802.1x authentication failure
hi, i'm not sure if i'm posting this in the right category but here goes
i wanna use 802.1x on our network but can't seem to get it to work. i followed all the instruction on the web site. it says authentication failed. i'm pretty sure the radius works because i use that same radius for our vpn authentication.
btw i'm using 48 port 2950-EI
config
aaa new-model
aaa authentication dot1x default group radius
interface FastEthernet0/3
switchport access vlan 52
switchport mode access
no ip address
dot1x port-control auto
dot1x timeout reauth-period 1
dot1x max-req 10
dot1x reauthentication
radius-server host x.x.x.x auth-port 1812 acct-port 1813 key <password>
radius-server retransmit 3
am i missing something? thanks
Hello,
ok, the config looks all right then. Is there a firewall or some other filter active between the switch and the RADIUS server that might be blocking the ports 1812 and 1813 ?
Regards,
GP
Similar Messages
-
ISE - AD 802.1x Authentication Failure (All of the sudden)
I have a WLC using ISE to authenticate through AD. (No certificates - only username & password)
ISE is single node deployment.
Its been running fine for the past 6 months, but all of a sudden I get the following errors:
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
Any Ideas why this would happen ?im recevieing this error message also
Failure Reason: 12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
Resolution: Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
Root cause: Session was not found on this PSN. Possible unexpected NAD behaviour. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.
but im running ISE 1.3 with patch 1 only noticed this after the upgrade.
nad is a 3560v2-24ps-s running c3560-ipservicesk9-mz.122-55.SE10.bin
any ideas anyone? -
Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010
Hi
My company has implemented 802.1x Wired authentication, we use GPO to specify a
Wired Profile that uses a COMPUTER certificate.
We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
This issue only occurs intermittently, but have been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self signed USER certificate for authentication.
I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995,
KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the
issue still occurs.Hi,
From the description, you suspect the DHCP request cause this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
Meanwhile, I found the following hotfix which may related to this issue.
No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
Next Action Plan:
1.Clean Boot
a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
b. In the Startup tab, click the "Disable All" button.
c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
======================================================
Clean Boot + binary search
In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until
we find out the root cause. Please let me know if this action plan is OK for you.
2.Collect etl trace on the problematic client.
netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
****Try to reproduce this issue****
netsh trace stop
Please send the net.etl to us for underlying analysis.
For any concerns, please let us know.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
ISE internal user authentication failure - user not found
Hi Forumers'
I trying to do wireless 802.1x, where identity store using intenral user.
But i found this error message when i trying to connect
Authentication failed :
22056 Subject not found in the applicable identity store(s)
My authrorization rules is built like this
identity groups = user identities group / " mygroup"
condition = no setting
permissions = standard / PermitAccess
Question 1
Any troubleshooting step to do on this?
Question 2
For the Authorization rules, what's the condition should set for using Internal User as Identity store?
Thanks
NoelThe error is caused to an authentication failure and is not an issue with authorization
You need to look at your authentications policy (Policy->Authentications) and see which identity store was authenticated against
In addition can do the Live Authentications page (Monitor->Authentications) and for the failing record click on the icon under details. This will give you the full details of the requets processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and "Selected Identity Stores". -
EAP SIM Authentication Failure
Hi all,
Is there a way to debug EAP SIM authentication on iPhone / iPad? I see Challenge: AT_MAC_NOT_VALID failures in syslog everytime I try to connect to an EAPSIM server (freeradius). Please refer to following pcap
http://www.cloudshark.org/captures/b9610f2b4a25
I am using following values for simtriplets on freeradius server:
1320727710000010,9fddc72092c6ad036b6e464789315b78,d113e49b,7fc85b9918d92ea8
1320727710000010,81e92b6c0ee0e12ebceba8d92a99dfa5,cca822be,231f55c24633a406
1320727710000010,b120f1c1a0102a2f507dd543de68281f,0ff5b99f,4421fce1f3427e22
The iPad is loaded with a test SIM which is programmed with following values of Ki and Op and above SRES and Kc were generated using following values:
key=0C0A34601D4F07677303652C0462535B
op=63bfa50ee6523365ff14c1f45f88737d
I have verified GSM milenage algorithm with test keys in 3GPP TS 55.205 v9.0.0 and the algorithm seems to work fine. All results match with the test inputs/results provided in 3GPP TS 55.205 v9.0.0. So I doubt there is some issue with SRES/Kc for above Ki/Op values.Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
Why Unable to identify a user for 802.1X authentication (0x50001)?
