802.1x authentication failure

hi, i'm not sure if i'm posting this in the right category but here goes
i wanna use 802.1x on our network but can't seem to get it to work. i followed all the instruction on the web site. it says authentication failed. i'm pretty sure the radius works because i use that same radius for our vpn authentication.
btw i'm using 48 port 2950-EI
config
aaa new-model
aaa authentication dot1x default group radius
interface FastEthernet0/3
switchport access vlan 52
switchport mode access
no ip address
dot1x port-control auto
dot1x timeout reauth-period 1
dot1x max-req 10
dot1x reauthentication
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key <password>
radius-server retransmit 3
am i missing something? thanks

Hello,
ok, the config looks all right then. Is there a firewall or some other filter active between the switch and the RADIUS server that might be blocking the ports 1812 and 1813 ?
Regards,
GP

Similar Messages

  • ISE - AD 802.1x Authentication Failure (All of the sudden)

    I have a WLC using ISE to authenticate through AD.  (No certificates - only username & password)
    ISE is single node deployment.
    Its been running fine for the past 6 months, but all of a sudden I get the following errors:
    Failure Reason:  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution:  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause:  Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
    Any Ideas why this would happen ?

    im recevieing this error message also 
    Failure Reason:  12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution:  Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause:  Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
    but im running ISE 1.3 with patch 1 only noticed this after the upgrade.
    nad is a 3560v2-24ps-s running c3560-ipservicesk9-mz.122-55.SE10.bin
    any ideas anyone?

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x Wired authentication, we use GPO to specify a
    Wired Profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but have been proven to occur only when Lync 2010 is open.  If we close Lync 2010 the issue does not occur.  Lync 2010 installs a self signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995,
    KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER.  We have installed these hotfixes and the
    issue still occurs.

    Hi,
    From the description, you suspect the DHCP request cause this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
    Meanwhile, I found the following hotfix which may related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1.Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until
    we find out the root cause. Please let me know if this action plan is OK for you.
    2.Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • ISE internal user authentication failure - user not found

    Hi Forumers'
    I trying to do wireless 802.1x, where identity store using intenral user.
    But i found this error message when i trying to connect
    Authentication failed                                                                                 :
    22056 Subject not found in the applicable identity store(s)
    My authrorization rules is built like this
    identity groups = user identities group / " mygroup"
    condition = no setting
    permissions = standard / PermitAccess
    Question 1
    Any troubleshooting step to do on this?
    Question 2
    For the Authorization rules, what's the condition should set for using Internal User as Identity store?
    Thanks
    Noel

    The error is caused to an authentication failure and is not an issue with authorization
    You need to look at your authentications policy (Policy->Authentications) and see which identity store was authenticated against
    In addition can do the Live Authentications page (Monitor->Authentications) and for the failing record click on the icon under details. This will give you the full details of the requets processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and "Selected Identity Stores".

  • EAP SIM Authentication Failure

    Hi all,
    Is there a way to debug EAP SIM authentication on iPhone / iPad? I see Challenge: AT_MAC_NOT_VALID failures in syslog everytime I try to connect to an EAPSIM server (freeradius). Please refer to following pcap
    http://www.cloudshark.org/captures/b9610f2b4a25
    I am using following values for simtriplets on freeradius server:
    1320727710000010,9fddc72092c6ad036b6e464789315b78,d113e49b,7fc85b9918d92ea8
    1320727710000010,81e92b6c0ee0e12ebceba8d92a99dfa5,cca822be,231f55c24633a406
    1320727710000010,b120f1c1a0102a2f507dd543de68281f,0ff5b99f,4421fce1f3427e22
    The iPad is loaded with a test SIM which is programmed with following values of Ki and Op and above SRES and Kc were generated using following values:
    key=0C0A34601D4F07677303652C0462535B
    op=63bfa50ee6523365ff14c1f45f88737d
    I have verified GSM milenage algorithm with test keys in 3GPP TS 55.205 v9.0.0 and the algorithm seems to work fine. All results match with the test inputs/results provided in 3GPP TS 55.205 v9.0.0. So I doubt there is some issue with SRES/Kc for above Ki/Op values.

    Hi,
    We spent many hours trying to solve this problem.
    Our setup:
    Cisco wireless setup, using windows NPS for 802.1x authentication.
    Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
    Auth was failing with "reason code 22, The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
    It turned out to be a GPO setting on the server, that was enforcing key protection.
    There is this note on the below technet article:
    Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
    http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
    Hopefully this helps someone out, if you have the same annoying error.

