AP1600 WPA-TKIP Clients Disconnect "Received TKIP Michael MIC failure"
Hello
Before I used AP 1240 on lot of site with WPA-TKIP without issue .
Today I try the AP1600 with WPA-TKIP but my clients are disconnected after 1 minute with the below messages
*Mar 1 04:19:46.125: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station c0d9.6241.09f9 on the packet (TSC=0x0) encrypted and protected by group key."
So At the same place and with the same Client, the same SSID with AP1240 my clients works fine with AP1600 my clients are disconnected so it's not an environmmental problem
My AP1600 is in the last IOS version and I tried the command " countermeasure tkip hold-time 0" without succes
So for me There is a Bug with AP1600 in WPA-TKIP authentification.
Have You got an idea about this problem
Do you think there is a bug or not ?
Thanks
Hello, I has been a while since you posted this issue, but I got it too, so maybe this will help somebody else.
I was getting this logs:
%DOT11-6-ASSOC: Interface Dot11Radio0, Station XXXX.XXXX.XXXX Associated KEY_MGMT[WPA]
Oct 22 17:04:38.370: %DOT11-4-TKIP_MIC_FAILURE_REPORT:Received TKIP Michael MIC failure report from the station XXXX.XXXX.XXXX on the packet (TSC=0x0) encrypted and protected by group key.
Oct 22 17:04:39.978: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station XXXX.XXXX.XXXX on the packet (TSC=0x0) encrypted and protected by group key.
Oct 22 17:04:39.978: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 1 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Oct 22 17:04:39.978: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station XXXX.XXXX.XXXX Reason: Invalid MIC
Oct 22 17:04:39.978: %DOT11-4-MAXRETRIES: Packet to client XXXX.XXXX.XXXX reached max retries, removing the client
I made several test changing the configuration of the AP (I am not able to change de wlan profile of the machines), but none of them was successfull.
Then I made last two successful tests:
The firts thing I tried (as a suggestion by googling and TAC) was to use encryption AES (just AES, NOT AES+TKIP) and it worked good. I didnt get desconnected and anything, but the issue was that the AP is going to work with clients that have to use TKIP becuase the wlan profile on the machine cant be changed that easily for different reasons.
The last one was to go to another room where there is very few wlan signal noise around (where I was originaly testing the AP, there are a lot of SSIDs flying around).
And that was it, using TKIP on this new room work just perfect.
I hope this helps
Regards
Karla
Similar Messages
-
Hello All,
we changed our AP1231 to AP1262N-E-K9 autonomous accesss-points. On each access point are two wlans configured for different users.
The first profile uses wpa-psk tkip and the second one uses tkip with radius authentication.
With both profiles we are getting TKIP MIC failures and clients are getting disconnected for 60 seconds. On the AP1231 we had no MIC failures.
We already configured countermeasure tkip hold-time to 0 and also tried to disable the aironet extensions. But clients causing two MIC failures between 60 seconds are still getting deauthenticated.
For further tests we configured a third ssid using wpa2-psk aes encryption and configured vlans for each ssid.
All newer clients who are supporting aes have been tranfered to aes. But we also have clients who don't support aes encryption and so we have to use tkip.
TKIP Michael MIC failures have been logged on all clients using tkip.
Clients are Notebooks running Windows 7, XP with Intel and Atheros WLAN Radios. Mobile devices are running WinCE 5 + 6 with Summit WLAN Radios.
The access points are running IOS 12.4.25d-JA1.
For any other suggestions getting tkip to work I will appreciate.
Regards
Sent from Cisco Technical Support iPad AppThe config of the 1262 is:
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname AP02_1262N
logging buffered 8192 debugging
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
server 172.16.8.68 auth-port 1812 acct-port 1813
server 172.16.8.51 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone gmt 1
clock summer-time gmt recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
dot11 vlan-name AES vlan 11
dot11 vlan-name Radius vlan 12
dot11 vlan-name TKIP vlan 10
dot11 ssid xxxxxx
vlan 12
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
dot11 ssid xxxxxx
vlan 11
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxx
dot11 ssid xxxxxx
vlan 10
authentication open
authentication key-management wpa
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxx
dot11 wpa handshake timeout 1000
username Cisco privilege 15 password 7 xxxxxxxxxxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 10 mode ciphers tkip
encryption vlan 11 mode ciphers aes-ccm
encryption vlan 12 mode ciphers tkip
ssid xxxxxx
ssid xxxxxx
ssid xxxxxx
countermeasure tkip hold-time 0
antenna receive right-a left-b
antenna gain 0
channel least-congested 2412 2437 2462
station-role root
no dot11 extension aironet
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
countermeasure tkip hold-time 0
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
interface GigabitEthernet0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
no bridge-group 12 source-learning
bridge-group 12 spanning-disabled
interface BVI1
ip address dhcp
no ip route-cache
ip default-gateway 172.16.8.201
ip http server
ip http authentication aaa
no ip http secure-server
ip http timeout-policy idle 600 life 6000 requests 5
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history warnings
logging trap debugging
logging 172.16.10.40
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.8.68 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server host 172.16.8.51 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
sntp server 172.16.8.56
end
Messages I get from the Syslog are as follows.
28-01-2013 10:28:39 Local7.Info 172.16.10.65 224: Jan 28 10:28:38.743 gmt: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 2477.0333.201c Reason: Sending station has left the BSS
28-01-2013 10:28:39 Local7.Info 172.16.10.65 223: Jan 28 10:28:38.598 gmt: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 2477.0333.201c Associated KEY_MGMT[WPA PSK]
28-01-2013 10:28:22 Local7.Warning 172.16.10.65 222: Jan 28 10:28:21.485 gmt: %DOT11-4-MAXRETRIES: Packet to client 2477.0333.201c reached max retries, removing the client
28-01-2013 10:28:21 Local7.Info 172.16.10.65 221: Jan 28 10:28:21.479 gmt: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 2477.0333.201c Reason: Previous authentication no longer valid
28-01-2013 10:28:21 Local7.Warning 172.16.10.65 220: Jan 28 10:28:21.479 gmt: %DOT11-4-MAXRETRIES: Packet to client 2477.0333.201c reached max retries, removing the client
28-01-2013 10:27:21 Local7.Info 172.16.10.65 219: Jan 28 10:27:21.009 gmt: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0017.2301.941b Reason: Sending station has left the BSS
28-01-2013 10:27:20 Local7.Warning 172.16.10.65 218: Jan 28 10:27:21.006 gmt: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0017.2301.941b on the packet (TSC=0x0) encrypted and protected by pairwise key.