Hello,
We are trying to set up wifi single-sign-on. When logging to a laptop get a message
"Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
Server: windows server 2003 (with all updates)
laptop: windows 7 professional SP1 (with all updates)
When looking to event log i found this error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-10-10 10:38:01
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: sba01-nb
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID:
Account Name: -
Account Domain: -
Logon ID: 0x0
Network Information:
Name (SSID): Pivot_Users
Interface GUID: {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
Local MAC Address: C4:85:08:12:77:44
Peer MAC Address: 00:24:97:83:8E:61
Additional Information:
Reason Code: Unable to identify a user for 802.1X authentication (0x50001)
Error Code: 0x525
EAP Reason Code: 0x0
EAP Root Cause String:
EAP Error Code: 0x0
Event Xml:
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
<EventRecordID>37791</EventRecordID>
<Correlation />
<Execution ProcessID="760" ThreadID="2224" />
<Channel>Security</Channel>
<Computer>sba01-nb</Computer>
<Security />
</System>
<EventData>
<Data Name="SSID">Pivot_Users</Data>
<Data Name="Identity">
</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">00:24:97:83:8E:61</Data>
<Data Name="LocalMac">C4:85:08:12:77:44</Data>
<Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
<Data Name="ReasonCode">0x50001</Data>
<Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
<Data Name="ErrorCode">0x525</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString">
</Data>
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Thank you for answer and help.
Regards,
TadasHi,
Thanks for your post.
Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
Here is the process that is followed.
1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
3. The Authenticator cannot validate and the authentication would fail.
4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
it will just ignore them
5. You will see event 15506 after the event 15514.
Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
0x50001 = Dec 327681
Reason code: 327681 Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.] # def name:
ONEX_UNABLE_TO_IDENTIFY_USER
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)
My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
WLAN configuration:
(Cisco Controller) >show wlan 100
WLAN Identifier.................................. 100
Profile Name..................................... test-qh
Network Name (SSID).............................. test-qh
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 10
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Global Servers
--More-- or (q)uit
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Enabled (Profile 'test')
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT(802.11r)............................. Enabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Disabled
CCKM tsf Tolerance............................... 1000
CKIP ......................................... Disabled
--More-- or (q)uit
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
debug info:
Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
*apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b R0KH-ID:192.168.20.244 R1KH-ID:00:24:14:7e:74:c0 MSK Len:48
pmkValidTime:1772
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
*dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
(Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
*dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
(Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b R0KH-ID:192.168.20.244 R1KH-ID:00:24:14:7e:74:c0 MSK Len:48
pmkValidTime:1813
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
=============================
qh
thanks in advance!Can anyone help me?
-
Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2Check you ACS (Radius) logs under failures. You will see why its failing. Sounds like a AD account went bad
or someone is entering the wrong logon ... But check your radius log it will point you in the right direction. -
I am in the process of implementing machine based 802.1x to my company. I have 2 radius servers and 1 CA. The machines get their certificates via group policy. The group policy is working fine and everyone has been issued their certificates that are supposed
to have them. I wait til they get their certificates, then enter the commands for 802.1x on their port. I have about 50 machines that are working as they should, but I have three random machines that will not communicate whenever I flip the port on the switch.
The three machines have valid certificates and have full connectivity to the two radius servers and the CA. I do not believe it is a switch problem, because I have other machines connected to this switch that are authenticating properly. Also, I have
tried the 802.1x hotfix on these machines with no luck. I am wondering if there is anything that I could try on the clients that would keep them from authenticating. All of my clients are Windows 7 SP1 64 bit. Any suggestions would be appreciated! Hi,
Based on your description, you are deploying 802.1x authenticated wired network access. The issue is that three machines in your network can’t pass the 802.1x authentication.
About “The three machines have full connectivity to the two radius servers and the CA.” Does it mean that the three machines can ping two radius servers?
What errors did three machines receive when the three machines logon? Or are there any related event logs in the RADIUS server?
For example, in Windows 2012 R2 NPS server, you could check Security-Auditing event in Custom Views\Server Roles\Network Policy and Access Services.
You could also check the Audit Failure event. It is in the Windows Logs\Security directory.
