802.1x EAP type not configured

Hi, a simple 802.1x test with XP client sp2, 3560 with IOS 12.2(35)SE5 and ACS 4.1(1) build 23.
EAP MD5 selected on the client and enabled on the ACS but I receive in ACS an authentication failure message, with Authen-Failure-Code "EAP type not configured".
Any idea ?
thank you in advance
greatings

You have to install a self-generated certificate on the ACS, and enabled PEAP with "Allow EAP-MSCHAPv2". then changed the setting on our PC, and manage to make it work.
Could you do the following,
1.) Enable full detail logging on the ACS: System Configuration -> Service
Control -> Logging detail level = "FULL". Then restart the ACS services.
2.) Enable "debug radius" together with the debugs that you already have
on the switch
3.) If there is a sniffer (Norton SnifferPro, or the freeware Wireshark or
Ethereal) on the client laptop, please start it and enable sniffing on the
client interface.
4.) Make another authentication attempt.
5.) Generate a "package.cab" on the ACS, by running Bin\CSSupport.exe
underneath the ACS installation directory
6.) Please send me the following information,
a) The package.cab file,
b) the debug output from the switch,
c) the sniffer trace (if available).

Similar Messages

  • EAP type not configured

    hi
    i have an ACS 1113 ....
    i have installed and configured the certificate... and trusted the CA certificate... also i configured the global authentication (enable the PEAP ,EAP-TLS)
    no when i try to authenticate (by the wireless) i get failed to authenticate
    when checking the ACS failed attempts i find the failure code
    - EAP type not configured-
    i don?t know why its happing....
    but every thing is configured...

    Please make sure on ACS > Network Access Profiles >
    Make sure we have "Grant access using global configuration,when no profile matches" option
    selected.
    Also make sure on ACS > ACS Certificate Setup > Install ACS Certificate >
    Make sure a certificate is installed, if it is installed then click cancel.
    Also go to ACS > System Configuration > Global Authentication Setup > Make sure under "PEAP" we have checked "Allow EAP-MSCHAPv2" and/or "Allow EAP-GTC" as applicable.
    Regards,
    ~JG

  • IPAD 802.1x EAP-GTC not working

    I am trying to connect to wifi enterprise 802.1x   rsa 802.11agn (WPA2,AESCCMP,PEAPv1(EAP-GTC)). 
    Our setup
    Trapeze_AP-M522 -> Trapeze_MX200R (7.3.4.4.0) -> Cisco ACS (5.1) -> RSA
    It's working with windows pc and android (phone, tablet)  . When we use EAP-MSCHAPv2 it's working BUT I need 2 factors. 
    We traced the handshake in the cisco ACS, the ipad first try MSCHAPv2 then send another packet not recongnise as a GTC and then failed.
    Any help and / or a sample ICU .mobileconfig would be very apreciated.
    In ICU we select WPA/Enterprise ,  protocol PEAP,  Authentication  Ask for a password with each connection.
    Thanks

    Im having the same issue. Have you been able to resolve it?

  • The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server

    wireless authentication not working 
    I found the following in the radius
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/15/2014 2:07:57 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:     NAP01.test.local
    Description:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   doamin \user.a
     Account Name:   user.a
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  00-0F-7D-C4-45-20:staff
     Calling Station Identifier:  0C-74-C2-EF-Dd-0B
    NAS:
     NAS IPv4 Address:  192.168.9.10
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Wireless - IEEE 802.11
     NAS Port:   497
    RADIUS Client:
     Client Friendly Name:  wcont1
     Client IP Address:   192.168.9.10
    Authentication Details:
     Connection Request Policy Name: Wireless
     Network Policy Name:  wism
     Authentication Provider:  Windows
     Authentication Server:  NAP01.test.local
     Authentication Type:  EAP
     EAP Type:   -
     Account Session Identifier:  -
     Logging Results:   Accounting information was written to the local log file.
     Reason Code:   22
     Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    Please help

    Hi,
    Anything updates?
    In addition, this issue may also because your client didn't have CA certificate of your domain. Please make sure that your client has CA certificate.
    Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be due to that the default maximum transmission unit that NPS uses for EAP payloads is 1500
    bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
    Configure the EAP Payload Size
    Best regards,
    Susie

  • 802.1x PEAPV1 (EAP-GTC) not working on Ipad/Iphone

    I am currently working on deploying 802.1x at a remote location for a University. We use Cisco WCS to query a LDAP server. Apparently the Iphones and Ipads are unable to connect using 802.1x PEAP. We have both PEAPv0(EAP-MSCHAPv2) and PEAPv1(EAP-GTC) turned on but our LDAP server only supports EAP-GTC. Does anyone know which PEAP version the Ipad/Iphone supports??  I have included output from the Iphone Configuration Utility while I tried to connect.
    Fri Sep  2 10:54:50 ********** eapolclient[150] <Notice>: peap_verify_server: server certificate not trusted, status 3 0
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 3
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 1
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: EAPOL failure
    THANK YOU!!!