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello, 
      We are trying to set up wifi single-sign-on. When logging to a laptop get a message
    "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
    Server: windows server 2003 (with all updates)
    laptop: windows 7 professional SP1 (with all updates)
    When looking to event log i found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
    Here is the process that is followed.
    1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
    2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
    3. The Authenticator cannot validate and the authentication would fail.
    4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
    it will just ignore them
    5. You will see event 15506 after the event 15514.
    Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code:  327681   Event log message:  The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: 
    ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    qh
    thanks in advance!

    Can anyone help me?

  • Getting a lot of this error:The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name:

    Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
    Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2

    Check you ACS (Radius) logs under failures. You will see why its failing. Sounds like a AD account went bad
    or someone is entering the wrong logon ... But check your radius log it will point you in the right direction.

  • 802.1x random failures

    I am in the process of implementing machine based 802.1x to my company. I have 2 radius servers and 1 CA. The machines get their certificates via group policy. The group policy is working fine and everyone has been issued their certificates that are supposed
    to have them. I wait til they get their certificates, then enter the commands for 802.1x on their port. I have about 50 machines that are working as they should, but I have three random machines that will not communicate whenever I flip the port on the switch.
    The three machines have valid certificates and have full connectivity to the two radius servers and the CA. I do not believe it is a switch problem, because I have other machines connected to this switch that are authenticating properly. Also, I have
    tried the 802.1x hotfix on these machines with no luck. I am wondering if there is anything that I could try on the clients that would keep them from authenticating. All of my clients are Windows 7 SP1 64 bit. Any suggestions would be appreciated! 

    Hi,
    Based on your description, you are deploying 802.1x authenticated wired network access. The issue is that three machines in your network can’t pass the 802.1x authentication.
    About “The three machines have full connectivity to the two radius servers and the CA.” Does it mean that the three machines can ping two radius servers?
    What errors did three machines receive when the three machines logon? Or are there any related event logs in the RADIUS server?
    For example, in Windows 2012 R2 NPS server, you could check Security-Auditing event in Custom Views\Server Roles\Network Policy and Access Services.
    You could also check the Audit Failure event. It is in the Windows Logs\Security directory.
    Please also check if the wired network (IEEE 802.3) group policy was applied to the three machines.
    You could run
    gpresult /h c:\report.html to generate the result of group policy.
    If you couldn’t find the group policy which you created, please run
    gpupdate /force command in the three clients.
    Best Regards,
    Tina
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • WAP321 Authentication failure log codes

    Devices that have previoulsy connected to the WAP are still able to connect but any new device to the environment is not.  If I delete the network from an existing device that device is no longer able to authenticate and connect to the WAP.  Log entries below show the following errors for a single MAC.  This happened once before and to solve the issue I reentered the key into the SSID setup on the WAP.  All devices had to delete the existing SSID from their list of networks but then they were able to rejoin.  I don't want to ask users to do that again.  Any help on the log entries below is greatly appreciated!
    Jul 19 2013 01:42:34
    info
    hostapd[1078]
    wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
    Jul 19 2013 01:42:34
    info
    hostapd[1078]
    Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
    Jul 19 2013 01:42:32
    warn
    hostapd[1078]
    Received invalid EAPOL-Key MIC (msg 2/4)
    Jul 19 2013 01:42:32
    info
    hostapd[1078]
    Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
    Jul 19 2013 01:42:31
    info
    hostapd[1078]
    Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
    Jul 19 2013 01:42:30
    warn
    hostapd[1078]
    Received invalid EAPOL-Key MIC (msg 2/4)
    Jul 19 2013 01:42:30
    info
    hostapd[1078]
    Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
    Jul 19 2013 01:42:30
    info
    hostapd[1078]
    wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
    Jul 19 2013 01:42:30
    info
    hostapd[1078]
    wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1

    Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
    Reason Code 16: Authentication failed due to a user credentials mismatch.
    Reason-Code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    I am not sure what is causing this. However I would ask that you do two things. While everything is working normally go to Administration/Support Information and download a diagnostic file. Label it with a date WAP321 and the word "good". Save it somewhere. When this happens again, before doing anything go back in and get another diagnostic file label it the same except with the word "bad".
    Call in and open a support case and have the engineer notify me that you have opened one and also give them a reference to this community support thread.
    I will work with your engineer to see what is happening.
    Thanks
    Eric Moyers    .:|:.:|:.
    Cisco Small Business US STAC Advanced Support Engineer
    CCNA, CCNA-Wireless
    866-606-1866
    Mon - Fri 09:00 - 18:00 (UTC - 05:00)
    *Please rate the Post so other will know when an answer has been found.