28-01-2013 10:27:20 Local7.Warning 172.16.10.65 217: Jan 28 10:27:20.314 gmt: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 0017.2301.941b on the packet (TSC=0x0) encrypted and protected by pairwise key.
28-01-2013 10:27:20 Local7.Warning 172.16.10.65 216: Jan 28 10:27:20.311 gmt: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 2477.0333.201c on the packet (TSC=0x0) encrypted and protected by group key.
28-01-2013 10:26:54 Local7.Warning 172.16.10.65 215: Jan 28 10:26:54.216 gmt: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC failure report from the station 2477.0333.201c on the packet (TSC=0x0) encrypted and protected by group key.
Regards, -
Clients disconnected randomly from AP1262N-N-K9- Invalid MIC
Hi guys,
End user has a AP1262 which at the beguinning was working fine, suddendly clients reports problems with disconnections.
checking logs in AP, one of the main logs are:
failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte
d and protected by group key.
Feb 2 15:44:55.822: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC
failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte
d and protected by group key.
Feb 2 15:47:56.978: %DOT11-4-TKIP_MIC_FAILURE_REPORT: Received TKIP Michael MIC
failure report from the station 0027.1007.37b0 on the packet (TSC=0x0) encrypte
Today I noticed that after typing sh dot11 associations command some clients are shown, then some minutes or seconds all disappeard.
WLAN#sh dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID RAMINHome] :
MAC Address IP address Device Name Parent State
0016.446a.316f 172.16.90.22 ccx-client - self Assoc
0021.638d.dcbf 172.16.90.19 unknown - self Assoc
0024.d60e.2766 172.16.90.23 ccx-client _WLAN self Assoc
0027.1007.37b0 172.16.90.100 ccx-client TINEZM self Assoc
ac81.12ce.0d30 172.16.90.13 ccx-client - self Assoc
ac81.12ce.1138 172.16.90.151 ccx-client - self Assoc
ac81.12ce.4fa6 172.16.90.147 ccx-client - self Assoc
WLAN#
The logs show the next
on the packet (TSC=0x0) encrypted and protected by group key.
Feb 3 11:05:58.386: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 0 seconds on Dot11Ra
dio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0027.1007.37b0 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.d60e.2766 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.0d30 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.4fa6 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.1138 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0021.638d.dcbf Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0016.446a.316f Reason: Invalid MIC
Feb 3 11:07:12.184: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0016.446a.316f Associated KEY_MGMT[WPA PSK]
Feb 3 11:07:16.513: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0021.638d.dcbf Associated KEY_MGMT[WPA PSK]
PETRAMIN_WLAN#
on the packet (TSC=0x0) encrypted and protected by group key.
Feb 3 11:05:58.386: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 0 seconds on Dot11Ra
dio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0027.1007.37b0 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.d60e.2766 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.0d30 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.4fa6 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station ac81.12ce.1138 Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0021.638d.dcbf Reason: Invalid MIC
Feb 3 11:05:58.386: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0016.446a.316f Reason: Invalid MIC
Feb 3 11:07:12.184: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0016.446a.316f Associated KEY_MGMT[WPA PSK]
Feb 3 11:07:16.513: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0021.638d.dcbf Associated KEY_MGMT[WPA PSK]
PETRAMIN_WLAN#
the version of IOS is Version 12.4(25d)JA., WPA- PSK is set,
I have check this errors in cisco tools, it says about possible reasons; one of them
A failure of the Michael MIC in a packet usually indicates an active attack on your network
or RF problems.
For the moment I set countermeasure tkip hold-time 0 , based on some recomendations in this forum.
any others recommendations I will apreciate.
regardsHi Wong,
I cleared this problem after changing to WPA2 / AES.
dot11 ssid XXX
vlan 900
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 124B51
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 900 mode ciphers aes-ccm
ssid XXXX
countermeasure tkip hold-time 0
antenna gain 0
station-role root
world-mode dot11d country-code MX indoor
Why don't you try?.. maybe works for you also.
regards. -
Hi All,
We have a WLAN setup with 1 AP 1230 assigned as a WDS, and the 16 APs configured as Infrastructure AP. Off late, I am experiencing a problem where all my clients are getting disconnected frequently. I have checked the logs and the logs indicate the follwoing:
%DOT11-4-TKIP_MIC_FAILURE: TKIP Michael MIC failure was detected on a packet (TSC=0x19B42) received from 0013.ced4.bd48.
Oct 24 12:45:42 172.20.166.22 5673: Oct 24 07:15:42.428: %DOT11-3-TKIP_MIC_FAILURE_REPEATED: Two TKIP Michael MIC failures were detected within 48 seconds on Dot11Radio0 interface. The interface will be put on MIC failure hold state for next 60 seconds.
Oct 24 12:45:42 172.20.166.22 5674: Oct 24 07:15:42.429: %DOT11-4-TKIP_MIC_FAILURE: TKIP Michael MIC failure was detected on a packet (TSC=0x19B43) received from 0013.ced4.bd48.
Oct 24 12:45:42 172.20.166.22 5675: Oct 24 07:15:42.430: %DOT11-4-TKIP_MIC_FAILURE: TKIP Michael MIC failure was detected on a packet (TSC=0x19B44) received from 0013.ced4.bd48.
Oct 24 12:45:42 172.20.166.22 5676: Oct 24 07:15:42.430: Too many MIC failures.
I need a solution to overcome this problems. Please let me know if you need any further information, to help me provide a solution.
regds,
MaheshGood afternoon Mahesh...
Similar to a CRC, TKIP uses Message Integrity Check(MIC) to ensure protection of the payload and headers. Presently the Michael algorithm is used to accomplish this function. Essentially these messages are early warning signs of RF interference, hardware failure and or an active attack.
