%DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible

Hi All,
My wireless network system is consisting with 7.5 virtuall wireless controller and few 3600i APs.
All SSIDs & APs have been configured in flexconnect & flexconnect groups.
APs acquire IP address & controller IP address via DHCP option 43.
My problem is,
After I created a new SSID & pushed it. APs don't reboot itself but disconnecting from the controller and never come up back until give a manuall power reboot for each APs.
* DHCP server has not been configured any authentication mechanism for APs.*
I got below console outputs:
*Dec 5 16:56:42.830: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible
*Dec 5 16:56:54.226: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed
*Dec 21 06:15:03.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:03.283: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:04.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:14.135: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:14.539: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:15.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:15.375: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 21 06:15:15.387: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Dec 21 06:15:15.395: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 21 06:15:16.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:16.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:16.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:16.435: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:16.451: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:17.491: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
., 26)1 06:15:17.983: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
*Dec 21 06:15:18.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:24.427: %EVT-4-WRN: Write of flash:/event.capwap done
*Dec 21 06:15:24.447: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Dec 21 06:15:24.459: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.15.2:5246
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Invalid event 46 & state 4 combination.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 46, state 4
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to process Periodic Echo timer message.
*Dec 21 06:15:24.507: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 0 down
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 1 down
Anybody know the reason for this behavior ?
Thanks,
Charith

Hi Charith,
It's looks like AP goes into Standalone mode due to it cannot reach your WLC. In flexconnect when it cannot reach WLC, it will go into standalone mode without rebooting AP. (in local mode AP will reboot unless it can find a WLC)
Can you check your AP has reahability to your WLC all the time ? Where the DHCP configured for users ?
HTH
Rasika

Similar Messages

Cisco1941W error massage "%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"

I am using Cisco1941W.
When I connect CliantPC to Wireless(1941W) I got bellow massage from 1941AP.
"%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"
And I couldn't ping from my PC to AP and Router.
Its possible communication from AP to Router.
I show 1941AP configration.
Could you find wrong?
By the way, my PC connected to AP by 108Mbps.
But my PC supported only 802.11a/b/g .
My PC use Static IP Address and use TEST-2 ssid.
I couldn't find error from my PC.
(start)
hostname TEST
enable secret test
aaa new-model
aaa group server radius rad_eap
server 10.73.12.2 auth-port 1645 acct-port 1646
aaa session-id common
dot11 syslog
dot11 ssid TEST-1
   vlan 100
   authentication open eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
dot11 ssid TEST-2
   vlan 200
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii testtesttesttesttest
dot11 aaa csid ietf
username Cisco password 7 05280F1C2243
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
mbssid
antenna gain 0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
antenna gain 0
no dfs band block
channel 5180
station-role root
interface Dot11Radio1.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
no shut
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
ip address 10.73.12.7 255.255.255.0
no ip route-cache
ip default-gateway 10.73.12.1
ip http server
no ip http secure-server
radius-server deadtime 1440
bridge 1 route ip
(end)
I guess errer massage is telling Radio Frequency error.
I tried to change configuration "speed".
But still get error massage and I couldn't ping from my PC.

Thanks, leolaohoo.
> My PC use Static IP Address and use TEST-2 ssid.
so I use TEST-2.
in this case, ignore TEST-1.
I just paste real configuration.
I tried to connect again.
But still I can't ping from PC to AP.
I use other PC.
I configured bellow.
-interface dot11Radio0
-speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
It was same resault.
Is cisco1941w broken?
I'd like to know one more.
I configured bellow, but I couldn't use 802.11a.
-interface dot11Radio0
-shutdown
how to use 802.11a(5GHz)?