Please also check if the wired network (IEEE 802.3) group policy was applied to the three machines.
You could run
gpresult /h c:\report.html to generate the result of group policy.
If you couldn’t find the group policy which you created, please run
gpupdate /force command in the three clients.
Best Regards,
Tina
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
WAP321 Authentication failure log codes
Devices that have previoulsy connected to the WAP are still able to connect but any new device to the environment is not. If I delete the network from an existing device that device is no longer able to authenticate and connect to the WAP. Log entries below show the following errors for a single MAC. This happened once before and to solve the issue I reentered the key into the SSID setup on the WAP. All devices had to delete the existing SSID from their list of networks but then they were able to rejoin. I don't want to ask users to do that again. Any help on the log entries below is greatly appreciated!
Jul 19 2013 01:42:34
info
hostapd[1078]
wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
Jul 19 2013 01:42:34
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
Jul 19 2013 01:42:32
warn
hostapd[1078]
Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:32
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:31
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30
warn
hostapd[1078]
Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:30
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30
info
hostapd[1078]
wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
Jul 19 2013 01:42:30
info
hostapd[1078]
wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
Reason Code 16: Authentication failed due to a user credentials mismatch.
Reason-Code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I am not sure what is causing this. However I would ask that you do two things. While everything is working normally go to Administration/Support Information and download a diagnostic file. Label it with a date WAP321 and the word "good". Save it somewhere. When this happens again, before doing anything go back in and get another diagnostic file label it the same except with the word "bad".
Call in and open a support case and have the engineer notify me that you have opened one and also give them a reference to this community support thread.
I will work with your engineer to see what is happening.
Thanks
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
CCNA, CCNA-Wireless
866-606-1866
Mon - Fri 09:00 - 18:00 (UTC - 05:00)
*Please rate the Post so other will know when an answer has been found. -
WAP321 - Station had an authentication failure, reason 19/20
Clients can authenticate succesful, work for some time, until they get an authentication failure, reason 19, followed by reason 20. WLAN has to be disabled and again enabled on the client and it's working again unti it come's again to the authentication failures. What do these failures mean? And how can these be resolved?
Thanks, Roland
May 7 2013 16:22:05 info hostapd[1086] Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 20
May 7 2013 16:22:04 info hostapd[1086] Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 19
May 7 2013 15:18:09 info hostapd[1086] The wireless client with MAC address 10:40:f3:a7:7f:f6 has been successfully authenticated.
May 7 2013 15:18:09 info hostapd[1086] wlan0: WPA STA 10:40:f3:a7:7f:f6 pairwise key exchange completed (WPAv2)
May 7 2013 15:18:09 info hostapd[1086] wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 associated with BSSID a4:93:4c:b1:cf:08
May 7 2013 15:18:09 info hostapd[1086] wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLAN
May 7 2013 15:18:09 info hostapd[1086] wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 deauthed from BSSID a4:93:4c:b1:cf:08 reason 3: STA is leaving IBSS or ESS
May 7 2013 15:18:09 info hostapd[1086] wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLAN
May 7 2013 15:18:09 info hostapd[1086] wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 deauthed from BSSID a4:93:4c:b1:cf:08 reason 3: STA is leaving IBSS or ESS
May 7 2013 14:28:47 info hostapd[1086] Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 20
May 7 2013 14:28:46 info hostapd[1086] Station 10:40:f3:a7:7f:f6 had an authentication failure, reason 19
May 7 2013 14:03:41 info hostapd[1086] The wireless client with MAC address 10:40:f3:a7:7f:f6 has been successfully authenticated.
May 7 2013 14:03:41 info hostapd[1086] wlan0: WPA STA 10:40:f3:a7:7f:f6 pairwise key exchange completed (WPAv2)
May 7 2013 14:03:41 info hostapd[1086] wlan0: IEEE 802.11 STA 10:40:f3:a7:7f:f6 associated with BSSID a4:93:4c:b1:cf:08
May 7 2013 14:03:41 info hostapd[1086] wlan0: IEEE 802.11 Assoc request from 10:40:f3:a7:7f:f6 BSSID a4:93:4c:b1:cf:08 SSID WLANI'm experiencing this aswell...
Jan 5 2000 06:40:44
info
hostapd[1098]
Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 20
Jan 5 2000 06:40:43
info
hostapd[1098]
Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 19
Jan 5 2000 06:34:53
info
hostapd[1098]
The wireless client with MAC address 1c:62:b8:ab:04:f4 has been successfully authenticated.
