%DOT11-7-AUTH_FAILED

Similar Messages

• %DOT11-7-AUTH_FAILED: %DOT11-6-DISASSOC:

  Hello again,
  Thought this issue was fixed yesterday after finding out my printer was the MAC address flashing up on the log, however it seems that every device is playing up.
  Thanks
  James
  These are my wirless devices, 
  APPLE IPHONE     6809.2780.219a
  DELL LAPTOP        0026.c7e2.68be
  HTC PHONE           bccf.cca7.43ea
  LG TV                    9444.4434.d43c
  HP LAPTOP           001f.3c83.bd9e
  PRINTER               0080.927b.0edb
  SONY ERICSSON  b8f9.3410.9524
  PLAYSTATION 3     280d.fcec.27c4
  The log....
  *Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated
  SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 280d.fc
  ec.27c4 Reason: Sending station has left the BSS SSID[THE MATRIX]
  *Aug 28 21:06:37.321: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   280d.fcec.27c4 Associated
  SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.27
  80.219a Reason: Previous authentication no longer valid SSID[THE MATRIX]
  *Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
  7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
  *Aug 28 21:09:41.117: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociat
  ed SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 6809.2780.219a Authentication failed
  *Aug 28 21:11:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   6809.2780.219a Associated
  SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:11:55.321: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.27
  80.219a Reason: Sending station has left the BSS SSID[THE MATRIX]
  *Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
  7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
  *Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
  *Aug 28 21:19:39.324: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated
  SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:23:54.664: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
  7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
  *Aug 28 21:23:59.212: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
  *Aug 28 21:24:07.756: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Reassociat
  ed SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
  *Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cc
  a7.43ea Reason: Sending station has left the BSS SSID[THE MATRIX]
  *Aug 28 21:37:08.112: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
  *Aug 28 21:42:36.712: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.92
  7b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
  *Aug 28 21:42:41.080: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
  *Aug 28 21:42:46.828: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   0080.927b.0edb Associated
  SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:43:20.296: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associa
  ted SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 28 21:43:20.300: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c
  83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
  *Aug 28 21:43:25.808: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c
  83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
  This is my running config....
  CORE#sh run
  Building configuration...
  Current configuration : 6692 bytes
  ! Last configuration change at 21:37:08 UTC Wed Aug 28 2013 by James
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname CORE
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  no aaa new-model
  dot11 syslog
  dot11 ssid THE MATRIX
  authentication open
  authentication key-management wpa
  guest-mode
  infrastructure-ssid
  wpa-psk ascii 7 xxxxx
  ip source-route
  ip cef
  ip dhcp excluded-address 192.168.0.1 192.168.0.19
  ip dhcp excluded-address 192.168.0.61 192.168.0.254
  ip dhcp excluded-address 172.0.0.1 172.0.0.10
  ip dhcp pool LAN_Addresses
  import all
  network 192.168.0.0 255.255.255.0
  dns-server 8.8.8.8 4.2.2.2
  default-router 192.168.0.1
  lease 5
  ip dhcp pool THE MATRIX
  import all
  network 172.0.0.0 255.255.255.0
  default-router 172.0.0.1
  dns-server 8.8.8.8 4.2.2.2
  lease 5
  no ip domain lookup
  ip domain name firewire2013
  ip name-server 4.2.2.2
  no ipv6 cef
  multilink bundle-name authenticated
  voice-card 0
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-3845826623
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3845826623
  revocation-check none
  crypto pki certificate chain TP-self-signed-3845826623
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33383435 38323636 3233301E 170D3133 30383235 30363031
    31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38343538
    32363632 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    81009FF5 DA191624 A7ECAE35 A3F660AB A049B91F CB83F93F 888EB00D F5E2C20E
    83486395 E7069E1D 36BD1EEB 12AFCE88 2E8F5320 52E67F70 3F4716E9 97B1F33E
    0147A66D D573E9BC 36D35EA1 226D723B FAEDDCB2 C263511B DA745A66 8798BCEC
    F581248B FCD39380 FE92CEB9 09328BCD 71F9D1E1 BCCCB9DB EFA1DC22 ED7CF8BD
    25FD0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 143D0167 51FECFA9 ED03DF31 6B0A562E E10A9300 AE301D06
    03551D0E 04160414 3D016751 FECFA9ED 03DF316B 0A562EE1 0A9300AE 300D0609
    2A864886 F70D0101 04050003 8181006B C454436A 370AC181 BBA4017F 41E3DFD2
    CFE9665B 80F797DC B7130067 318318F9 094A4672 5BA2A50F 80EC1225 4C958474
    E309731D 9E4E5265 B861BAF0 36E4996B B396CB6C BF210CE6 59F3D165 441C2302
    3693441B DB45704D 5A6A15F5 79F939F9 6A9DDA84 DFDF5D11 E729D505 A1692E21
    2D95292C 6AC1263E FB35C46E 6D6874
          quit
  license udi pid CISCO2811 sn FCZ09237316
  username James privilege 15 secret 5 xxxxxxxxxxxxxxxxx
  redundancy
  class-map type inspect match-any sdm-cls-insp-traffic
  class-map type inspect match-all sdm-insp-traffic
  match class-map sdm-cls-insp-traffic
  class-map type inspect match-any SDM-Voice-permit
  match protocol h323
  match protocol skinny
  match protocol sip
  class-map type inspect match-any sdm-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
  class-map type inspect match-all sdm-invalid-src
  match access-group 102
  class-map type inspect match-all sdm-icmp-access
  match class-map sdm-cls-icmp-access
  class-map type inspect match-all sdm-protocol-http
  match protocol http
  interface FastEthernet0/0
  description CONNECTION TO MODEM>ISP$ETH-WAN$
  ip address dhcp
  ip nat outside
  ip virtual-reassembly in
  duplex full
  speed 100
  no cdp enable
  interface FastEthernet0/1
  description CONNECTION TO LAB
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex full
  speed 100
  interface Dot11Radio0/2/0
  description WLAN TO MOBILE USERS
  ip address 172.0.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  encryption mode ciphers tkip
  ssid THE MATRIX
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface FastEthernet0/0/0
  description CONNECTION TO CORE PC
  no ip address
  interface FastEthernet0/0/1
  description CONNECTION TO PS3
  no ip address
  interface FastEthernet0/0/2
  description CONNECTION TO ACCESS SERVER
  no ip address
  interface FastEthernet0/0/3
  no ip address
  interface Vlan1
  description MANAGEMENT INTERFACE
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  router eigrp 10
  network 192.168.0.0 0.0.255.255
  redistribute static
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip nat inside source list 1 interface FastEthernet0/0 overload
  ip nat inside source list 2 interface FastEthernet0/0 overload
  ip access-list extended SDM_HTTPS
  remark SDM_ACL Category=1
  permit tcp any any eq 443
  ip access-list extended SDM_SHELL
  remark SDM_ACL Category=1
  permit tcp any any eq cmd
  ip access-list extended SDM_SSH
  remark SDM_ACL Category=1
  permit tcp any any eq 22
  access-list 1 permit 192.168.0.0 0.0.255.255
  access-list 2 remark SDM_ACL Category=2
  access-list 2 permit 172.0.0.0 0.0.0.255
  access-list 70 remark THIS WILL DENY HOST FROM TELNETTING TO R1
  access-list 70 deny   192.168.10.50
  access-list 70 permit any
  access-list 100 remark SDM_ACL Category=128
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip 172.0.0.0 0.0.0.255 any
  access-list 100 permit ip 192.168.0.0 0.0.0.255 any
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 101 remark SDM_ACL Category=128
  access-list 101 permit ip any any
  access-list 102 remark SDM_ACL Category=128
  access-list 102 permit ip host 255.255.255.255 any
  access-list 102 permit ip 127.0.0.0 0.255.255.255 any
  access-list 102 permit ip 172.0.0.0 0.0.0.255 any
  access-list 102 permit ip 192.168.0.0 0.0.0.255 any
  access-list 102 permit ip 192.168.1.0 0.0.0.255 any
  control-plane
  mgcp profile default
  alias exec s show ip interface brief
  alias exec rc show running-config
  alias exec r show ip route
  alias exec v show version
  banner motd ^CCCC
  ###DO NOT LOG ON AUTHORIZED PERSONNEL ONLY####
  ^C
  line con 0
  exec-timeout 100 0
  password 7 xxxxxx
  logging synchronous
  login
  line aux 0
  exec-timeout 30 0
  password 7 xxxxxx
  logging synchronous
  login
  line vty 0 4
  access-class 70 in
  exec-timeout 100 0
  privilege level 15
  password 7 xxxxxxx
  logging synchronous
  login local
  transport input telnet ssh
  scheduler allocate 20000 1000
  end

