802.1X Authentication failed without 802.1X authentication enabled

Hi,
we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
When they lost the connection we can see the following error:
Message:
Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
Message:
Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
I also attach an output of the troubleshoot mac address...
Can someone help me with this?
Thank you.
Best regards,

Hi Kirbus,
We opened a TAC and were advised for now to make the following changes:
1. Please make sure to disable Aironet extensions (if present) on the WLAN advanced configuration.
2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.
3. On the WLC general configuration, can you please disable aggressive load balancing.
4. On the security tab on the WLC, please go to wireless protection policies > disable client exclusion policies.
5. On the AP network configuration, please disable short preamble (the original standard was long preambles).
6. Wireless -> disable auto-RRM channel & power assignment & try "on demand".
7. Apply these modifications on the WLC CLI:
config advanced eap identity-request-timeout 20
config advanced eap identity-request-retries 10
config advanced eap request-timeout 20
config advanced eap request-retries 10
Save config, and see if you still face the problem.
We are still monitoring the solution, but until now we didn't face the problem again.
Let me know how it goes for you.
Thank you.
Best regards,
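
Before changing EAP timers as in the reply above, it helps to know which leg of the exchange is failing. The following is an added example, not part of the thread: a Python triage of controller client-debug output that labels each client by the failure signature seen in its lines. The sample lines are constructed in the debug line format, and the function names and verdict labels are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the line format of the controller's client debug
# output. MAC and IP addresses are placeholders, not taken from the thread.
SAMPLE_DEBUG = """\
*dot1xMsgTask: Jan 01 10:00:00.000: 02:00:00:00:00:01 Sending EAP-Request/Identity to mobile 02:00:00:00:00:01 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jan 01 10:00:00.050: 02:00:00:00:00:01 Received Identity Response (count=1) from mobile 02:00:00:00:00:01
*radiusTransportThread: Jan 01 10:00:00.060: 02:00:00:00:00:01 Access-Reject received from RADIUS server 192.0.2.10 for mobile 02:00:00:00:00:01 receiveId = 3
*Dot1x_NW_MsgTask_0: Jan 01 10:00:00.061: 02:00:00:00:00:01 Sending EAP-Failure to mobile 02:00:00:00:00:01 (EAP Id 3)
*dot1xMsgTask: Jan 01 10:00:05.000: 02:00:00:00:00:02 Sending EAP-Request/Identity to mobile 02:00:00:00:00:02 (EAP Id 1)
*dot1xMsgTask: Jan 01 10:00:05.001: 00000000: 02 00 00 05 01 01 00 05 01 .........
*Dot1x_NW_MsgTask_0: Jan 01 10:00:06.000: 02:00:00:00:00:02 Sending EAP-Request/Identity to mobile 02:00:00:00:00:02 (EAP Id 2)
*Dot1x_NW_MsgTask_0: Jan 01 10:00:07.000: 02:00:00:00:00:02 Sending EAP-Request/Identity to mobile 02:00:00:00:00:02 (EAP Id 3)
*Dot1x_NW_MsgTask_0: Jan 01 10:00:08.000: 02:00:00:00:00:02 Reached Max EAP-Identity Request retries (3) for STA 02:00:00:00:00:02
*dot1xMsgTask: Jan 01 10:00:20.000: 02:00:00:00:00:03 Sending EAP-Request/Identity to mobile 02:00:00:00:00:03 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jan 01 10:00:20.040: 02:00:00:00:00:03 Received Identity Response (count=1) from mobile 02:00:00:00:00:03
*Dot1x_NW_MsgTask_0: Jan 01 10:00:30.000: 02:00:00:00:00:03 Reached Max EAP-Identity Request retries (3) for STA 02:00:00:00:00:03
*radiusTransportThread: Jan 01 10:00:50.000: 02:00:00:00:00:03 [BE-resp] AAA response 'Timeout'
"""

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>". Hex-dump and other
# lines that carry no client MAC after the timestamp do not match.
LINE_RE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)",
    re.IGNORECASE,
)

# Message fragments that mark each step or failure of the exchange.
EVENTS = [
    ("identity_request", re.compile(r"Sending EAP-Request/Identity to mobile")),
    ("identity_response", re.compile(r"Received Identity Response")),
    ("radius_reject", re.compile(r"Access-Reject received from RADIUS server")),
    ("radius_timeout", re.compile(r"AAA (?:response|Message) 'Timeout'")),
    ("identity_retries_exhausted",
     re.compile(r"Reached Max EAP-Identity Request retries")),
]


def count_events(debug_text):
    """Return {client_mac: Counter(event -> occurrences)}."""
    per_client = defaultdict(Counter)
    for line in debug_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        mac = match.group("mac").lower()
        for name, pattern in EVENTS:
            if pattern.search(match.group("msg")):
                per_client[mac][name] += 1
    return dict(per_client)


def verdict(events):
    """Pick one label per client, most specific cause first."""
    if events["radius_reject"]:
        # The server answered and refused: look at server policy and
        # credentials rather than controller EAP timers.
        return "radius-reject"
    if events["radius_timeout"]:
        # No answer from the server: identity retries may also run out
        # as a side effect, so this is checked before the next case.
        return "radius-timeout"
    if events["identity_retries_exhausted"]:
        # Retries ran out with no server-side failure logged: the case
        # where the identity-request timeout and retry values matter.
        return "eap-identity-retries-exhausted"
    return "no-failure-seen"


def triage(debug_text):
    """Return {client_mac: verdict label} for every client in the text."""
    return {mac: verdict(ev) for mac, ev in count_events(debug_text).items()}


if __name__ == "__main__":
    for mac, label in triage(SAMPLE_DEBUG).items():
        print(mac, label)
```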

Similar Messages

  • CNA 5.8.7 can't reset authentication after "authentication failed"

    I have had a successful setup of a community in CNA 5.8.7. I went to include another new device (add to community) that had a different authentication than all the other community switches. In adding the device I added by attempting with wrong credentials and got the "authentication failed" for the right reason. When I discovered the correct credentials I again attempted to re-add the device and I keep getting "authentication failed" without the opportunity to reauthenticate with my newly discovered credentials. An authentication loop is occurring without me being able to correct it.

    Hi Anthony,
       I have tried to reproduce the issue like what you have explained in issue description. CNA working fine to me.
    Could you please verify the device credentials once again and check whether http/https are enabled on the device or not?
      Please let me know your comments on this.
    Thank you
    Regards,
    Srikanth Achanta

  • Proxy authentication failed in Mac OS 10.8.3

    I am using Firefox 21.0 in Mac OS 10.8.3. We are using a proxy server for browsing. While browsing the internet, Firefox prompts for the proxy username and password; after entering the correct username and password it shows proxy authentication failed, another round of authentication required. The same username and password is working fine in Safari on the same MacBook.
    Plz Help

    Hi There!
    Please check the solution mentioned here:
    http://kb.globalscape.com/KnowledgebaseArticle10522.aspx
    I remember someone else also suggested setting the option network.automatic-ntlm-auth.allow-proxies to false as well.
    Hope this helps!
    Have a good one!
    Dawid

  • 802.1x authentication fail

    I have a Juniper device with a Linux operating system; on that we have a RADIUS server configured, and I am trying to integrate my WLC with that RADIUS.
    I have added the WLC as a host there in RADIUS.
    On the WLC I have configured authentication, like RADIUS IP and shared secret key, and done.
    It's working; I can ping the RADIUS server.
    Also on the WLC I configured the WLAN "AAA allow override" check box, and also hit the WPA2 802.1x layer 2 security, and brought the RADIUS server option to the top.
    I also configured my Windows wireless adapter as PEAP MSCHAP v2.
    I am trying to connect to this SSID and it's asking for my AD account, but when I enter that it's not authenticating users and gives these logs.
    (WiSM-slot24-1) >debug aaa events enable
    (WiSM-slot24-1) >
    (WiSM-slot24-1) >
    (WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
    *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
    *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
    *aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
    *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
    *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
    *radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
    *aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
    *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
    *dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
    Any idea how to solve this problem?
    Or does anyone know how to configure a RADIUS server on a Juniper Linux operating system?
    many thanks in advance

    You should post on the Juniper forums regarding your policy configuration.  You should stick with using a radius than just doing ldap through the wlc.  Here is a link for webauth using ldap, but should get you close.  Again... you should look at getting your juniper radius configuration fixed first.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

  • 802.1x - Authentication failed

    Hello!
    There is a network layout: custom laptop, switch Cisco (model - Cisco WS-C3750-48PS-S, firmware version - 122-58.SE2) and Freeradius server.
    The user is authenticated by MAC-address (switch sends MAC-address of the server as username and password).
    On my computer, there is "Authentication failed".
    Port mirroring was made and  the traffic was checked by Wireshark.
    It can be seen that the server responds Accept-message (screenshot attached), which transmits the number of vlan.
    With the command "sh vlan" can be seen that the switch port assigned the desired vlan to port.
    Port is mirrored towards the user. There are three Start messages from the user (screenshot attached), but the Request-Identity messages from the switch are absent (no screenshot).
    Therefore, the user does not receive a message from a switch that authentication passed, and does not work with the network (not sending a DHCP-query).
    If you disable 802.1x on a PC, the PC works with a network.
    The network was tested on 2 different switches with different firmware (). PCs are with Windows 7 and Windows 8.
    Fa 1/0/18 - to PC.
    Fa 1/0/47 - to Freeradius-server
    What could be the problem?
    Thanks in advance.
    p.s. I attach config-file.

    No problem! Yes, you are correct, a switchport can be configured to support both mab and dot1x authentications. I am still trying to understand the following:
    1. When does authentication fail and when does it work. Please provide more details
    2. Can you post screenshots of the supplicant(Windows) configurations
    3. Please post the output of this command during both the failed and successful authentications:
    show authentication session interface_name_number detail
    4. I would also add the following commands to your access port:
    dot1x pae authenticator
    authentication event fail action next-method
    authentication violation restrict
    Thank you for rating helpful posts! 

  • VWLC 802.1x NPS authentication Fails

    Hi Guys,
    Hopefully someone can help me with the following problem i'm facing...
    I've a vWLC running 7.3 deployed in our HQ site.
    At the HQ we have a W2k8 R2 NPS deployed that works fine for VPN, Router and Switch Authentication
    In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500's running in flexconnect mode with local switching.
    These AP's register just fine through the VPN link back to the vWLC.
    We deployed a few SSID's that are bound to AP groups.
    All SSID's that use WPA2 with PSK work fine
    All SSID's that use WPA2 with 802.1x Fail
    The Security Settings for the failing SSID's are:
    WPA2 Policy
    WPA2 Encryption AES
    Key Man 802.1x
    AAA Server is pointing to the right NPS for Auth and Accounting
    Radius overwrite IF is disabled
    The settings of the NPS are:
    Conditions:
    Win Group: DOMAIN\Groupxx
    NAS Port Type: Wireless - IEEE 802.11
    Settings:
    EAP Conf: Configured
    Access Perm: Granted
    EAP Method: MS PEAP
    Auth Method: EAP
    NAP Enforcement: Allow full access
    Update non complient: True
    Service Type: Login
    When a laptop (Mac OS 10.8) tries to connect to an 802.1x SSID, it prompts for a username and passwd.
    Using DOMAIN\user + passwd the client tries to authenticate for a couple of times and fails
    On the vWLC i can see trap:
    AAA Authentication Failure for UserName:user  User Type: WLAN USER
    At the NPS i can see:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              DOMAIN\user
    Account Name:                              user
    Account Domain:                              DOMAIN
    Fully Qualified Account Name:          dom.com/OU/OU/OU/USER full name
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    34-a8-4e-70-0b-90:test.sec
    Calling Station Identifier:                    10-40-f3-8f-ac-62
    NAS:
    NAS IPv4 Address:                    IP vWLC
    NAS IPv6 Address:                    -
    NAS Identifier: VWLC001
    NAS Port-Type:                              Wireless - IEEE 802.11
    NAS Port:                              1
    RADIUS Client:
    Client Friendly Name: vWLC001
    Client IP Address:                              IP vWLC
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Cisco WiFi
    Authentication Provider:                    Windows
    Authentication Server:                    FQDN NPS server
    Authentication Type:                    PEAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              23
    Reason:                                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Hopefully someone can point me in the right direction.
    Cheers,
    JP

    Find below the output of the debug:
    (Cisco Controller) >
    (Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62
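
Added example (not part of the original post): a Python triage of the controller debug output above. It decodes the EAPOL hex dump into the EAP Response/Identity and counts the AAA 'Timeout' responses per client. The function names, the `radius-timeout` label, the rule that a hex dump belongs to the most recent "Received 802.11 EAPOL message" line, and the placeholder year used for timestamp arithmetic are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines excerpted from the controller debug output above.
SAMPLE = """\
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
*Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
*Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): (?P<rest>.*)$")
EAPOL_RX = re.compile(rf"^(?P<mac>{MAC}) Received 802\.11 EAPOL message \(len (?P<len>\d+)\)", re.I)
HEXDUMP = re.compile(r"^[0-9a-f]{8}: (?P<hex>[0-9a-f]{2}(?: [0-9a-f]{2})*)", re.I)
CLIENT = re.compile(rf"^(?P<mac>{MAC}) (?P<msg>.*)$", re.I)


def parse_eapol(frame):
    """Decode an EAPOL frame that starts at the protocol-version byte."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    body_len = int.from_bytes(frame[2:4], "big")
    body = frame[4:4 + body_len]
    out = {"version": frame[0], "type": frame[1], "eap": None}
    if frame[1] != 0:                      # 0 = EAP-Packet, 1 = EAPOL-Start, 3 = EAPOL-Key
        return out
    if body_len < 4 or len(body) < body_len:
        raise ValueError("truncated EAP packet")
    eap_len = int.from_bytes(body[2:4], "big")
    eap = {"code": body[0], "id": body[1], "length": eap_len,
           "method": None, "identity": None}
    if body[0] in (1, 2) and eap_len >= 5:  # Request/Response carry a Type octet
        eap["method"] = body[4]
        if body[0] == 2 and body[4] == 1:   # Response/Identity
            eap["identity"] = body[5:eap_len].decode("utf-8", "replace")
    out["eap"] = eap
    return out


def triage(text):
    """Summarise each client's 802.1X attempt from controller debug lines."""
    clients = defaultdict(lambda: {"identity": None, "timeouts": 0, "no_local_eap": False,
                                   "verdict": "incomplete", "first": None, "last": None})
    pending = None  # [mac, declared EAPOL length, bytes collected so far]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The log carries no year; a placeholder year keeps the arithmetic valid.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        rest = m["rest"]
        dump = HEXDUMP.match(rest)
        if dump:
            if pending:
                mac, want, buf = pending
                # At most 16 bytes per dump line; never read past the declared length.
                buf += bytes.fromhex(dump["hex"])[:16][:want - len(buf)]
                if len(buf) >= want:
                    try:
                        eap = parse_eapol(bytes(buf))["eap"]
                    except ValueError:
                        eap = None
                    if eap and eap["identity"] is not None:
                        clients[mac]["identity"] = eap["identity"]
                    pending = None
            continue
        c = CLIENT.match(rest)
        if not c:
            continue
        mac, msg = c["mac"].lower(), c["msg"]
        rec = clients[mac]
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        start = EAPOL_RX.match(rest)
        if start:
            pending = [mac, int(start["len"]), bytearray()]
        if "AAA response 'Timeout'" in msg:
            rec["timeouts"] += 1
        if "Local EAP not enabled" in msg:
            rec["no_local_eap"] = True
        if "Processing AAA Error 'Timeout'" in msg:
            rec["verdict"] = "radius-timeout"
    out = {}
    for mac, rec in clients.items():
        first, last = rec.pop("first"), rec.pop("last")
        rec["waited_s"] = (last - first).total_seconds()
        out[mac] = rec
    return out


if __name__ == "__main__":
    for mac, summary in triage(SAMPLE).items():
        print(mac, summary)
```

The decoded Identity is the outer EAP identity, which is sent before any TLS tunnel exists, so captures like this one contain usernames in clear text.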

  • 802.1x authentication fails

    Setup: two 5500 (v6.0.188.0), mix of 1131 and 1141 APs.
    Laptops running fine for a random number of weeks suddenly can't connect to the wireless network. The output from Client troubleshoot shows:
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Controller association request message received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received reassociation request from client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  The wlan to which client is connecting requires 802 1x authentication.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Client moved to associated state successfully.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAP Response from the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAPOL start message from client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAP Response from the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:44 CEST  ERROR  10.1.1.101  Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:14 CEST  ERROR  10.1.1.101  Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  Authentication failed for client as EAP ID request from AP reached maxmium retransmissions.
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  De-authentication sent to client. slot 0 (claller 1x_ptsm.c:467)
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  EAPOL-key is invalid, scheduling client for deletion.

    We are using PEAP-MS-CHAP v2. The IAS certificate is valid until 2014. We have about 300 laptops, but now and then some of them fail to authenticate. Yesterday I noticed that if I had one of the failing computers connected by wire, after some minutes it suddenly authenticated wirelessly!

  • Getting a lot of this error: The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name:

    Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
    Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2

    Check your ACS (Radius) logs under failures. You will see why it's failing. Sounds like an AD account went bad
    or someone is entering the wrong logon ... But check your radius log; it will point you in the right direction.

  • Clients cannot connect: "Reason:802.1x Authentication failed 3 times. Reas"

    As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
    Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
    And my (MS IAS) RADIUS server has an entry:
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
    The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • 802.1x port authentication failing after getting a access-accept packet

    Hi all,
    I'm not 100% sure what the hell is going on here.
    Any ideas or help will be appreciated.
    Here's the topology.
    1 x windows 2012 NPS
    1x 3750X
    1x Windows 7 x64
    data flow
    <laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
    The switch that is doing the authentication is the 3750X. Here is the IOS version.
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
    A wireshark trace on the NPS server shows that the packets are arriving and being sent back.
    Wireshark on a mirror of the trunk port connecting the 6513 also shows packets being sent and arriving. Access-accept packets are being received.
    As you can see in the debug output, the switch is getting an access-accept, then it is stating an AAA failure.
    Here is the debug output as you plug in the laptop.
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
    Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
    Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
    Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x1
    Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
    Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
    Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
    Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
    Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
    Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
    Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
    Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
    Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
    Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
    Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
    Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
    Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST  ID:0x1   Length:0x0005  Type:IDENTITY
    Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
    Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1  id: 0x1  length: 0x0005
    Oct 24 10:53:47.597: dot1x-packet: type: 0x1
    Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
    Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
    Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
    Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1  type: 0x0
    Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
    Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
    Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE  ID:0x1   Length:0x001F  Type:IDENTITY
    Oct 24 10:53:47.606:     Payload:  47454E4552414C5C72616E64792E636F ...
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
    Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
    Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
    Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
    Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
    Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
    Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
    Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
    Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
    Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
    Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
    Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
    Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
    Oct 24 10:53:47.614: RADIUS(00000000): sending
    Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
    Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
    Oct 24 10:53:47.614: RADIUS:  authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
    Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
    Oct 24 10:53:47.614: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Oct 24 10:53:47.614: RADIUS:  Vendor, Cisco       [26]  27
    Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
    Oct 24 10:53:47.614: RADIUS:  Framed-MTU          [12]  6   1500
    Oct 24 10:53:47.614: RADIUS:  Called-Station-Id   [30]  19  "AC-F2-C5-75-7D-0D"
    Oct 24 10:53:47.614: RADIUS:  Calling-Station-Id  [31]  19  "64-31-50-0E-9B-00"
    Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
    Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
    Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
    Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
    Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
    Oct 24 10:53:47.622: RADIUS:  EAP-Key-Name        [102] 2   *
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  49
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A846660000004700DF6030"
    Oct 24 10:53:47.622: RADIUS:  Vendor, Cisco       [26]  20
    Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
    Oct 24 10:53:47.622: RADIUS:  NAS-IP-Address      [4]   6   192.168.70.102
    Oct 24 10:53:47.622: RADIUS:  NAS-Port            [5]   6   60000
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/13"
    Oct 24 10:53:47.622: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
    Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
    Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
    Oct 24 10:53:47.622: RADIUS:  authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
    Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
    Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
    Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
    Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
    Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
    Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
    Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
    Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE  ID:0x1   Length:0x0004
    Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
    Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
    Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
    Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
    Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
    Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
    Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3  type: 0x0
    Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4  id: 0x1  length: 0x0004
    Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
    Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
    Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
    Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
    Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
    Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
    Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
    Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
    Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
    Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
    Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
    Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
    Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
    Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

    Hi Jatin,
    See below the data that you have requested.
    show run bits.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa session-id common
    clock timezone BST 0 0
    clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
    dot1x system-auth-control
    interface GigabitEthernet1/0/13
     switchport access vlan 80
     switchport mode access
     authentication port-control auto
     dot1x pae authenticator
     spanning-tree portfast
    interface GigabitEthernet1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 70
     switchport mode trunk
    radius server NPS1
     address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
     timeout 10
     key thesecret
    ip default-gateway 192.168.70.1
    SW1-randy#show auth sessions interface gig 1/0/13
    Interface    MAC Address    Method       Domain          Status    Fg Session ID
    Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
    SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      80    803f.5d09.189e    DYNAMIC     Drop
    SW1-randy#ping 192.168.19.121
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    Here is a wireshark of the accept packet.
    Message was edited by: randy coburn
    Added wireshark trace
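
Added example (not from the thread or from Cisco): a Python check over the `debug radius` lines posted above. It pairs each Access-Accept with its Access-Request by RADIUS id and reports when a request carrying an EAP-Message was answered by an accept that has no EAP-Message and followed no Access-Challenge. It assumes the RFC 3579 convention that an Access-Accept ending an EAP conversation carries an EAP-Message with EAP-Success; the issue labels and function names are this example's own, and the sample lines are excerpted from the post.

```python
import re

# Sample input: lines excerpted from the switch debug output in the post above.
SAMPLE = r"""
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS:  User-Name           [1]   28  "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS:  EAP-Message         [79]  33
Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F  [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS:  Message-Authenticato[80]  18
Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14  "method=dot1x"
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS:  authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS:  Class               [25]  46
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
"""

STAMP = re.compile(r"^\w{3} +\d+ [\d:.]+: (?P<rest>.*)$")
SEND = re.compile(r"^RADIUS\(\w+\): Send (?P<kind>[\w-]+) to [\d.]+:\d+ "
                  r"id (?P<id>\d+/\d+), len (?P<len>\d+)")
RECV = re.compile(r"^RADIUS: Received from id (?P<id>\d+/\d+) [\d.]+:\d+, "
                  r"(?P<kind>[\w-]+), len (?P<len>\d+)")
# Top-level attributes sit two spaces after "RADIUS:"; sub-attributes and
# hex continuation lines sit three spaces in and are skipped on purpose.
ATTR = re.compile(r"^RADIUS:  (?P<name>[^\s\[][^\[]*?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)")
EAP_EVT = re.compile(r"Received AAA event '(?P<evt>EAP_AAA_\w+)'")

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def parse_packets(text):
    """Return (packets, events); events are (packets seen so far, event name)."""
    packets, events, current = [], [], None
    for raw in text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue
        rest = m["rest"]
        hdr = SEND.match(rest) or RECV.match(rest)
        if hdr:
            current = {"dir": "tx" if rest.startswith("RADIUS(") else "rx",
                       "kind": hdr["kind"], "id": hdr["id"],
                       "len": int(hdr["len"]), "attrs": []}
            packets.append(current)
            continue
        attr = ATTR.match(rest)
        if attr and current is not None:
            current["attrs"].append(int(attr["type"]))
            continue
        evt = EAP_EVT.search(rest)
        if evt:
            events.append((len(packets), evt["evt"]))
    return packets, events


def review(text):
    """Flag Access-Accepts that do not look like the end of an EAP conversation."""
    packets, events = parse_packets(text)
    requests, findings, challenges = {}, [], 0
    for idx, pkt in enumerate(packets):
        if pkt["dir"] == "tx":
            requests[pkt["id"]] = pkt
            continue
        if pkt["kind"] == "Access-Challenge":
            challenges += 1
        req = requests.get(pkt["id"])
        if pkt["kind"] != "Access-Accept" or req is None or EAP_MESSAGE not in req["attrs"]:
            continue
        issues = []
        if EAP_MESSAGE not in pkt["attrs"]:
            issues.append("accept-without-eap-message")
        elif MESSAGE_AUTHENTICATOR not in pkt["attrs"]:
            issues.append("eap-message-without-message-authenticator")
        if challenges == 0:
            issues.append("accept-with-no-challenge")
        # First EAP/AAA event the authenticator logged after this packet.
        outcome = next((evt for seen, evt in events if seen > idx), None)
        findings.append({"id": pkt["id"], "request_attrs": req["attrs"],
                         "response_attrs": pkt["attrs"], "issues": issues,
                         "outcome": outcome})
        challenges = 0  # the next accept belongs to a new conversation
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

On the excerpt it reports both issues followed by `EAP_AAA_FAIL`: the server returned the accept in reply to the Identity response alone, so the authentication methods enabled on the matching NPS policy are worth checking.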

  • Cisco 2960 802.1x authentication fail

    Physical switch version:
    C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
    System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
    The goal of this lab is to authenticate only by the MAC address of the laptop.
    Currently, I have the following trouble and don't know what the root cause is.
    Please give me some pointers.
    Thanks so much
    *Mar  2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
    *Mar  2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    *Mar  2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

    I have a few questions:
    1. What type of Radius server do you have?
    2. Can you post a screenshot of your Radius AAA policies?
    3. Do you have the MAC address entered in your Radius server?
    4. Provide the output from the following commands:
    - show aaa servers
    - show authentication session interface interface_name_number
    Thank you for rating helpful posts!

  • 802.1X Authentication Failed with WPA 1/2

    Hi
    I have a WLC 2106. When a user wants to connect to the wireless, it shows the log below and the user cannot connect to the wireless network.
    After disabling and re-enabling the Wi-Fi NIC, or connecting to another AP (not Cisco) and retrying this SSID, the user can connect to the wireless successfully; you can get the log in detail from the attachment. Who can tell me what is happening here? By the way, most of the NICs are Intel.
    Mon Jun  7 09:09:05 2010: 00:13:e8:08:de:9b 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1f:6d:b8:18:c0]
    Mon Jun  7 09:09:05 2010: 00:13:e8:08:de:9b Deleting mobile on AP 00:1f:6d:b8:18:c0(0)
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Adding mobile on LWAPP AP 00:1f:6d:b8:18:c0(0)
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b apfProcessProbeReq (apf_80211.c:4120) Changing state for mobile 00:13:e8:08:de:9b on AP 00:1f:6d:b8:18:c0 from Idle to Probe
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:13 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:18 2010: 00:13:e8:08:de:9b apfMsExpireCallback (apf_ms.c:433) Expiring Mobile!
    Mon Jun  7 09:09:18 2010: 00:13:e8:08:de:9b 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:1f:6d:b8:18:c0]
    Mon Jun  7 09:09:18 2010: 00:13:e8:08:de:9b Deleting mobile on AP 00:1f:6d:b8:18:c0(0)
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b Adding mobile on LWAPP AP 00:26:99:91:44:00(0)
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b apfProcessProbeReq (apf_80211.c:4120) Changing state for mobile 00:13:e8:08:de:9b on AP 00:26:99:91:44:00 from Idle to Probe
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:20 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:21 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:21 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:21 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:21 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:25 2010: 00:13:e8:08:de:9b apfMsExpireCallback (apf_ms.c:433) Expiring Mobile!
    Mon Jun  7 09:09:25 2010: 00:13:e8:08:de:9b 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:26:99:91:44:00]
    Mon Jun  7 09:09:25 2010: 00:13:e8:08:de:9b Deleting mobile on AP 00:26:99:91:44:00(0)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Adding mobile on LWAPP AP 00:26:99:91:44:00(0)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b apfProcessProbeReq (apf_80211.c:4120) Changing state for mobile 00:13:e8:08:de:9b on AP 00:26:99:91:44:00 from Idle to Probe
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Reassociation received from mobile on AP 00:26:99:91:44:00
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Processing WPA IE type 221, length 24 for mobile 00:13:e8:08:de:9b
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b 0.0.0.0 START (0) Initializing policy
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:99:91:44:00
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b apfPemAddUser2 (apf_policy.c:212) Changing state for mobile 00:13:e8:08:de:9b on AP 00:26:99:91:44:00 from Probe to Associated
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Stopping deletion of Mobile Station: (callerId: 48)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Sending Assoc Response to station on BSSID 00:26:99:91:44:00 (status 0)
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b apfProcessAssocReq (apf_80211.c:3885) Changing state for mobile 00:13:e8:08:de:9b on AP 00:26:99:91:44:00 from Associated to Associated
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Station 00:13:e8:08:de:9b setting dot1x reauth timeout = 1800
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 1)
    Mon Jun  7 09:09:39 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:39 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:39 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 2)
    Mon Jun  7 09:09:40 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:40 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:40 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 3)
    Mon Jun  7 09:09:41 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:41 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:41 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 4)
    Mon Jun  7 09:09:42 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:42 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:42 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 5)
    Mon Jun  7 09:09:43 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:43 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:43 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 6)
    Mon Jun  7 09:09:44 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:44 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:44 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 7)
    Mon Jun  7 09:09:45 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:45 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:45 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 8)
    Mon Jun  7 09:09:46 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:46 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:46 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 9)
    Mon Jun  7 09:09:47 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:47 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:47 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 10)
    Mon Jun  7 09:09:48 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:48 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:48 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 11)
    Mon Jun  7 09:09:49 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:49 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:49 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 12)
    Mon Jun  7 09:09:50 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:50 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:50 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 13)
    Mon Jun  7 09:09:51 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:51 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:51 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 14)
    Mon Jun  7 09:09:52 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:52 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:52 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 15)
    Mon Jun  7 09:09:53 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:53 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:53 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 16)
    Mon Jun  7 09:09:54 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:54 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:54 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 17)
    Mon Jun  7 09:09:55 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:55 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:55 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 18)
    Mon Jun  7 09:09:56 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:56 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:56 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 19)
    Mon Jun  7 09:09:57 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:57 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:57 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 20)
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 21)
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Reached Max EAP-Identity Request retries (21) for STA 00:13:e8:08:de:9b
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Sent Deauthenticate to mobile on BSSID 00:26:99:91:44:00 slot 0(caller 1x_auth_pae.c:2539)
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Disconnected state
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Not sending EAP-Failure for STA 00:13:e8:08:de:9b
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Association received from mobile on AP 00:1f:6d:b8:18:c0
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Processing WPA IE type 221, length 24 for mobile 00:13:e8:08:de:9b
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [00:26:99:91:44:00]
    Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Updated location for station old AP 00:00:00:00:00:00-0, new AP 00:1f:6d:b8:18:c0-0

    Thanks for your reply.
    I have reconfigured the WLC, and it looks good so far. Below is my configuration:
    config wps client-exclusion all disable
    Config advanced eap identity-request-timeout 20
    Config advanced eap identity-request-retries 10
    Config advanced eap request-timeout 20
    Config advanced eap request-retries 10
    config 802.11b disable network
    config 802.11b preamble long
    config 802.11b enable network
    config wlan disable 1
    config wlan mfp infrast protection disable
    config wlan enable 1
    config wlan disable 2
    config wlan mfp infrast protection disable
    config wlan enable 2
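The retry pattern in the debug output above can be measured instead of read by eye. This Python example is added here and is not part of the original posts or of any Cisco tooling; it parses lines in the posted format and reports, per client, how many EAP identity requests were sent, how far apart they were, and whether the controller gave up, which are the values the `identity-request-timeout` and `identity-request-retries` settings in the follow-up post control. `SAMPLE_LOG` is abridged from the log above, and the function and field names are chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Abridged from the debug output posted above (EAP Ids 4-20 omitted).
SAMPLE_LOG = """\
Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b dot1x - moving mobile 00:13:e8:08:de:9b into Connecting state
Mon Jun  7 09:09:38 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 1)
Mon Jun  7 09:09:39 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
Mon Jun  7 09:09:39 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 2)
Mon Jun  7 09:09:40 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
Mon Jun  7 09:09:40 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 3)
Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b 802.1x 'txWhen' Timer expired for station 00:13:e8:08:de:9b
Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Sending EAP-Request/Identity to mobile 00:13:e8:08:de:9b (EAP Id 21)
Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Reached Max EAP-Identity Request retries (21) for STA 00:13:e8:08:de:9b
Mon Jun  7 09:09:58 2010: 00:13:e8:08:de:9b Sent Deauthenticate to mobile on BSSID 00:26:99:91:44:00 slot 0(caller 1x_auth_pae.c:2539)
"""

# "<timestamp>: <client mac> <message>"
LINE_RE = re.compile(
    r"^\s*(\w{3} \w{3}\s+\d+ [\d:]{8} \d{4}): "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
REQ_RE = re.compile(r"Sending EAP-Request/Identity to mobile \S+ \(EAP Id (\d+)\)")
MAX_RE = re.compile(r"Reached Max EAP-Identity Request retries \((\d+)\)")


def parse_ts(stamp):
    # Collapse the padded day ("Jun  7") before parsing.
    return datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")


def summarize(log_text):
    """Return {client_mac: [report, ...]}, one report per identity exchange."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when, mac, msg = parse_ts(m.group(1)), m.group(2).lower(), m.group(3)
        mine = runs.setdefault(mac, [])
        req, hit = REQ_RE.search(msg), MAX_RE.search(msg)
        if req:
            eap_id = int(req.group(1))
            # Assumption: the EAP Id counts up within one exchange, so an Id
            # that does not increase marks the start of a new attempt.
            if not mine or eap_id <= mine[-1]["requests"][-1][0]:
                mine.append({"requests": [], "expiries": 0,
                             "max_retries": None, "deauth": False})
            mine[-1]["requests"].append((eap_id, when))
        elif not mine:
            continue  # no identity exchange seen yet for this client
        elif "'txWhen' Timer expired" in msg:
            mine[-1]["expiries"] += 1
        elif hit:
            mine[-1]["max_retries"] = int(hit.group(1))
        elif "Sent Deauthenticate to mobile" in msg:
            mine[-1]["deauth"] = True
    return {mac: [report(r) for r in rs] for mac, rs in runs.items()}


def report(run):
    reqs = run["requests"]
    # Only gaps between consecutive Ids are real retransmit intervals;
    # this keeps an abridged log from producing a bogus 18 s interval.
    gaps = Counter(int((t2 - t1).total_seconds())
                   for (i1, t1), (i2, t2) in zip(reqs, reqs[1:]) if i2 == i1 + 1)
    return {
        "requests_seen": len(reqs),
        "last_eap_id": reqs[-1][0],
        "retry_interval_s": gaps.most_common(1)[0][0] if gaps else None,
        "window_s": int((reqs[-1][1] - reqs[0][1]).total_seconds()),
        "timer_expiries": run["expiries"],
        "max_retries": run["max_retries"],
        "deauthenticated": run["deauth"],
        # Retries exhausted and a deauth sent: the controller gave up
        # waiting for an identity response from this client.
        "identity_timeout": run["max_retries"] is not None and run["deauth"],
    }


if __name__ == "__main__":
    for mac, reports in summarize(SAMPLE_LOG).items():
        for r in reports:
            print(mac, r)
```

On the posted log this shows a 1-second retransmit interval and a 20-second window before the deauthentication.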

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss in detail the situation that you mentioned, “a client will be unable to authenticate/validate during the authentication phase. Some clients this will never happen to and a few it will happen repeatedly.”? Can you verify whether any error or warning related to this authentication issue is recorded in the event log on the client and the RADIUS server?
    Are only certain computers facing this issue, or all?
    What OS is running on these client computers?
    Given the situation right now, I’d like to share some suggestions with you:
    1. An 802.1x client may fail to connect to a RADIUS server if the Trusted Root CA certificate that issued the RADIUS server certificate is not installed on the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab, click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that RADIUS is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the RADIUS server Properties dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly, if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies, and machine password expiration will not be updated since the user will only be able to log on with cached credentials. If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer authentication.
    5. Examine the wireless trace logs captured and search for the keywords error, failed, failure, or rejected. This should give an indication as to what point in the authentication process the failure occurs.
    Meanwhile, I’d like to suggest that you start troubleshooting by following the guides below and see if they help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available.
    Do you think the firewall is blocking the communication?
    I added an exception to port 1812 UDP and this did not make a difference.

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried with both integrated and non-integrated with Domain logon (i.e. the "use my windows logon name and password and domain (if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After rebooting the authenticator, the supplicant connected to FE0/1 is finally put into the Guest VLAN 47, and before that I saw Authentication result 'timeout' on the authenticator's console. But when the switch is up and running and I connect the same supplicant (W7 with cert) to the same authenticator port FE0/1, the supplicant is finally put into static VLAN 34.
    [Summary]
    The problem is the end stations that are still connected to the supplicant port /using EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong, and what should be configured/tuned, on the authenticator or the authentication server, to prevent the authentication timeouts observed after the reboot?
    Of course, after 20 minutes /next EAPOL Start frame/ the supplicant is put into VLAN 34.
    [Logs]
    During this I observed Wireshark on the supplicant, the authenticator console and Wireshark on NPS, below:
    1. Supplicant and authenticator order of flow in Wireshark:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicant Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicant Response Identity x2
    and again; more detail about the flow is in the Wireshark chart at the end
    2. The authenticator console looked like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finally
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn't receive any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source wireshark]
    |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
    |         |                   | Nearest           |                  
    |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,051    |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,063   |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |18,065   |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |129,684  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |190,996  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,002  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client up and running if you connect it to the switch?
    Sent from Cisco Technical Support iPad App
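The thread above turns on a port being authorized into a fallback VLAN after dot1x timed out. This Python example is added here and is not from the original posts or from Cisco; it reads the posted interface configuration to learn which VLAN serves which fallback role, then walks the posted console messages and flags every VLAN assignment that followed dot1x timeouts and landed outside the access VLAN. The function names, role labels and the interface abbreviation map are chosen for this example.

```python
import re

# Copied from the post above: part of the port configuration and console log.
PORT_CONFIG = """\
interface FastEthernet0/1
switchport access vlan 34
authentication event fail retry 1 action authorize vlan 47
authentication event server dead action authorize vlan 35
authentication event no-response action authorize vlan 47
authentication port-control auto
"""
SYSLOG = """\
*Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
"""

# Syslog uses short interface names; the config uses long ones.
ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}
# Role labels are names chosen for this example.
ROLE_RES = [
    ("access", re.compile(r"^switchport access vlan (\d+)")),
    ("auth-fail", re.compile(r"^authentication event fail .*action authorize vlan (\d+)")),
    ("server-dead", re.compile(r"^authentication event server dead action authorize vlan (\d+)")),
    ("no-response", re.compile(r"^authentication event no-response action authorize vlan (\d+)")),
]
TIMEOUT_RE = re.compile(
    r"%AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' "
    r"for client \((\S+)\) on Interface (\S+)")
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+)")


def parse_port_config(text):
    """Return (short interface name, {vlan: [roles]}) for one interface block."""
    name, roles = None, {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^interface ([A-Za-z]+)(\S+)$", line)
        if m:
            name = ABBREV.get(m.group(1), m.group(1)) + m.group(2)
            continue
        for role, rx in ROLE_RES:
            hit = rx.match(line)
            if hit:
                roles.setdefault(int(hit.group(1)), []).append(role)
    return name, roles


def audit(config_text, syslog_text):
    """List VLAN assignments on the configured port with their fallback role."""
    port, roles = parse_port_config(config_text)
    pending, findings = [], []   # pending: clients that timed out so far
    for line in syslog_text.splitlines():
        t, v = TIMEOUT_RE.search(line), VLAN_RE.search(line)
        if t and t.group(2) == port:
            pending.append(t.group(1))
        elif v and v.group(2) == port:
            vlan = int(v.group(1))
            vroles = roles.get(vlan, ["unknown"])
            findings.append({
                "interface": port,
                "vlan": vlan,
                # One VLAN can serve several roles (47 does in the post),
                # so the log alone cannot say which event fired.
                "roles": vroles,
                "timeouts_before": len(pending),
                "clients": sorted(set(pending)),
                "fallback": "access" not in vroles,
            })
            pending = []
    return findings


if __name__ == "__main__":
    for finding in audit(PORT_CONFIG, SYSLOG):
        print(finding)
```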