  • WAP321 - Station had an authentication failure, reason 19/20

    Clients can authenticate succesful, work for some time, until they get an authentication failure, reason 19, followed by reason 20. WLAN has to be disabled and again enabled on the client and it's working again unti it come's again to the authentication failures. What do these failures mean? And how can these be resolved?
    Thanks, Roland
    May 7 2013 16:22:05     info     hostapd[1086]     Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 20     
    May 7 2013 16:22:04     info     hostapd[1086]     Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 19     
    May 7 2013 15:18:09     info     hostapd[1086]     The wireless client with MAC address 10:40:f3:a7:7f:f6 has been successfully authenticated.     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: WPA STA 10:40:f3:a7:7f:f6 pairwise key exchange completed (WPAv2)     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 associated with BSSID a4:93:4c:b1:cf:08     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLAN     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 deauthed from BSSID a4:93:4c:b1:cf:08 reason 3: STA is leaving IBSS or ESS     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLAN     
    May 7 2013 15:18:09     info     hostapd[1086]     wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 deauthed from BSSID a4:93:4c:b1:cf:08 reason 3: STA is leaving IBSS or ESS     
    May 7 2013 14:28:47     info     hostapd[1086]     Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 20     
    May 7 2013 14:28:46     info     hostapd[1086]     Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 19     
    May 7 2013 14:03:41     info     hostapd[1086]     The wireless client with MAC address 10:40:f3:a7:7f:f6 has been successfully authenticated.     
    May 7 2013 14:03:41     info     hostapd[1086]     wlan0: WPA STA 10:40:f3:a7:7f:f6 pairwise key exchange completed (WPAv2)     
    May 7 2013 14:03:41     info     hostapd[1086]     wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 associated with BSSID a4:93:4c:b1:cf:08     
    May 7 2013 14:03:41     info     hostapd[1086]     wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLAN

    I'm experiencing this aswell...
    Jan 5 2000 06:40:44
    info
    hostapd[1098]
    Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 20
    Jan 5 2000 06:40:43
    info
    hostapd[1098]
    Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 19
    Jan 5 2000 06:34:53
    info
    hostapd[1098]
    The wireless client with MAC address 1c:62:b8:ab:04:f4 has been successfully authenticated.
    Jan 5 2000 06:34:53
    info
    hostapd[1098]
    wlan0: WPA STA 1c:62:b8:ab:04:f4 pairwise key exchange completed (WPAv2)
    Jan 5 2000 06:34:53
    info
    hostapd[1098]
    wlan0: IEEE 802.11 STA 1c:62:b8:ab:04:f4 associated with BSSID d8:67:d9:c4:73:48
    Jan 5 2000 06:34:53
    info
    hostapd[1098]
    wlan0: IEEE 802.11 Assoc request from 1c:62:b8:ab:04:f4 BSSID d8:67:d9:c4:73:48 SSID World Domination Inc.
    Jan 5 2000 06:34:53
    info
    hostapd[1098]
    wlan0: IEEE 802.11 STA 1c:62:b8:ab:04:f4 deauthed from BSSID d8:67:d9:c4:73:48 reason 3: STA is leaving IBSS or ESS
    Jan 5 2000 05:52:01
    notice
    sntp[1067]
    Unable to resolve SNTP server host name:time-a.timefreq.bldrdoc.gov
    Jan 5 2000 04:46:59
    notice
    sntp[1067]
    Unable to resolve SNTP server host name:time-a.timefreq.bldrdoc.gov
    Jan 5 2000 04:29:17
    info
    hostapd[1098]
    Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 20
    Jan 5 2000 04:29:16
    info
    hostapd[1098]
    Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 19
    The date is also set wrong on my WAP, but thats not necessarily the issue.
    This problem is new as of Friday Evening (7/19/13) last week when the device was relocated.

  • Intermittent AD Authentication failures in ISE 1.2

              Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal?  Any ideas?
    Thanks
    Jef

    Interesting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
    When you say Multicast to you AD...how did you check that? We do use multicast.

  • HI, Im using Iphone 4 and i recently got my IOS updated to IOS7 and  now im getting the error message as "PDP authentication failure" Im using Aircel carrier.

    HI, Im using Iphone 4 and i recently got my IOS updated to IOS7 and  now im getting the error message as "PDP authentication failure" Im using Aircel carrier.
    Please let me know how to fix this issue

    update...
    I am not one to give up. So I called AT&T today. Now they are telling me they canceled my order because they were unable to fulfill my order. Basically, AT&T told me they sold out so they canceled my order so I can proceed to reorder again. It took them 4 days to realize this. I will be lucky if I get a new phone by Christmas. I am sure they will find a way to cancel my order again.
    Again, I argued, how is this my fault. I placed my order at the store around 11 a.m. Pacific time. My friend ordered his phone online sometime after me. He got his but my order was canceled. AT&T tried to explain to me that they sold over 600,000 phones, almost 500 per minute during there peak. Again, I asked, how this was my fault.
    I can understand over selling the phone. It is a great product. There is no reason to cancel my order. You adjust my order and tell me you will let me know when my phone will be in. I would have been mad that my phone was going to be late but I would have survived. At least I would be getting one.
    At this point, I have no order and AT&T or Apple website will allow me to order one. I just want to get in the QUEUE for one.
    Frustrated.