  Tried that and its still the same.  All the devices are playing up.
  Could the hardware be toast?
  *Aug 30 18:23:43.762: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
  *Aug 30 18:23:49.326: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
  AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  *Aug 30 18:24:03.778: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
  ing station has left the BSS SSID[THE MATRIX]
  --More--
  *Aug 30 18:31:52.314: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station   bccf.cca7.43ea Associated SSID[THE MATRIX] AU
  TH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  CORE#
  *Aug 30 18:32:04.478: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
  ing station has left the BSS SSID[THE MATRIX]
  CORE#
  *Aug 30 18:32:09.114: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
  AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  CORE#
  *Aug 30 18:32:18.710: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Prev
  ious authentication no longer valid SSID[THE MATRIX]
  CORE#
  *Aug 30 18:32:20.230: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
  CORE#
  *Aug 30 18:32:26.070: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
  AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  CORE#
  *Aug 30 18:32:34.058: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
  ing station has left the BSS SSID[THE MATRIX]
  CORE#
  *Aug 30 18:32:47.258: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
  CORE#
  *Aug 30 18:32:47.678: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX]
  AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  CORE#
  *Aug 30 18:33:12.146: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Send
  ing station has left the BSS SSID[THE MATRIX]
  CORE#
  *Aug 30 18:33:32.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:34.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:39.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:44.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:46.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:48.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:33:53.442: Client 001f.3c83.bd9e failed: reached maximum retries
  CORE#
  *Aug 30 18:34:10.206: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Prev
  ious authentication no longer valid SSID[THE MATRIX]