%DOT11-7-AUTH_FAILED: %DOT11-6-DISASSOC:

Hello again,
Thought this issue was fixed yesterday after finding out my printer was the MAC address flashing up on the log, however it seems that every device is playing up.
Thanks
James
These are my wirless devices,
APPLE IPHONE     6809.2780.219a
DELL LAPTOP        0026.c7e2.68be
HTC PHONE           bccf.cca7.43ea
LG TV                    9444.4434.d43c
HP LAPTOP           001f.3c83.bd9e
PRINTER               0080.927b.0edb
SONY ERICSSON b8f9.3410.9524
PLAYSTATION 3     280d.fcec.27c4
The log....
*Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated
SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 280d.fc
ec.27c4 Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:06:37.321: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated
SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.27
80.219a Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:41.117: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociat
ed SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 6809.2780.219a Authentication failed
*Aug 28 21:11:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   6809.2780.219a Associated
SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:55.321: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.27
80.219a Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:19:39.324: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated
SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:23:54.664: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:23:59.212: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:24:07.756: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociat
ed SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cc
a7.43ea Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:37:08.112: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:42:36.712: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:42:41.080: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:42:46.828: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated
SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.296: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associa
ted SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.300: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c
83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:43:25.808: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c
83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
This is my running config....
CORE#sh run
Building configuration...
Current configuration : 6692 bytes
! Last configuration change at 21:37:08 UTC Wed Aug 28 2013 by James
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname CORE
boot-start-marker
boot-end-marker
logging buffered 64000
no aaa new-model
dot11 syslog
dot11 ssid THE MATRIX
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid
wpa-psk ascii 7 xxxxx
ip source-route
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.61 192.168.0.254
ip dhcp excluded-address 172.0.0.1 172.0.0.10
ip dhcp pool LAN_Addresses
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
default-router 192.168.0.1
lease 5
ip dhcp pool THE MATRIX
import all
network 172.0.0.0 255.255.255.0
default-router 172.0.0.1
dns-server 8.8.8.8 4.2.2.2
lease 5
no ip domain lookup
ip domain name firewire2013
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3845826623
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3845826623
revocation-check none
crypto pki certificate chain TP-self-signed-3845826623
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383435 38323636 3233301E 170D3133 30383235 30363031
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38343538
32363632 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009FF5 DA191624 A7ECAE35 A3F660AB A049B91F CB83F93F 888EB00D F5E2C20E
83486395 E7069E1D 36BD1EEB 12AFCE88 2E8F5320 52E67F70 3F4716E9 97B1F33E
0147A66D D573E9BC 36D35EA1 226D723B FAEDDCB2 C263511B DA745A66 8798BCEC
F581248B FCD39380 FE92CEB9 09328BCD 71F9D1E1 BCCCB9DB EFA1DC22 ED7CF8BD
25FD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 143D0167 51FECFA9 ED03DF31 6B0A562E E10A9300 AE301D06
03551D0E 04160414 3D016751 FECFA9ED 03DF316B 0A562EE1 0A9300AE 300D0609
2A864886 F70D0101 04050003 8181006B C454436A 370AC181 BBA4017F 41E3DFD2
CFE9665B 80F797DC B7130067 318318F9 094A4672 5BA2A50F 80EC1225 4C958474
E309731D 9E4E5265 B861BAF0 36E4996B B396CB6C BF210CE6 59F3D165 441C2302
3693441B DB45704D 5A6A15F5 79F939F9 6A9DDA84 DFDF5D11 E729D505 A1692E21
2D95292C 6AC1263E FB35C46E 6D6874
        quit
license udi pid CISCO2811 sn FCZ09237316
username James privilege 15 secret 5 xxxxxxxxxxxxxxxxx
redundancy
class-map type inspect match-any sdm-cls-insp-traffic
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 102
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
interface FastEthernet0/0
description CONNECTION TO MODEM>ISP$ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
interface FastEthernet0/1
description CONNECTION TO LAB
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed 100
interface Dot11Radio0/2/0
description WLAN TO MOBILE USERS
ip address 172.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
encryption mode ciphers tkip
ssid THE MATRIX
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface FastEthernet0/0/0
description CONNECTION TO CORE PC
no ip address
interface FastEthernet0/0/1
description CONNECTION TO PS3
no ip address
interface FastEthernet0/0/2
description CONNECTION TO ACCESS SERVER
no ip address
interface FastEthernet0/0/3
no ip address
interface Vlan1
description MANAGEMENT INTERFACE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
router eigrp 10
network 192.168.0.0 0.0.255.255
redistribute static
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.0.0.0 0.0.0.255
access-list 70 remark THIS WILL DENY HOST FROM TELNETTING TO R1
access-list 70 deny   192.168.10.50
access-list 70 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 172.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
control-plane
mgcp profile default
alias exec s show ip interface brief
alias exec rc show running-config
alias exec r show ip route
alias exec v show version
banner motd ^CCCC
###DO NOT LOG ON AUTHORIZED PERSONNEL ONLY####
^C
line con 0
exec-timeout 100 0
password 7 xxxxxx
logging synchronous
login
line aux 0
exec-timeout 30 0
password 7 xxxxxx
logging synchronous
login
line vty 0 4
access-class 70 in
exec-timeout 100 0
privilege level 15
password 7 xxxxxxx
logging synchronous
login local
transport input telnet ssh
scheduler allocate 20000 1000
end