Jan 5 2000 06:34:53
info
hostapd[1098]
wlan0: WPA STA 1c:62:b8:ab:04:f4 pairwise key exchange completed (WPAv2)
Jan 5 2000 06:34:53
info
hostapd[1098]
wlan0: IEEE 802.11 STA 1c:62:b8:ab:04:f4 associated with BSSID d8:67:d9:c4:73:48
Jan 5 2000 06:34:53
info
hostapd[1098]
wlan0: IEEE 802.11 Assoc request from 1c:62:b8:ab:04:f4 BSSID d8:67:d9:c4:73:48 SSID World Domination Inc.
Jan 5 2000 06:34:53
info
hostapd[1098]
wlan0: IEEE 802.11 STA 1c:62:b8:ab:04:f4 deauthed from BSSID d8:67:d9:c4:73:48 reason 3: STA is leaving IBSS or ESS
Jan 5 2000 05:52:01
notice
sntp[1067]
Unable to resolve SNTP server host name:time-a.timefreq.bldrdoc.gov
Jan 5 2000 04:46:59
notice
sntp[1067]
Unable to resolve SNTP server host name:time-a.timefreq.bldrdoc.gov
Jan 5 2000 04:29:17
info
hostapd[1098]
Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 20
Jan 5 2000 04:29:16
info
hostapd[1098]
Station 1c:62:b8:ab:04:f4 had an authentication failure, reason 19
The date is also set wrong on my WAP, but thats not necessarily the issue.
This problem is new as of Friday Evening (7/19/13) last week when the device was relocated. -
Intermittent AD Authentication failures in ISE 1.2
Starting today I was getting intermittent authentication failures in ISE. It would say that the user was not found in the selected identity store. The account is there though. At one point I ran a authetication test from the external identity source menu and I got a failure and then the next time a pass. I have no idea why this is happening. I just updated to ISE 1.2 the other day. I'm also seeing what looks like a high level of latency on both of my PSN's. Is this normal? Any ideas?
Thanks
JefInteresting. I have one location that is not having this problem at all. The other is having it somewhat frequently. The PSN's for each location are tied to the local AD servers. I have not had this until we started getting 300-380 PC's connecting. We are a school so we are slowly getting started. It's real random. One user will work then another time they won't. Happens with admin and user. I have notices that with this new version of ISE it is complaining that it is getting accounting updates from the NAS too often, but I have not looked into this because I just installed 1.2 about 3-4 days ago and haven't had time to look into it.
When you say Multicast to you AD...how did you check that? We do use multicast. -
HI, Im using Iphone 4 and i recently got my IOS updated to IOS7 and now im getting the error message as "PDP authentication failure" Im using Aircel carrier.
Please let me know how to fix this issueupdate...
I am not one to give up. So I called AT&T today. Now they are telling me they canceled my order because they were unable to fulfill my order. Basically, AT&T told me they sold out so they canceled my order so I can proceed to reorder again. It took them 4 days to realize this. I will be lucky if I get a new phone by Christmas. I am sure they will find a way to cancel my order again.
Again, I argued, how is this my fault. I placed my order at the store around 11 a.m. Pacific time. My friend ordered his phone online sometime after me. He got his but my order was canceled. AT&T tried to explain to me that they sold over 600,000 phones, almost 500 per minute during there peak. Again, I asked, how this was my fault.
I can understand over selling the phone. It is a great product. There is no reason to cancel my order. You adjust my order and tell me you will let me know when my phone will be in. I would have been mad that my phone was going to be late but I would have survived. At least I would be getting one.
At this point, I have no order and AT&T or Apple website will allow me to order one. I just want to get in the QUEUE for one.
Frustrated. -
Please can someone help me to solve the error message "Could not activate cellular data network: PDP authentication failure"when using 3G or GPRS on safari with an iphone 4GS and latest software updates. I have tried resetting the network and phone settings. I have restored the factory settings on itunes and still the problem persists.
All iPhones sold in Japan are sold carrier locked and cannot be officially unlocked by the carrier. If you unlocked it, it was by unauthorized means (hacked), and support cannot be given to you in this forum.
Hacked iPhones are subject to countermeasures by Apple, particularly when updating the firmware. It is likely permanently re-locked or permanently disabled.