• Cisco1941W error massage "%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"

  I am using Cisco1941W.
  When I connect CliantPC to Wireless(1941W) I got bellow massage from 1941AP.
  "%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"
  And I couldn't ping from my PC to AP and Router.
  Its possible communication from AP to Router.
  I show 1941AP configration.
  Could you find wrong?
  By the way, my PC connected to AP by 108Mbps.
  But my PC supported only 802.11a/b/g .
  My PC use Static IP Address and use TEST-2  ssid.
  I couldn't find error from my PC.
  (start)
  hostname TEST
  enable secret test
  aaa new-model
  aaa group server radius rad_eap
  server 10.73.12.2 auth-port 1645 acct-port 1646
  aaa session-id common
  dot11 syslog
  dot11 ssid TEST-1
     vlan 100
     authentication open eap eap_methods
     authentication key-management wpa
     mbssid guest-mode
  dot11 ssid TEST-2
     vlan 200
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii testtesttesttesttest
  dot11 aaa csid ietf
  username Cisco password 7 05280F1C2243
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  no shut
  encryption vlan 100 mode ciphers aes-ccm
  encryption vlan 200 mode ciphers aes-ccm
  ssid TEST-1
  ssid TEST-2
  mbssid
  antenna gain 0
  station-role root
  interface Dot11Radio0.100
  encapsulation dot1Q 100 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.200
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  no shut
  encryption vlan 100 mode ciphers aes-ccm
  encryption vlan 200 mode ciphers aes-ccm
  ssid TEST-1
  ssid TEST-2
  antenna gain 0
  no dfs band block
  channel 5180
  station-role root
  interface Dot11Radio1.100
  encapsulation dot1Q 100 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1.200
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled
  interface GigabitEthernet0
  description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
  no ip address
  no ip route-cache
  bridge-group 5
  no bridge-group 5 source-learning
  bridge-group 5 spanning-disabled
  no shut
  interface GigabitEthernet0.100
  encapsulation dot1Q 100 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0.200
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 2
  no bridge-group 2 source-learning
  bridge-group 2 spanning-disabled
  interface BVI1
  ip address 10.73.12.7 255.255.255.0
  no ip route-cache
  ip default-gateway 10.73.12.1
  ip http server
  no ip http secure-server
  radius-server deadtime 1440
  bridge 1 route ip
  (end)
  I guess errer massage is telling Radio Frequency error.
  I tried to change configuration "speed".
  But still get error massage and I couldn't ping from my PC.

  Thanks, leolaohoo.
  > My PC use Static IP Address and use TEST-2  ssid.
  so I use TEST-2.
  in this case, ignore TEST-1.
  I just paste real configuration.
  I tried to connect again.
  But still I can't ping from PC to AP.
  I use other PC.
  I configured bellow.
    -interface dot11Radio0
    -speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  It was same resault.
  Is cisco1941w broken?
  I'd like to know one more.
  I configured bellow, but I couldn't use 802.11a.
    -interface dot11Radio0
    -shutdown
  how to use 802.11a(5GHz)?

• %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible

  Hi All,
  My wireless network system is consisting with 7.5 virtuall wireless controller and few 3600i APs.
  All SSIDs & APs have been configured in flexconnect & flexconnect groups.
  APs acquire IP address & controller IP address via DHCP option 43.
  My problem is,
  After I created a new SSID & pushed it. APs don't reboot itself but disconnecting from the controller and never come up back until give a manuall power reboot for each APs.
  * DHCP server has not been configured any authentication mechanism for APs.*
  I got below console outputs:
  *Dec  5 16:56:42.830: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed%Unknown DHCP problem.. No allocation possible
  *Dec  5 16:56:54.226: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed
  *Dec 21 06:15:03.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Dec 21 06:15:03.283: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Dec 21 06:15:04.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *Dec 21 06:15:14.135: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
  *Dec 21 06:15:14.539: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Dec 21 06:15:15.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Dec 21 06:15:15.375: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  *Dec 21 06:15:15.387: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
  *Dec 21 06:15:15.395: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *Dec 21 06:15:16.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Dec 21 06:15:16.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *Dec 21 06:15:16.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
  *Dec 21 06:15:16.435: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
  *Dec 21 06:15:16.451: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
  *Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *Dec 21 06:15:17.491: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
  ., 26)1 06:15:17.983: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
  *Dec 21 06:15:18.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
  *Dec 21 06:15:24.427: %EVT-4-WRN: Write of flash:/event.capwap done
  *Dec 21 06:15:24.447: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
  *Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
  *Dec 21 06:15:24.459: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.15.2:5246
  *Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Invalid event 46 & state 4 combination.
  *Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 46, state 4
  *Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
  *Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to process Periodic Echo timer message.
  *Dec 21 06:15:24.507: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
  *Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 0 down
  *Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 1 down
  Anybody know the reason for this behavior ?
  Thanks,
  Charith