Tried that and its still the same. All the devices are playing up.
Could the hardware be toast?
*Aug 30 18:23:43.762: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
*Aug 30 18:23:49.326: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 30 18:24:03.778: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
ing station has left the BSS SSID[THE MATRIX]
--More--
*Aug 30 18:31:52.314: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   bccf.cca7.43ea Associated SSID[THE MATRIX] AU
TH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:04.478: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
ing station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:09.114: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:18.710: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Prev
ious authentication no longer valid SSID[THE MATRIX]
CORE#
*Aug 30 18:32:20.230: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:26.070: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:34.058: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
ing station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:47.258: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:47.678: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:33:12.146: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
ing station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:33:32.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:34.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:39.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:44.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:46.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:48.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:53.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:34:10.206: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Prev
ious authentication no longer valid SSID[THE MATRIX]

%DOT11-7-AUTH_FAILED

Hello,
I have problem med wireless authentication.
Have tried following Operative system on clients. Windows XP, Windows Vista and Windows 7.
Radius Server is working normally.
Under here is debug, version and configuration. Kan somebody se something wrong ? I have no Idea..
Please help me to solve this problem.
Thanks,
Christian Overrein
Debug report.
000272: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000273: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000274: *Jan 14 21:18:10.331 UTC: EAPOL pak dump tx
000275: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x0032
000276: *Jan 14 21:18:10.331 UTC: EAP code: 0x1 id: 0x2 length: 0x0032 type: 0x1
07403990:                   01000032 01020032          ...2...2
074039A0: 01006E65 74776F72 6B69643D 56656C66 ..networkid=Velf
074039B0: 65726465 6E2C6E61 7369643D 56454C57 erden,nasid=VELW
074039C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
000277: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg: sending data to requestor status 1
000278: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000279: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds
000280: *Jan 14 21:18:10.331 UTC: dot11_auth_parse_client_pak: Received EAPOL packet from 0017.3f78.977b
000281: *Jan 14 21:18:10.331 UTC: EAPOL pak dump rx
000282: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
074030D0:                   01010000                   ....
000283: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000284: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000285: *Jan 14 21:18:10.335 UTC: EAPOL pak dump tx
000286: *Jan 14 21:18:10.335 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x0032
000287: *Jan 14 21:18:10.335 UTC: EAP code: 0x1 id: 0x3 length: 0x0032 type: 0x1
07404390:                   01000032 01030032          ...2...2
074043A0: 01006E65 74776F72 6B69643D 56656C66 ..networkid=Velf
074043B0: 65726465 6E2C6E61 7369643D 56454C57 erden,nasid=VELW
074043C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
000288: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg: sending data to requestor status 1
VELWR0001#
000289: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000290: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds
000328: *Jan 14 21:23:47.627 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000329: *Jan 14 21:24:21.727 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000330: *Jan 14 21:24:55.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000331: *Jan 14 21:25:29.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
Show Version.
System returned to ROM by reload at 20:58:46 UTC Fri Jan 14 2011
System image file is "flash:/c181x-adventerprisek9-mz.151-3.T.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 1812W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ120995G1, with hardware revision 0000
10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
2 802.11 Radios
31360K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO1812W-AG-E/K9    FCZ120995G1
Show running-config
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname VELWR0001
boot-start-marker
boot system flash:/c181x-adventerprisek9-mz.151-3.T.bin
boot-end-marker
logging userinfo
logging buffered 20000
enable secret 5 $1$TGe/$Bnajd6kvDh/E8pMtAAND00
enable password 7 104D000A0618
aaa new-model
aaa group server radius rad_acct
server 10.0.1.10 auth-port 1645 acct-port 1646
aaa group server radius rad_eap
server 10.0.1.10 auth-port 1645 acct-port 1646
aaa group server radius Velferden_group
server-private 10.0.1.10 auth-port 1645 acct-port 1646 key 7 047602101C705C460D
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login Velferden_list group Velferden_group
