
WLC Client Debug – Part 3


Here is the final part of the WLC client debug series. Yes, it took a very long time for me to publish it (many of you asked for it 😉 & I could not ignore your requests).

I have used a Cisco 3702 AP (managed via an 8540 running 8.3.112.0) and a Google Pixel as my wireless client. The EAP method in use is “PEAP – Protected EAP”, hence the frame exchange described below is specific to PEAP.

1. Open System Authentication (Request initiated by client)
2. Open System Authentication (Response by AP)
3. Association Request (sent by client)
4. Association Response (sent by AP)
5. EAP Identity Request
6. EAP Identity Response
7. EAP Request (EAP-Type = PEAP, TLS, TTLS)
8. EAP Response (Client Hello)
9. EAP Request (Server_Hello, Certificate, Server_Hello_Done)
10. EAP Response (Client_Key_Exchange, Change_Cipher_Spec, Handshake)
11. EAP Request (Change_Cipher_Spec, Encrypted_Handshake_Message)
12. EAP Response (PEAP – Phase 1 completion)
13. EAP/MSCHAPv2 Identity Request (inside TLS tunnel – PEAP Phase 2 start)
14. EAP/MSCHAPv2 Identity Response
15. EAP/MSCHAPv2 Challenge Request
16. EAP/MSCHAPv2 Challenge Response
17. EAP/MSCHAPv2 Success Request
18. EAP/MSCHAPv2 Success Response
19. EAP/MSCHAPv2 Request
20. EAP/MSCHAPv2 Response
21. EAP Success
22. 4-Way Handshake – EAPoL Key Exchange Message 1
23. 4-Way Handshake – EAPoL Key Exchange Message 2
24. 4-Way Handshake – EAPoL Key Exchange Message 3
25. 4-Way Handshake – EAPoL Key Exchange Message 4
26. DHCP Discover (sent by client to L2 broadcast)
27. DHCP Offer (sent by DHCP server)
28. DHCP Request (sent by client to L2 broadcast)
29. DHCP ACK (sent by DHCP server to client)

Here is a basic flow of those frame exchanges in any EAP process.

WLC-Debug-P3-17

Here is the wireless capture in Wireshark (note that I have filtered out ACK and Beacon frames for simplicity; refer to this CSC thread for the packet colorizing scheme I used). I have included the “Sequence Number” field & the “EAP ID” field to easily correlate the Wireshark frames going between AP & client with the WLC debug messages.

WLC-Debug-P3-00

Here is the frame exchange in a diagram.

WLC-Debug-P3-16

You can enable “debug client <mac_addr>” on the WLC while the client is trying to connect to see the details of the frame exchange. Here are the debug output messages alongside the Wireshark packet captures for a better understanding of the process.

(8540-TEST) >debug client ac:37:43:4d:4b:b7
 May 05 10:59:16.629: ac:37:43:4d:4b:b7 Processing assoc-req station:ac:37:43:4d:4b:b7 AP:a8:9d:21:9b:72:40-01 thread:1c59fc20

First in the debug you should see the “Association Request” coming from the client device (after the open auth request/response). The AP will respond with an “Association Response” frame (#54) that carries the AID (Association ID) value.

WLC-Debug-P3-01

May 05 10:59:16.642: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
May 05 10:59:16.642: ac:37:43:4d:4b:b7 Received Identity Response (count=1) from mobile ac:37:43:4d:4b:b7
10:59:16.642: ac:37:43:4d:4b:b7 Resetting reauth count 1 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.642: ac:37:43:4d:4b:b7 EAP State update from Connecting to Authenticating for mobile ac:37:43:4d:4b:b7
10:59:16.642: ac:37:43:4d:4b:b7 dot1x - moving mobile ac:37:43:4d:4b:b7 into Authenticating state

Once the “Association Response” is sent by the AP, it should send the “EAP Identity Request” message (frame #56), to which the client has to respond with an “EAP Identity Response” (frame #58).

WLC-Debug-P3-02

10:59:16.642: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7 
10:59:16.643: ac:37:43:4d:4b:b7 Created Acct-Session-ID (590bce64/ac:37:43:4d:4b:b7/127) for the mobile
10:59:16.645: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.645: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=218) for mobile ac:37:43:4d:4b:b7
10:59:16.645: ac:37:43:4d:4b:b7 WARNING: updated EAP-Identifier 1 ===> 218 for STA ac:37:43:4d:4b:b7
10:59:16.645: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 218)

Once the “Identity Response” is passed on to the Auth Server, it should send the “PEAP Identity Request” message (frame #60) with the EAP Type set to “PEAP”. Notice that the EAP ID has changed to 218 (the “updated EAP-Identifier 1 ===> 218” warning line in the debug).

WLC-Debug-P3-03

10:59:16.645: ac:37:43:4d:4b:b7 Allocating EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7 
10:59:16.647: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.647: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 218, EAP Type 25)

The client will respond with a “Client Hello” message (frame #62) that includes the TLS version, Cipher Suites and Signature Algorithms that the client supports.

WLC-Debug-P3-04

Subsequently you will see multiple EAP Request/Response frames (#64/66, #68/70, #72/74, #76/78 & #80/82) with the corresponding EAP IDs 219, 220, 221, 222 & 223 respectively. These EAP-Request messages are fragments of one message that carries the “Server Hello, Certificate & Server_Hello_Done” information.

10:59:16.647: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7 
10:59:16.647: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.652: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.652: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=219) for mobile ac:37:43:4d:4b:b7
10:59:16.652: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 219)
10:59:16.652: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.653: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.653: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 219, EAP Type 25)
10:59:16.653: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.653: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.655: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.655: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 220)
10:59:16.655: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.657: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.657: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 220, EAP Type 25)
10:59:16.657: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.658: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.658: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 221)
10:59:16.658: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.660: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.660: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 221, EAP Type 25)
10:59:16.660: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.662: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.662: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=222) for mobile ac:37:43:4d:4b:b7
10:59:16.662: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 222)
10:59:16.662: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.663: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.663: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 222, EAP Type 25)
10:59:16.663: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.663: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.664: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.664: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=223) for mobile ac:37:43:4d:4b:b7
10:59:16.664: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 223)
10:59:16.664: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.670: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.670: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 223, EAP Type 25)

Here are the first (#64) & last (#80) fragments of that EAP-Request message. You can see “More Fragments” set to False & the EAP-ID is 223 in the last frame. Also note that the Auth Server specifies the Cipher Suite to use and provides its certificate, together with the root/subordinate certificates of the CA that signed it. This is where the client must validate that certificate against its trusted CA; that validation happens inside the supplicant, so the WLC debug does not show it.

WLC-Debug-P3-05

WLC-Debug-P3-06

The client then responds with the “Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message” frame (#82), which is the response to the last EAP Request fragment (hence it carries the same EAP-ID, 223).

WLC-Debug-P3-07

Then the Auth Server sends an EAP-Request frame (#84) that contains “Change Cipher Spec & Encrypted Handshake Message” to complete the TLS tunnel setup. The client responds with an EAP-Response (#86).

10:59:16.670: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7 
10:59:16.670: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.681: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.681: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=224) for mobile ac:37:43:4d:4b:b7
10:59:16.681: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 224)
10:59:16.681: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.682: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.682: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 224, EAP Type 25)
10:59:16.682: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.682: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.683: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7

WLC-Debug-P3-08

WLC-Debug-P3-09

Once the TLS tunnel is set up, the client & Auth Server go through the inner EAP exchange inside the secure TLS tunnel. In this part of the communication you will not be able to see the details, as everything is encrypted in TLS. Depending on the PEAP inner method (MSCHAPv2, GTC, TLS), the number of frame exchanges will differ.

10:59:16.683: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=225) for mobile ac:37:43:4d:4b:b7 
10:59:16.683: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 225)
10:59:16.683: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.685: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.685: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 225, EAP Type 25)
10:59:16.685: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.685: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.686: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.686: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=226) for mobile ac:37:43:4d:4b:b7
10:59:16.686: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 226)
10:59:16.686: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.688: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.688: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 226, EAP Type 25)
10:59:16.688: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.688: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.698: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.698: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=227) for mobile ac:37:43:4d:4b:b7
10:59:16.698: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 227)
10:59:16.698: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.699: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.699: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 227, EAP Type 25)
10:59:16.699: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.699: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7
10:59:16.701: ac:37:43:4d:4b:b7 Processing Access-Challenge for mobile ac:37:43:4d:4b:b7
10:59:16.701: ac:37:43:4d:4b:b7 Entering Backend Auth Req state (id=228) for mobile ac:37:43:4d:4b:b7
10:59:16.701: ac:37:43:4d:4b:b7 Sending EAP Request from AAA to mobile ac:37:43:4d:4b:b7 (EAP Id 228)
10:59:16.701: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.702: ac:37:43:4d:4b:b7 Received EAPOL EAPPKT from mobile ac:37:43:4d:4b:b7
10:59:16.702: ac:37:43:4d:4b:b7 Received EAP Response from mobile ac:37:43:4d:4b:b7 (EAP Id 228, EAP Type 25)
10:59:16.702: ac:37:43:4d:4b:b7 Resetting reauth count 0 to 0 for mobile ac:37:43:4d:4b:b7
10:59:16.702: ac:37:43:4d:4b:b7 Entering Backend Auth Response state for mobile ac:37:43:4d:4b:b7

Here is the capture of frame #88, which relates to EAP-ID 225. You can see the payload is TLS encrypted & the details are not visible. This is the “Identity Request” message going from the AP to the client as the first frame of the EAP exchange inside the TLS tunnel.

WLC-Debug-P3-10

Once the EAP exchange completes within the TLS tunnel, the Auth Server sends a RADIUS “Access-Accept” to the WLC, which in turn sends EAP-Success to the client. Notice in frame #104 (with EAP-ID 228) that the EAP message code is “Success”.

WLC-Debug-P3-11

10:59:16.714: ac:37:43:4d:4b:b7 Processing Access-Accept for mobile ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 Username entry (rnayanaxxx) created for mobile, length = 253
10:59:16.714: ac:37:43:4d:4b:b7 Username entry (rnayanaxxx) created in mscb for mobile, length = 253
10:59:16.714: ac:37:43:4d:4b:b7 Received MPPE_SEND_KEY: KeyLen: 32
10:59:16.714: ac:37:43:4d:4b:b7 Received MPPE_RECV_KEY: KeyLen: 32
10:59:16.714: ac:37:43:4d:4b:b7 override for default ap group, marking intgrp NULL
10:59:16.714: ac:37:43:4d:4b:b7 Applying Interface(wln-gus-10) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 1430
10:59:16.714: ac:37:43:4d:4b:b7 Re-applying interface policy for client
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2931)
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2951)
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2972)
10:59:16.714: ac:37:43:4d:4b:b7 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
10:59:16.714: ac:37:43:4d:4b:b7 override from ap group, removing intf group from mscb
10:59:16.714: ac:37:43:4d:4b:b7 Applying site-specific override for station ac:37:43:4d:4b:b7 - vapId 101, site 'Test-ABC', interface 'wln-gus-10'
10:59:16.714: ac:37:43:4d:4b:b7 Applying Interface(wln-gus-10) policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 1430
10:59:16.714: ac:37:43:4d:4b:b7 Re-applying interface policy for client
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2931)
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2951)
10:59:16.714: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2972)
10:59:16.714: ac:37:43:4d:4b:b7 Inserting AAA Override struct for mobile MAC: ac:37:43:4d:4b:b7, source 4
10:59:16.714: ac:37:43:4d:4b:b7 Applying override policy from source Override Summation: with value 200
10:59:16.714: ac:37:43:4d:4b:b7 Setting re-auth timeout to 1800 seconds, got from WLAN config.
10:59:16.714: ac:37:43:4d:4b:b7 Station ac:37:43:4d:4b:b7 setting dot1x reauth timeout = 1800
10:59:16.714: ac:37:43:4d:4b:b7 Creating a PKC PMKID Cache entry for station ac:37:43:4d:4b:b7 (RSN 2)
10:59:16.714: ac:37:43:4d:4b:b7 Resetting MSCB PMK Cache Entry 0 for station ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 Setting active key cache index 8 ---> 8
10:59:16.714: ac:37:43:4d:4b:b7 Setting active key cache index 8 ---> 0
10:59:16.714: ac:37:43:4d:4b:b7 Adding BSSID a8:9d:21:9b:72:4e to PMKID cache at index 0 for station ac:37:43:4d:4b:b7
10:59:16.714: New PMKID: (16)
10:59:16.714: [0000] 2b f5 0e 3b 85 7c 63 96 a3 41 98 37 75 86 5c d7
10:59:16.714: ac:37:43:4d:4b:b7 unsetting PmkIdValidatedByAp
10:59:16.714: ac:37:43:4d:4b:b7 Updating AAA Overrides from local for station
10:59:16.714: ac:37:43:4d:4b:b7 Adding Audit session ID payload in Mobility handoff
10:59:16.714: ac:37:43:4d:4b:b7 0 PMK-update groupcast messages sent
10:59:16.714: ac:37:43:4d:4b:b7 PMK sent to mobility group
10:59:16.714: ac:37:43:4d:4b:b7 Disabling re-auth since PMK lifetime can take care of same.
10:59:16.714: ac:37:43:4d:4b:b7 Sending EAP-Success to mobile ac:37:43:4d:4b:b7 (EAP Id 228)
10:59:16.714: ac:37:43:4d:4b:b7 key Desc Version FT - 0
10:59:16.714: ac:37:43:4d:4b:b7 Found an cache entry for BSSID a8:9d:21:9b:72:4e in PMKID cache at index 0 of station ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 Found an cache entry for BSSID a8:9d:21:9b:72:4e in PMKID cache at index 0 of station ac:37:43:4d:4b:b7
10:59:16.714: Including PMKID in M1 (16)
10:59:16.714: [0000] 2b f5 0e 3b 85 7c 63 96 a3 41 98 37 75 86 5c d7
10:59:16.714: M1 - Key Data: (22)
10:59:16.714: [0000] dd 14 00 0f ac 04 2b f5 0e 3b 85 7c 63 96 a3 41
10:59:16.714: [0016] 98 37 75 86 5c d7

At this stage, both the client & the Authentication Server have derived the PMK (Pairwise Master Key). The Authentication Server sends this PMK to the WLC/AP (Authenticator) inside the Access-Accept; in the debug above it shows up as the MPPE_SEND_KEY/MPPE_RECV_KEY lines (KeyLen 32). Then the AP & client go through the 4-way handshake to create the encryption keys for that session (PTK, Pairwise Transient Key, for unicast traffic; GTK, Group Temporal Key, for broadcast/multicast traffic). In the first message (M1), the AP sends the ANonce (Authenticator Number used Once), which allows the client to derive its PTK from the PMK, ANonce, SNonce, Supplicant Address (SA) & Authenticator Address (AA).

10:59:16.714: ac:37:43:4d:4b:b7 Starting key exchange to mobile ac:37:43:4d:4b:b7, data packets will be dropped
10:59:16.714: ac:37:43:4d:4b:b7 Sending EAPOL-Key Message to mobile ac:37:43:4d:4b:b7
 state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
10:59:16.714: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 Entering Backend Auth Success state (id=228) for mobile ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 Received Auth Success while in Authenticating state for mobile ac:37:43:4d:4b:b7
10:59:16.714: ac:37:43:4d:4b:b7 dot1x - moving mobile ac:37:43:4d:4b:b7 into Authenticated state
*dot1xSocketTask: 10:59:16.718: ac:37:43:4d:4b:b7 validating eapol pkt: key version = 2
10:59:16.718: ac:37:43:4d:4b:b7 Received EAPOL-Key from mobile ac:37:43:4d:4b:b7
10:59:16.718: ac:37:43:4d:4b:b7 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile ac:37:43:4d:4b:b7
10:59:16.718: ac:37:43:4d:4b:b7 key Desc Version FT - 0

WLC-Debug-P3-12

Here is message 2, where the supplicant sends its SNonce to the AP. Since the supplicant has already derived the PTK, it adds a MIC to M2, which the AP uses to validate that the client’s PTK matches its own. Also note that this message contains the RSN information element that specifies the client’s capabilities.

10:59:16.718: ac:37:43:4d:4b:b7 Received EAPOL-key in PTK_START state (message 2) from mobile ac:37:43:4d:4b:b7
10:59:16.718: ac:37:43:4d:4b:b7 Encryption Policy: 4, PTK Key Length: 48
10:59:16.718: ac:37:43:4d:4b:b7 Successfully computed PTK from PMK!!!
10:59:16.718: ac:37:43:4d:4b:b7 Received valid MIC in EAPOL Key Message M2!!!!!
10:59:16.718: 00000000: 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0...............
10:59:16.718: 00000010: 00 0f ac 01 28 00 ....(.
10:59:16.718: 00000000: 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ................
10:59:16.718: 00000010: ac 01 28 00 ..(.
10:59:16.718: ac:37:43:4d:4b:b7 Not Flex client. Do not distribute PMK Key cache.
10:59:16.718: ac:37:43:4d:4b:b7 Stopping retransmission timer for mobile ac:37:43:4d:4b:b7
10:59:16.718: ac:37:43:4d:4b:b7 key Desc Version FT - 0

WLC-Debug-P3-13

Once M2 is received by the AP, it can derive its own PTK, as the SNonce parameter came with M2. From this point both the AP and the client are able to encrypt unicast traffic between them. However, they still need an encryption key for broadcast/multicast traffic. This key (the GTK) is generated by the Authenticator (WLC/AP) & passed to the client inside M3, in the encrypted Key Data field.
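As an added example (not code from the original post), here is the key material the two sides compute in the steps above, in Python: the PMKID and its KDE (the “dd 14 00 0f ac 04 …” key data seen in M1), the PTK from PMK, ANonce, SNonce, AA and SA, and the AP’s MIC check on M2 (key descriptor version 2 = HMAC-SHA1-128, as the “key version = 2” debug lines show). The BSSID, client MAC and the client’s RSN IE are taken from the debug above; the PMK and nonces are constructed, so the PMKID will not equal the page’s value.

```python
import hashlib
import hmac
import struct

# From the debug output above: AP BSSID (AA), client MAC (SPA) and the RSN IE
# the client sent in M2 (CCMP pairwise cipher 00-0f-ac-04, 802.1X AKM 00-0f-ac-01).
AA = bytes.fromhex("a89d219b724e")
SPA = bytes.fromhex("ac37434d4bb7")
RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100000fac04" "0100000fac01" "2800")
# Constructed values (not the session's real secrets): 32-byte PMK and nonces.
PMK = hashlib.sha256(b"constructed PMK for this example").digest()
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

KEY_INFO_M2 = 0x010A  # key descriptor version 2, pairwise key, MIC present
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8                    # EAPOL hdr, type, info, len, RC
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8         # + nonce, IV, RSC, reserved ID


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n built on HMAC-SHA1 (used with key descriptor version 2)."""
    out = b""
    for i in range(-(-nbytes // 20)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def pmkid_kde(pmk, aa, spa):
    """The 22-byte PMKID KDE carried in M1 key data: dd 14 00 0f ac 04 || PMKID."""
    return b"\xdd\x14\x00\x0f\xac\x04" + pmkid(pmk, aa, spa)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP, 48 bytes = KCK(16) || KEK(16) || TK(16); addresses and
    nonces are ordered min||max so both sides compute the same value."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_eapol_key(key_info, replay_counter, nonce, key_data, mic=bytes(16)):
    """EAPOL-Key frame: EAPOL header (version 2, type 3 = Key) + RSN key descriptor."""
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, replay_counter) + nonce
            + bytes(16) + bytes(8) + bytes(8)           # Key IV, Key RSC, reserved ID
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def compute_mic(kck, frame):
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_build_m2(pmk, aa, spa, anonce, snonce):
    """Client side: derive the PTK from M1's ANonce, then send SNonce + RSN IE with a MIC."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    m2 = build_eapol_key(KEY_INFO_M2, 0, snonce, RSN_IE)
    return m2[:MIC_OFFSET] + compute_mic(kck, m2) + m2[MIC_OFFSET + 16:]


def authenticator_verify_m2(pmk, aa, spa, anonce, m2):
    """AP side: read SNonce from M2, compute the PTK and check the MIC (the
    "Successfully computed PTK" / "valid MIC in EAPOL Key Message M2" lines)."""
    snonce = m2[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(compute_mic(kck, m2), m2[MIC_OFFSET:MIC_OFFSET + 16])


def demo():
    m2 = supplicant_build_m2(PMK, AA, SPA, ANONCE, SNONCE)
    genuine = authenticator_verify_m2(PMK, AA, SPA, ANONCE, m2)
    # Flip one bit of the RSN IE at the end of the frame: the MIC no longer
    # matches, so the AP will not move on to M3. This is why the MIC covers
    # the RSN IE: a modified cipher/AKM selection in M2 is rejected here.
    tampered = bytearray(m2)
    tampered[-1] ^= 0x01
    forged = authenticator_verify_m2(PMK, AA, SPA, ANONCE, bytes(tampered))
    return genuine, forged
```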

10:59:16.718: ac:37:43:4d:4b:b7 Sending EAPOL-Key Message to mobile ac:37:43:4d:4b:b7 state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01 
10:59:16.718: ac:37:43:4d:4b:b7 Reusing allocated memory for EAP Pkt for retransmission to mobile ac:37:43:4d:4b:b7
*dot1xSocketTask: 10:59:16.723: ac:37:43:4d:4b:b7 validating eapol pkt: key version = 2
10:59:16.723: ac:37:43:4d:4b:b7 Received EAPOL-Key from mobile ac:37:43:4d:4b:b7
10:59:16.723: ac:37:43:4d:4b:b7 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile ac:37:43:4d:4b:b7
10:59:16.723: ac:37:43:4d:4b:b7 key Desc Version FT - 0

WLC-Debug-P3-14

Here is the message 4 decode, where the client confirms that it has installed the GTK & is ready to start communicating with traffic encryption.

10:59:16.723: ac:37:43:4d:4b:b7 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile ac:37:43:4d:4b:b7 
10:59:16.723: ac:37:43:4d:4b:b7 Stopping retransmission timer for mobile ac:37:43:4d:4b:b7
10:59:16.723: ac:37:43:4d:4b:b7 Freeing EAP Retransmit Bufer for mobile ac:37:43:4d:4b:b7
10:59:16.723: ac:37:43:4d:4b:b7 apfMs1xStateInc
10:59:16.723: ac:37:43:4d:4b:b7 apfMsPeapSimReqCntInc
10:59:16.723: ac:37:43:4d:4b:b7 apfMsPeapSimReqSuccessCntInc
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)

WLC-Debug-P3-15

Then you will see the client go through DHCP. Note that once the 4-way handshake completes, the client data traffic is encrypted, so you won’t be able to see the DHCP transactions below in your wireless capture; they all appear as “Encrypted Data”. Also note that the client state changes from L2AUTHCOMPLETE (4) to DHCP_REQD (7).

10:59:16.723: ac:37:43:4d:4b:b7 Mobility query, PEM State: L2AUTHCOMPLETE
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 L2AUTHCOMPLETE (4) NO release MSCB
10:59:16.723: ac:37:43:4d:4b:b7 Building Mobile Announce : 
10:59:16.723: ac:37:43:4d:4b:b7 Building Client Payload:
10:59:16.723: ac:37:43:4d:4b:b7 Client Ip: 0.0.0.0
10:59:16.723: ac:37:43:4d:4b:b7 Client Vlan Ip: 10.143.127.249, Vlan mask : 255.255.240.0 
10:59:16.723: ac:37:43:4d:4b:b7 Client Vap Security: 16448
10:59:16.723: ac:37:43:4d:4b:b7 Virtual Ip: 192.0.2.1
10:59:16.723: ac:37:43:4d:4b:b7 ssid: eduroam2
10:59:16.723: ac:37:43:4d:4b:b7 Building VlanIpPayload.
10:59:16.723: ac:37:43:4d:4b:b7 Not Using WMM Compliance code qosCap 00
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP a8:9d:21:9b:72:40 vapId 101 apVapId 2 flex-acl-name: 
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6682, Adding TMP rule
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
 type = Airespace AP - Learn IP address
 on AP a8:9d:21:9b:72:40, slot 1, interface = 8, QOS = 2
 IPv4 ACL ID = 255, IPv
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206, IntfId = 11 Local Bridging Vlan = 1430, Local Bridging intf id = 11
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) NO release MSCB
10:59:16.723: ac:37:43:4d:4b:b7 Successfully Plumbed PTK session Keysfor mobile ac:37:43:4d:4b:b7
*spamApTask1: 10:59:16.723: ac:37:43:4d:4b:b7 Successful transmission of LWAPP Add-Mobile to AP a8:9d:21:9b:72:40
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local
 Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.10.0.100
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 6320, Adding TMP rule
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
 type = Airespace AP - Learn IP address
 on AP a8:9d:21:9b:72:40, slot 1, interface = 8, QOS = 2
 IPv4 ACL ID = 255, 
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206, IntfId = 11 Local Bridging Vlan = 1430, Local Bridging intf id = 11
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 DHCP_REQD (7) NO release MSCB
*pemReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: 10:59:16.723: ac:37:43:4d:4b:b7 Sent an XID frame
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP received op BOOTREQUEST (1) (len 324,vlan 1000, port 8, encap 0xec03, xid 0xf2742c97)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selected relay 1 - 131.x.x.100 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selected relay 2 - 131.x.x.200 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selected relay 1 - 131.x.x.100 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 0, flags: 0
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 10.143.127.249
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP ARPing for 10.143.127.250 (SPA 10.143.127.249, vlanId 1430)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP selected relay 2 - 131.x.x.200 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 0, flags: 0
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 10.143.127.249
*DHCP Socket Task: 10:59:17.203: ac:37:43:4d:4b:b7 DHCP ARPing for 10.143.127.250 (SPA 10.143.127.249, vlanId 1430)
*IPv6_Msg_Task: 10:59:18.053: ac:37:43:4d:4b:b7 Link Local address fe80::ae37:43ff:fe4d:4bb7 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP received op BOOTREQUEST (1) (len 324,vlan 1000, port 8, encap 0xec03, xid 0xf2742c97)
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selected relay 1 - 131.x.x.100 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selected relay 2 - 131.x.x.200 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:19.140: ac:37:43:4d:4b:b7 DHCP selected relay 1 - 131.x.x.100 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 256, flags: 0
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 10.143.127.249
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP sending REQUEST to 10.143.127.250 (len 366, port 8, vlan 1430)
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP selected relay 2 - 131.x.x.200 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP transmitting DHCP DISCOVER (1)
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 256, flags: 0
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 10.143.127.249
*DHCP Socket Task: 10:59:19.141: ac:37:43:4d:4b:b7 DHCP sending REQUEST to 10.143.127.250 (len 366, port 8, vlan 1430)
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP received op BOOTREPLY (2) (len 308,vlan 1430, port 8, encap 0xec00, xid 0xf2742c97)
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP setting server from OFFER (server 131.x.x.100, yiaddr 10.143.120.253)
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP sending REPLY to STA (len 418, port 8, vlan 1000)
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP transmitting DHCP OFFER (2)
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 256, flags: 0
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 10.143.120.253
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: 10:59:20.142: ac:37:43:4d:4b:b7 DHCP server id: 192.0.2.1 rcvd server id: 131.x.x.100
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP received op BOOTREQUEST (1) (len 336,vlan 1000, port 8, encap 0xec03, xid 0xf2742c97)
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP selecting relay 1 - control block settings:
 dhcpServer: 131.x.x.100, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP mscbVapLocalAddr=10.143.127.249 mscbVapLocalNetMask= 255.255.240.0 mscbdhcpRelay=10.143.127.249
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP selected relay 1 - 131.x.x.100 (local address 10.143.127.249, gateway 10.143.127.250, VLAN 1430, port 8)
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP transmitting DHCP REQUEST (3)
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 512, flags: 0
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 10.143.127.249
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP requested ip: 10.143.120.253
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP server id: 131.x.x.100 rcvd server id: 192.0.2.1
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP sending REQUEST to 10.143.127.250 (len 374, port 8, vlan 1430)
*DHCP Socket Task: 10:59:20.151: ac:37:43:4d:4b:b7 DHCP selecting relay 2 - control block settings:
 dhcpServer: 131.x.x.100, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 10.143.127.249 VLAN: 1430
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP received op BOOTREPLY (2) (len 308,vlan 1430, port 8, encap 0xec00, xid 0xf2742c97)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP setting server from ACK (mscb=0x7f3ea6773628 ip=0xa8f78fd)(server 131.x.x.100, yiaddr 10.143.120.253)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 apfMsRunStateInc
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Reached PLUMBFASTPATH: from line 7320, null
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Replacing Fast Path rule
 type = Airespace AP Client
 on AP a8:9d:21:9b:72:40, slot 1, interface = 8, QOS = 2
 IPv4 ACL ID = 255, IPv6 ACL I
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 64206, IntfId = 11 Local Bridging Vlan = 1430, Local Bridging intf id = 11
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 4, AppToken = 64206 AverageRate = 0, BurstRate = 0 
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 Accounting NAI-Realm: rnayanajith@latrobe.edu.au, from Mscb username : rnayanajith@latrobe.edu.au
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 RUN (20) NO release MSCB
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 Assigning Address 10.143.120.253 to mobile 
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP success event for client. Clearing dhcp failure count for interface wln-gus-10.
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP success event for client. Clearing dhcp failure count for interface wln-gus-10.
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 Client learned IP from Orphan Packet.Updated the GW and NW from interface for client.Ip 10.143.120.253, gateway 10.143.127.250,netmask 255.255.240.0 
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP sending REPLY to STA (len 418, port 8, vlan 1000)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP transmitting DHCP ACK (5)
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP xid: 0x972c74f2 (2536273138), secs: 512, flags: 0
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP chaddr: ac:37:43:4d:4b:b7
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP ciaddr: 0.0.0.0, yiaddr: 10.143.120.253
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: 10:59:20.153: ac:37:43:4d:4b:b7 DHCP server id: 192.0.2.1 rcvd server id: 131.x.x.100
*pemReceiveTask: 10:59:20.153: ac:37:43:4d:4b:b7 10.143.120.253 Added NPU entry of type 1, dtlFlags 0x0

By looking at the frame header information, you can guess which frames are DHCP Discover, Offer, Request and ACK (DORA).

Debug-802.1X-07.PNG

Since the DHCP Discover message is sent to the broadcast destination address, frame 191 should be the DHCP Discover.

Debug-802.1X-04

Then, after the Block ACK, the client receives the DHCP Offer message.

Debug-802.1X-05

Then the client sends a DHCP Request, again destined to the broadcast address, so frame 209 could be the DHCP Request message.

Debug-802.1X-06
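Guessing from the destination address works for Discover and Request, but option 53 (DHCP Message Type) is what actually labels each frame. The following Python is an added example, not code from the post or from Cisco: it parses BOOTP/DHCP payloads, labels the DORA exchange for one transaction id, and models the two rewrites that the debug above shows the controller performing (giaddr set to its interface address and hops incremented on the way upstream; giaddr cleared and the server identifier replaced by the 192.0.2.1 virtual IP on the way to the STA). The client MAC, xid, relay address, virtual IP and offered address are the ones printed in the debug; the upstream server address 203.0.113.100 is a constructed stand-in for the masked 131.x.x.100, and every packet is constructed here rather than taken from the capture.

```python
# Added example: DHCP/BOOTP parsing, DORA labelling by option 53, and the relay
# rewrites visible in the WLC debug above. Packets are constructed, not captured.
import struct
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
BOOTREQUEST, BOOTREPLY = 1, 2

CLIENT_MAC = "ac:37:43:4d:4b:b7"  # client MAC from the debug above
XID = 0x972C74F2                  # xid from the debug above
RELAY = "10.143.127.249"          # WLC interface address used as giaddr above
VIRTUAL_IP = "192.0.2.1"          # server id the STA sees in the debug above
UPSTREAM = "203.0.113.100"        # constructed stand-in for the masked 131.x.x.100
OFFERED = "10.143.120.253"        # yiaddr from the debug above

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

@dataclass
class Dhcp:
    op: int
    hops: int
    xid: int
    ciaddr: str
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: str
    options: Dict[int, bytes] = field(default_factory=dict)

    @property
    def msg_type(self) -> Optional[str]:          # option 53 decides DORA, not the dest MAC
        raw = self.options.get(53)
        return MSG_TYPES.get(raw[0]) if raw else None

    @property
    def server_id(self) -> Optional[str]:         # option 54
        raw = self.options.get(54)
        return _ip(raw) if raw else None

    def to_bytes(self) -> bytes:
        hw = bytes.fromhex(self.chaddr.replace(":", ""))
        head = struct.pack("!BBBBIHH", self.op, 1, len(hw), self.hops, self.xid, 0, 0)
        head += b"".join(_ip_bytes(a) for a in (self.ciaddr, self.yiaddr, self.siaddr, self.giaddr))
        head += hw.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC_COOKIE  # chaddr, sname, file
        opts = b"".join(bytes([c, len(v)]) + v for c, v in self.options.items())
        return head + opts + b"\xff"

def parse_dhcp(payload: bytes) -> Dhcp:
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (no magic cookie)")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (_ip(payload[i:i + 4]) for i in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                         # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return Dhcp(op, hops, xid, ciaddr, yiaddr, siaddr, giaddr, chaddr, options)

def relay_upstream(msg: Dhcp, relay_ip: str) -> Dhcp:
    # Client frame leaving the controller: giaddr set to the relay address, hops + 1.
    return replace(msg, hops=msg.hops + 1, giaddr=relay_ip, options=dict(msg.options))

def proxy_to_sta(reply: Dhcp, virtual_ip: str) -> Dhcp:
    # Server reply going to the STA: giaddr cleared, option 54 rewritten to the virtual IP.
    opts = dict(reply.options)
    opts[54] = _ip_bytes(virtual_ip)
    return replace(reply, hops=0, giaddr="0.0.0.0", options=opts)

def dora_sequence(payloads: List[bytes], xid: int) -> List[str]:
    # Message types, in order, for one transaction id.
    return [m.msg_type for m in map(parse_dhcp, payloads) if m.xid == xid]

def swap_xid(xid: int) -> int:
    # The "DHCP received" debug lines print the xid byte-reversed (0xf2742c97 for 0x972c74f2).
    return int.from_bytes(xid.to_bytes(4, "big"), "little")

def sample_exchange() -> List[Dhcp]:
    # Constructed DORA exchange as seen on the controller's wired side, in transit order.
    z = "0.0.0.0"
    discover = Dhcp(BOOTREQUEST, 0, XID, z, z, z, z, CLIENT_MAC, {53: b"\x01"})
    offer = Dhcp(BOOTREPLY, 0, XID, z, OFFERED, z, RELAY, CLIENT_MAC, {53: b"\x02", 54: _ip_bytes(UPSTREAM)})
    request = Dhcp(BOOTREQUEST, 0, XID, z, z, z, z, CLIENT_MAC,
                   {53: b"\x03", 50: _ip_bytes(OFFERED), 54: _ip_bytes(VIRTUAL_IP)})
    ack = Dhcp(BOOTREPLY, 0, XID, z, OFFERED, z, RELAY, CLIENT_MAC, {53: b"\x05", 54: _ip_bytes(UPSTREAM)})
    return [relay_upstream(discover, RELAY), offer, relay_upstream(request, RELAY), ack]
```

Running `dora_sequence` over `[m.to_bytes() for m in sample_exchange()]` with `XID` returns `['DISCOVER', 'OFFER', 'REQUEST', 'ACK']`, and `proxy_to_sta` applied to the offer yields server id 192.0.2.1 with giaddr 0.0.0.0 and hops 0, which is exactly the shape of the OFFER the debug shows being transmitted to the STA. `swap_xid` is there because the "DHCP received" lines print the transaction id in the opposite byte order from the decoded lines, which trips people up when filtering a capture on `bootp.id`.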

That completes the WLC client debug series 🙂

Attached is a pcap file (802.1X-PEAP.pcapng) that contains an EAP-PEAP frame exchange (not the same capture I used above). If you would like to practise frame analysis, go through it and find the answers to the questions below.

1. What is the validity period of the certificate presented to the client?
2. What PMKID is used in this client association?
3. How many cipher suites are supported by the client?
4. Which cipher suite was chosen by the Auth Server?
5. What differences are there in PEAP Phase 2 in this capture compared to what is shown in the blog post?


