 krn: ol_if_mgmt.c:720/ol_ath_net80211_newassoc()-C0:BD:D1:DD:CB:77 ni_flags=1000000a ni_wds_tx_policy=0 isnew=1 ni=e6e92040

Sep 17 12:02:17 krn: ieee80211_mgmt_ap.c:1359/ieee80211_recv_asreq()-exit

Sep 17 12:02:17 hostapd0: 1631880137.432373: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: associated

Sep 17 12:02:17 hostapd0: 1631880137.432435: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie776 key_mgmt 01 num_pmkid=1 pmksa=(nil)

Sep 17 12:02:17 hostapd0: 1631880137.432685: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie PW_EAP_PMKID_NOTIFY sent to driver

Sep 17 12:02:17 krn: mu_assoc_tab.c:1206/wassp_mu_assoc_handler()-C0:BD:D1:DD:CB:77 Not allowed

Sep 17 12:02:17 krn: mu_assoc_tab.c:1215/wassp_mu_assoc_handler()-chantry6 C0:BD:D1:DD:CB:77 DEAUTHed from ASSOC RSP! status=0

Sep 17 12:02:17 krn: chantry_export.c:2310/madwifi_send_deauth_imp()-chantry6/C0:BD:D1:DD:CB:77 reason=9

Sep 17 12:02:17 hostapd0: 1631880137.454678: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: disassociated

Sep 17 12:02:17 krn: chantry_export.c:2338/madwifi_send_deauth_imp()-chantry6 wireless_handlers is NULL, will try to convert to a chantry device...

Sep 17 12:02:17 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:17 krn: chantry_export.c:2353/madwifi_send_deauth_imp()-Deauthing C0:BD:D1:DD:CB:77 on ath6

Sep 17 12:02:17 krn: ieee80211_wireless.c:2781/ieee80211_ioctl_setmlme()-ath6 DISASSOC/DEAUTH! C0:BD:D1:DD:CB:77 op=3

Sep 17 12:02:17 krn: ieee80211_wireless.c:2823/ieee80211_ioctl_setmlme()-ath6/C0:BD:D1:DD:CB:77 ATH_SUPPORT_DEFERRED_NODE_CLEANUP!

Sep 17 12:02:17 krn: ieee80211_mlme.c:445/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 wlan_vap_is_pmf_enabled=0

Sep 17 12:02:17 krn: ieee80211_mlme.c:499/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 defer_cleanup=1 ni_pmf=0 key_valid=0

Sep 17 12:02:17 krn: ieee80211_mgmt.c:993/ieee80211_send_disassoc_with_callback()-ath6 DISASSOC C0:BD:D1:DD:CB:77 reason=9

Sep 17 12:02:17 krn: ieee80211_wireless.c:2835/ieee80211_ioctl_setmlme()-DISASSOC rc=0

Sep 17 12:02:17 krn: ieee80211_node_ap.c:274/_ieee80211_node_leave()-ath6/C0:BD:D1:DD:CB:77 stassoc=1 ni=e6e92040 aid=1 kvalid=0 keyix=65535 ncount=2 tm=22 rss=-47 refcnt=2 rtChRegUtil=11

Sep 17 12:02:17 krn: ieee80211_node_ap.c:80/chk_ic_counters()-wifi0 Correcting ht40_sta_assoc! orig=65535 new=0

Sep 17 12:02:17 krn: ieee80211_node_ap.c:81/chk_ic_counters()-wifi0 num_corrected=1

Sep 17 12:02:17 krn: [19/1] FWLOG: [85128501] RATE: ChainMask 3, peer_mac cb:77, phymode 8, ni_flags 0x02211006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x0ff0

Sep 17 12:02:17 krn: [31/5] FWLOG: [85128501] RTT_REPORT ( 0x2804, 0x3, 0x479, 0x0, 0x9 )

Sep 17 12:02:26 krn: ieee80211_mgmt_ap.c:1125/ieee80211_recv_asreq()-ni_flags=a rs_nrates=16

Sep 17 12:02:26 krn: ieee80211_node_ap.c:863/ieee80211_node_join()-ath6/C0:BD:D1:DD:CB:77 sta=1 ni=e6e930f0 aid=1 refcnt=2 ncnt=2 rss=-44 mfp=0

Sep 17 12:02:26 krn: ol_if_mgmt.c:720/ol_ath_net80211_newassoc()-C0:BD:D1:DD:CB:77 ni_flags=1000000a ni_wds_tx_policy=0 isnew=1 ni=e6e930f0

Sep 17 12:02:26 krn: ieee80211_mgmt_ap.c:1359/ieee80211_recv_asreq()-exit

Sep 17 12:02:26 hostapd0: 1631880146.437465: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: associated

Sep 17 12:02:26 hostapd0: 1631880146.437528: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie776 key_mgmt 01 num_pmkid=1 pmksa=(nil)

Sep 17 12:02:26 hostapd0: 1631880146.437777: ath6: STA c0:bd:d1:dd:cb:77 WPA: wpa_validate_wpa_ie PW_EAP_PMKID_NOTIFY sent to driver

Sep 17 12:02:26 krn: mu_assoc_tab.c:1206/wassp_mu_assoc_handler()-C0:BD:D1:DD:CB:77 Not allowed

Sep 17 12:02:26 krn: mu_assoc_tab.c:1215/wassp_mu_assoc_handler()-chantry6 C0:BD:D1:DD:CB:77 DEAUTHed from ASSOC RSP! status=0

Sep 17 12:02:26 krn: chantry_export.c:2310/madwifi_send_deauth_imp()-chantry6/C0:BD:D1:DD:CB:77 reason=9

Sep 17 12:02:26 krn: chantry_export.c:2338/madwifi_send_deauth_imp()-chantry6 wireless_handlers is NULL, will try to convert to a chantry device...