The initial error message of TKIP_MIC_FAILURE is rather harmless, as there is no effect to surrounding clients. It simply states that the AP has received a packet which failed its integrity check. MIC replaced WEP's CRC-32 checksum for improved security. You will NOT see this issue in LEAP as it does not utilize MIC.
TKIP_MIC_FAILURE_REPEATED, however is another story. If you see this log entry on an access point, you will want to respond quickly. This is stating that a workstation has sent X number of MIC failures in a certain number of seconds. As stated by the 802.11i standard, the access point goes into a blackout period. ( Cisco's default is 60 second blackout period), what this does is disassociates all wireless clients associated with the access point and puts the radio in a type of hold where it does not allow any associations until the blackout is lifted.
The offending client and those associated with the access point do not receive any sort of error. All the user will notice, is that their laptop's wireless has been disconnected. If the user's laptop is able to access another AP it will attempt to connect to it, if behaving and configure correctly. What we have seen in at our facility is the offending client will continue to cause TKIP errors and bring down the AP it just connected to.
Is there a Band-Aid to this problem?
Interface dot11radio x
countermeasure tkip hold-time 0
This is NOT a solution, its simply a fix to keep your APs from going into blackout. Again I would only use this if you had a larger volume of laptops with malfunctioning nics than your local techsupport could handle.
There are two typical causes for these errors, hardware problems and RF issues. RF changes even at 5ft, if you are able to go to multiple areas of your facility (saying you have a large facility) and take still shoot out errors, you likly have a hardware issue. Replace the card and your good to go.
While upgrading to the latest IOS is always the best messure even when not facing problems you will likly not see a decrease/increase.
hope this helps.... Simply put , research if its a single laptop... If it is, attempt to replace the nic.. We had one laptop which even after reloading the IOS, swapping the cards, etc it kept commiting the units. We kept the harddrive and sent the laptop off and was RMA'd. New laptop came in, put the old hdd back in, no problems.
We have not noticed a link between driver version nor firmware... -
AP541N giving "Michael MIC integrity failure" errors in log
Hi all...
My company has an AP541N and it was working fine for about six months, but now roughly once or twice a week it just stops working and needs to be restarted.
Whenever this happens, there are some log messages that look like they relate to the problem. It could be coincidence, but I'm fairly sure they are directly related to, if not the cause of, the issue. Here are the log messages:
Jan 8 12:35:12 warn hostapd wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected
Jan 8 12:35:12 warn hostapd wlan0: STA ec:1a:59:8a:b6:c0 WPA: Reported Michael MIC failure
Jan 8 12:35:11 info hostapd The wireless client with MAC address ec:1a:59:8a:b6:c0 has been successfully authenticated.
Jan 8 12:35:11 info hostapd wlan0: STA ec:1a:59:8a:b6:c0 WPA: pairwise key exchange completed (WPAv2)
Jan 8 12:35:11 warn hostapd wlan0: STA ec:1a:59:8a:b6:c0 WPA: Michael MIC integrity failure detected
Jan 8 12:35:11 warn hostapd wlan0: STA ec:1a:59:8a:b6:c0 WPA: Reported Michael MIC failure
Strangely enough, it's always the same MAC address. I've tried adding that address to the block list under MAC filtering but that hasn't changed anything.
I've tried to find that device but haven't been able to, it might be someone's phone and I can't figure out how to get the MAC address of some of the phones in the office.
Any ideas?
Thanks,
MattHi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forum and thanks for a great question.
WPA implements the message integrity code (MIC), often referred to as "Michael," to guard against forgery attacks.
For authentication, WPA uses a combination of open system and 802.1x authentication. Initially, the wireless client authenticates with the access points, which authorizes the client to send frames to the access point. Next, WPA performs user-level authentication with 802.1x. WPA Interfaces to an authentication server, such as RADIUS or LDAP, in an enterprise environment. WPA is also capable of operating in what's known as "pre-shared key mode" if no external authentication server is available, such as in homes and small offices.
An issue that WPA does not fix yet is potential denial of service (DoS) attacks. If someone, such as a hacker or disgruntled employee, sends at least two packets each second using an incorrect encryption key, then the access point will kill all user connections for one minute. This is a defense mechanism meant to thwart unauthorized access to the protected side of the network.
Now what does this actually mean in your case? It most likely does not mean someone is trying to hack into your network to do anything malicious. It could be that someone is just trying to get free wireless or as you said someone's phone just scanning for access. So lets look at the MAC address using one of many free tools.
http://www.coffer.com/mac_find/
Using a MAC Address Lookup tool - I see that anything starting with "ec:1a:59" belongs to Belkin International Inc.
That tells me it is probably not a phone but possible a Laptop or Tablet. 2nd choice (less likely) would be a a Belkin router someone has added to the network.
I would look for a Laptop with a Belkin Wireless USB attached
Not sure of the magnitude of the search and where this is at but you could also compare the times when this starts to the work schedule of employees and see if you see anything.
Thanks
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
CCNA, CCNA-Wireless
866-606-1866
Mon - Fri 09:30 - 18:30 (UTC - 05:00)
*Please rate the Post so other will know when an answer has been found. -
WPA-TKIP WPA2-AES Connection speed
Hi,
My customer uses controller based wireless network. There is a connection speed problem between two SSID's. First SSID uses WPA(TKIP+AES) and WPA2(TKIP+AES) encryption method and dot1x authentication method. Second SSID uses open authentication (this is a guest SSID)
802.11 a/n/ac is enable on WLC and client can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. Customer wants to know why our clients connect with low speed to first SSID even if a/n/ac is enable.
Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that and official document about this problem?
Thanks,
Burhan,TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2″ doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
WPA and TKIP compatability options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
In comaprison, even 802.11n supports up to 300mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security! -
Issue getting Motorola 9060G scanner to work with 5508 WPA-TKIP
All,
We have a new 5508 controller that we are trying to get setup to use our Motorola 9060G handheld scanners. This device uses WPA-TKIP and has been working with a Symbol controller without issue. I need to retire this controller so started re-creating the SSID on the Cisco controller. I am having issues getting the scanner to connect with the new SSID. It looks like everything works fine with no security but once I start to enable WPA+WAP2 I get no connectivity. Laptops work fine just not the handheld. I have tried every combination I can think of for AES and TKIP under the WPA and WPA2 policies. I have also gone through the Cisco Best Practices guide for Motorola/Symbol Wireless Handheld Scanners and so far unless I have no security I cannot get things to work properly. I tried doing a debug client to see what or how the two are talking but I can only get results with security set to open. Just looking for other suggestions as to something that I might be missing. My controller is running 7.6.100
Thanks ...