  Hi Charith,
  It's looks like AP goes into Standalone mode due to it cannot reach your WLC. In flexconnect when it cannot reach WLC, it will go into standalone mode without rebooting AP. (in local mode AP will reboot unless it can find a WLC)
  Can you check your AP has reahability to your WLC all the time ? Where the DHCP configured for users ?
  HTH
  Rasika

• AP1200 with EAP - dot11 holdoff timer

  Hi all
  We are running AP1200 with open eap. We are experiencing a transient problem with a couple unknown PC's attempting (and Failing) authentication every second. After some time, the memory gets fragmented on the AP, causing the AP to hang.
  From the AP
  >>>
  Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
  Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
  Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
  Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
  Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from
  Pool: Processor Free: 122180 Cause: Memory fragmentation
  Alternate Pool: None Free: 0 Cause: No Alternate pool
  -Process= "Logger", ipl= 6, pid= 16
  -Traceback= 10DDB0 10FF40 108EF0 117C20 366E0 368A0 442FC 445A8 47CEC 1337F8
  Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
  <<<
  We have not been able to find this certain host.
  We attempted to mitigate the failures using the "dot11 holdoff-timer 120". From the documentation this command looks like it will only take effect when performing MAC Authentication, yet in the configuration guide, it does not specify mac authen only. We have not had success in the lab.
  Can anyone here shed some more light on this command.
  TIA,
  Alex

  If all the PCs in your wireless network are working , then the unknown PCs could be some rogue devices trying to access the network. Since authentication is failing at every attempt it is clear that it is a rogue device trying to get entry in to the network.

• How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory

  I have a Win2008 server set up as a radius server (192.168.32.71) and a stand alone AP (192.168.201.9) The AP is config is below:
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
  ip subnet-zero
  ip domain name TKGCORP.local
  ip name-server 192.168.32.71
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa group server radius rad_eap1
  server 192.168.201.9 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authentication login eap_methods1 group rad_eap1
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 ssid ka_test
     vlan 201
     authentication open eap eap_methods1
     authentication network-eap eap_methods1
     guest-mode
  power inline negotiation prestandard source
  username Cisco password 7 112A1016141D
  username tkgadmin privilege 15 password 7 022D167B06551D60
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 201 mode ciphers aes-ccm tkip
  encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
  encryption mode wep mandatory
  broadcast-key change 150
  ssid ka_test
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  bridge-group 1
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.201
  encapsulation dot1Q 201
  no ip route-cache
  bridge-group 201
  bridge-group 201 subscriber-loop-control
  bridge-group 201 block-unknown-source
  no bridge-group 201 source-learning
  no bridge-group 201 unicast-flooding
  bridge-group 201 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  shutdown
  encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
  encryption mode wep mandatory
  broadcast-key change 150
  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface FastEthernet0.201
  encapsulation dot1Q 201
  no ip route-cache
  bridge-group 201
  no bridge-group 201 source-learning
  bridge-group 201 spanning-disabled
  interface BVI1
  ip address 192.168.201.9 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server local
    no authentication eapfast
    no authentication mac
    nas 192.168.201.9 key 7 010703174F
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
  radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  end

  Sorry for the late reply Steve. The link you provided was extremely helpful here is what my config  looks like now:
  ersion 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
  ip subnet-zero
  ip domain name TKGCORP.local
  ip name-server 192.168.32.71
  aaa new-model
  aaa group server radius rad_eap
  server 192.168.32.71 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 ssid wap_test
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     guest-mode
     infrastructure-ssid optional
  power inline negotiation prestandard source
  username Cisco password 7 047802150C2E
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  ssid wap_test
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  shutdown
  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface BVI1
  ip address 192.168.201.9 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  I get a login screen but it will not let me connect, on my radius server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:
  ap#debug aaa  authentication
  AAA Authentication debugging is on
  ap#
  *Mar  2 01:11:53.284: AAA/BIND(00000006): Bind i/f 
  *Mar  2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
  *Mar  2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
  *Mar  2 01:11:55.280: AAA/BIND(00000007): Bind i/f 
  *Mar  2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
  *Mar  2 01:11:56.349: AAA/BIND(00000008): Bind i/f 
  *Mar  2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
  *Mar  2 01:11:57.300: AAA/BIND(00000009): Bind i/f 
  *Mar  2 01:11:58.070: AAA/BIND(0000000A): Bind i/f 
  *Mar  2 01:11:58.812: AAA/BIND(0000000B): Bind i/f 
  *Mar  2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
  *Mar  2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
  ap#undebug all
  All possible debugging has been turned off