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
aaa session-id common
dot11 syslog
dot11 activity-timeout unknown default 1800
dot11 activity-timeout client default 1800
dot11 activity-timeout repeater default 1800
dot11 activity-timeout workgroup-bridge default 1800
dot11 activity-timeout bridge default 1800
dot11 ssid Velferden
vlan 102
authentication open eap Velferden_list
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name velferden.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
username backup privilege 15 secret 5 $1$1/JH$cqnXDVsAd/hjPE6lyLOVe.
ip tcp synwait-time 10
bridge irb
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
encryption vlan 102 mode ciphers aes-ccm
broadcast-key vlan 102 change 30
ssid Velferden
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 102 mode ciphers aes-ccm
broadcast-key vlan 102 change 30
ssid Velferden
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio1.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet2
description VELAR0001
switchport access vlan 100
interface FastEthernet3
description VELDC0001
switchport access vlan 100
spanning-tree portfast
interface FastEthernet4
description BORDSWITCH
switchport access vlan 100
interface FastEthernet5
description KLIENTER
switchport access vlan 100
spanning-tree portfast
interface FastEthernet6
description VELSK0001
switchport access vlan 100
spanning-tree portfast
interface FastEthernet7
description KLIENTER
switchport access vlan 100
spanning-tree portfast
interface FastEthernet8
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
interface FastEthernet9
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
interface Vlan1
no ip address
shutdown
interface Vlan100
description User
ip address 10.0.1.9 255.255.255.128
ip helper-address 10.0.1.10
interface Vlan102
no ip address
bridge-group 1
interface Group-Async9
physical-layer async
no ip address
encapsulation slip
interface BVI1
ip address 10.0.1.129 255.255.255.128
ip helper-address 10.0.1.10
ip default-gateway 10.0.1.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip radius source-interface Vlan100
logging esm config
logging trap debugging
logging source-interface Vlan100
logging 10.0.1.10
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 7 153427232D011F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
line aux 0
line vty 0 4
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler interval 500
end

Hi Sebastian!
OS: I am using Windows 2003 SP2
Radius: IAS (Internet Authentication Service)
I cannot se any errors in the IAS log. The reason is the router doesnt send request to the service for authentication because ut is not been redirected.
Connectivity is checked. I am using radius as login authentication, that works. It is wireless that is the problem.
In my latest post I have posted the configuration.
I hope you may can help me to solve the problem.
regards,
Christian

Authentication failed AP1131

Hello,
I got a report from a branch office which is getting trouble to authenticate users to the WLAN this is a stand alone AP which has a configuration script that we use for all our branch offices but in this case is not working. It seems to be an issue with RADIUS but if it was the case the whole company would be experiencing problems since it is a central RADIUS server.
Here is a log from the AP
By the way I modified the radius server timeout to 90 sec
APIMMEXP01#
Sep 1 17:01:47.240: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:01:53.503: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:01:58.739: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:02:35.587: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:02:35.589: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:02:47.476: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:02:53.768: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:02:58.966: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:00.953: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:04:07.050: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:04:12.332: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:05:01.009: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:05:07.175: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:05:12.517: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:06:01.247: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:06:20.707: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:06:25.241: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:06:25.243: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:06:25.836: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:07:01.237: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:07:20.694: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:07:25.818: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:08:01.623: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:08:27.978: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:08:27.979: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:08:34.301: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:08:39.325: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:09:15.042: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:09:34.664: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:10:15.184: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:10:48.062: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed

What error is the AAA server showing for these errors?
Sent from Cisco Technical Support iPad App

Getting the error "Authentication failed."