Brent BerryWe have a new 5508 controller that we are trying to get setup to use our Motorola 9060G handheld scanners. This device uses WPA-TKIP and has been working with a Symbol controller without issue. I need to retire this controller so started re-creating the SSID on the Cisco controller.
Just be aware that the Wi-Fi Alliance has scheduled the "elimination" of TKIP. What you are about to do is a "temporary" solution. You can get the scanner to work now because you are using WLC firmwares that still support TKIP. However, if (in the future) you need to upgrade your controller's firmware to support newer wireless access points, your scanners may not work any more.
Read HERE. -
Airport Linksys WRT54GX4 WPA TKIP problem-Driving me Crazy!
HELP! Anyone, My Boss bought a new Linksys Router WRT54GX4 and I cannot connect to it through my ibook. The old one(old router) was damaged and I was able to connect to it fine before it was broken. But the new one uses the WPA TKIP encryption, and my ibook cannot connect to it, it sees the network name and gives me severl WEP coices to connect to but no go. the Actual Network is the WPA TKIP, but I have tried severl different combination to connect to it and still nothing. I have tried the passphrase in uppercase and lowercase and nada. But most other PC's have no problem connecting except for my ibook. It sees other hotspots and connects fine. Any Help would be appreciated. Thanks!
I have a 12" iBook 800 Dual USB 32 MB Vram, 640 RAM and Orig Airport Card.The linksys wrt54gx4 is not quite the same series as the earlier wrt54g routers. The new wrt54gx uses different firmware altogether. This router uses a new technology and employs 3 antenna's where as the earlier wrt54g's had 2 antennas.
It may be that this new technology is not working so well with apple airport cards as I have found the new linksys routers that have 3 antennas to be buggy. I have returned one to a reseller already.
In the wireless security settings of the wrt54gx4 it is possible to have wpa selected but not enabled.
I am not sure if the older airport cards support wpa2. I do know that the latest version airport does support wpa2. But for now try enabling wpa and disabling wpa2 on the linksys box as per this screen shot.
I will be switching to buffalo wifi routers as these new linksys boxes are
a) buggy
b) don't support linux -
Hi,
Is it possible with a E61 to connect to a Wifi network using WPA with TKIP cryption and a certificate ?
Thanks
VincènWe are using WPA + TKIP + (Cert I think) I will share my settings.
Connection Name: Connection
Data Bearer: Wirelass LAN
WLAN netw. name:
Network Status:
WLAN netw. mode: Infrastructure
WLAN security mode: 802.lx or WPA/WPA2
WLAN security sett.
WPA/WPA2: EAP
EAP plug-in settings
Enable EAP-PEAP. If any others are enabled, disable them and raise priority of the EAP-PEAP to #1.
Configure EAP-PEAP
GENERAL TAB
User Certificate: (Not Defined)
CA certificate: (Cert issuer) ours is Equifax Sec Cert Auth
User name in use: user-configured
User name: username
Realm in use: user-configured
Realm: (this field is blank)
Allow PEAPv0: yes
Allow PEAPv1: yes
Allow PEAPv2: no
EAP TAB
Enable EAP-MSCHAPv2. If any others are enable, disable them and raise priority of the EAP-MSCHAPv2 to #1.
Configure EAP-MSCHAPv2
User name: username
Prompt password: No
Password: ******
CIPHER TAB
Make sure that every cipher is enabled. There are two hiding at the bottom that are not enabled.
Let me know if this works. Good luck. -
Newbie adding Comcast wireless: WPA2-PSK (AES) or WPA-TKIP?
I have an old (but still great!) 1.25 GHz PowerPC G4, runnig Mac OS X 10.5.8. I also have a 3G iPhone (iOS 4.2.1). (Both are the most current OS for those devices.) In the next 6 months I'll be upgrading both of these devices, but I need to install my router now, with the older equipment/software.
I am very, very new to wireless technology, so I am aware I know nothing about this. I find that the support at Comcast isn't very Mac-savvy (especially working with my older device).
I have a new "Gateway" ARRIS modem/router to set up. My questions:
1 -- Encryption Method - do I choose WPA2-PSK (AES) or WPA-TKIP?
2 -- Are there any settings on my Mac (or iPhone) that I need to know about, in order to be sure the wireless network functions properly and securely?
My thanks to all of you!1. At the noment your G4 isn't capable of running WPA, the only thing you can run is WEP, but change that as soon as you get your new Mac.
2. You ned to go to Settings>wi-fi and enter the details of your setup, name, password, smtp etc etc. -
EA6500 support for Wi-Fi devices on WPA (TKIP)
Although EA6500 states support for WPA devices it appears that some B devices (like HP Wi-Fi printer PSC 2510) are not supported. The lack of support seems due to the lack of WPA with TKIP encryption, only the newer EAS encryption appears to be available.
pompekw,
You should consider cascading your WRT54G to a new router. That way you can keep your legacy devices.
I have legacy devices too. And that's what I do. If your WRT54G is broken, you can pick up a refurb wireless router that supports WEP and WPA TKIP and B/G for $20. And then you just cascade it to your new router. Use Lan-to-Lan cascade (or bridge mode instructions depending on whether or not the secondary router supports bridge mode). If your WRT54G still works, you can use it as the secondary router (which is what I do).
Cascade link
http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=3733
Fix #3 in the article below explains it better than I can.
http://www.smallnetbuilder.com/wireless/wireless-basics/30664-5-ways-to-fix-slow-80211n-speed
http://www.metageek.net/products/inssider/ -
WPA TKIP passphrase on WRT54gc
Hello,
Does anybody know if it is possible to make more than one passphrase in the WPA TKIP personal security protocol??
(nice to have in case guests wants to use your network and you do not want to change phrase every time, you can give the second one)
I have a WRT54GC router
FrankNo. One SSID, one encryption, one passphrase.
