802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
in the username password Setting.
Is it possible edit or change the way the client PC is sett up to prevent this?
Is there any way make a policy setting? or is there other solutions?
I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
Thanks

Hi,
As I know, this goal cannot be achieved.
Reference:
Use the 802.1X Wizard to Configure NPS Network Policies
For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
Microsoft: Smart Card or other certificate, click
Configure, click
OK, and then click
Next.
For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Smart Card or other certificate, click the
Move Up button to position a smart card or other certificate at the top of the list, click
OK, and then click
Next.
For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Secured password (EPA-MSCHAP v2), click the
Move Up button to position the secured password authentication type at the top of the list, click
OK, and then click
Next.
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
[email protected]
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread.

Similar Messages

  • Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

    Hello,
    We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

    Originally Posted by djaquays
    I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
    I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
    This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
    It's a couple of years since I did this so my memory is a bit vague... :(
    Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
    http://support.arubanetworks.com/TOO...4/Default.aspx
    Thomas

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. ”
      in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
    Only certain computers are facing this issue or all?
    What’s OS running on these client computers?
    According the situation right now , I’d like to share some suggections with you:
    1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
    the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
    click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
    of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
    event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
    dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
    settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
    an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
    if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
    If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
    authentication.
    5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
    authentication process the failure occurs.
    Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact
    [email protected]
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available.
       Do you think the firewall is blocking the communication? 
    I added an exception to port 1812 UDP and this did not make a difference.

  • 802.1x EAP-PEAP over Ethernet need help !!!

    I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
    troubleshooting this, I am not sure what else to do.  Need help.  Here
    is the scenario:
    - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
    - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
    with IP address of 129.174.2.7.  This device is connected to the same switch above.
    Firewall is OFF on the server, allow ALL,
    - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
    Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
    on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
    as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
    the port is activate to be "hot".
    - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
    and that everything is looking fine,
    I have verified that the switch can communicate fine with the radius server.
    - Configuration on the switch for 802.1x:
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
    interface FastEthernet0/39
      description windows 2003 Supplicant
      switchport access vlan 401
      switchport mode access
      dot1x port-control auto
      no spanning-tree portfast (does not matter if this is enable or disable)
    lab-sw-1#
    .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    .May 20 07:52:47.338: EAPOL pak dump Tx
    .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    lab-sw-1#
    lab-sw-1#sh dot1x interface f0/39
    Dot1x Info for FastEthernet0/39
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = PROTECT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    lab-sw-1#
    I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
    help me how to make this work.
    Many thanks in advance,

    #1:  dot1x system-auth-control is already in the switch configuration
    #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
    The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

  • 802.1x EAP-PEAP - Radius Question

    We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
    1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
    802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
    getting a Cisco ACS to run a simple RADIUS server which is all I need.
    Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
    and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

    Hey John,
    Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
    http://www.youtube.com/watch?v=YIxG4OEfwtY
    The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    So yes it sounds right and you should be good.
    Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
    Thanks John!
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • E6 EAP-PEAP MSCHAPv2 authority certificate

    I am unable to connect to our company WLAN. I tried various username/domain/realm combinations for the EAP-PEAP MSCHAPv2 settings but it keeps giving message authentication failed. Our ocmpany does not have authority certificate and hence I select "not defined". I was told by our network admin that Nokia phones have this problem that they cannot connect without authority certificate.
    Is there any work around? I tried excporting an interim certificate of our company from my laptop but to no avail. Pls help.

    If there is actual workaround to get EAP-PEAP MSCHAPv2 to use with WLAN to use Eduroam, that would help me and many other people.
    Maybe Nokia has not build it to Nokia E6 phones.
    But if there would be an update for Belle OS to use this security authentication with WLAN that would help as well.
    greetings
    IT Support, helpdesk (not for Nokia).