Message was edited by: modular747 -
Hi.
I'm using SCOM 2012 R2 and have imported the Exchange server 2010 MP.
I have runned the TestCasConnectivityUser.ps1 script and almost everything is okay except for the OWA test login.
The OWA rule is working for some time until (I think) SCOM is doing a automatic password reset of the extest_ account. Then I get the OWA error below. The other test connectivity are working. Any suggestions.
One or more of the Outlook Web App connectivity tests had warnings. Detailed information:
Target: xxx|xxx
Error: The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxxx
User: extest_xxx
Details:
[22:50:08.936] : The TrustAnySSLCertificate flag was specified, so any certificate will be trusted.
[22:50:08.936] : Sending the HTTP GET logon request without credentials for authentication type verification.
[22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
[22:50:09.154] : The sign-in page is from ISA Server, not Outlook Web App.
[22:50:09.154] : The server reported that it supports authentication method FBA.
[22:50:09.154] : This virtual directory URL type is External or Unknown, so the authentication type won't be checked.
[22:50:09.154] : Trying to sign in with method 'Fba'.
[22:50:09.154] : Sending HTTP request for logon page 'https://xxx.com/CookieAuth.dll?Logon'.
[22:50:09.154] : The HTTP request succeeded with result code 200 (OK).
[22:50:09.373] : The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxx
User: extest_xxx
[22:50:09.373] : Test failed for URL 'https://xxx/OWA/'.
Authentication Method: FBA
Mailbox Server: xxx
Client Access Server Name: xxx
Scenario: Logon
Scenario Description: Sign in to Outlook Web App and verify the response page.
User Name: extest_xxx
Performance Counter Name: Logon Latency
Result: Skipped
Site: xxx
Latency: -00:00:00.0010000
Secure Access: True
ConnectionType: Plaintext
Port: 0
Latency (ms): -1
Virtual Directory Name: owa (Default Web Site)
URL: https://xxx.com/OWA/
URL Type: External
Error:
The test couldn't sign in to Outlook Web App due to an authentication failure.
URL: https://xxx.com/OWA/
Mailbox: xxx
User: extest_xxx
Diagnostic command: "Test-OwaConnectivity -TestType:External -MonitoringContext:$true -TrustAnySSLCertificate:$true -LightMode:$true"
EventSourceName: MSExchange Monitoring OWAConnectivity External
Knowledge:
http://go.microsoft.com/fwlink/?LinkID=67336&id=CB86B85A-AF81-43FC-9B07-3C6FC00D3D42
Computer: xxx
Impacted Entities (3):
OWA Service - xxx, xxx - xxx, Exchange
Knowledge: View additional knowledge...
External Knowledge Sources
For more information, see the respective topic at the Microsoft Exchange Server TechCenter
Thanks
MHemHi,
Based on the error, it looks like an OWA authentication failure.
Have you tried post this to LYNC forums?
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
Maybe you are looking for
-
Can you hear me now? No you can't because the call was dropped.
Hi, I switched to verizon about one year ago, excited about the great coverage they advertise. But coverage has recently stopped in my area, which is close to a large city plus I used to have great coverage. When I call tech support they say that I
-
Easy way to create a new dvd from an authored dvd so slideshow can be added
Can a DVD be copied and an almost duplicate DVD be created from it with an iDVD slideshow added? I would like to know if I can make a composite DVD from my wedding video DVD and the wedding slideshow DVD I created with iDVD that keeps all their respe
-
Incompitible Print Setting Error for HP LJ 8500n in Windows Vista
Hi, I have two laptops, one with Windows XP and another with Windows Vista Business. There is a HP LJ 8500n connected with router and accessed by both laptops. Somehow, when I print from Windows XP laptop and I change the print settings there is no e
-
Need some help tweaking the supersized jquery plugin
Hi, I'm using this plugin http://www.buildintearnet.com/2010/11/supersized-3-0-full-screen-background-slideshow-jque ry-plugin/ on my site here - http://www.blackpaint.co.uk/new/ The plugin cycles through as many images as yuo tell it to, when it rea
-
I couldn't find a place to post this topic in the discussions so I'll try here. I know this is a Microsoft issue, but I just wanted to get some feedback. When I try to open Entourage, I immediately get an error message that says "Entourage cannot acc