-
IPad WiFi works only with WPA/TKIP, not WPA2/AES
My iPad (like so many others) stopped connecting to my Linksys WRT54G router (which like everyone else's connects fine with every other device, including non-iOS 4 iPhones). The whole reset/restart/restore dance with the iPad/router/cable modem was performed to no avail. By sheer desperation, security protocols were changed, and that's what finally worked.
The protocol to the rescue was WPA/TKIP, curiously enough. (When security is completely disabled ("Open"), the iPad also connects, perhaps expectedly.) The culprit is WPA2/AES (even AES+TKIP). Any iteration of WPA2/AES ends up blocking the iPad from getting the appropriate IP address via DHCP. Once I changed to WPA/TKIP, everything's been rock-solid and fast.
(The only times WPA2/AES worked was when the iPad was first used for a couple days, and a couple days after switching back to WPA2/AES when it started working with WPA/TKIP. Since then, switching back to WPA2/AES no longer works, even temporarily.)
Any idea why initially WPA2/AES worked, and then suddenly stopped?Ralph Landry1 wrote:
That is a very interesting question ... [involving] the combination of the router and the iPad and their respective implementations of the AES encryption algorithm. The AES algorithm is considerably more complex than TKIP. Why some have problems and not others has to be related to the router and its implementation and the Apple implementation.... t works fine for me connecting with [both] a Verizon FiOS (Actiontec) router [a]nd ... an AirPort Extreme. But there have been a number of posts recently about problems with Linksys and Belkin connectivity.
Tell me about it. I'd been pulling my hair out prior to "discovering (by accident," as George Costanza would say) that WPA/TKIP fixed the problem, and seems to be working fine and fast. Now I'm just academically frustrated (better than actually frustrated) wondering why WPA2/AES is so problematic +with this particular trifecta+ (my iPad, my Linksys router, and WPA2/AES).
Bottom line is there is probably not an easy solution ... and since you do have a strong security protocol that works, keep using it. Very strange that there would be a change in connectivity after a few months, though. Old engineering philosophy, if it ain't broke, don't fix it. If you have something that works, stick with it for now.
Actually, WPA2/AES worked on two (short but notable) occasions:
a) for two days when I first unpacked the iPad, and
b) for two days when I switched back to WPA2/AES upon discovering WPA/TKIP fixed the issue.
So it wasn't two months, which makes more sense. I agree with you that I'm not touching this arrangement for now. What I did have to do was change over the other devices (PCs, Wii's, TiVo's) that didn't automatically adjust over to WPA/TKIP. (To its credit, the iPhone did that on the fly.) Going through each device hurt a little, knowing I was using a less-than-optimal protocol for just one cranky device at expense of every other one--but of course I'd rather everything play nice than be necessarily cutting edge. (It's not like I'm the Pentagon or anything here.)
But also give feedback to Apple:
http://www.apple.com/feedback/ipad.html
Done and done. And thanks for a great and reassuring explanation.
Message was edited by: TashTish -
Cisco Flex 7500 controller with client disconnects
Hey All,
There will be alot of info in this post, hopefully all helpful, more info the better right! If you require anymore info to help me out to not hesistate to request it.
We have been having some issues with clients connecting and disconnecting several times a day and having to manually reconnect from the icon on their taskbar. We have about 380 APs, and 200+ more to deploy that we have and are licensed for but are having some issues that we want to resolve first obviously.
Some locations our setup is a bit more complex than this with multiple SSIDs and vlans, but this issue is everywhere so i will keep it to our simple setup for now:
AP Models: AIR-LAP1042N-A-K9, AIR-CAP1602I-A-K9 (Most locations do not have a mix of both, most have 1042s)
Running a single SSID - WPA/WPA2 with: WPA - TKIP and WPA2 - AES on the same SSID.
They talk back to a Cisco Flex 7500 Series through a tunnel (should not be any port blocking preventing communication)
We are running from what i understand a bad firmware version (7.6.100.0) and during our next maintenance window i am going to try and get them to change to a more stable firmware version.
Data Rates of 1,2,5.5,11 Mbps are disabled
TPCv1 coverage running
Automatic Power Assignment
I will not focus on the a/n/ac network as most of our devices are connecting to WPA due to the config they already have.
Ideally i would like to get rid of WPA all together but i am not 100% in control of the decisions to get the started and people here like to delay things lol.
It is hard to say if the issue is specific to a model as we have so few 1602Is, and it is just at our main office. I have not heard many complaints but i have noticed i will now and then get a limited or no connectivity settings on my wireless icon on my PC. I use hard-wired so i don't really notice if it is not working.
In most locations it looks like the controller is doing a decent job at selection channels to use. I did find one spot where it had on 11 APs down a long hallway, and did not use channel 6 once. I statically set that location to stagger the channels to see what kind results we had and am still waiting to hear on that as they complained the most out of all of our locations. In some cases 3 APs in a row were on channel 1 in the hallway, in alot of casses 1 was 2 times in a row as well as 11 so there was alot of overlap.
I am attaching my show sysinfo and show wlan 17 for that informtion, some of the other settings i have changed today that were previously enabled/set different are:
Disabled Cisco Aironet IE
Set channel automatic rescan from 10 mintues to 12 hours as i can image if it is changing the channels alot it can lead to disconnects.
Some of the main things we get in our message log are:
*dot1xMsgTask: Oct 16 15:17:36.943: #DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:508 Max EAPOL-key M5 retransmissions exceeded for client 84:85:06:0b:a6:33
- Not sure why we get this as we have a PSK and do not have local eap enabled.....