  • How to solve the error message "Could not activate cellular data network: PDP authentication failure"when using 3g or gPRS on safari with an iphone 4 and latest software updates

    Please can someone help me to solve the error message "Could not activate cellular data network: PDP authentication failure"when using 3G or GPRS on safari with an iphone 4GS and latest software updates. I have tried resetting the network and phone settings. I have restored the factory settings on itunes and still the problem persists.

    All iPhones sold in Japan are sold carrier locked and cannot be officially unlocked by the carrier. If you unlocked it, it was by unauthorized means (hacked), and support cannot be given to you in this forum.
    Hacked iPhones are subject to countermeasures by Apple, particularly when updating the firmware. It is likely permanently re-locked or permanently disabled.
    Message was edited by: modular747

  • The test couldn't sign in to Outlook Web App due to an authentication failure. Extest_ account.

    Hi.
    I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
    I have runned the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
    The OWA rule is working for some time until (I think) SCOM is doing a automatic password reset of the extest_ account. Then I get the OWA error below. The other test connectivity are working. Any suggestions.
    One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
    Target: xxx|xxx
    Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxxx
    User: extest_xxx
    Details:
    [22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
    [22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
    [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
    [22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
    [22:50:09.154] : The server reported that it supports authentication method FBA.
    [22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
    [22:50:09.154] : Trying to sign in with method 'Fba'.
    [22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
    [22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
    [22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxx
    User: extest_xxx
    [22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
    Authentication Method: FBA
    Mailbox Server: xxx
    Client Access Server Name: xxx
    Scenario: Logon
    Scenario Description: Sign in to Outlook Web App and verify the response page.
    User Name: extest_xxx
    Performance Counter Name: Logon Latency
    Result: Skipped
    Site: xxx
    Latency: -00:00:00.0010000
    Secure Access: True
    ConnectionType: Plaintext
    Port: 0
    Latency (ms): -1
    Virtual Directory Name: owa (Default Web Site)
    URL: https://xxx.com/OWA/
    URL Type: External
    Error:
    The test couldn't sign in to Outlook Web App due to an authentication failure.
    URL: https://xxx.com/OWA/
    Mailbox: xxx
    User: extest_xxx
    Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
    EventSourceName: MSExchange Monitoring OWAConnectivity External
    Knowledge:
    http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
    Computer: xxx
    Impacted Entities (3):
    OWA Service - xxx, xxx - xxx, Exchange
    Knowledge:     View additional knowledge...
    External Knowledge Sources
    For more information, see the respective topic at the Microsoft Exchange Server TechCenter
    Thanks
    MHem

    Hi,
    Based on the error, it looks like an OWA authentication failure.
    Have you tried post this to LYNC forums?
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

Maybe you are looking for

  • Can you hear me now? No you can't because the call was dropped.

    Hi, I switched to verizon about one year ago, excited about the great coverage they advertise. But coverage has recently stopped in my area, which is close to a large city plus I used to have great coverage.  When I call tech support they say that I

  • Easy way to create a new dvd from an authored dvd so slideshow can be added

    Can a DVD be copied and an almost duplicate DVD be created from it with an iDVD slideshow added? I would like to know if I can make a composite DVD from my wedding video DVD and the wedding slideshow DVD I created with iDVD that keeps all their respe

  • Incompitible Print Setting Error for HP LJ 8500n in Windows Vista

    Hi, I have two laptops, one with Windows XP and another with Windows Vista Business. There is a HP LJ 8500n connected with router and accessed by both laptops. Somehow, when I print from Windows XP laptop and I change the print settings there is no e

  • Need some help tweaking the supersized jquery plugin

    Hi, I'm using this plugin http://www.buildintearnet.com/2010/11/supersized-3-0-full-screen-background-slideshow-jque ry-plugin/ on my site here - http://www.blackpaint.co.uk/new/ The plugin cycles through as many images as yuo tell it to, when it rea

  • Can't Open Entourage

    I couldn't find a place to post this topic in the discussions so I'll try here. I know this is a Microsoft issue, but I just wanted to get some feedback. When I try to open Entourage, I immediately get an error message that says "Entourage cannot acc