    I am having the same issue..
    Whenever i am trying to connect my iphone to a WPA2-Enterprise network, it by defaults connects through the MSCHAPv2 Auth protocol, whereas my LDAP supports only GTC auth protocol.
    But there is no option to change the encryption type when configuring a WiFi.
    Requesting to please update as to how connect to the WiFi.
    Thanks in Advance.

  • Which EAP Type to choose for 802.1x Wireless Policy?

    Hi everyone,
    i have a question about recommendation for EAP Type in a wireless policy:
    Which configuration is more secure/recommendet?
    a)
    Authentication Type: PEAP
    EAP Type: EAP-MSCHAP v2
    b)
    Authentication Type: EAP
    EAP Type: Certificate
    We have a working configuration with a) and could Change to b).
    Thanks,
    Andy

    Hi,
    Project a uses PEAP cooperate with EAP(EAP-MSCHAP v2) is more security/recommended.
    PEAP is a new member of the family of EAP protocols. To enhance both the EAP protocols and network security, PEAP provides:
    1. Protection for the EAP method negotiation that occurs between client and server through a TLS channel. This helps prevent an attacker from injecting packets between the client and the network access server (NAS) to cause the negotiation of a less secure
    EAP method. The encrypted TLS channel also helps prevent denial of service attacks against the IAS server.
    2. Support for the fragmentation and reassembly of messages, allowing the use of EAP types that do not provide this.
    3. Wireless clients with the ability to authenticate the IAS or RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
    4. Protection against the deployment of an unauthorized wireless access point (WAP) when the EAP client authenticates the certificate provided by the IAS server. In addition, the TLS master secret created by the PEAP authenticator and client is not shared
    with the access point. Because of this, the access point cannot decrypt the messages protected by PEAP.
    5. PEAP fast reconnect, which reduces the delay in time between an authentication request by a client and the response by the IAS or RADIUS server, and allows wireless clients to move between access points without repeated requests for authentication.
    This reduces resource requirements for both client and server.
    You can choose between two EAP types for use with PEAP: EAP-MS-CHAPv2 or EAP-TLS. EAP-MS-CHAPv2 uses credentials (user name and password) for user authentication. EAP-TLS uses either certificates installed in the client computer certificate store or a smart
    card for user and client computer authentication. Comparatively, the second one is more security because public Key certificates provide a much stronger authentication method than those that use password-based credentials.
    Best Regards,           
    Eve Wang 

  • IDoc output type not getting configured in IDoc-File scenario

    Hello
    I am having IDoc to file scenario where I want to post Delivery Document to legacy system. For this I have configured following EDI configuration for Delivery through NACE transaction
    1] Created output type
    2] Created partner function as EDI LS for this output type
    3] Configured RSNASTED as Processing Routines for output type
    4] Included this output type in the Header output procedure
    5] Configured XI system as the partner in partner profile with appropriate Message control
    Still when I attempt to include this output type in the Delivery it gives me "Output for partner could not be configured". The detail message says "In Customizing, the 'CannotBeChanged' indicator has been set for output type".
    I checked in SPRO but could not find such flag.
    Does anyone had came across such output type configuration.
    Thanks in advance.
    I know this question might be not appropriate in XI forum as it comes under EDI but it has become necessary for XI profs -:)
    Regards
    Rajeev

    Hi,
    Please check the following
    1. Condition Table
    SPRO > Material Management> Purchasing -> Message -> Output Control->Condition Tables->Define Condition Table for Purchase Order
    Select:
    Purchasing Doc. Type,
    Purch. Organization,
    Vendor
    2. Access Sequences
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Access Sequences->Define Condition Table for Purchase Order
    3. Message Type
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Types->Define Message Type for Purchase Order
    Copy NEU to ZNEU or YNEU
    4. Message Determination Schemas
    4.1. Message Determination Schemas
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Maintain Message Determination Schema
    4.2. Assign Schema to Purchase Order
    SPRO -> Material Management-> Purchasing -> Message -> Output Control->Message Schema->Define Message Schema for Purchase Order-> Assign Schema to Purchase Order
    5. Partner Roles per Message Type
    SPRO -> Material Management-> Purchasing -> Message -> Output Control-> Partner Roles per Message Type ->Define Partner Role for Purchase Order
    6. Condition Record
    Navigation Path: SAP Menu-> Logistics -> Material Management -> Purchasing-> Master data->Messages-> Purchase Order-> MN04-> Create
    Now you create PO (ME21N) and save it. Go to ME22N and print the PO by giving output type ZNEU or YNEU.
    G.Ganesh Kumar