*apfMsConnTask_6: Oct 16 15:19:01.753: #APF-3-AID_UPDATE_FAILED: apf_80211.c:6570 Error updating Association ID for REAP AP Clientc8:f9:f9:2b:fd:50 - AID 4
*apfMsConnTask_6: Oct 16 15:19:01.753: #LWAPP-3-INVALID_AID2: spam_api.c:1462 Association identifier 4 for client 18:9e:fc:4d:9e:87 is already in use by 8c:2d:aa:b7:70:5e
- There is a bug for this log, but according to the bug our 7.6.100.0 is not effected
Here is my show sysinfo:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.100.0
RTOS Version..................................... 7.6.100.0
Bootloader Version............................... 7.6.101.2
Emergency Image Version.......................... 7.6.101.2
Build Type....................................... DATA + WPS
System Name...................................... Cisco_cf:17:26
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1295
Redundancy Mode.................................. Disabled
IP Address....................................... 10.156.50.100
System Up Time................................... 52 days 5 hrs 54 mins 25 secs
System Timezone Location......................... (GMT -4:00) Altantic Time (Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... CA - Canada
--More-- or (q)uit
Operating Environment............................ Commercial (10 to 35 C)
Internal Temp Alarm Limits....................... 10 to 38 C
Internal Temperature............................. +22 C
Fan Status....................................... OK
RAID Volume Status............................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 13
Number of Active Clients......................... 1584
Burned-in MAC Address............................ 70:81:05:CF:17:20
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 600
Here is my Show wlan 17
WLAN Identifier.................................. 17
Profile Name..................................... AirCCRSB
Network Name (SSID).............................. AirCCRSB
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 1768
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Cisco_cf:17:26
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
Priority Policy NameAs long as you take the configuration backup downgrading from 7.6.100.0 to 7.4.121.0 should be fine. Because this is Flexconnect deployment, make sure you review the release notes thoroughly as config like vlan mapping is impacted it is painful to reconfigure.
I still think moving to 7.6MR3 & once 8.x get stable going for that code is a good plan. Though 7.4.121.0 is assure wave it does not mean it has no bugs.(remember that prior to this 7.4.110.0 was assure wave & it deferred in quick time) . I would say 8.x going to be the code staying for long time period, so ultimately you have to be there.
In 8.x there are few FlexConnect improvements,one being AP won't reload when you change from local mode to FlexConnect.
HTH
Rasika
**** Pls rate all useful responses *** -
WLC 5508 and client disconnections
Hello, all!
have an issue - one client is disconnecting sometime.
that is the log from debug client
(Cisco Controller) >*apfReceiveTask: Oct 26 16:31:42.120: 68:09:27:81:da:8f Deleting mobile on AP 00:3a:99:81:dc:10(0)
*dot1xMsgTask: Oct 31 14:20:26.178: 44:2a:60:f6:d9:ec Key exchange done, data packets from mobile 44:2a:60:f6:d9:ec should be forwarded shortly
*dot1xMsgTask: Oct 31 14:20:26.178: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.03
*dot1xMsgTask: Oct 31 14:20:26.178: 44:2a:60:f6:d9:ec Updated broadcast key sent to mobile 44:2A:60:F6:D9:EC
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.186: 44:2a:60:f6:d9:ec Received EAPOL-Key from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.186: 44:2a:60:f6:d9:ec Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.186: 44:2a:60:f6:d9:ec Stopping retransmission timer for mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Received EAPOL-Key from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Received EAPOL-key to initiate new key exchange from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Initializing EAPOL-Key Request replay counter to 00 00 00 00 00 00 00 00 for client 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Starting key exchange to mobile 44:2a:60:f6:d9:ec, data packets will be dropped
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.04
*Dot1x_NW_MsgTask_4: Oct 31 14:20:26.721: 44:2a:60:f6:d9:ec Received EAPOL-key MIC err message from mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:20:27.778: 44:2a:60:f6:d9:ec Failure sending WPA EAPOL-Key due to invalid state 2 to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:20:27.778: 44:2a:60:f6:d9:ec Unable to send WPA key to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:20:27.778: 44:2a:60:f6:d9:ec Unable to update broadcast key to mobile 44:2A:60:F6:D9:EC
*osapiBsnTimer: Oct 31 14:20:31.778: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:20:31.778: 44:2a:60:f6:d9:ec Retransmit 1 of EAPOL-Key M1 (length 99) for mobile 44:2a:60:f6:d9:ec
*osapiBsnTimer: Oct 31 14:20:36.777: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:20:36.778: 44:2a:60:f6:d9:ec Retransmit 2 of EAPOL-Key M1 (length 99) for mobile 44:2a:60:f6:d9:ec
*osapiBsnTimer: Oct 31 14:20:41.777: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:20:41.778: 44:2a:60:f6:d9:ec Retransmit 3 of EAPOL-Key M1 (length 99) for mobile 44:2a:60:f6:d9:ec
*osapiBsnTimer: Oct 31 14:20:46.777: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:20:46.778: 44:2a:60:f6:d9:ec Retransmit 4 of EAPOL-Key M1 (length 99) for mobile 44:2a:60:f6:d9:ec
*osapiBsnTimer: Oct 31 14:20:51.777: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:20:51.778: 44:2a:60:f6:d9:ec Retransmit failure for EAPOL-Key M1 to mobile 44:2a:60:f6:d9:ec, retransmit count 5, mscb deauth count 0
*dot1xMsgTask: Oct 31 14:20:51.778: 44:2a:60:f6:d9:ec Resetting MSCB PMK Cache Entry 0 for station 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:20:51.778: 44:2a:60:f6:d9:ec Setting active key cache index 0 ---> 8
*dot1xMsgTask: Oct 31 14:20:51.779: 44:2a:60:f6:d9:ec Sent Deauthenticate to mobile on BSSID 00:3a:98:ef:5c:f0 slot 0(caller 1x_ptsm.c:546)
*dot1xMsgTask: Oct 31 14:20:51.779: 44:2a:60:f6:d9:ec Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*osapiBsnTimer: Oct 31 14:21:01.777: 44:2a:60:f6:d9:ec apfMsExpireCallback (apf_ms.c:591) Expiring Mobile!
*apfReceiveTask: Oct 31 14:21:01.778: 44:2a:60:f6:d9:ec apfMsExpireMobileStation (apf_ms.c:5604) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Associated to Disassociated
*apfReceiveTask: Oct 31 14:21:01.778: 44:2a:60:f6:d9:ec Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Oct 31 14:21:11.777: 44:2a:60:f6:d9:ec apfMsExpireCallback (apf_ms.c:591) Expiring Mobile!
