802.1x EAP-PEAP over Ethernet need help !!!

I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
troubleshooting this, I am not sure what else to do.  Need help.  Here
is the scenario:
- Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
- Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
with IP address of 129.174.2.7.  This device is connected to the same switch above.
Firewall is OFF on the server, allow ALL,
- Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
the port is activate to be "hot".
- Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
and that everything is looking fine,
I have verified that the switch can communicate fine with the radius server.
- Configuration on the switch for 802.1x:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
interface FastEthernet0/39
  description windows 2003 Supplicant
  switchport access vlan 401
  switchport mode access
  dot1x port-control auto
  no spanning-tree portfast (does not matter if this is enable or disable)
lab-sw-1#
.May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
.May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
lab-sw-1#
lab-sw-1#sh dot1x interface f0/39
Dot1x Info for FastEthernet0/39
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
lab-sw-1#
I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
help me how to make this work.
Many thanks in advance,

#1:  dot1x system-auth-control is already in the switch configuration
#2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

Similar Messages

  • 802.1x EAP-PEAP - Radius Question

    We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
    1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
    802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
    getting a Cisco ACS to run a simple RADIUS server which is all I need.
    Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
    and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

    Hey John,
    Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
    http://www.youtube.com/watch?v=YIxG4OEfwtY
    The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    So yes it sounds right and you should be good.
    Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
    Thanks John!
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
    autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
    Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
    even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
    in the username password Setting.
    Is it possible edit or change the way the client PC is sett up to prevent this?
    Is there any way make a policy setting? or is there other solutions?
    I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
    Microsoft: Smart Card or other certificate, click
    Configure, click
    OK, and then click
    Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
    Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Smart Card or other certificate, click the
    Move Up button to position a smart card or other certificate at the top of the list, click
    OK, and then click
    Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
    version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Secured password (EPA-MSCHAP v2), click the
    Move Up button to position the secured password authentication type at the top of the list, click
    OK, and then click
    Next.
    Regards,
    Sabrina
    TechNet Subscriber Support
    in forum.
    If you have any feedback on our support, please contact
    [email protected]
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    This can be beneficial to other community members reading the thread.

  • Android ASUS tab into 802.1X EAP/PEAP wireless network

    Hi Guys,
                    I have been fighting with this for awhile now, i decided to call the exeprt.  At work with have a 802.1x EAP wirless network. PCs and Blackberies work fine once they grab their cert. However,  things aren't that esay with the Android tablets. I have been testing with  an ASUS, i have both cert(CA, and user) into the /etc/security folder of the tablet. But tablet still unable to authenticate, i don't even receive any logs in the Radius SERVER.
    Any tricks or ideas will be very appreciate.
    Thanks,
    GV

    Jean,
    When you say your using PEAP, that means you only need a certificate on the radius server and not the client device.  What radius server are you using and are you setup for PEAP or EAP-TLS?

  • Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

    Hello,
    We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

    Originally Posted by djaquays
    I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
    I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
    This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
    It's a couple of years since I did this so my memory is a bit vague... :(
    Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
    http://support.arubanetworks.com/TOO...4/Default.aspx
    Thomas

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EPA-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what should I change in my phone's configuration to make it work ?
    Thanks,
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while
    So here is the process to get the certificate.
    Log in to you IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that apply to "Wireless Connection"
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finnish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry" & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificate. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", the "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer) entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finnish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certicate on a Web Server and access it with your phone.
    Hope that Help, if you did not already succeed.
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

  • 802.1x/PEAP over Ethernet

    I am trying to setup 802.1x PEAP in my home lab. I have:
    a windows 2003 enterprise server with SP2 and latest patches running as
    Active Directory, DHCP, DNS, WINS. The AD domain name is LAB.
    The windows 2003 is also running Cisco ACS 4.0.1 with a self-signed
    certififcate. I can log into the box https://PEAP8021x:2002 so the cert
    works. I also configure the ACS so that it can also use AD accounts for
    authentication
    Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin.
    This version supports 802.1x
    A couple of WindowsXP with Service Pack 2 and latest patches that will act as
    clients for the domain LAB.
    Everything is connected to the Catalyst switch 2960 via CAT-5 cables.
    I would like to accomplish something very simple. Before user(s) on
    WinXP can even access the domain LAB, the winXP machine must be
    authenticated with Cisco ACS with username/password on the AD Server
    so that the machine can be placed in the correct VLAN(s). If this is just
    a visitor and their machine is plugged into my network, authentication will
    fail and they will be put in a guest VLAN where the only connection they have
    will be acess to the Internet and that will be it. All the information will be pushed
    out to the catalyst from the Cisco ACS
    Can someone help me out on how to get this done? Thanks.