  • The interface type is valid, but the specified interface number is not configured

    Hi
    I'm all new to using LabVIEW, which I have to use for a project. I'm trying to make a setup with a Keithley 2000 multimeter and an Agilent U2722A SMU. But I can't figure out how to get these instruments to communicate with LabVIEW. I can see and send commands to the Keithley 2000, but not the Agilent U2722A, with Agilent Connection Expert. But when I use LabVIEW I can't see any of them, and if I use the drivers I've found with "NI Instrument Driver Finder - Configure Search" I pops up with an error message saying
    "Error -1073807195 occurred at VISA Open in Keithley 2000.lvlib:Initialize.vi->Keithley 2000 Read Multiple.vi?            
    Possible reason(s):
    VISA:  (Hex 0xBFFF00A5) The interface type is valid, but the specified interface number is not configured.?"
    I've read all the threads I could find about this problem, but none of them helped. I've checked that the NiVi488.dll is checked in MAX under the VISA options. When I open the VISA Interactive Control I see an ASRL1>>ASRL1::INSTR and ASRL10>>ASRL10::INSTR. I don't know why it says ASRL, when I'm using an USB/GPIB interface, but the Keithley 2000 have 10 as the address. (the Agilent U2722A is connected directly by USB)
    Assume I know nothing.
    Thanks

    I'm using the GPIB-USB-HS. I also used this on the development PC when I exported the hardware configuration.
    This shows up in my MAX config and when I scan instruments, all of them show up. I can query them in MAX no problem.
    My installer includes all the .exe's from my project. As I said, I've done this with my previous 2009 installer without any issue. I upgraded my installer since I upgraded my project for version 2013. The error only happens when I run my code.
     

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question  are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    This logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • 802.1x EAP-PEAP over Ethernet need help !!!

    I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
    troubleshooting this, I am not sure what else to do.  Need help.  Here
    is the scenario:
    - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
    - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
    with IP address of 129.174.2.7.  This device is connected to the same switch above.
    Firewall is OFF on the server, allow ALL,
    - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
    Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
    on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
    as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
    the port is activate to be "hot".
    - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
    and that everything is looking fine,
    I have verified that the switch can communicate fine with the radius server.
    - Configuration on the switch for 802.1x:
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
    interface FastEthernet0/39
      description windows 2003 Supplicant
      switchport access vlan 401
      switchport mode access
      dot1x port-control auto
      no spanning-tree portfast (does not matter if this is enable or disable)
    lab-sw-1#
    .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    .May 20 07:52:47.338: EAPOL pak dump Tx
    .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    lab-sw-1#
    lab-sw-1#sh dot1x interface f0/39
    Dot1x Info for FastEthernet0/39
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = PROTECT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    lab-sw-1#
    I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
    help me how to make this work.
    Many thanks in advance,

    #1:  dot1x system-auth-control is already in the switch configuration
    #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
    The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
    autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
    Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
    even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
    in the username password Setting.
    Is it possible edit or change the way the client PC is sett up to prevent this?
    Is there any way make a policy setting? or is there other solutions?
    I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
    Microsoft: Smart Card or other certificate, click
    Configure, click
    OK, and then click
    Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
    Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Smart Card or other certificate, click the
    Move Up button to position a smart card or other certificate at the top of the list, click
    OK, and then click
    Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
    version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Secured password (EPA-MSCHAP v2), click the
    Move Up button to position the secured password authentication type at the top of the list, click
    OK, and then click
    Next.
    Regards,
    Sabrina
    TechNet Subscriber Support
    in forum.
    If you have any feedback on our support, please contact
    [email protected]
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    This can be beneficial to other community members reading the thread.