Hi,
I am getting the error +"Authentication failed. If problem persists, please contact the system administrator"+ while login to OEM12c grid console as sysman user.
I thought it was sysman password related and set the new password at DB level and OMS level too.
Changed the SYSMAN user password at DB level as: alter user sysman identified by qmpzla102;
Changed the SYSMAN user password at Grid level (OMS level) as: emctl config oms -store_repos_details -repos_host ushdc8951.us.deloitte.com -repos_port 1521 -repos_sid OER -repos_user SYSMAN -repos_pwd qmpzla102
Though I am getting the same error while login to the OEM console.
Please help me in getting the solution.
Thanks,
Mahipal

Similar thread
Error while login to 12c R2 OEM grid

802.1x authentication fail

i have a juniper device linux operating system on that we have radius server configured and i am trying to integrate my WLC with that radius
i have added WLC as a host there in radius
on wlc i have configured authentication like radius ip shared secret key and done
its working i can ping radius server
also in wlc i configured on Wlan aaa allow override check box and also hited the WPA2 802.1x layer2 security and radius server option brought on top.
i also configured my windows wireless adaptor as PEAP MSCHAP v2
i am trying to connect this ssid and its asking for my AD accounts but when i enter that its not authenticating users and giving this logs.
(WiSM-slot24-1) >debug aaa events enable
(WiSM-slot24-1) >
(WiSM-slot24-1) >
(WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
*dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
*aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
*radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
*radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
*radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
*aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
*radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
*dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
any idea to solve this problem?
or any one knows that how to configur a radius server on juniper linux operating system?
many thanks in advance

You should post on the Juniper forums regarding your policy configuration. You should stick with using a radius than just doing ldap through the wlc. Here is a link for webauth using ldap, but should get you close. Again... you should look at getting your juniper radius configuration fixed first.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

802.1x port authentication failing after getting a access-accept packet

Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model              SW Version            SW Image
*    1 54    WS-C3750X-48       15.2(1)E              C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580:     eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580:     eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580:     eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580:     eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1   Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1   Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606:     Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606:     eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614:     eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name           [1]   28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type        [6]   6   Framed                    [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco       [26] 27
Oct 24 10:53:47.614: RADIUS:   Cisco AVpair       [1]   21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU          [12] 6   1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id   [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message         [79] 33
Oct 24 10:53:47.614: RADIUS:   02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS:   62 75 72 6E 2E 61 64 6D 69 6E        [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS:   EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED             [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name        [102] 2   *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco       [26] 49
Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco       [26] 20
Oct 24 10:53:47.622: RADIUS:   Cisco AVpair       [1]   14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address      [4]   6   192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port            [5]   6   60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id         [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class               [25] 46
Oct 24 10:53:47.622: RADIUS:   76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50          [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622:     eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1   Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down

Hi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface    MAC Address    Method       Domain          Status    Fg Session ID
Gi1/0/13     803f.5d09.189e N/A          UNKNOWN      Unauth         C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
          Mac Address Table
Vlan    Mac Address       Type        Ports
80    803f.5d09.189e    DYNAMIC     Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace

NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2

I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2. When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code
16. When I switch it back to the 2008 R2 server, it works fine. The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I
used the MS prescribed migration process. The only thing that differs is the server's certificate name used in the PEAP setup screen.
I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
I've verified the shared secrets multiple times. Both servers are domain controllers.
Here is an example of the errors logged on the 2012 R2 server.
========================================
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
   Security ID:           FAITHCHURCH\youthroom$
   Account Name:           host/YOUTHROOM.faithchurch.net
   Account Domain:           FAITHCHURCH
   Fully Qualified Account Name:   FAITHCHURCH\youthroom$
Client Machine:
   Security ID:           NULL SID
   Account Name:           -
   Fully Qualified Account Name:   -
   OS-Version:           -
   Called Station Identifier:       -
   Calling Station Identifier:       44-37-E6-C0-32-CA
NAS:
   NAS IPv4 Address:       192.168.1.1
   NAS IPv6 Address:       -
   NAS Identifier:           -
   NAS Port-Type:           Ethernet
   NAS Port:           1010
RADIUS Client:
   Client Friendly Name:       Extreme X440
   Client IP Address:           192.168.1.1
Authentication Details:
   Connection Request Policy Name:   Secure Wired (Ethernet) Connections 2
   Network Policy Name:       Secure Wired (Ethernet) Connections 2
   Authentication Provider:       Windows
   Authentication Server:       Sigma.faithchurch.net
   Authentication Type:       PEAP
   EAP Type:           -
   Account Session Identifier:       -
   Logging Results:           Accounting information was written to the local log file.
   Reason Code:           16
   Reason:               Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
========================================