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EPA-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what should I change in my phone's configuration to make it work ?
    Thanks,
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while
    So here is the process to get the certificate.
    Log in to you IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that apply to "Wireless Connection"
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finnish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry" & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificate. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", the "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer) entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finnish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certicate on a Web Server and access it with your phone.
    Hope that Help, if you did not already succeed.
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question  are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    This logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • Android ASUS tab into 802.1X EAP/PEAP wireless network

    Hi Guys,
                    I have been fighting with this for awhile now, i decided to call the exeprt.  At work with have a 802.1x EAP wirless network. PCs and Blackberies work fine once they grab their cert. However,  things aren't that esay with the Android tablets. I have been testing with  an ASUS, i have both cert(CA, and user) into the /etc/security folder of the tablet. But tablet still unable to authenticate, i don't even receive any logs in the Radius SERVER.
    Any tricks or ideas will be very appreciate.
    Thanks,
    GV

    Jean,
    When you say your using PEAP, that means you only need a certificate on the radius server and not the client device.  What radius server are you using and are you setup for PEAP or EAP-TLS?

  • Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

    Hi there,
    I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer whishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
    I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
    1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
    2. Configure a Service Principal Name (SPN) for the new computer object.
    3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
    4. Export the certificate created for the non-domain joined machine and install it.
    5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
    The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
    Regards,
    Jeffrey

    Use VPP.  Select an MDM.  Read the google doc below.
    IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
    View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
    http://www.apple.com/education/resources/information-technology.html
       business site is:
       http://www.apple.com/lae/ipad/business/resources/
    Excellent guide. See announcment post -- https://discussions.apple.com/thread/4256735?tstart=0
    https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/ edit?pli=1
    good tips for initial deployment:
    https://discussions.apple.com/message/18942350#18942350
    https://discussions.apple.com/thread/3804209?tstart=0

  • How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

    I am trying to connect to the company network, but it always shows "PEAP authentication failed".
    There are only instructions for iPhone and PC.
    security : WPA2-Enterprise
    authority certificate : None
    Security Type : PEAP
    Inner Link Security : EAP-MSCHAPv2
    additionally MAC address filtering.
    The access point I set is as follows:
    network status: public
    wLAN network mode: infrastructure
    security: WPA/WPA2
    WPA2 only mode: off
    EAP plug-in setting: EAP-PEAP enable only
    personal certificate: not defined
    authority certificate: not defined
    user name: user-defined   BLANK
    realm in use: user-defined   BLANK
    allow PEAPv0
    MSCHAPv2
    user name: username
    password: mypassword
    We have domain, but there are no command about domain in iPhone guide. 
    Is there anything wrong of my setting?

    WPA2-Enterprise is not supported on your device.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • Nokia N95 8G can't connect to EAP-PEAP MSCHAPv2 Ne...

    HELP HELP HELP!! I have a problem getting my Nokia N95 8G connect to my LSU wireless network,,, Here my network sittings, I tried many possible configurations but, unfortunately, I didn't make it!!!
    ESSID (Network Name): lsusecure
    Network Type: Infrastructure (or Access Point)
    TCP/IP: DHCP
    EAP Type: PEAP
    Network Authentication: WPA (WPA-enterprise)
    Data Encryption: TKIP
    Authentication Method/Protocol: MSCHAP-V2
    Inner EAP Type: EAP-MSCHAPv2
    servers name: acs-wlan.net.lsu.edu;acs-wlan.lsu.edu
    Certification Authorities: GTE CyberTrust Global Root
    username: whatever
    password: urwhatever
    for more settings if needed check this link:
    http://grok.lsu.edu/Article.aspx?articleId=1465
    another think might help, is the certificate for some linux machines, the file is attached(the file name is acs-wlan-cert-chain without extension)...
    I hope some of you can make this, I am really need it. Thanks to everybody will help
    Attachments:
    acs-wlan-cert-chain.txt ‏2 KB

    We have a similar setup at my university in the UK, and by extension many of the sites in the EDUROAM network. The local staff have been working hard at this for a couple of years, but as far as we can tell, Nokia's implimentation just will not work in this scenario under any circumstances. You're going to have to wait until Nokia properly supports this kind of authentication. Our own techs are going to start annoying Nokia about it as soon as they finish this year's wave of wi-fi installations.
    Help I'm trapped in a sig factory.

