802.1x authentication on PSK key mgmt?

Hello,
I'm setting up a new 5508 WLC (the first wlc I have ever setup) and I have my WLAN setup with our existing WPA/TKIP ssid for transitioning our clients from our existing autonomous system to the wlc. I have selected PSK as the key mgmt and I can get the client's to connect for a few minutes but I keep seeing these errors:
Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?
Thanks.
Dan.

Hey,
I have same problem with Cisco 2100 Series WLC on software version 7.0.98.0.
I get a lot of error messages in Log Monitor which look like these:
0
Thu Dec 9 09:00:28 2010
Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
1
Thu Dec 9 08:57:09 2010
Interference Profile Failed for Base Radio MAC: (..................) and slotNo: 0
2
Thu Dec 9 08:53:43 2010
Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
3
Thu Dec 9 07:57:15 2010
Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
4
Thu Dec 9 07:54:10 2010
Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
5
Thu Dec 9 07:50:42 2010
Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
I'm not using 802.X authentication, it's just WPA/TKIP ...not even WPA2/AES. Each client gets disconnected few times per day. Auth fails like you see above, but for the most time connection just works. Not as good as I'd want it to, but it works, somehow.
I have also set up two WLANS for other devices like printers etc - it works just fine. I mean - no errors, no disconnects, it works perfectly, but why the hell is WPA not working?!
Second bigger problem is that every computer connected via WIFI is loosing one ping packet every minute. I have WLC -> 7 x AP -> End devices.
Everything till AP's is connected via ethernet, then it's wifi connection. When I'm pinging WLC or AP's from lan connected PC it works fine, but when I'm pinging wifi connected end devices (6 pc's) - each one is loosing one packet in exact, same time - every minute.
When I'm doing the same but from second side - wifi connected pc pinging AP's, WLC, lan pc - I loose one ping packet to each device including AP, WLC, other end devices.
It's definately fault in WLC configuration because I loose these packetes on AP's <-> WIFI devices. Any idea, any clue? I'm not sure which setting is responsible for that.
Thanks in advance for any hints, suggestions.
Regards,
Łukasz

Similar Messages

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    qh
    thanks in advance!

    Can anyone help me?

  • E71 and 802.1x authentication

    Dear All,
       Our wireless is using 802.1x to authenticate users. With notebooks, it's working very well but when i use Nokia E71, it cannot connect to wireless network.
    This is my <Access Point> configuration on Nokia E71:
    <IT DEPT>
          WLAN network name: IT DEPT
          Network status: Public
          WLAN network mode:Infrastructure
          WLAN security mode: WPA/WPA2
          WLAN security settings:
              WPA/WPA2: EAP
              WPA2 only mode: off
              EAP plug-in settings:
                  EAP-PEAP (enabled only)
                      Personal certificate: my personal certificate <== issued by our local CA
                      Authority certificate: <my CA> <=== our local CA
                      User name in use: From certificate
                      User name: <blank>
                      Realm in use: From certificate
                      Realm: <blank>
                      Allow PEAPv0: Yes
                      Allow PEAPv1: No
                      Allow PEAPv2: No
                 EAP-MSCHAPv2:
                      User name: <my domain username>
                      Prompt password: No
                      Password: <my domain password>
                Cipher:
                      All are enabled
    This is configuration on my Wireless LAN controller:
                    Layer 2:
                           Layer 2 Security: WPA+WPA2
                     WPA+WPA2 Parameters
                          WPA Policy: not checked
                          WPA2 Policy: checked
                          WPA2 Encryption: AES is checked; TKIP is checked
                          Auth Key Mgmt: 802.1X
    But when i connect to Wireless, on phone i always see error:
              WLAN: EAP-PEAP authentication failed
    In Event Viewer on IAS server, i always see this warning:
     User <my domain name>\<my username> was denied access.
     Fully-Qualified-User-Name = <my domain name>/Users/<my username>
     NAS-IP-Address = 10.0.0.10
     NAS-Identifier = WLC
     Called-Station-Identifier = 00-23-33-79-28-10OVOforSTAFF
     Calling-Station-Identifier = 00-24-7D-F6-7A-AA
     Client-Friendly-Name = WLC
     Client-IP-Address = 10.0.0.10
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 1
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = WLC
     Authentication-Type = PEAP
     EAP-Type = <undetermined>
     Reason-Code = 262
     Reason = The supplied message is incomplete.  The signature was not verified.  
     I can see my CA in Settings = > General => Security => Certificate management => Authority certificates on my phone
    It's very helpful if you can help me to solved this problem. i don't know what is happening.
    Thanks so much!
    Message Edited by publicuser on 06-Aug-2009 10:37 AM

    Our own IT department's been trying to get it to work for a while, but it seems Nokia's implimentation of 802.1x just plain does not work properly in that configuration.
    Help I'm trapped in a sig factory.

