Wireless - troubleshooting wireless clients on a WLC

When implementing a wireless network using a wireless controller (WLC), there are several things one can do to troubleshoot various problems with wireless clients.

For clients that are disconnecting intermittently, the best approach would be to perform some debugging on the WLC for a particular client during its disconnects. This will give you the reason behind the drops and will help you to move on to additional troubleshooting steps. A couple of debug commands that would be helpful include:

debug client <mac-address>

Here you can add the MAC address of the particular client you are examining. An example of some output you may see is found below:

WLC>debug client 00:0a:95:9d:68:16 *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 Received Disassociate from mobile on AP 00:0b:85:59:2a:20 *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 Deleting client on AP 00:0b:85:59:2a:20(0) *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 State machine transition from Disassociated to Idle *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 Skipping L2 roam because state is not L2Associated *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 Not Using WMM Compliance code qosCap 00. *apfReceiveTask: Jun 23 20:33:40.493: 00:0a:95:9d:68:16 Ignoring mobile, downlink packet

In this example, you can see that the client with MAC address 00:0a:95:9d:68:16 sent a Disassociate message to the AP it was connected to (00:0b:85:59:2a:20). This triggered a transition from the Disassociated state to the Idle state.

Similarly, you can debug the AAA operations to examine if the client is failing during the authentication process, using the following command:

debug aaa all enable

An example of output you may see includes:

WLC>debug aaa all enable *aaaQueueReader: Jun 24 14:25:43.108: 00:0a:95:9d:68:16 Trying to authenticate with Radius server *aaaQueueReader: Jun 24 14:25:43.110: 00:0a:95:9d:68:16 Sending RADIUS packet to server with ID 164 *aaaQueueReader: Jun 24 14:25:43.212: 00:0a:95:9d:68:16 Received RADIUS packet from server with ID 164 *aaaQueueReader: Jun 24 14:25:43.212: 00:0a:95:9d:68:16 Received RADIUS response code 3 (Access-Reject) for mobile 00:0a:95:9d:68:16 *aaaQueueReader: Jun 24 14:25:43.212: 00:0a:95:9d:68:16 RADIUS server has returned Access-Reject for user host/MyLaptop.domain.com *aaaQueueReader: Jun 24 14:25:43.212: 00:0a:95:9d:68:16 AAA Authentication Failure for UserName:host/MyLaptop.domain.com User Type: WLAN USER

In this example, the client with MAC address 00:0a:95:9d:68:16 tries to authenticate with the RADIUS server. The WLC sends a RADIUS packet to the server. However, the server responds with a Access-Reject response. This typically indicates that the credentials provided by the client (username/password or certificate, depending on the authentication method) were not correct.

For more debug commands that may be helpful, take a look at the Cisco command reference link below.