• Problem with EAP and RADIUS

  Hi *,
    I have the following problem with RADIUS and EAP authentication.
  Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
  I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
  What could it be?
  Debug piece and configuration follows:
  *Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.795: RADIUS(00000012): sending*Jan 25 14:23:34.799: RADIUS:   4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E  [NGVzxeJOU1G@wlan]*Jan 25 14:23:34.799: RADIUS:   2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33  [.mnc001.mcc001.3]*Jan 25 14:23:34.799: RADIUS:   67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67        [gppnetwork.org]*Jan 25 14:23:34.799: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.799: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.799: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:34.831: RADIUS:   32                                               [2]*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.835: RADIUS(00000012): sending*Jan 25 14:23:34.835: RADIUS:   10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA  [?????????7??y>3?]*Jan 25 14:23:34.835: RADIUS:   F3 7D 73 43 BF BA D0 6A                          [?}sC???j]*Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.835: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304*Jan 25 14:23:35.039: RADIUS:   46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28  [F?x__??l???????(]*Jan 25 14:23:35.039: RADIUS:   E0 18 2B 95 97 C2 0A D7 40 53 FE 62              [??+?????@S?b]*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:35.359: RADIUS:   92 DA 5E 26 CF 40 01 22 7A 8E F5 C1              [??^&?@?"z???]*Jan 25 14:23:35.359: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:35.359: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:35.359: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30*Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7*Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10  *Jan 25 14:23:35.367: RADIUS:   03 01 00 04 00 00 00 00                          [????????]*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
  Config:
  aaa new-model!aaa group server radius rad_eap server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448!aaa authentication login eap_methods group rad_eapaaa authorization exec default if-authenticated aaa authorization network default if-authenticated !         aaa session-id commonip name-server 192.168.177.45!                dot11 ssid WifiEAP1   vlan 10   authentication open eap eap_methods    authentication shared eap eap_methods   authentication key-management wpa optional   guest-mode!         bridge irb!         interface Dot11Radio0 no ip address no ip route-cache !        encryption vlan 10 mode ciphers aes-ccm tkip wep128 !        broadcast-key vlan 10 change 300 !        ssid WifiEAP1 !        antenna gain 0 station-role root!         interface Dot11Radio0.10 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!         interface GigabitEthernet0 ip address 192.168.173.3 255.255.255.0 no ip route-cache!         interface GigabitEthernet0.1 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!         interface BVI1 ip address 192.168.173.2 255.255.255.0 no ip route-cache!ip radius source-interface BVI1 bridge 1 route ip
  thanks so much!

  Stefano: not sure if related but there is an unsupported attribute in the debugs:
  Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr:
  *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41
  *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface
  Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
  You may also chech by removing the shared eap as suggested above. Let us know if this works.
  Sent from Cisco Technical Support iPad App

