802.1X Authentication with InTouch

Dear Community,
does anybody know if/when it's possible to use 802.1X authentication with the TelePresence InTouch 10?
It perfectly works on the C/SX codecs and as long as the Panels are connected directly to the Codec, there is no issue. But on some codecs, direct pairing is not possible and therefore I would need 802.1X authentication from the panels itself.
Thanks in advance!
Best regards
Alex

Hello!
We've just launched an Ask the Expert event on 802.1x
https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
Perhaps post your question with Javier as well!
Thank you!

Similar Messages

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with MAC OSx on ACS Plateform 4.1?
    If yes, what pre-required on ACS and MAC OSx? Methods of authentification which are recommended ?
    I'm sorry, but i don't find documents which show validated test on 802.1x implementation method on ACS 4.1 with MAC OSx supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, Refer to the below DOC
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as you do it for windows based clients

  • 802.1x Authentication with Windows and MAC

    Hello Team;
                  I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
    Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

    Hello Sreejith,
    As per your query i can suggest you the following steps-
    No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
    1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
    2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
    3.Click the Security tab, and then, in the Security Type list, click 802.1X.
    4.In the Encryption Type list, click the encryption type you want to use.
    On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
    5.In the Choose a network authentication method list, click the method you want to use.
    To configure additional settings, click Settings.
    Hope this will help you.

  • Cisco IP Phone 802.1x authentication with NPS

    Hi All,
    I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
    deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

    Hi,
    Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
    configuring 802.1x authentication for Cisco IP phones.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Radius 802.1x authentication with computer AND users.

    Hi !
    I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
    I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
    Therefore I created a new policy with the following conditons :
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
    Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls bacj to the default one.
    If I remove the user rule, and let the computer rule : Connection OK
    If I remove the computer rule, and let the user rule : Connection OK
    but if I put both, i can't connect :s
    Can someone help me with this issue ?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if
    EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use NPS wizard to configure 802.1x wireless connection,
    and
    you will find that it
    creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
    you
    need filter by user and computer account, the log should show both authenticate user and machine account name.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan

  • Srw2048 802.1x, authentication with certificates

    Hi,
    Is it possible to use 802.1 x port authentication on SRW2048 based on EAP and certificates?
    Br,
    Lukasz

    Hello!
    We've just launched an Ask the Expert event on 802.1x
    https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
    Perhaps post your question with Javier as well!
    Thank you!

  • 802.1x authentication with mac address

    Hi guys,
    there is a strange requirement from one of our customer,
    they want us to do 802.1x with mac address authentication and they dont want the pop-ups which ask
    for username, password and domain.
    is it possible??
    can i avoid popping up the username password with 802.1x and that too with mac address???
    Any help would be greatly appreciated
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in case of wired 802.1x. This feature is called as the MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However nowerdays it is used even if the machine is 802.1x capable.In this we enter the MAC address of the machine in the user database e.g. Active Directory. When you connect the client machine to the Switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
    A windows server admin can easily push a group policy which disables the 802.1x on the client machine and it would only respond to the MAC-Auth Bypass.But first you would have to make sure your switch has the Mac-Auth Bypass in the IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush

  • IEEE 802.1x Authentication with RADIUS failed

    Hello guys,
    I've a little strange Situation.
    If user start his Computer (Windows 7 enterprise) and computer is connected via LAN it works fine.
    If user start his Computer (Windows 7 enterprise) and computer is connected via WLAN it works also fine.
    But if user start his Computer (Windows 7 enterprise) that is connected via LAN it is not more possible to connect to WLAN (parallel). I've implemented an IEEE 802.1 RADIUS authenticiation.
    It does not work with this special user account. I've tested it already successful with couple other accounts.
    Does someone has experience with such Situation?
    Regards
    Rodik

    It does not work with this special user account. I've tested it already successful with couple other accounts.
    Hi,
    Did you mean that this problem just occures to the single User Account but others works fine at same computer, isn't it?
    When it connect Wlan failed, is there any error message? Have you tried to reinstall the WLan device driver for test?
    it would be better to provide more details about the Wlan connect failed.
    Roger Lu
    TechNet Community Support

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
    when i try to authenticate the same machine with 802.1x and certificates , on Wirelss, the ACS rejects it  with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    the ACS is the same, the certificate the same, and the root ca is the same.
    what's hapenning????
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • 802.1x Authentication on Wired and Wireless LAN

    I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
    But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
    Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
    At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
    Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
    Hope that someone else has any clue?

  • 802.1x authetication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
    When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appriciated.

    Hi Wouter,
    Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 

  • 802.1x Wireless Authentication with 10.8.4 Build 12E3067

    Hello All,
    Work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN.  We use a login window profile that authenticates with our Active Directory.
    Previous and working set up was MBA (Mid 2012) 5,1. Running OS 10.8.4 build 12E55.  This OS was downloaded from Mac App Store. Bound to domain and using authorization certificates for our active directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server.  No issue.  Units authenticate with server at user login, join Wi-Fi and mounts home folder. 
    New and not working set up is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067.  This unit will not run build 12E55, boots to prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up the Wi-Fi signal appears to be attached to the network, unlike previous setup when unit will Wi-Fi indicator will appear disconnected until user logs in.  90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account.  Will not attached to Wi-Fi. There are instances when it does authenticate properly.  However logging out and then back in will cause the failure.
    Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed in on MBA 5,1. Same Failure happens.  This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
    Troubleshooting:
    -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
    -Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
    -Restarted domain controllers. Issue continues.
    Any thoughts or questions would be appreciated.

    did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
    we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
    any input would be much appreciated.

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    qh
    thanks in advance!

    Can anyone help me?

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
    I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
    but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that radius is not sending anything about vlan...
    Has anyone alredy tried this set up?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
    You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,

  • Trouble with 802.1x authentication

    Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
    I get the following error:
    "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
    (Error: 1 on port en0)"
    My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
    What could be the problem?
    cheers!

    hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

Maybe you are looking for