  • Cisco 1130 ag - The system is not configured to boot automatically

    I have a problem on a 1131ag Access point on recycle it stops and makes me maunually type BOOT at the ap: prompt
    ----------VVVVVVVVVVVVV----------------
    ap: Xmodem file system is available.
    flashfs[0]: 282 files, 13 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 9497088
    flashfs[0]: Bytes available: 6501888
    flashfs[0]: flashfs fsck took 33 seconds.
    Base ethernet MAC Address: 00:12:d9:2b:39:0c
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    The system is not configured to boot automatically. The
    following command will finish loading the operating system
    software:
    boot
    C1130 Boot Loader (C1130-BOOT-M) Version 12.3(2)JA, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Mon 08-Nov-04 12:40 by ccai
    [I have to type "boot" here to load system]
    ap: boot
    Loading "flash:/c1130-k9w7-mx.123-7.JA4/c1130-k9w7-mx.123-7.JA4"...#############
    File "flash:/c1130-k9w7-mx.123-7.JA4/c1130-k9w7-mx.123-7.JA4" uncompressed and 0
    executing...
    Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
    cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706
    Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.3(7)JA4, RELEASE )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Tue 05-Sep-06 14:14 by alnguyen
    Image text-base: 0x00003000, data-base: 0x00683F60
    Initializing flashfs...
    flashfs[1]: 282 files, 13 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 15998976
    flashfs[1]: Bytes used: 9497088
    flashfs[1]: Bytes available: 6501888
    flashfs[1]: flashfs fsck took 4 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    [Legal notes removed]
    cisco AIR-AP1131AG-A-K9 (PowerPCElvis) processor (revision B0) with 24566K/8.
    Processor board ID FOC08514JMF
    PowerPCElvis CPU at 262Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:12:D9:2B:39:0C
    Part Number : 73-8962-06
    PCA Assembly Number : 800-24818-06
    PCA Revision Number : B0
    PCB Serial Number : FOC08514JMF
    Top Assembly Part Number : 800-25544-01
    Top Assembly Serial Number : FTX0909T049
    Top Revision Number : A0
    Product/Model Number : AIR-AP1131AG-A-K9
    -----------^^^^^^^^^^^^------------------
    I have already performed the ap: set BOOT etc commands a dozen times with the same results.
    It says: The system is not configured to boot automatically.
    I've been trying to get this one going for 4 months now..it was knocked out during a power outage while upgrading it.

    I didn't know how to get to global configuration mode - I did manage to get there with a bit of guess work.
    You use AP: Boot
    Let it go through the boot process then at the AP> prompt, [enable] priviledged command set, type in password.
    At AP# prompt type [config] then press enter for [terminal] at AP#[config] type NO BOOT MANUAL press [Enter] key and reboot AP.
    Question...Do I have to use a WRITE command to write the configuration to CMOS?
    I did just play it safe.

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. ”
      in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
    Only certain computers are facing this issue or all?
    What’s OS running on these client computers?
    According the situation right now , I’d like to share some suggections with you:
    1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
    the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
    click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
    of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
    event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
    dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
    settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
    an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
    if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
    If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
    authentication.
    5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
    authentication process the failure occurs.
    Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact
    [email protected]
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available.
       Do you think the firewall is blocking the communication? 
    I added an exception to port 1812 UDP and this did not make a difference.

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
    We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
    Kindly suggest on how to get certificates for clients both manually as well as automatically?
    Thanks,
    Vijay

    Hi Vijay,
       for the Wired 802.1x (EAP-TLS) you need to have following certificates:
    On ACS--- Root CA, Intermediate CA, Server Certificate
    On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
     I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself. 
    In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
    This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
    Cheers
    Minakshi(rate the helpful post)

  • 802.1x EAP-PEAP - Radius Question

    We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
    1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
    802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
    getting a Cisco ACS to run a simple RADIUS server which is all I need.
    Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
    and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

    Hey John,
    Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
    http://www.youtube.com/watch?v=YIxG4OEfwtY
    The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    So yes it sounds right and you should be good.
    Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
    Thanks John!
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Maybe you are looking for

  • BAPI_SALESORDER_SIMULATE-  FREE GOODS - ORDER_CONDITION_EX

    Hi Gurus, I am using standard Function module : BAPI_SALESORDER_SIMULATE to simulate pricing conditions. I am trying to figure out the reason for the function module:  BAPI_SALESORDER_SIMULATE  not giving values in CONDITIONS EX when I use it to <b>s

  • MSxpsPCL6 filter failing on Win 8 with Binding and Punching

    Hello, We are currently developing a print driver for Windows 8+ based on v4 model. The development and basic testing process takes place on Win 8.1 Pro machine where everything works just fine. During testing on Windows 8 Enterprise, a serious probl

  • Photoshop Elements 13 bundled with Premier Elements 13 for $70

    Black Friday at B&H.  It doesn't get this cheap.  Free shipping and B&H does not charge sales tax in most places.  http://www.bhphotovideo.com/c/product/1077543-REG/adobe_65234906_photoshop_elements_13.htm l

  • Drum loops on Logic Pro 9.?

    I have just installed Logic Pro 9 and I am trying to follow the first tutorial  which is an exercise with Apple Loops.  I had a message to say that  there weren't any Apple Loops on my system "Please reinstall Apple Loop Package."  .  I installed iLi

  • USB port troubleshooting?

    There was a graphic at beginning. How can I put a stop for appearing? The breakdown of USB port and iSight.