• Surface Pro 3 is not able to connect to standalone aironet

  Hello,
  we are having issues with several Surface Pro 3 device connecting to a standalone Aironet. Other Device connect to this AP no problem. SP3 connect to other APs (not cisco) no problem. So there seems to be an issue between the two devices. When I look in the logs of the AP I get the following message:
  Jan 15 19:59:52.513: %DOT11-7-AUTH_FAILED: Station 501a.c5e5.aeff Authentication failed
  I tried to run aaa debug but nothing shows up but that message above. We use WPA2 AES/TKIP.
  I proceeded to run debug all on the AP and this is what I got. Keep in mind that we are troubleshooting 501a.c5e5.aeff 
  Jan 15 19:55:19.646: Setting client MAC 501a.c5e5.aeff radio slotunit 0 address 0x7E2CE90
  Jan 15 19:55:19.646:  Adding client 501a.c5e5.aeff client->reap_flags_1 0
  Jan 15 19:55:19.646: Dot11Radio0: Adding client 501a.c5e5.aeff aid 6
  Jan 15 19:55:19.646: dot11_mgmt: drv add resp for client 501a.c5e5.aeff aid 6
  Jan 15 19:55:19.646: dot11_mgmt: dot11_mgmt_sta_ref (ref=2, sta_ptr=0x7530010, mac=501a.c5e5.aeff)
  Jan 15 19:55:19.646: SM: ---Open Authentication 0x7530010: Drv Add Resp (8)
  Jan 15 19:55:19.646: SM:    Drv_Add_InProg (8) --> DONT CHANGE STATE (255)
  Jan 15 19:55:19.646: dot11_mgmt: [168D368F] response from driver for client 501a.c5e5.aeff
  Jan 15 19:55:19.646:  Setting global apsd config before assoc rsp
  Jan 15 19:55:19.646:  dot11_driver_client_apsd_settings Client(501a.c5e5.aeff) not found for APSD settings
  Jan 15 19:55:19.646: about to perform cac before cac resp
  Jan 15 19:55:19.646:  dot11_tsm_delete_ts_not_reassociated:Clean streams not in REASSOC 
  Jan 15 19:55:19.646: dot11_mgmt: [168D36F5] send assoc resp, status[0] to dst=501a.c5e5.aeff, aid[6] on Dot11Radio1
  Jan 15 19:55:19.646: There is nothing to add from qosie_set in ASSOC Rsp
  Jan 15 19:55:19.646: Dot11Radio1: Tx AssocResp client 501a.c5e5.aeff
  Jan 15 19:55:19.646: dot11_aaa_auth_request: Received dot11_aaa_auth_request for client 501a.c5e5.aeff
  Jan 15 19:55:19.646: dot11_aaa_auth_request: SSID: Executive, Mac Address: 501a.c5e5.aeff, auth_algorithm 0, key_mgmt 1027074
  Jan 15 19:55:19.646: AAA/API(00000000): aaa_util_unique_id_alloc(), pc 0x185F920, enter {
  Jan 15 19:55:19.646: AAA/ID(NA): DOT11 allocating
  Jan 15 19:55:19.646: AAA/ID(00000023): Call started 14:55:19 -0500 Jan 15 2015
  Jan 15 19:55:19.646: AAA/DB(00000023): add Intf/7D3D488
  Jan 15 19:55:19.646: AAA/DB(00000023): add DB 7E2910C
  Jan 15 19:55:19.646: AAA/ID(00000023): DOT11 allocated
  Jan 15 19:55:19.646: AAA/API(00000023): } aaa_util_unique_id_alloc()
  Jan 15 19:55:19.646: dot11_mgr_disp_wlccp_update_auth:  unknown auth type 0x1
  Jan 15 19:55:19.646: dot11_aaa_add_dot11_client_entry: AAA Client entry (501a.c5e5.aeff, 4106500) is added to the client list
  Jan 15 19:55:19.646: dot11_aaa_start_auth_sequence: dot11_aaa_start_auth_sequence for client 501a.c5e5.aeff [key_mgmt] = FAC02
  Jan 15 19:55:19.646: dot11_aaa_start_auth_sequence: dot11_aaa_start_auth_sequence for client 501a.c5e5.aeff [key_mgmt] = FAC02
  Jan 15 19:55:19.646: dot11_mgr_sm_start_wpav2_psk: Starting wpav2 4-way handshake for PSK or pmk cache supplicant 501a.c5e5.aeff
  Jan 15 19:55:19.646: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant 501a.c5e5.aeffCould not find station pointer for client 501a.c5e5.aeff. Using vlan number from aaa_client 
  Jan 15 19:55:19.646: dot11_dot1x_send_ssn_eapol_key: wpav2 msg 1 pak_size 121
  Jan 15 19:55:19.646: dot11_dot1x_send_ssn_eapol_key: eapol->length 117
  Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 501a.c5e5.aeff
  Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: ptk key len 16
  Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: ptk key data len 22
  Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: wpav2 pmkid[DOT1X]: 0CBC860AAF0DBBA764ED9D51BB113194
  Jan 15 19:55:19.646: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 15 19:55:19.646: dot11_mgr_disp_client_send_eapol: sending eapol to client 501a.c5e5.aeff on BSSID c025.5ca5.3c40
  Jan 15 19:55:19.646: dot11_mgr_sm_send_wpav2_ptk_msg1: [1] Sent PTK msg 1 to 501a.c5e5.aeff, no timer set
  Jan 15 19:55:19.650: dot11_mgmt: dot11_mgmt_sta_deref (ref=3, sta_ptr=0x7530010, mac=501a.c5e5.aeff)
  Also, on windows end I checked the Event Viewer and I see that SP3 is not getting any response back from the AP. 
  Any help would be greatly appreciated. Thanks.

