What debugs to collect for 5760/3850 CWA issue with ISE

Below are some useful debugs to collect while working with TAC on a CWA issue.

Description: These debugs are mainly for a scenario in which the end device is stuck in a redirect loop. The client connects to the CWA SSID and gets the AUP page with an Accept button, clicks the Accept button, and gets the AUP page again.


Here are the debugs/traces/show commands we plan to use on 5760, ISE and client side.

5760:

set trace group-wireless-secure filter mac xxxx.xxxx.xxxx

set trace aaa wireless events level debug

set trace aaa wireless events filter mac xxxx.xxxx.xxxx

set trace group-wireless-secure level debug

debug client mac-address

debug aaa wireless all

debug ip http transactions

debug ip http url

debug ip socket error

debug authentication all

debug authentication feature spi al

debug epm all

debug epm plugin acl all

debug epm plugin redirect all

debug epm plugin redirect detail

"log to buffer", "save to ftp", "confirm debug level"

logging buffered 16000000

no logging rate-limit

show wireless client mac-address detail

show authentication session mac detail

show platform acl le | be

CLIENT SIDE:

Wireshark capture on the laptop, if possible, during both the failing and the working case.

Client mac address, model, ios and browser type on all clients being tested/reported.

Verify whether it works when opening a new tab or a new browser and, if the original browser fails, whether it works when you go back to the original browser.

ISE:

GUI > Administration > logging > debug log config > click on node > runtime-aaa = debug.

GUI > Administration > logging > debug log config > click on node > guestportal = debug

GUI > Administration > logging > debug log config > click on node > guestauth = debug

After the issue happens, go to Operations > download logs > click on node > click on 'include debug logs' and 'include monitoring and reporting logs'.

Add encryption key then create support bundle. After completion, download the bundle.

TCPDump > operations > troubleshoot > tools > tcpdump > select node > filter = udp port 1700.

Reports:

Operations > reports > Radius Authentications > filter = endpoint ID = mac address > RUN.