  • 802.1x authentication fails

    Setup: two 5500 (v6.0.188.0, mix of 1131 and 1141 AP`s
    Laptops running fine for random number of weeks suddenly can´t connect to the wireless network. The output from Client troubleshoot shows:
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Controller association request message received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received reassociation request from client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    The wlan to which client is connecting requires 802 1x authentication.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Client moved to associated state successfully.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received EAP Response from the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received EAPOL start message from client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received EAP Response from the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    EAP response from client to AP received.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST
    INFO
    10.1.1.101
    Sending EAP request to client from radius server.
    05/07/2010 07:03:44 CEST
    ERROR
    10.1.1.101
    Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:14 CEST
    ERROR
    10.1.1.101
    Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:44 CEST
    ERROR
    10.1.1.101
    Authentication failed for client as EAP ID request from AP reached maxmium retransmissions.
    05/07/2010 07:04:44 CEST
    ERROR
    10.1.1.101
    De-authentication sent to client. slot 0 (claller 1x_ptsm.c:467)
    05/07/2010 07:04:44 CEST
    ERROR
    10.1.1.101
    05/07/2010 07:04:44 CEST
    ERROR
    10.1.1.101
    EAPOL-key is invalid, scheduling client for deletion.

    We are using PEAP-MS-CHAP v2 . The IAS certificate is valid to 2014. We have about 300 laptops, but now and then some of them fails to authenticate. Yesterday I noticed that if I had one of the failing computers connected with wire, after some minutes it suddenly authenticated wireless!

  • 802.1x Authentication in Extreme architecture

    Hi all,
    Objectives :
    Authenticate a supplicant on a Extreme 802.1x port with an ACS SE 4.2
    Supplicant = IP Phone
    Authenticator : Switch Extreme 450 E
    Authentication Server : ACS SE 1113 4.2.0.124.9
    1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly, the supplicant authenticates without any problem.
    2)We have replicate the windows ACS with the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
    3) We have upload UDvs and VSA on the ACS SE and it still not work.
    These are the .csv file uploaded :
    accountactionsVsa.csv (used for the vendor)
    accountAttributes.csv (used for the vendor attributes)
    accountProfile.csv (used for the Attributes profile)
    accountvalues.csv (used for the Attributes values). This one is not on the attachment files :
    1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
    2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
    3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
    4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
    5,4,,,355,,,,,15/04/2009 10:00,,,,0
    The message in ACS Failed Attemps logs is : "Bad Request from NAS".
    We have verified the authenticator address and the secret key, everything is ok.
    With Windows ACS we can see first an "access request" between authenticator and aurthentication server. Next an "access challenge" from authentication server to Authenticator. NExt an "access request" between authenticator and aurthentication server and then an "access Accept" from authentication server to Authenticator.
    With ACS SE we can see first an "access request" between authenticator and aurthentication server. Next an "access Reject" from authentication server to Authenticator.
    We have tried to understand the differences between the first "access request" in ACS windows architecture and the first "access request" in ACS SE architecture. The only difference is on the Message-authenticator(80).
    Have you already had this kind of problem. How can i Solve it?
    Thanks for your replies.
    Best regards.

    The Supplicant only use EAP MD5 since it is a Ip phone.
    EAP MD5 is already checked in Global authentication Setup.
    Just for remember :
    802.1x runs in a Windows Version but not in a SE version with same configuration (we have done the test with a replication from Windows version to Appliance SE version. Both ACS version have the same configuration but one is running and not the other.

  • WPA with 802.1x authentication

    Hi experts,
    I need clarification in a fundamental concept.
    Is it possible to configure WPA with 802.1x authentication without external AAA / ACS server.
    If the username and password is configured in local device, is it possible to create 802.1x authentication without RADIUS server
    Thanks in advance
    regards,RB

    You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
    aaa group server radius rad_eap
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid ccie
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    radius-server local
    nas 192.168.0.1 key cisco
    user test password test
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
    LAP Controller local EAP is configurable through GUI

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features that MAC Move and MAC replace but they seem to be used when moving from one port a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    My configuration we have on the switch ports look as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Cisco IP Phone 802.1x authentication with NPS

    Hi All,
    I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
    deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

    Hi,
    Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
    configuring 802.1x authentication for Cisco IP phones.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello, 
      We are trying to set up wifi single-sign-on. When logging to a laptop get a message
    "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
    Server: windows server 2003 (with all updates)
    laptop: windows 7 professional SP1 (with all updates)
    When looking to event log i found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
    Here is the process that is followed.
    1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
    2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
    3. The Authenticator cannot validate and the authentication would fail.
    4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
    it will just ignore them
    5. You will see event 15506 after the event 15514.
    Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code:  327681   Event log message:  The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: 
    ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • 802.1X authentication process in Active Directory joined computer.

