802.1x Authentication problems

I configured dot1x port authentication on the switched network using a Cisco ACS SE, and on the computers (Windows XP/SP2) PEAP and EAP-MSCHAPv2. Everything works OK while the user has already loaded his credentials on the PC, but if somebody tries to log in on the PC as a new user the authentication process fails, so I have to force the authentication process to gain access to the network; after that I reverse the authentication process to auto, the user logs off, and then the authentication process works again.
What am I missing?
Please, some help...

What we are seeing here is the known behavior of dot1x authentication. To bypass this issue we would need to set up machine authentication along with user auth. Here is the 802.1x process that explains the behavior that we were experiencing with the cached credentials.
When machine authentication is enabled, the authentications occur in this order when starting a computer:
* Machine authentication: ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.
* User domain authentication: If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
You can also have only user authentication without machine authentication. It only gives problems in the case of a first-time user that is not yet registered once on the AD. So with machine authentication you have a network connection to AD, and therefore first-time users have no problem. In addition, without machine authentication (no access to AD during user login) you need to make sure to have user credential caching on the workstation. In machine authentication, AD and the machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL, user login will start.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • 802.1x authentication problem on C2960S-48TS-L with Linux clients

    Hi,
    While implementing wired 802.1x in my company I faced a problem with authentication of some Linux computers (Ubuntu 13.10+) via mab on one of my access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.
    It seems that Authenticator can't detect MAC address of supplicant. In debug the MAC address is (Unknown MAC) or (0000.0000.0000). 
    Before authentication I could see registered MAC address on the switchport interface(without 802.1x settings on the port):
    sh mac address-table interface g1/0/2          "before 802.1x authentication"
    Vlan    Mac Address       Type        Ports
       2    0015.990f.60d9    STATIC      Gi1/0/2
    The host should get into Vlan 2 after failed authentication (according to port settings). But actually, after trying to authenticate, the host on this port loses connection with the network and doesn't get into Vlan 2:
    sh mac address-table interface g1/0/2              "after 802.1x authentication"
    Vlan    Mac Address       Type        Ports
    sh authentication sessions
    Interface  MAC Address     Method   Domain   Status         Session ID
    Gi1/0/24   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000000023E32
    Gi1/0/25   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000200024193
    Gi1/0/2    (unknown)       mab      UNKNOWN  Running        6A7D1FAF000000280011BA1A
    sh dot1x interface g1/0/2 details
    Dot1x Info for GigabitEthernet1/0/2
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 5
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 3
    sh run int g1/0/2
    interface GigabitEthernet1/0/2
     description ## User Port ##
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 5
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     ip arp inspection limit rate 120
     authentication event fail retry 0 action authorize vlan 2
     authentication event server dead action authorize vlan 2
     authentication event no-response action authorize vlan 2
     authentication host-mode multi-host
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 3900
     authentication timer inactivity 300
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 5
     dot1x timeout tx-period 3
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     storm-control action trap
     no cdp enable
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree guard root
    end
    I have tried to change  authentication host-mode to multi-domain but the problem remains.
    "debug dot1x all" in the attached file.
    Please help me to resolve this issue

    I have removed port security but still have failed authentication on the port
    002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
    002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
    002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
    002265: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: initial state auth_initialize has enter
    002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
    002267: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
    002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
    002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
    002270: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: idle during state auth_disconnected
    002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
    002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
    002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
    002274: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
    002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
    002276: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
    002277: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
    002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
    002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
    002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
    002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
    002283: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
    002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
    002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
    002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
    002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
    002288: Mar 26 16:23:26.721:     dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
    002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
    002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
    002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
    002293: Mar 26 16:23:26.721:     dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
    002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
    002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
    002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
    002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
    002301: Mar 26 16:23:26.721: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002302: Mar 26 16:23:26.721: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
    002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002306: Mar 26 16:23:29.814:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
    002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
    002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
    002315: Mar 26 16:23:29.814: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002316: Mar 26 16:23:29.814: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002319: Mar 26 16:23:32.907:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
    002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
    002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
    002328: Mar 26 16:23:32.913: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002329: Mar 26 16:23:32.913: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
    002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
    002333: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
    002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
    002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
    002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
    002337: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
    002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
    002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
    002341: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
    002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
    002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
    002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
    002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
    002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client  0x6D000054 (0000.0000.0000)
    002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
    002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
    002352: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
    002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
    002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
    002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
    002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
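
The debug output in the post above can be summarised mechanically. The following Python script is an added example, not part of the original post: it parses IOS "debug dot1x" lines (the sample is abridged from the post) and reports, per attempt, how many EAP-Request/Identity frames were sent, their spacing, and whether the EAP id ever advanced. Retransmissions reuse the EAP id, so an id that never changes before the 'no-response' result means the switch never accepted a reply from the supplicant. The names Attempt, analyze and diagnose are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Abridged from the "debug dot1x all" output quoted in the post above.
SAMPLE_LOG = """\
002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
002302: Mar 26 16:23:26.721: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002316: Mar 26 16:23:29.814: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002329: Mar 26 16:23:32.913: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
"""

HEX = r"0x[0-9A-Fa-f]+"
LINE = re.compile(r"^\s*(?:\d+: )?\w{3} +\d+ (\d\d):(\d\d):(\d\d\.\d+): (.*)$")
START = re.compile(rf"dot1x-ev\((\S+?)\): Dot1x authentication started for ({HEX}) \(([^)]+)\)")
EAP_HDR = re.compile(rf"EAP code: ({HEX})\s+id: ({HEX})\s+length: {HEX}\s+type: ({HEX})")
SENT = re.compile(r"dot1x-packet\((\S+?)\): EAPOL packet sent to client")
TIMEOUT = re.compile(r"dot1x-ev\((\S+?)\): Received an EAP Timeout")
RESULT = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([^']+)' from '[^']+' .* on Interface (\S+)")


@dataclass
class Attempt:
    interface: str
    handle: str
    mac: str
    sends: list = field(default_factory=list)  # (seconds_of_day, code, eap_id, eap_type)
    timed_out: bool = False
    result: str = ""


def analyze(log):
    """Group debug lines into one Attempt per 'authentication started' event."""
    attempts, current, last_hdr = [], {}, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        hh, mm, ss, msg = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if (x := START.search(msg)):
            att = Attempt(*x.groups())
            current[att.interface] = att
            attempts.append(att)
        elif (x := EAP_HDR.search(msg)):
            # The header dump carries no client id; the next "sent" line does.
            last_hdr = tuple(int(v, 16) for v in x.groups())
        elif (x := SENT.search(msg)) and x.group(1) in current and last_hdr:
            current[x.group(1)].sends.append((t, *last_hdr))
            last_hdr = None
        elif (x := TIMEOUT.search(msg)) and x.group(1) in current:
            current[x.group(1)].timed_out = True
        elif (x := RESULT.search(msg)) and x.group(2) in current:
            current[x.group(2)].result = x.group(1)
    return attempts


def diagnose(att):
    """Classify one attempt; 'supplicant-silent' means no EAP reply was ever accepted."""
    gaps = [round(b[0] - a[0], 3) for a, b in zip(att.sends, att.sends[1:])]
    # EAP code 1 = Request, type 1 = Identity.
    only_identity = bool(att.sends) and all(c == 1 and ty == 1 for _, c, _, ty in att.sends)
    same_id = len({eap_id for _, _, eap_id, _ in att.sends}) == 1
    if only_identity and same_id and att.timed_out and att.result == "no-response":
        verdict = "supplicant-silent"
    elif att.result:
        verdict = "other:" + att.result
    else:
        verdict = "incomplete"
    return {
        "interface": att.interface,
        "mac_learned": att.mac != "0000.0000.0000",
        "identity_requests": len(att.sends),
        "gaps": gaps,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for attempt in analyze(SAMPLE_LOG):
        print(diagnose(attempt))
```

On the sample, the three requests are about 3 s apart, which matches the TxPeriod = 3 shown in the port's dot1x details.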

  • 802.1x re authentication problem

    Hello,
    I have a problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single host mode and Multiple Host mode it works just fine.
    The problem is the following: when the PC is first connected to the switch port it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it's going to authenticate again, and after a couple of minutes the NIC status is changed to “Authentication Failed”. On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then starts again with the same problems.
    I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts to send EAP Identity/Request packets to the host; the host answers with an EAP Identity/Response to the switch, but the switch doesn’t continue the authentication process and starts again with new EAP Identity/Request packets.
    On Windows 7 host Event viewer I see  following log messages:
                    Reason: 0x70004
                    Reason Text: The network stopped answering authentication requests
                    Error Code: 0x0
    The ACS version is 5.3. Authentication method is PEAP. Supplicant OS is Windows 7; I also tried with Windows XP, with the same result. The authentication switch is an ESW 520 with the latest firmware. I also tried with 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is other than “Multi Session" it works without any issue.
    Do you have any idea how I can fix this?

    Hi ngtransge,
    Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.

  • ESW 520 802.1x re authentication problem

    Hello
    I have a problem with ESW 520, on 802.1x authentication. The problem is that when a host authenticates successfully it works for about a couple of minutes, after which it tries to authenticate again but it lags. On the network interface it shows a notification that it failed authentication. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug in the cable it authenticates successfully, but then after about a couple of minutes it again lags. The switch sees the port as authenticated. In the Win7 event viewer I have the following error:
                    Reason: 0x70004
                    Reason Text: The network stopped answering authentication requests
                    Error Code: 0x0
    If I connect same hosts on Catalyst 2960 switch, they work successfully.

    Hi  ngtransge
    There are three possible explanations for why the authentication fails.
    A)the network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.
    To verify the client has a domain certificate:
    1. Click Start and click Run.
    2. Type mmc, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
    On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
    B) You should check your switch's configuration, perhaps a port or some ports could be blocked by an access-list and interrupt the re authentication.
    C) If these two solutions don't work, you have to try to change the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS)
    Greetings, Johnnatn Rodriguez Miranda

  • 802.1X Novell Chap authentication problems

    Ok, I've got FreeRadius up and authenticating successfully to eDir with
    LDAP. If I boot workstation only and use the built in Microsoft
    supplicant, etc. PEAP MSCHAP, I can authenticate to my access point
    using my edir credentials. Then I can click on the Novell client and log
    into the network.
    If I turn on the Novell Client 491sp4 802.1X support which puts in the
    Novell Chap as the authentication method it stops working. The
    Freeradius server shows the error <no password attribute> just as if my
    Universal Password wasn't set. But it is because it works with MSChap as
    the authentication method.
    I've applied all the Microsoft KB patches for WiFi I can find listed
    here in the listserv. Even the one that you have to submit to MS to
    receive 923154. I've set supplicant mode to 3 in the registry. I'm
    really at a loss.
    I'd just love to have the Novell Client do single sign on to our WPA
    protected wireless. Any advice is greatly appreciated. I see some of you
    have it working with minor problems. Can you help this long time Netware
    user since 2.X in college get it going too?
    Thanks in advance.
    -Nyle

    Nyle F. Landas wrote:
    > If I turn on the Novell Client 491sp4 802.1X support which puts in the
    > Novell Chap as the authentication method it stops working. The
    > Freeradius server shows the error <no password attribute> just as if my
    > Universal Password wasn't set. But it is because it works with MSChap as
    > the authentication method.
    Addendum: I've got it so if I log into Workstation only, it will
    authenticate using the Novell MSCHAP. It just won't authenticate with
    the Novell Client so that I have a single sign on.
    The error from the client changes but most of the time I get - "802.1X
    Found no connections to authenticate" Sometimes I get "802.1X
    Authentication failed. Timeout waiting for Authentication to finish.
    Logging into workstation only."
    If I set SupplicantMode to 3 it also won't even authenticate when I log
    in as workstation only. If I delete that key it will at least work at
    the workstation only.
    Again I believe I've applied all KB from Microsoft. Did I miss something
    simple? HELP, Please......
    -Nyle

  • Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

    In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
    Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least network and chipset) on affected machines have also been updated.
    802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated against Active Directory by RADIUS.
    Analyzing the logs of our RADIUS-Server you can see that the client tries to authenticate via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
    We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing * enabled
    Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like the component is simply not up at that point in time, because there are absolutely no entries, making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to authenticate again – successfully and with entries in the given log.
    There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017 - install is not needed because no updates are applicable).
    Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
    Any other advice is highly appreciated as well!
    Thanks a lot

    Hi Deason,
    sorry for my very very late reply on this.
    Even if I could not solve the problem yet, I can tell about some progress.
    As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
    # Repro loop: bounce the NIC until the domain stops answering after re-authentication
    $doAllTheTime = $true
    $i = 0
    $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.Name -like "*gigabit*"}
    while ($doAllTheTime -eq $true)
    {
        $i++
        $NWAdapter.Disable() | Out-Null; Start-Sleep -Seconds 10
        $NWAdapter.Enable() | Out-Null; Start-Sleep -Seconds 10
        # $ping stays $null when the domain cannot be reached
        $ping = $null
        $ping = Test-Connection $DomainName -Count 1
        if ($ping -eq $null)
        {
            "Error with connection"; return
        }
    }
    So I kept it running and after dozens of loops the issue reoccurred. I could see from the RASCHAP-log given above that it is the dot3svc-Service that does not respond anymore. Restarting the service manually triggered a re-authentication that was then successful.
    So I added the restart-service-cmdlet to my script in case the error was detected, and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task have then been deployed to our clients.
    Even if this is no solution it definitely helps with a high rate of incidents - but not entirely... so I am still looking for further steps to solve this. Any ideas are highly appreciated.
    Thank you very much for your support!!! Uhle

  • Trouble with 802.1x authentication

    Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
    I get the following error:
    "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
    (Error: 1 on port en0)"
    My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
    What could be the problem?
    cheers!

    hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

  • 802.1x Authentication for University Network Fails After 10.5.5 Update

    Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
    Now that I updated to 10.5.5, every time I try to connect it tells me "802.1x Authentication has failed". Does anyone have similar problems, solutions??? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
    Thanks a lot!
    Btw, it seems the update somehow messed up Timemachine as well, but that doesn't bother me as much as the internet connection.

    Hi,
    You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
    They should be able to provide you with a file for the CA and instructions.
    cheers

  • 802.1x authentication on Macbooks running Lion..

    Hi Guys,
    I was wondering if anyone has experienced problems with 802.1x authentication on their Cisco Wifi network using Macbook Pro/Airs running Lion.
    We have..
    2x Controllers with WiSMs running 7.0.116.0
    A mixture of 1131 and 1142 APs..  ( APs mainly in HREAP mode with some APs located on the same local network as the Controller in Local Mode )
    Macbook Airs/ Pro running Lion
    The symptoms we are experiencing are very similar to those described in this thread.. https://supportforums.cisco.com/message/3485552
    In summary, we are finding that when our MacBooks are coming out of sleep/standby or roaming between APs, the devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.
    This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac
    From reading various online forums, we have tried the following to resolve this..
    - Disabled WPA across our wifi network as we don't use it anymore.. We now just use WPA2 with AES and Dot1x authentication.
    - Disabled Client Load Balancing on the SSID configuration… this does not seem to have made things any better or worse although we are seeing more Load Profile threshold notification alerts for some of our APs which are used heavily.
    - The 802.1x time out is currently set at 20secs.
    - Some APs which are in Local mode ( due to them being on the same local network as our wifi controllers ) have been changed to HREAP mode and assigned a static IP address.. We found that this was required at our spoke sites where we were originally experiencing issues with our old Windows based devices.. Incidentally, we have not experienced any of these delayed authentication issues with our Windows laptops, all our problems seem to be with our MacBooks running Lion..
    As I mentioned earlier, there seems to be many discussions online regarding problems with the Lion OS and 802.1x authentication..
    Has anyone experienced these problems in the past on their Cisco APs and successfully managed to resolve it.. ?
    Any ideas would be appreciated..
    Many thanks.
    Jon.

    Ran across this old post while researching this same issue. For us, the problem appears to be with the Macs trying to request an IPv6 address if set to Automatically or Link-local only for Configure IPv6 under the TCP/IP tab. When we changed this to Manually and set a manual link local address, the problem went away and we could reconnect after roaming between APs or coming out of sleep/standby.
    Enjoy,
    Wayne 
    UPDATE 1: This 'fix' did not solve the issue. After a day, we're still seeing the problem. 
    UPDATE 2: Found the solution to my problem. It was the cert chain of trust and CRL lookup. The link below describes the problem, but basically the Macs were unable to check the certs, causing a timeout. No network = no CRL lookup = no network......
    http://support.apple.com/kb/TS5258?viewlocale=en_US&locale=en_US

  • 802.1x Authentication in Extreme architecture

    Hi all,
    Objectives :
    Authenticate a supplicant on a Extreme 802.1x port with an ACS SE 4.2
    Supplicant = IP Phone
    Authenticator : Switch Extreme 450 E
    Authentication Server : ACS SE 1113 4.2.0.124.9
    1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly, the supplicant authenticates without any problem.
    2) We have replicated the Windows ACS with the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
    3) We have uploaded UDVs and VSAs on the ACS SE and it still does not work.
    These are the .csv file uploaded :
    accountactionsVsa.csv (used for the vendor)
    accountAttributes.csv (used for the vendor attributes)
    accountProfile.csv (used for the Attributes profile)
    accountvalues.csv (used for the Attributes values). This one is not on the attachment files :
    1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
    2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
    3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
    4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
    5,4,,,355,,,,,15/04/2009 10:00,,,,0
    The message in the ACS Failed Attempts logs is: "Bad Request from NAS".
    We have verified the authenticator address and the secret key, everything is ok.
    With Windows ACS we can see first an "access request" between authenticator and authentication server. Next an "access challenge" from authentication server to authenticator. Next an "access request" between authenticator and authentication server and then an "access Accept" from authentication server to authenticator.
    With ACS SE we can see first an "access request" between authenticator and authentication server. Next an "access Reject" from authentication server to authenticator.
    We have tried to understand the differences between the first "access request" in the ACS Windows architecture and the first "access request" in the ACS SE architecture. The only difference is in the Message-Authenticator(80).
    Have you already had this kind of problem? How can I solve it?
    Thanks for your replies.
    Best regards.

    The supplicant only uses EAP-MD5 since it is an IP phone.
    EAP-MD5 is already checked in Global Authentication Setup.
    Just as a reminder:
    802.1x runs on the Windows version but not on the SE version with the same configuration (we have done the test with a replication from the Windows version to the Appliance SE version). Both ACS versions have the same configuration, but one is running and not the other.
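
The thread above narrows the difference between the two Access-Requests to Message-Authenticator (80). As an added example (not part of the original posts and not Cisco or Extreme code), this Python sketch recomputes that attribute as RFC 3579 defines it, HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed, so a captured Access-Request can be checked against the secret configured on the server. The function names, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 3579)

def attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def iter_attrs(packet):
    """Yield (type, value_offset, value_len) per attribute, validating lengths."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 1] - 2
        pos += packet[pos + 1]

def check_message_authenticator(packet, secret):
    """Return 'valid', 'mismatch', 'malformed' or 'absent' for an Access-Request."""
    (length,) = struct.unpack("!H", packet[2:4])
    for atype, off, vlen in iter_attrs(packet):
        if atype != MESSAGE_AUTHENTICATOR:
            continue
        if vlen != 16:
            return "malformed"
        # HMAC-MD5 over the whole packet with the attribute value zeroed.
        zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        same = hmac.compare_digest(expected, packet[off:off + 16])
        return "valid" if same else "mismatch"
    return "absent"

def build_access_request(secret, user=b"phone01"):
    """Constructed sample: Access-Request carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user
    attrs = attr(1, user) + attr(79, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
    # Message-Authenticator is the last attribute here, so patch the tail.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

if __name__ == "__main__":
    sample = build_access_request(b"constructed-secret")
    print(check_message_authenticator(sample, b"constructed-secret"))
    print(check_message_authenticator(sample, b"constructed-secret "))  # stray space
```

Run against the raw UDP payload of the first Access-Request from each setup, a "mismatch" on one side points at the shared secret as stored there (encoding, trailing whitespace, truncation) rather than at the EAP method.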

  • 802.1x authentication on PSK key mgmt?

    Hello,
    I'm setting up a new 5508 WLC (the first WLC I have ever set up) and I have my WLAN set up with our existing WPA/TKIP SSID for transitioning our clients from our existing autonomous system to the WLC. I have selected PSK as the key mgmt and I can get the clients to connect for a few minutes, but I keep seeing these errors:
    Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?
    Thanks.
    Dan.

    Hey,
    I have the same problem with a Cisco 2100 Series WLC on software version 7.0.98.0.
    I get a lot of error messages in Log Monitor which look like these:
    0
    Thu Dec 9 09:00:28 2010
    Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    1
    Thu Dec 9 08:57:09 2010
    Interference Profile Failed for Base Radio MAC: (..................) and slotNo: 0
    2
    Thu Dec 9 08:53:43 2010
    Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    3
    Thu Dec 9 07:57:15 2010
    Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    4
    Thu Dec 9 07:54:10 2010
    Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    5
    Thu Dec 9 07:50:42 2010
    Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
    I'm not using 802.1X authentication, it's just WPA/TKIP... not even WPA2/AES. Each client gets disconnected a few times per day. Auth fails like you see above, but most of the time the connection just works. Not as well as I'd want it to, but it works, somehow.
    I have also set up two WLANs for other devices like printers etc. - it works just fine. I mean - no errors, no disconnects, it works perfectly, but why the hell is WPA not working?!
    The second, bigger problem is that every computer connected via WiFi is losing one ping packet every minute. I have WLC -> 7 x AP -> end devices.
    Everything up to the APs is connected via Ethernet, then it's a WiFi connection. When I'm pinging the WLC or APs from a LAN-connected PC it works fine, but when I'm pinging WiFi-connected end devices (6 PCs), each one is losing one packet at exactly the same time - every minute.
    When I'm doing the same from the other side - a WiFi-connected PC pinging APs, WLC, LAN PC - I lose one ping packet to each device, including AP, WLC and other end devices.
    It's definitely a fault in the WLC configuration because I lose these packets on APs <-> WiFi devices. Any idea, any clue? I'm not sure which setting is responsible for that.
    Thanks in advance for any hints, suggestions.
    Regards,
    Łukasz

  • 802.1X Authentication failed without 802.1X authentication enabled

    Hi,
    we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
    It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
    When they lost the connection we can see the following error:
    Message:
    Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    Message:
    Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    I also attach an output of the troubleshoot mac address...
    Can someone help me with this?
    Thank you.
    Best regards,

    Hi Kirbus,
    we opened a TAC case and were advised for now to make the following changes:
    1. Please make sure to disable Aironet extensions (if present) on the WLAN advanced configuration
    2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration
    3. On the WLC general configuration, can you please disable aggressive load balancing
    4. On the Security tab on the WLC, please go to Wireless Protection Policies > disable client exclusion policies
    5. On the AP network configuration, please disable short preamble (the original standard was long preambles)
    6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
    7. Apply these modifications on the WLC CLI:
    config advanced eap identity-request-timeout 20
    config advanced eap identity-request-retries 10
    config advanced eap request-timeout 20
    config advanced eap request-retries 10
    Save config, and see if you still face the problem.
    We are still monitoring the solution, but until now we didn't face the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • 802.1X Authentication + PKI encryption

    Hi Guys,
    I want to know if there is a relationship between 802.1x authentication and cisco PKI encryption.
    We are facing some problems with many IP phones that were using 802.1x without problems. Once we installed PKI encryption on the IP phones, many of them began to fail: the IP phone shows "phone not registered" and in the status messages we can see "authentication fail". I have to reset the security settings on the IP phones or disable 802.1x on the switches to get the phones registering again.
    I am using CUCM 8.5 with 6961 phones
    Regards

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.
    At the beginning we were completely unable to log on to machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
    Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
    Hope that someone else has any clue?

  • SCCM 2012 - 802.1x authentication for zero touch installation

    Hi guys,
    I'm setting up a demo environment for SCCM 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need an 802.1x integration into the WinPE image, so that clients can access the install VLAN instead of the guest VLAN during the zero touch Windows 7 OS install process.
    What I did before:
     - mount the SCCM modified WinPE image (boot.XXX99999.wim)
     - integration of the KB972831 hotfix into the WinPE
     - creation of a lan profile and eap profile file
     - copy both files into the mounted image
     - creation of new wim file
    I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
      net start dot3svc
      => The Wired AutoConfig service was started successfully
      netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
      => The profile was added successfully on the interface Local Area connection
      netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
      => Error setting user data for interface Local Area Connection. The operation is not supported.
    Actually I can't post web links here. If the files are needed I can send them per mail.
    What can I do to solve this problem?
    Thanks!
    Regards
    Bastian

    Hi!
    Did you have a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
    I've followed those steps and it worked like a charm, even for WinPE 4.0.
    If you have questions let me know.
    Cheers.

  • 802.1x authentication client sends username as PC-NAME\USERNAME

    Hi Team,
    I've enabled 802.1x authentication on a Windows 7 desktop whose PC name is INDIA-ACP, with the user "radius" as administrator.
    When I connect my LAN cable to my authenticator device, the user "radius" is sending his credentials along with the PC name instead of just the username.
    For example, in the packet capture I've observed that the user credentials in the response identity packet appeared as "INDIA-ACP\radius" instead of just "radius" as the identity user.
    Please help me in resolving this issue.
    Regards,
    Anurag

    Hi Anurag,
    According to your description, the user name changed from radius to INDIA-ACP\radius. Because the packet was sent from the Windows 7 PC to the authenticator device, it seems that the problem is in the Windows 7 PC. Have we used INDIA-ACP\radius as the username and chosen "Remember my credentials" before? When we choose "Remember my credentials", the credentials are saved and managed by Credentials Manager in Windows 7. Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target. Maybe the credentials were saved by the Credentials Manager, and when we connect the authenticator device, the Credentials Manager sends the saved credentials to the authenticator device. To verify whether the credentials were saved in the Credentials Manager, please open Credentials Manager in the Control Panel.
    Best Regards,
    Tina