Hi,
Have you added the NPS server to the RAS and IAS Servers
security group in AD DS?
The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
Try to add a loal user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
If the issue persists, it means that the configuration between NPS and NAS is wrong.
Steven Lee
TechNet Community Support

Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

We use exchange 2010 SP2.
We have 2 management stations, both w2k8 R2 SP1.
I have one mangement station on which the emc and ems works ok.
On the other management staiton (which is also in another ad site) the emc and ems don't work.
I get the following error message : The attempt to connect to
http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I have checked the time on the management station and on the exchange server and this is ok.
It is not a permissions issue because the user functions ok on the other management station.
On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
What am I doing wrong?
Anyone any tips?
Thanks,
JB

This is what I get in the eventlog of the bad management station.
Log Name:      MSExchange Management
Source:        MSExchange CmdletLogs
Date:          1/10/2012 11:39:27
Event ID:      6
Task Category: (1)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server.domain.com
Description:
The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Get-ExchangeServer
{Identity=Servername}
Domain/ou/ou/ou/ou/username
Exchange Management Console-Local
3080
22
00:00:00.3593888
View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
Context
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="MSExchange CmdletLogs" />
    <EventID Qualifiers="49152">6</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
    <EventRecordID>11</EventRecordID>
    <Channel>MSExchange Management</Channel>
    <Computer>FQDN MGMT STATION</Computer>
    <Security />
</System>
<EventData>
    <Data>Get-ExchangeServer</Data>
    <Data>{Identity=MGMT STATION}</Data>
    <Data>domain/ou/ou/ou/ou/username</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>Exchange Management Console-Local</Data>
    <Data>3080</Data>
    <Data>
    </Data>
    <Data>22</Data>
    <Data>00:00:00.3593888</Data>
    <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
    <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
    <Data>Context</Data>
    <Data>
    </Data>
</EventData>
</Event>

Web authentication with Radius server problem

Hello,
I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
*emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
*aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
*aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
*aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
*aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
*aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
*aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
*aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
*aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
*aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff df 06 53 30 c0 be e1 8e .C..H|....S0....
*aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65 66 72 73 76 65 02 12 7b ......aaaaaa..{
*aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc 3b 08 65 d7 04 0e ba 06 ........;.e.....
*aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a 2e 09 14 05 06 00 00 00 ................
*aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74 2d 6c 77 63 31 30 3d 06 ...xxxxx-lwc10=.
*aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36 38 2e 31 2e 36 31 1e 0c ..192.168.1.61..
*aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e 32 30 50 12 95 11 7c d9 10.xx.9.20P...|.
*aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8 38 ab 68 4a              u..n.b8.8.hJ
*radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75 52 04 af e0 07 b7 fb 96 .C.....uR.......
*radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
*radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
*radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
*radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
*radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
*radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
*radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
*radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
*radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
*radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
*radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
*radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
*emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
*emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
That was pretty clear for me that Radius is refusing to give user access.
Fully-Qualified-User-Name = NMEA\aaaaaa
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
Called-Station-Identifier = 10.xx.9.20
Calling-Station-Identifier = 192.168.1.61
Client-Friendly-Name = YYY10.xx
Client-IP-Address = 10.xx.9.20
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Proxy-Policy-Name = Use Windows authentication forall users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Users
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
That output is from WLC 5508 version 7.0.235
What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
this is output from working client connection from old WLC
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
Client-Friendly-Name = YYY10.46
Client-IP-Address = 10.xx.9.13
Calling-Station-Identifier = 192.168.19.246
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = YYYYY Wireless Guest Access
Authentication-Type = PAP
EAP-Type = <undetermined>
I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
Is it maybe problem of version 7.0.235?
Any toughts would be much appriciated.