    Hi,
    You would need to do following :
    - Machine authentication with user authentication( This part is tricky on WinXP, you may get intermittent results)
    Something to help you:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "SupplicantMode"=dword:00000003
    "AuthMode"=dword:00000001
    - Machine Access Restriction (MAR)(its on ACS)
    - guest vlan or auth-fail-vlan
    Wired 802.1x:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Configuring IEEE 802.1x Port-Based Authentication:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/sw8021x.htm
    Regards,
    Prem

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question  are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    This logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • 802.1X EAP-PEAP with Apple devices

    We have deployed a variety of wireless networks using Cisco WLC (2504, 5508 and Virtual WLCs) with (1550e, 1260, 2602 access points) and we have been unable to get apple device to successfully authenticate to corporate SSID's that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS-X Server and other profile configuration utilities with no luck.
    Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points using 802.1x against the same Microsoft Radius server but continue to fail when we attempt the same through any of the WLC options referenced above.
    Can anyone shed some light into this issue? It seems that radius request only show up on the IAS logs when something is entered in the "outer identity field"
    Thanks in advance.
    Ivan Chacon

    Complete these steps to troubleshoot the configurations:
    1.    Use the debug lwapp events enable command in order to check if the AP registers with the WLC.
    2.    Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP- Address, date and time in order to verify if the WLC was able to reach the Radius server.
    Check the Passed Authentications and Failed Attempts reports on the Radius server in order to accomplish this.
    3.    You can also use these debug commands in order to troubleshoot AAA authentication:
    •    debug aaa all enable—Configures the debug of all AAA messages.
    •    debug dot1x packet enable—Enables the debug of all dot1x packets.
    Here is a sample output from the debug 802.1x aaa enable command:
    (Cisco Controller) >debug dot1x aaa enable
    4.    Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and click Radius server from the list of options.
    This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
    This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
    You can use a combination of the show wlan summary command in order to recognize which of your WLANs employ RADIUS server authentication. Then you can view the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with your Raduis attempts or failed attempts logs.
    •    Verify on the controller that RADIUS server is in active state, and not on standby or disabled.
    •    Use the ping command in order to check if the Radius server is reachable from the WLC.
    •    Check if the RADIUS server is selected from the drop down menu of the WLAN (SSID).

  • HT201412 My ipod screen is black with white and gray lines all over; i need help please!My ipod also won't respond to any button pressing and nothing shows/syncs on itunes

    I was using my ipod when the screen froze,then it went black/gray with messedup pixels and lines everywhere.I already tried plugging it in and connecting it to my computer,but nothings shows up in itunes, and my ipod doesn't respond to any buttons.Plus it won't go off.Someone please help; i don't want to have to replace it.

    Try:
    - iOS: Not responding or does not turn on
    - Also try DFU mode after try recovery mode
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings
    - If not successful and you can't fully turn the iOS device fully off, let the battery fully drain. After charging for an least an hour try the above again.
    - Try on another computer
    - If still not successful that usually indicates a hardware problem and an appointment at the Genius Bar of an Apple store is in order.
    Apple Retail Store - Genius Bar       

  • BufferedImage over socket need help

    I have written a program that gets frames from my webcam and can save it to my hdd as jpg files, which works fine. I would now like to send the bufferedimages from my server to connected clients instead of saving them to my hdd. I've searched for help on the forums but can't find anything that works. If you have any ideas or code snipets on how to send the bufferedimages and receive them it would be appreciated. Thanks.

    Just send them as regular files.If you can write your images to a temp file, send them as such:
         in = new BufferedInputStream( new FileInputStream(file));
         out = new BufferedOutputStream( socket.getOutputStream());
    And receive it on the server side as such:
    BufferedInputStream in = new BufferedInputStream( clientSocket.getInputStream() );
         BufferedOutputStream out = new BufferedOutputStream( new FileOutputStream(file) );
    //write it to the client's hdd
    Once you send your file out, just delete your temp file.
    I hope this will help.