  • 802.1X EAP-PEAP with Apple devices

    We have deployed a variety of wireless networks using Cisco WLC (2504, 5508 and Virtual WLCs) with (1550e, 1260, 2602 access points) and we have been unable to get apple device to successfully authenticate to corporate SSID's that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS-X Server and other profile configuration utilities with no luck.
    Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points using 802.1x against the same Microsoft Radius server but continue to fail when we attempt the same through any of the WLC options referenced above.
    Can anyone shed some light into this issue? It seems that radius request only show up on the IAS logs when something is entered in the "outer identity field"
    Thanks in advance.
    Ivan Chacon

    Complete these steps to troubleshoot the configurations:
    1.    Use the debug lwapp events enable command in order to check if the AP registers with the WLC.
    2.    Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP- Address, date and time in order to verify if the WLC was able to reach the Radius server.
    Check the Passed Authentications and Failed Attempts reports on the Radius server in order to accomplish this.
    3.    You can also use these debug commands in order to troubleshoot AAA authentication:
    •    debug aaa all enable—Configures the debug of all AAA messages.
    •    debug dot1x packet enable—Enables the debug of all dot1x packets.
    Here is a sample output from the debug 802.1x aaa enable command:
    (Cisco Controller) >debug dot1x aaa enable
    4.    Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and click Radius server from the list of options.
    This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
    This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
    You can use a combination of the show wlan summary command in order to recognize which of your WLANs employ RADIUS server authentication. Then you can view the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with your Raduis attempts or failed attempts logs.
    •    Verify on the controller that RADIUS server is in active state, and not on standby or disabled.
    •    Use the ping command in order to check if the Radius server is reachable from the WLC.
    •    Check if the RADIUS server is selected from the drop down menu of the WLAN (SSID).

  • ACS 5.1 - EAP-PEAP - Imported public cert - Clients still get cert error

    We have ACS 5.1 up and running. Our company has a SuperCert purchsed with Thwarte so we requested a Certificate. Once we figured out the formatting we were able to successuflly get the certificate to bind to the CSR. For some reason our windows 7 users will be prompted the first time they connect with an option to terminate or continue. If they continue they are able to connect to the WLAN just fine. Our MAC users are always prompted with the cert error, even if they install the ceritificate. Unlike ACS 4.x and earlier I do not see where I can import the Root CA so we are thinking about purchasing another certificate from another public CA but who? Any thoughts are idea's would be greatly appreciated.

    Hi,
    Adverstisement apart, Verisign is widely used and trusted.
    However, even using your current CA, you should be able to install the Root CA and the ACS cert on the client machines under the trusted CAs and then the warning should not popup anymore.
    HTH,
    Tiago
    If this helps you and/or  answers your question please mark the question as "answered" and/or rate  it, so other users can easily find it.

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

Maybe you are looking for

  • How do I find and free the hidden files on external drive?

    I cannot see , or free, space on my external drive. It is a Seagate Freeagent 500 GB disk. I am using 100GB for photos and music. Only 38 MB are reported free. How can I reclaim the rest of the space? I had used in the past as Time machine backup. To

  • Itunes cannot open, missing msvcr80.dll, Help??

    went to go download the new itunes today and even during the download it gives me a hard time in regards to "Apple Mobile Device" but even if it goes through it givves me a error saying missing MSVCR80.DLL CDoes anyone know a solution or has apple re

  • Trade ipod touch to apple

    i want to trade in my ipod touch 4th generation. is there a way to do that

  • Custom table for DRAW

    Hi,     I need to create a custom table for document. For each document, there may be some people comment it, so one DRAW record may have several comment record in ZXXX table.     I try to use user exit CV110001 to implement this, but when I try to s

  • Access DataField in Itemrenderer when submitting to Database

    Hello, I'm really stuck on this one. I have setup an Itemrenderer in a Datagrid which manages a DateField. Users can enter a date and other values directly in the datagrid. When they click 'submit', I want to populate a row in a database and I have s