Scott,
You are probably right. The condition that is checked for the first policy name (we have 2) is to match
NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
As I said before.
WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
WLC 4402 ver. 4.2.207 is not.
The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

RADIUS rlm_mschap: authentication failed -14090

We have a Mac mini server running Snow Leopard, and we have configured the RADIUS server to provide WPA2 Enterprise authentication for our Airport Base Stations. I thought I'd share the solution to a problem we were experiencing from time to time where a user could not fully-authenticate to the network. Our logs radiusd would show:
Auth: rlm_opendirectory: User <username> is authorized
Auth: rlm_mschap: authentication failed -14090
Auth: rlm_opendirectory: Could not get the user's uuid
This happened most recently when a user got a new laptop and had migrated everything from a Time Machine back-up. I tried restarting the server, RADIUS, resetting the user's password, etc. Nothing seemed to make a difference, and these logs might as well say nothing at all -- completely unhelpful.
I then had the user log in to his Mac under a different account and try to connect and it was successful. Back to the original account, and we found a whole bunch duplicated profiles under the 802.1X tab in the Network panel of System Preferences. After deleting all of those and trying it again, it finally worked.
Not sure why the server side couldn't be a little more helpful in diagnosing the problem, but there you go...

I have similar issues, and tried what you suggested, but no dice. Cross-posted here: http://discussions.apple.com/thread.jspa?messageID=11894473
Summary, one OD account is able to authenticate via AEBS, other accounts are not, and I cannot see any difference.

SAP Business One Integration Services Authentication Failed

Dear ,
ALL SAP forum members,
Iam Using SAP Business One 8.81 PL 06, Micorsoft SQL 2008 R2
In SLD B1DI and JDBC, the connections were tested successfully.
Whenever I log into SBO, I am getting "SAP Business One Integration Services Authentication Failed" error message. I did extensive research on all possible SBO documents dating 1 year back especially in B1ic Troubleshooting Document (New and Old) and searched the length of the SBO forums, but I could not a solution.
I uninstalled and reinstalled the B1f package many a time. The integration services we re also restarted many times and the connections were all tested successfully. Firewall, AntiVirus also checked.
In the B1f, in the Monitoring Window, the login is "Ok" but the AuthCheck is "Failed". I checked Authent.Monitor->Authentic Info and I found the following message under Action message "Wrong Usrname and Password".
I debugged and i found again "/com.sap.b1i.vplatform.scenarios.authen/sap.Xcelsius/Authenticate_Check.bfd
But could not understand much of it.
But i could go no further. The experts are requested to suggest their solutions, If any, to me as Iam stuck in this phase for the last 3 week
I hope some experts will guide me over this issue
Thanks and regards
Ashish Gupte

Hi Konstantin Ryahovsky
Thanks for your reply. My problem is solved.
And frankly speaking i dont know how it was solved. I have not uninstall, install ,not even i had restarted the server also.
only change i did in SLD >> Maintainance >>> cfg Runtime >>>> Put server IP address instead of server Name and restarted the services.
Thanks & regards
Ashish Gupte

Toshiba EXCITE Pro - WIFI connection. Authentication failed after update

Hello.
Just received this Tablet.
Everything seemed ok while updating to the latest version (did that first to solve the heat problems).
After the last update *i lost my WIfi connection. Authentication failed* (didnt change something - was connecting - updating ok 1 minute before the last update).
After that i started testing ,Wps connection , No security Wifi etc etc.
*Finally at a random time (and with the initial settings) i got connected*. After i shut down the tablet the same problem occured.
After doing the same things again i finally got connected and this time it seems to be ok, even after i shut down the tablet.
However this is frustrating.
Maybe you have to sort this out?
I have seen and other people returning this tablet after having this problem.
It is not a hardware problem since its working ok before the update.
Of course tried factory reset twice.
Hope i dont have this problem again, *but i am informing in hope that you fix this in a future update.*