    Hi,
    I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
    1. When Windows start up,
    2. it will authenticate to the 802.1x network using computer account.
    3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
    4. once 3 is done, the AD credential will be used to auth to AD again to login.
    Why do we need 3 times of authentication? Why do we need steps 3?
    Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
    Thank you!
    Ah_Chao|| MCSE,VCP,EMCSAe

    Hi,
    According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
    It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
    With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
    logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
    (computer credentials when no user is logged on and user credentials when a user is logged on).
    Detailed description you may reference:
    https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
    And more information about 802.1x, you may reference:
    Understanding 802.1X authentication for wireless networks
    https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • 802.1x Authentication on Wired and Wireless LAN

    I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
    But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
    Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
    At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
    Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
    Hope that someone else has any clue?

  • Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

    In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
    Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least
    network and chipset) on affected machines have also been updated.
    802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated
    against Active Directory by RADIUS.
    Analyzing the logs of our RADIUS-Server you can see that the client trys to authenticate
    via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
    We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing
    * enabled
    Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like that the
    component is simply not up at that point in time, because there are absolutely no entries making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to
    authenticate again – successfully and with entries in the given log.
    There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017
    - install is not needed because no updates are applicable).
    Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
    Any other advice is highly appreciated as well!
    Thanks a lot

    Hi Deason,
    sorry for my very very late reply on this.
    Even if I could not solve the problem yet, I can tell about some progress.
    As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I
    have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
    $doAllTheTime = $true
    $i = 0
    $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
    $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
    while ($doAllTheTime -eq $true)
    $i++
    $NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
    $NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
    $ping = $null
    $ping = test-connection $DomainName -count 1
    if ($ping -eq $null)
    "Error with connection"; return
    So I kept it running and after a dozens of loops the issue reoccurred. I could see that it is the dot3svc-Service that does not response anymore by the RASCHAP-log given above. Restarting the service manually triggered a re-authentication that was then successful.
    So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task
    have then been deployed to our clients.
    Even if this is no solution it definitely helps with a high rate of incidents -
    but not entirely... so I am still looking for further steps to
    solve this. Any ideas are highly appreciated.
    Thank you very much for your support!!! Uhle

  • 802.1x Authentication with Windows and MAC

    Hello Team;
                  I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
    Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

    Hello Sreejith,
    As per your query i can suggest you the following steps-
    No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
    1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
    2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
    3.Click the Security tab, and then, in the Security Type list, click 802.1X.
    4.In the Encryption Type list, click the encryption type you want to use.
    On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
    5.In the Choose a network authentication method list, click the method you want to use.
    To configure additional settings, click Settings.
    Hope this will help you.

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
    I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
    but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that radius is not sending anything about vlan...
    Has anyone alredy tried this set up?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
    You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,

  • Trouble with 802.1x authentication

    Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
    I get the following error:
    "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
    (Error: 1 on port en0)"
    My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
    What could be the problem?
    cheers!

    hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

Maybe you are looking for

  • Problem with display of pages in IE

    I'll keep this short and simple, I'm not after criticism of my work but if it is a mess then I understand, I've re-coded a website designed by a friend who has joined the army & is currently serving so I cannot get in touch with him for help, I'm a n

  • Set Width for a column, Merge cells in Excel

    Hi all, I am using jacob.dll to open and modify an Excel file. And I am stucking in below trouble: Dispatch workbook = Dispatch.invoke(workbooks, "Open",           Dispatch.Method,           new Object[]"D:\\02042005.xls",           new Variant(false

  • Camera to PB

    Is there a trick (cables,software,etc) to connecting my digital camera to my PB so as to frame my shots onscreen? In other words, see on my PB the photo I am about to capture. Thanks in advance Larry

  • Address Same as Above checkbox that will autopopulate 2nd address fields

    LiveCycle ES2 Sure this easy question has came up before, but I cannot find the solution anywhere. I am creating a form where the user would fill in their contact information. (address, phone, email, etc.) Then they will need to fill in their return

  • T.o.r

    Dear sap gurus, what will happen if i deactivate t.o.r and availability check at schedule line level? why there is a config settings in shipping for avaiablility check and tor? please clarify on this Divya