  I rolled out a batch of these to our wireless network a couple of months back.  A couple of tips:
  - From a wireless perspective these devices are extremely buggy out of the box (I'm not exaggerating).  They basically won't function using the built in wireless with anything other than the most very basic wireless setup of a home router until you apply ALL of the patches and updates for them in Windows Update.  In my case I had to install all the updates via ethernet dongle and/or a Linksys USB Wireless dongle (the drivers were much better for the USB dongle and allowed connectivity to work).  The built in Marvell adaptor looks to be good from a features perspective but poor from a driver perspective.  Once the updates were applied it mostly worked.
  - I experienced a similar problem with FT (Fast Transition) enabled - the SP3 will not connect with FT enabled.  In my view there were two issues - (1) the devices won't even connect if FT is enabled and (2) they don't support the FT feature for seamless roaming.
  I took it up with Microsoft and they acknowledged the problem but wouldn't commit to fixing the buggy behaviour (allowing the connection and ignoring the FT attribute like many older clients do) nor would they commit to when they will support the FT feature (fast roaming).
  These tips might not be the cause of your problem but hopefully they will help you get it up and running.
  Fortunately all of these problems can be fixed with driver updates, so maybe in the future they may end up being pretty good wireless clients afterall :-)

• Constantly getting error on UC520 Wi-Fi

  Hello,
  I am constantly getting error on UC520W Wifi from last Night, I am not getting with this error,
  Can anyone help me , what is the cause of this error, or is there any issue on UC520,
  Please suggest & help me
  .858: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001320: Jan  8 05:12:22.166: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001321: Jan  8 05:12:22.166: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001322: Jan  8 05:13:23.997: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001323: Jan  8 05:13:24.305: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001324: Jan  8 05:13:24.305: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001325: Jan  8 05:14:33.512: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001326: Jan  8 05:14:33.820: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001327: Jan  8 05:14:33.820: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001328: Jan  8 05:14:50.784: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001329: Jan  8 05:14:51.376: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001330: Jan  8 05:14:55.941: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001331: Jan  8 05:14:55.941: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001332: Jan  8 05:15:23.594: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001333: Jan  8 05:15:23.914: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001334: Jan  8 05:15:23.914: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001335: Jan  8 05:16:16.128: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001336: Jan  8 05:16:17.112: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001337: Jan  8 05:16:17.116: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001338: Jan  8 05:16:22.072: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001339: Jan  8 05:16:22.376: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001340: Jan  8 05:16:22.376: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001341: Jan  8 05:17:01.454: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001342: Jan  8 05:17:02.026: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001343: Jan  8 05:17:14.110: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001344: Jan  8 05:17:14.110: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001345: Jan  8 05:17:32.835: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001346: Jan  8 05:17:33.911: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001347: Jan  8 05:17:33.911: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001348: Jan  8 05:18:16.933: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001349: Jan  8 05:18:17.257: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001350: Jan  8 05:18:17.261: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001351: Jan  8 05:18:35.498: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001352: Jan  8 05:18:35.810: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001353: Jan  8 05:18:35.810: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001354: Jan  8 05:18:50.698: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001355: Jan  8 05:18:51.206: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001356: Jan  8 05:18:51.206: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001357: Jan  8 05:18:55.970: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001358: Jan  8 05:19:03.143: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001359: Jan  8 05:19:03.451: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001360: Jan  8 05:19:03.451: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001361: Jan  8 05:19:10.827: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001362: Jan  8 05:19:11.143: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001363: Jan  8 05:19:11.143: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001364: Jan  8 05:19:27.832: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001365: Jan  8 05:19:28.148: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001366: Jan  8 05:19:28.148: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001367: Jan  8 05:19:55.281: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001368: Jan  8 05:19:55.513: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001369: Jan  8 05:19:55.517: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001370: Jan  8 05:20:14.742: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001371: Jan  8 05:20:15.046: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001372: Jan  8 05:20:15.046: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001373: Jan  8 05:20:34.082: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001374: Jan  8 05:20:34.634: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001375: Jan  8 05:20:47.035: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001376: Jan  8 05:20:47.035: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001377: Jan  8 05:20:54.811: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001378: Jan  8 05:21:11.340: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001379: Jan  8 05:21:11.340: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001380: Jan  8 05:21:23.748: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001381: Jan  8 05:21:24.057: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001382: Jan  8 05:21:24.057: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]kya
  001383: Jan  8 05:22:20.471: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001384: Jan  8 05:22:21.003: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001385: Jan  8 05:22:25.095: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001386: Jan  8 05:22:25.095: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001387: Jan  8 05:22:39.308: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001388: Jan  8 05:22:39.644: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001389: Jan  8 05:22:39.644: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001390: Jan  8 05:22:52.832: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001391: Jan  8 05:22:53.136: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001392: Jan  8 05:22:53.140: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001393: Jan  8 05:23:24.749: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001394: Jan  8 05:23:25.133: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001395: Jan  8 05:23:25.133: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001396: Jan  8 05:25:46.851: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has unregistered abnormally.