*apfReceiveTask: Oct 31 14:21:11.779: 44:2a:60:f6:d9:ec Sent Deauthenticate to mobile on BSSID 00:3a:98:ef:5c:f0 slot 0(caller apf_ms.c:5698)
*apfReceiveTask: Oct 31 14:21:11.779: 44:2a:60:f6:d9:ec apfMsAssoStateDec
*apfReceiveTask: Oct 31 14:21:11.779: 44:2a:60:f6:d9:ec apfMsExpireMobileStation (apf_ms.c:5736) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Disassociated to Idle
*apfReceiveTask: Oct 31 14:21:11.779: 44:2a:60:f6:d9:ec Scheduling deletion of Mobile Station: (callerId: 47) in 10 seconds
*osapiBsnTimer: Oct 31 14:21:21.777: 44:2a:60:f6:d9:ec apfMsExpireCallback (apf_ms.c:591) Expiring Mobile!
*apfReceiveTask: Oct 31 14:21:21.778: 44:2a:60:f6:d9:ec pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Oct 31 14:21:21.778: 44:2a:60:f6:d9:ec 192.168.46.133 RUN (20) Deleted mobile LWAPP rule on AP [00:3a:98:ef:5c:f0]
*apfReceiveTask: Oct 31 14:21:21.778: 44:2a:60:f6:d9:ec apfMsRunStateDec
*apfReceiveTask: Oct 31 14:21:21.778: 44:2a:60:f6:d9:ec apfMs1xStateDec
*apfReceiveTask: Oct 31 14:21:21.778: 44:2a:60:f6:d9:ec Deleting mobile on AP 00:3a:98:ef:5c:f0(0)
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec Adding mobile on LWAPP AP 00:3a:98:ef:5c:f0(0)
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec Association received from mobile on AP 00:3a:98:ef:5c:f0
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec Applying site-specific Local Bridging override for station 44:2a:60:f6:d9:ec - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_1: Oct 31 14:21:56.744: 44:2a:60:f6:d9:ec Applying Local Bridging Interface Policy for station 44:2a:60:f6:d9:ec - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec STA - rates (8): 2 4 11 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec STA - rates (12): 2 4 11 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec Processing WPA IE type 221, length 24 for mobile 44:2a:60:f6:d9:ec
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1for this client
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec Not Using WMM Compliance code qosCap 00
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec apfMsAssoStateInc
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Idle to Associated
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec Sending Assoc Response to station on BSSID 00:3a:98:ef:5c:f0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_1: Oct 31 14:21:56.745: 44:2a:60:f6:d9:ec apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Associated to Associated
*apfMsConnTask_1: Oct 31 14:21:56.747: 44:2a:60:f6:d9:ec Updating AID for REAP AP Client 00:3a:98:ef:5c:f0 - AID ===> 5
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Creating a PKC PMKID Cache entry for station 44:2a:60:f6:d9:ec (RSN 0)
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Setting active key cache index 8 ---> 8
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Setting active key cache index 8 ---> 0
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Initiating WPA PSK to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec dot1x - moving mobile 44:2a:60:f6:d9:ec into Force Auth state
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Skipping EAP-Success to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Starting key exchange to mobile 44:2a:60:f6:d9:ec, data packets will be dropped
*dot1xMsgTask: Oct 31 14:21:56.750: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*osapiBsnTimer: Oct 31 14:22:01.777: 44:2a:60:f6:d9:ec 802.1x 'timeoutEvt' Timer expired for station 44:2a:60:f6:d9:ec and for message = M2
*dot1xMsgTask: Oct 31 14:22:01.778: 44:2a:60:f6:d9:ec Retransmit 1 of EAPOL-Key M1 (length 99) for mobile 44:2a:60:f6:d9:ec
*apfMsConnTask_1: Oct 31 14:22:05.624: 44:2a:60:f6:d9:ec Association received from mobile on AP 00:3a:98:ef:5c:f0
*apfMsConnTask_1: Oct 31 14:22:05.624: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1709)
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1876)
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Applying site-specific Local Bridging override for station 44:2a:60:f6:d9:ec - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Applying Local Bridging Interface Policy for station 44:2a:60:f6:d9:ec - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec STA - rates (8): 2 4 11 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec STA - rates (12): 2 4 11 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Processing WPA IE type 221, length 24 for mobile 44:2a:60:f6:d9:ec
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) DHCP required on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1for this client
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Not Using WMM Compliance code qosCap 00
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec apfPemAddUser2 (apf_policy.c:270) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Associated to Associated
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Oct 31 14:22:05.625: 44:2a:60:f6:d9:ec Sending Assoc Response to station on BSSID 00:3a:98:ef:5c:f0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_1: Oct 31 14:22:05.626: 44:2a:60:f6:d9:ec apfProcessAssocReq (apf_80211.c:6309) Changing state for mobile 44:2a:60:f6:d9:ec on AP 00:3a:98:ef:5c:f0 from Associated to Associated
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Creating a PKC PMKID Cache entry for station 44:2a:60:f6:d9:ec (RSN 0)
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Setting active key cache index 0 ---> 8
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Setting active key cache index 8 ---> 0
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Initiating WPA PSK to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec dot1x - moving mobile 44:2a:60:f6:d9:ec into Force Auth state
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Skipping EAP-Success to mobile 44:2a:60:f6:d9:ec
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Starting key exchange to mobile 44:2a:60:f6:d9:ec, data packets will be dropped
*dot1xMsgTask: Oct 31 14:22:05.628: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.634: 44:2a:60:f6:d9:ec Received EAPOL-Key from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.634: 44:2a:60:f6:d9:ec Received EAPOL-key in PTK_START state (message 2) from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.634: 44:2a:60:f6:d9:ec Stopping retransmission timer for mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.634: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec Received EAPOL-Key from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec apfMs1xStateInc
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) DHCP required on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1for this client
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:3a:98:ef:5c:f0 vapId 1 apVapId 1 flex-acl-name:
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 5287, Adding TMP rule
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:98:ef:5c:f0, slot 0, interface = 1, QOS = 3
IPv4 ACL ID = 255
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 0, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5303, Adding TMP rule
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:3a:98:ef:5c:f0, slot 0, interface = 1, QOS = 3
IPv4 ACL ID = 255,
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 0, Local Bridging intf id = 0
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255)
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.640: 44:2a:60:f6:d9:ec Stopping retransmission timer for mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.641: 44:2a:60:f6:d9:ec Key exchange done, data packets from mobile 44:2a:60:f6:d9:ec should be forwarded shortly
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.641: 44:2a:60:f6:d9:ec Sending EAPOL-Key Message to mobile 44:2a:60:f6:d9:ec
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*pemReceiveTask: Oct 31 14:22:05.642: 44:2a:60:f6:d9:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Oct 31 14:22:05.642: 44:2a:60:f6:d9:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*spamApTask0: Oct 31 14:22:05.643: 44:2a:60:f6:d9:ec Sent EAPOL-Key M5 for mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.648: 44:2a:60:f6:d9:ec Received EAPOL-Key from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.648: 44:2a:60:f6:d9:ec Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 44:2a:60:f6:d9:ec
*Dot1x_NW_MsgTask_4: Oct 31 14:22:05.648: 44:2a:60:f6:d9:ec Stopping retransmission timer for mobile 44:2a:60:f6:d9:ec
*apfOrphanSocketTask: Oct 31 14:22:05.694: 44:2a:60:f6:d9:ec Orphan Packet from STA - IP 192.168.46.133
*apfOrphanSocketTask: Oct 31 14:22:05.694: 44:2a:60:f6:d9:ec Static IP client associated to interface management which can support client subnet.