  • EAP-PEAP, CCKM & WPA2 AES

    Hi Guys,
    Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
    There appears to multiple conflicting docs about it.
    Cheers,
    Nick

    Hi Nick,
    1. WPA2 (AES) and CCKM do NOT work together properly as most of the experts say like this. (but I have this scenario and still i did not herad any issue from employees)
    2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanism(this is the reason provides by expert).
    3. WPA with cckm works perfectly (as cisco recommanded)
    Regards
    Dont forget to rate helpful posts

  • Big problem with Nokia E60 and EAP-PEAP connection

    At our University we have Wlan now.
    The Lan based on the standart 802.11 b/g with 54 Mbit/s
    The Authentifikation based on the standart 802.1x (Peap) with the connection WPA/TKIP.
    My Firmware:
    V3.0633.09.04
    20-11-06
    RM-49
    Nokia E60
    My Configuration:
    Connection Name: FH-Hof
    Data Bearer:Wireless LAN
    WLAN netw.Name: FHHof
    Network status: Hidden
    WLAN netw.mode: Infrastructure
    WLAN security Mode: WPA/WPA2
    WLAN security settings:
    WPA mode: EAP
    TKIP-Security: allowed
    EAP plugin settings:EAP-PEAP
    User Cert: not defined
    CA Cert: CA-FH-Hof
    username in use: User configured
    username: aschmidt
    real in use: user configured
    realm: FH-Hof
    Allow PEAPv0: yes
    Yes for v1 and v2
    EAP: EAP-mschapv2
    Username: aschmidt
    prompt password: Yes
    password: entered my password
    Extended Settings:
    IPv4-Settings: No Changes
    IPv6-Settings: No Changes
    Proxserver-Address: proxy.fh-hof.de
    Prxy-Port-Number: 3128
    If I started to try the connection I have to enter my Username and my password. After that the handy asked me about my username and password again after a time.
    Now it takes circa one minute and the connection failed.
    The Error-Message ist: No Connection! WPA authentification failed.
    My´account is not blocked.
    Have I to enter any Ciphers?
    Thanks for every help and sorry for my bad English!
    EDIT: Removed non english linkMessage Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:12 AM
    Message Edited by ajak on 27-Apr-2007 10:21 AM

    also try change "WLAN security Mode" from WPA to 802.1x
    I think Nokia referrs to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x as TKIP is the encryption used.
    So infact your wireless domain might be a 802.1x/EAP-PEAP/MS-CHAPv2 network.Message Edited by mbil on 30-Apr-200702:58 PM

  • Need help wrt query

    Hi ,
    I have table A with below data :
    Name Sal
    Ram

    That's because it's over here:
    Need help wrt query

  • Having serious problems withe my ipod touch 1st gen need help!!

    just last week it was working fine then within a span of 2 hrs the wifi just wouldnt connnect any more. no matter what i did in reseting the the ipod or setting it wouldnt work. then it battery life just started to go only watched 20 min of a movie and the batter died. and yesterday i lastened to 8 hrs of music then it died. and now today only was able to listen to 1 hr of music then it died. all were charged over night. need help please!!!

    WiFi problems, especially if you have lost the WiFi symbol from the top left of the screen, can usually be fixed by resetting network settings - Settings > General > Reset > Reset Network Settings.
    For your other problems, I think a complete restore might be in order. I would at least try it and see what happens.

Maybe you are looking for

  • Is there a way to stop the calendar from linking to keywords in text messages in IOS 7?

    With the new upgrade to IOS 7, I've noticed that certain keywords such as "tonight," "tomorrow," or times like "9:15" all underline and form a link to the calendar in text messaging. Is there a way to turn this feature off? It's quite annoying as I d

  • I can't find IX2 in Windows 8.1 Network

    I guys, I've been installed Windows 8.1 my brand new Lenovo IX2 was working so far so good, but, after a few day it was desappear from the network. I do not change any parameter  from IX2 or Windows. it's accesible from the browser going to IX2, also

  • Setting up the class root directory and choosing class files.

    I made a simple test application as it is proposed at the J2EE 1.4 Tutorial and all worked. (Chapter 24 Getting started with Enterprise Beans) Than I deleted the ear file to try out the deploy mechanism again. And after generating the new application

  • FIOS And TIVO Series # and Cable Cards

    I recently lost one tuner on my series 3 TIVO HD.  Asked for re-activation and eventually a new cable card to restore the lost tuner.  After the second visit I had nothing on either tuner.  Techs claim they have never been trained on cable cards, inv

  • My copy of RH7 has gone goofy...

    Hi everyone-- I had been using a trial copy of RH7, and it had been working FINE. I bought a license, then when I entered my new serial number, it started misbehaving. Two things I have found so far are as follows: (1) A newly created project will no