Cisco 2000 Series Wireless LAN Controller Information Guide

Q. Once I reboot the WLC, I get the "Mon Jul 17 15:23:28 2006 MFP Anomaly Detected - 3023 Invalid MIC event(s) found as violated by the radio 00:XX:XX:XX:XX and detected by the dot11 interface at slot 0 of AP 00:XX:XX:XX:XX in 300 seconds when observing Probe responses, Beacon Frames" error message. Why does this error occur and how do I get rid of it?
A. This error message is seen when frames with incorrect MIC values are detected by MFP-enabled LAPs. Refer to Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example for more information on MFP. Complete one of these four steps:
1. Check for and remove any rogue or invalid APs or clients in your network that generate invalid frames.
2. Disable Infrastructure MFP if MFP is not enabled on other members of the Mobility group, because LAPs can hear management frames from LAPs of other WLCs in the group that do not have MFP enabled. Refer to Wireless LAN Controller (WLC) Mobility Groups FAQ for more information on Mobility Group.
3. The fix for this error message is available in the WLC releases 4.2.112.0 and 5.0.148.2. Upgrade the WLCs to either of these releases.
4. As a last option, try to reload the LAP that generates this error message.
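To support step 1, the anomaly messages can be grouped by the radio reported as the violator, which shows which transmitters to look for and which LAPs hear them. The script below is an added example, not Cisco code; it assumes one message per log line in the format quoted in the question, and the MAC addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the message quoted in the question above.
MFP_RE = re.compile(
    r"MFP Anomaly Detected\s*[-\u2212]\s*(?P<count>\d+) Invalid MIC event\(s\) "
    r"found as violated by the radio (?P<radio>\S+) and detected by the "
    r"dot11 interface at slot (?P<slot>\d+) of AP (?P<ap>\S+) "
    r"in (?P<secs>\d+) seconds when observing (?P<frames>.+)$"
)

# Constructed sample lines (MAC addresses are made up for illustration).
SAMPLE_LOG = """\
Mon Jul 17 15:23:28 2006 MFP Anomaly Detected - 3023 Invalid MIC event(s) found as violated by the radio 00:11:22:33:44:50 and detected by the dot11 interface at slot 0 of AP 00:11:22:33:44:01 in 300 seconds when observing Probe responses, Beacon Frames
Mon Jul 17 15:28:28 2006 MFP Anomaly Detected - 2950 Invalid MIC event(s) found as violated by the radio 00:11:22:33:44:50 and detected by the dot11 interface at slot 0 of AP 00:11:22:33:44:02 in 300 seconds when observing Beacon Frames
Mon Jul 17 15:28:30 2006 MFP Anomaly Detected - 12 Invalid MIC event(s) found as violated by the radio 00:11:22:33:44:60 and detected by the dot11 interface at slot 1 of AP 00:11:22:33:44:01 in 300 seconds when observing Probe responses
Mon Jul 17 15:29:00 2006 [SECURITY] apf_ms.c 2557: Unable to delete username for mobile 00:40:96:ad:75:f4
"""

def summarize_mfp(log_text):
    """Group invalid-MIC events by the radio reported as the violator."""
    radios = defaultdict(lambda: {"events": 0, "detectors": set(), "frames": set()})
    for line in log_text.splitlines():
        m = MFP_RE.search(line.strip())
        if not m:
            continue  # not an MFP anomaly message
        entry = radios[m["radio"]]
        entry["events"] += int(m["count"])
        entry["detectors"].add((m["ap"], int(m["slot"])))
        entry["frames"].update(f.strip() for f in m["frames"].split(","))
    # Highest event count first: those radios are the first to locate on site.
    return sorted(radios.items(), key=lambda kv: kv[1]["events"], reverse=True)

if __name__ == "__main__":
    for radio, info in summarize_mfp(SAMPLE_LOG):
        aps = ", ".join(f"{ap} slot {slot}" for ap, slot in sorted(info["detectors"]))
        print(f"{radio}: {info['events']} invalid MIC events; "
              f"heard by {aps}; frames: {', '.join(sorted(info['frames']))}")
```

A violating radio that turns out to belong to a LAP of another WLC in the Mobility group points to the situation in step 2 rather than to a rogue device.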
Q. Client AIR-PI21AG-E-K9 successfully associates with an access point (AP) using Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST). However, when the associated AP is switched off, the client does not roam to another AP. This message appears continuously in the controller message log: "Fri Jun 2 14:48:49 2006 [SECURITY] 1x_auth_pae.c 1922: Unable to allow user into the system - perhaps the user is already logged onto the system? Fri Jun 2 14:48:49 2006 [SECURITY] apf_ms.c 2557: Unable to delete username for mobile 00:40:96:ad:75:f4". Why?
A. When the client card needs to do roaming, it sends an authentication request, but it does not correctly handle keys (does not inform AP/controller, does not answer reauthentications). This is documented in Cisco bug ID CSCsd02837 (registered customers only). This bug has been fixed with Cisco Aironet 802.11a/b/g client adapters Install Wizard 3.5.
In general, the "Unable to delete username for mobile" message also occurs due to any of these reasons:
♦ The particular username is used on more than one client device.
♦ The authentication method used for that WLAN has an external anonymous identity. For example, in PEAP-GTC or in EAP-FAST, it is possible to define a generic username as the external (visible) identity, while the real username is hidden inside the TLS tunnel between the client and the RADIUS server, so the controller cannot see it and use it. In such cases, this message can appear. This issue is seen more commonly with some third-party clients and some clients with old firmware.