*apfOrphanSocketTask: Oct 31 14:22:05.694: 44:2a:60:f6:d9:ec apfMsRunStateInc
*apfOrphanSocketTask: Oct 31 14:22:05.694: 44:2a:60:f6:d9:ec 192.168.46.133 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*pemReceiveTask: Oct 31 14:22:05.695: 44:2a:60:f6:d9:ec 192.168.46.133 Removed NPU entry.
*apfOrphanSocketTask: Oct 31 14:22:05.695: 44:2a:60:f6:d9:ec Assigning Address 192.168.46.133 to mobile
*DHCP Socket Task: Oct 31 14:22:05.710: 44:2a:60:f6:d9:ec DHCP received op BOOTREQUEST (1) (len 324,vlan 0, port 1, encap 0xec00)
*DHCP Socket Task: Oct 31 14:22:05.710: 44:2a:60:f6:d9:ec DHCP dropping looped REQUEST from DS (encap type 0xec00)
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 433,vlan 0, port 1, encap 0xec00)
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP xid: 0x18474c86 (407325830), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP ciaddr: 0.0.0.0, yiaddr: 192.168.46.133
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP server id: 192.168.45.111 rcvd server id: 192.168.45.111
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 433,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP xid: 0x18474c86 (407325830), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP ciaddr: 0.0.0.0, yiaddr: 192.168.46.133
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:22:05.711: 44:2a:60:f6:d9:ec DHCP server id: 192.168.45.111 rcvd server id: 192.168.45.111
*DHCP Socket Task: Oct 31 14:22:56.251: 44:2a:60:f6:d9:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec00)
*DHCP Socket Task: Oct 31 14:22:56.251: 44:2a:60:f6:d9:ec DHCP dropping looped REQUEST from DS (encap type 0xec00)
*DHCP Socket Task: Oct 31 14:22:56.251: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 410,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP xid: 0x360eedf0 (906948080), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP ciaddr: 192.168.46.133, yiaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:22:56.252: 44:2a:60:f6:d9:ec DHCP server id: 192.168.45.111 rcvd server id: 192.168.45.111
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 410,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP xid: 0x360eedf0 (906948080), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP ciaddr: 192.168.46.133, yiaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >
(Cisco Controller) >*DHCP Socket Task: Oct 31 14:22:56.253: 44:2a:60:f6:d9:ec DHCP server id: 192.168.45.103 rcvd server id: 192.168.45.103
*DHCP Socket Task: Oct 31 14:29:41.712: 44:2a:60:f6:d9:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 1, encap 0xec00)
*DHCP Socket Task: Oct 31 14:29:41.712: 44:2a:60:f6:d9:ec DHCP dropping looped REQUEST from DS (encap type 0xec00)
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 410,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP xid: 0x6bd418e0 (1809062112), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP ciaddr: 192.168.46.133, yiaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP server id: 192.168.45.111 rcvd server id: 192.168.45.111
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP received op BOOTREPLY (2) (len 410,vlan 0, port 1, encap 0xec03)
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP processing DHCP ACK (5)
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP xid: 0x6bd418e0 (1809062112), secs: 0, flags: 0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP chaddr: 44:2a:60:f6:d9:ec
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP ciaddr: 192.168.46.133, yiaddr: 0.0.0.0
*DHCP Socket Task: Oct 31 14:29:41.713: 44:2a:60:f6:d9:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
the selected potrion of log is just about lost connection. can you help me in understanding?Well then I would look at the client device since its one device right now. If you have other devices working, it's hard to say the wireless is broke. Upgrade the wireless adapter firmware since your client has Windows 7 running on a Mac air.
Sent from Cisco Technical Support iPhone App
Maybe you are looking for
-
Problem with HP Laserjet 6L and Windows 7 ( 64 bits )
Hi. I have a new pc, with Windows 7 ( 64 bits ) and when I try to print , nothing happend. Any body could tell me, what happend. I update the driver following the instrucctions in HP but , nothing happend. I am breacking my head try searching the s
-
How do I make my pdf uneditable?
I have taken a pdf and added typing to that pdf. I would now like to make that typing unchangeable so as to share the document without allowing editing of that typing. It is not important to me that future comments and typing cannot be added to the d
-
How do you use timeline in a pages document? I need to restore a document from earlier?
How do you use timeline in a pages document? I need to restore a document from earlier today? How do I bring up the time - scale?
-
Needing help: using Keylistener to change images
I am trying to using the arrow keys to switch between pictures i have but i cant get it to work... mind that im relativly new at java. Here is what i trying to do: starts at pic1: press up: frame now has pic2: press down: frame now shows pic1 my code
-
What is the correct charger for the new iPad Air 2?
Our new iPad Air 2 came with a 10Watt charger. Went to the apple store to get a spare. The Apple folk insist the 12 watt unit is what it needs - sold my will two. Just trying to figure out which is correct for a new Model= 'MGKL2LL/A' iPad Air 2. Th