Toshiba sent me the fix for this. Figured I would use Facebook and they sorted a solution straight away.
It requires a complete reset. Not the soft reset from within Android.
I'll post it here as they will check through moderation I guess.
Thanks for sending a private message Ben. For us to get this resolved for you we would advise to perform a reset from the Android system recovery menu, to do the reset please follow these steps:
The reset process will delete any data, settings, and applications on your tablet. You must have a backup of any data you wish to keep before proceeding.
1. Make sure the tablet is off and not in standby.
2. Hold down the Volume Up and Power buttons simultaneously until the two Android icons appear.
3. Use the volume buttons to select the white box on the right.
4. Once selected, press the power button.
5. Use the volume buttons to select wipe cache partition and then press the power button.
6. Select Yes and press the power button.
7. Use the volume buttons to select wipe data/factory reset and then press the power button.
8. Select Yes and press the power button.
9. The tablet will now reset.
If you have any issues after the reset please get back to us as soon as possible!
Its been working well ever since. I guess the cache clean part might be the main one. You'll have to select the reboot yourself as I did at the end.
Might be best to use Facebook i'll see if I can find my post as the response was quick and efficient unlike their responses in here. I.e nowt from them so far.
They needed my name and serial numbers probably to log problems etc.
Message was edited by: bensimmo

I'm trying to connect through the FTP client Filezilla. When I try to login with the wizard, it gives me a "503 Failure of Data Connection" reply; when I attempt to login myself, it gives me a "530 Login Authentication Failed." HELP!!!

My current softward is: Mac OS X Lion 10.7.5 (11G63)
When I attempt to use the Filezilla connection wizard I get the following message:
Connecting to probe.filezilla-project.org
Response: 220 FZ router and firewall tester ready
USER FileZilla
Response: 331 Give any password.
PASS 3.7.1.1
Response: 230 logged on.
Checking for correct external IP address
Retrieving external IP address from http://ip.filezilla-project.org/ip.php
Checking for correct external IP address
IP 27.0.19.56 ch-a-bj-fg
Response: 200 OK
PREP 52470
Response: 200 Using port 52470, data token 1871898076
PORT 27,0,19,56,204,246
Response: 200 PORT command successful
LIST
Response: 150 opening data connection
Response: 503 Failure of data connection.
Server sent unexpected reply.
Connection closed
When I attempt to login Host/Username/Password myself I get the following message:
Status:          Resolving address of amyhoney.com
Status:          Connecting to 184.168.54.1:21...
Status:          Connection established, waiting for welcome message...
Response:          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:          220-You are user number 12 of 500 allowed.
Response:          220-Local time is now 04:05. Server port: 21.
Response:          220-This is a private system - No anonymous login
Response:          220 You will be disconnected after 3 minutes of inactivity.
Command:          USER 5475****
Response:          331 User 5475**** OK. Password required
Command:          PASS ********************
Response:          530 Login authentication failed
Error:          Critical error
Error:          Could not connect to server
Now before anyone points out the obvious: my username and password are correct. I've already gone through changing them so I know they are.
Additionally, I've pretty much tried EVERYTHING I've read online, from messing with "terminal" (and subsequently the FTP and STFP options) to changing the sharing options and turning on file sharing/remote management as well as just turning off my Firewall completely.
Now I've used Filezilla before when I first published my site and everything worked fine. My site is published through Wordpress so most of my editing was done through simply logging into my "wp-login." I recently changed the theme and in order to change the header image in that theme I have to do it through my "wp-content" folder, which means I need to use Filezilla. I feel like a complete moron right now considering I've had my site for about a year and can't even doing something this simple.
I've read that the newer version of Lion/Mountain Lion don't support automatice FTP anymore, which (as I mentioned prior) I attempted to fix through Terminal. However, nothing I do seem to do works.
Can someone walk me through fixing this? And I do mean 'walk me through'. I'm not a tech-savvy nerd who knows all the lingo, I just know the basics so sorry if my ignorance offends you.
HELP!!

First be sure login and password are OK. Sometimes the address starts wit "http://..." and sometime starts with "ftp://...". Try both normal FTP access and Scure FTP access (SFTP). At the end, contact the site's provider.

%DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible

Similar Messages

Maybe you are looking for