Sep 17 12:02:26 krn: chantry_export.c:2353/madwifi_send_deauth_imp()-Deauthing C0:BD:D1:DD:CB:77 on ath6

Sep 17 12:02:26 krn: ieee80211_wireless.c:2781/ieee80211_ioctl_setmlme()-ath6 DISASSOC/DEAUTH! C0:BD:D1:DD:CB:77 op=3

Sep 17 12:02:26 krn: ieee80211_wireless.c:2823/ieee80211_ioctl_setmlme()-ath6/C0:BD:D1:DD:CB:77 ATH_SUPPORT_DEFERRED_NODE_CLEANUP!

Sep 17 12:02:26 krn: ieee80211_mlme.c:445/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 wlan_vap_is_pmf_enabled=0

Sep 17 12:02:26 krn: ieee80211_mlme.c:499/wlan_mlme_disassoc_request_with_callback()-ath6/C0:BD:D1:DD:CB:77 defer_cleanup=1 ni_pmf=0 key_valid=0

Sep 17 12:02:26 krn: ieee80211_mgmt.c:993/ieee80211_send_disassoc_with_callback()-ath6 DISASSOC C0:BD:D1:DD:CB:77 reason=9

Sep 17 12:02:26 krn: ieee80211_wireless.c:2835/ieee80211_ioctl_setmlme()-DISASSOC rc=0

Sep 17 12:02:26 hostapd0: 03897:chantry_client.c:455/ieee8021x_purge_pmk_allhostapd()-EAP PURGE  cb 77 at hapd f9 76

Sep 17 12:02:26 krn: ieee80211_node_ap.c:274/_ieee80211_node_leave()-ath6/C0:BD:D1:DD:CB:77 stassoc=1 ni=e6e930f0 aid=1 kvalid=0 keyix=65535 ncount=2 tm=65 rss=-44 refcnt=2 rtChRegUtil=11

Sep 17 12:02:26 krn: ieee80211_node_ap.c:80/chk_ic_counters()-wifi0 Correcting ht40_sta_assoc! orig=65535 new=0

Sep 17 12:02:26 krn: ieee80211_node_ap.c:81/chk_ic_counters()-wifi0 num_corrected=1

Sep 17 12:02:26 hostapd0: 1631880146.502476: ath6: STA c0:bd:d1:dd:cb:77 IEEE 802.11: disassociated

Sep 17 12:02:26 krn: [19/1] FWLOG: [85137717] RATE: ChainMask 3, peer_mac cb:77, phymode 8, ni_flags 0x02211006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x0ff0

Sep 17 12:02:26 krn: [31/5] FWLOG: [85137718] RTT_REPORT ( 0x2804, 0x3, 0x479, 0x0, 0x9 )

 

 

################## CLIENT CANT CONNECT ###################

 

Follows attached some screenshots about my config.

 

Best regards,

 

-Leo

 

 
Userlevel 4
Badge

I think this is a desgin-problem.

It’s always not a good idea to change vlan/ip-net during a active connection.

In this case, the client wired oder wireless needs a trigger to release the IP and Discovery for a new. In wired enviroment this can be triggered by link down and up. But in wireless, I think that shouldn’t be possible.

Userlevel 4

Hi PeterK,

This design works perfectly on Wired and on the IdentiFi solutions… There's no problem with the VLAN/Topology/Role change… The problem is, when NAC tells XCC to reauth user (and XCC "obeys") and the client tries to reauth receiving the new RADIUS ATTRIBUTES, the client simply can't connect.

If I don't send the VLAN Attributes (just the very same ROLE), and this role is set statically to the desired VLAN, it works flawlessly.

It seems that the XCC is not working fine with this attibutes on B@AP topologies.

By the way, as I stated in previous posts, it WORKS PERFECTLY FINE when, with the very same config BUT the topology is set to Bridge@AC, sending the very same VLAN ATTRIBUTES, it just crashes when the topology is set to Bridge@AP and we pass the VLAN attributes.

 

Best regards,

 

-Leo

Userlevel 4
Badge

oh, ok… good to know...

I always had a lot of trouble with vlan assignment at XCC.

AFAIK you need a policy role for every VLAN at the XCC, otherwise the tunnel-attribute is not accepted. I can’t see that in your screenshots and this is what was the solution for me...

Userlevel 4

Hi PeterK,

I've just posted the config where I got issues… In summary: B@AC works perfectly, B@AP don't work. Below follows more info...

As far as I discovered, the Dynamic VLAN assignment works without a "Role-to-VLAN pair" static creation on XCC, using RADIUS VLAN attributes, on B@AC topologies, but is not working o B@AP or FabricAttach topologies, even with the association of the VLANs to the Device Group's profile.

Creating the "Role-to-VLAN pairs" is not an option, as the customer is using a single Policy Domain for Wired and Wireless, and this solutions "would not fit" on the environment. Using B@AC solution is not an option as well.

Best regards,

-Leo

Userlevel 4
Badge

Hi Leo,

ok; understand.

In this case you should open a Case.

Reply