  001397: Jan  8 05:27:20.475: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001398: Jan  8 05:27:43.084: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001399: Jan  8 05:27:43.084: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001400: Jan  8 05:27:48.696: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001401: Jan  8 05:28:04.933: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001402: Jan  8 05:28:04.933: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001403: Jan  8 05:28:09.893: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-timeout
  001404: Jan  8 05:28:10.229: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has registered.
  001405: Jan  8 05:29:03.851: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001406: Jan  8 05:29:04.159: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001407: Jan  8 05:29:04.159: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001408: Jan  8 05:29:51.725: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001409: Jan  8 05:29:52.029: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001410: Jan  8 05:29:52.033: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001411: Jan  8 05:29:59.734: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001412: Jan  8 05:30:00.042: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001413: Jan  8 05:30:00.042: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001414: Jan  8 05:30:05.878: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001415: Jan  8 05:30:06.190: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001416: Jan  8 05:30:06.190: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001417: Jan  8 05:31:16.469: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
  001418: Jan  8 05:31:18.461: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
  001419: Jan  8 05:31:18.461: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:8 DeviceType:Phone has registered.
  001420: Jan  8 05:31:36.890: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001421: Jan  8 05:31:37.110: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001422: Jan  8 05:31:37.110: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001423: Jan  8 05:32:08.595: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001424: Jan  8 05:32:09.119: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001425: Jan  8 05:32:11.751: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001426: Jan  8 05:32:11.751: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  Translating "kya"...domain server (63.203.35.55)
  001427: Jan  8 05:32:49.721: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001428: Jan  8 05:32:50.125: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001429: Jan  8 05:32:50.129: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  % Unknown command or computer name, or unable to find computer address
  coinop-uc520#
  coinop-uc520#kya                sh ip dhc
  coinop-uc520#sh ip dhcp bind
  Bindings from all pools not associated with VRF:
  IP address          Client-ID/               Lease expiration        Type
       Hardware address/
       User name
  10.1.1.11           0100.1da2.314a.ad       Jan 09 2011 02:27 PM    Automatic
  192.168.2.11        0100.16d4.3c0e.99       Jan 09 2011 09:41 AM    Automatic
  192.168.2.14        0100.16ea.ee13.28       Jan 09 2011 01:22 PM    Automatic
  192.168.2.16        0100.237d.0081.4b       Jan 09 2011 02:29 PM    Automatic
  192.168.2.19        0100.0c6e.0438.e8       Jan 09 2011 12:43 PM    Automatic
  192.168.2.47        0100.0c29.e2eb.b9       Jan 08 2011 08:20 PM    Automatic
  coinop-uc520#ping
  001430: Jan  8 05:34:17.872: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has unregistered abnormally.
  001431: Jan  8 05:38:48.864: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 0016.eaee.1328 Reason: Sending station has left the BSS SSID[coinop]
  001432: Jan  8 05:38:58.460: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
  001433: Jan  8 05:38:58.460: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station coinop-uc520 0016.eaee.1328 Associated SSID[coinop] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001434: Jan  8 05:42:08.512: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001435: Jan  8 05:42:43.133: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
  001436: Jan  8 05:42:48.725: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001437: Jan  8 05:42:48.725: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001438: Jan  8 05:43:09.406: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001439: Jan  8 05:43:09.814: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001440: Jan  8 05:43:09.818: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001441: Jan  8 05:43:16.363: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-timeout
  001442: Jan  8 05:43:16.691: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has registered.
  001443: Jan  8 05:43:44.072: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 0016.eaee.1328 Reason: Sending station has left the BSS SSID[coinop]
  001444: Jan  8 05:43:53.956: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
  001445: Jan  8 05:43:53.956: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station coinop-uc520 0016.eaee.1328 Associated SSID[coinop] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001446: Jan  8 05:43:57.180: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001447: Jan  8 05:43:57.540: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001448: Jan  8 05:43:58.568: %IPPHONE-6-UNREGISTER_NORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has unregistered normally.
  001449: Jan  8 05:44:01.572: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001450: Jan  8 05:44:01.572: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001451: Jan  8 05:44:10.565: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-Bad-ACK
  001452: Jan  8 05:44:12.469: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has registered.
  001453: Jan  8 05:45:09.259: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001454: Jan  8 05:45:09.575: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001455: Jan  8 05:45:09.575: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001456: Jan  8 05:45:22.868: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001457: Jan  8 05:45:23.176: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001458: Jan  8 05:45:23.176: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001459: Jan  8 05:46:16.934: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001460: Jan  8 05:46:17.246: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001461: Jan  8 05:46:17.246: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001462: Jan  8 05:46:27.466: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001463: Jan  8 05:46:27.770: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001464: Jan  8 05:46:27.770: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001465: Jan  8 05:46:28.198: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
  001466: Jan  8 05:46:35.903: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:8 DeviceType:Phone has unregistered abnormally.
  001467: Jan  8 05:46:54.820: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  001468: Jan  8 05:46:55.132: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
  001469: Jan  8 05:46:55.132: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voic

  Thanks for suggestion,
  But please look apart from 0016.eaee.1328  this MAC address, we have more error like below & I am constantly getting error  from last night, also let you know wi-fi Ip phone is working on i have post my config please suggest if anywhere is wrong
  001461: Jan  8 05:46:17.246: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
  001462: Jan  8 05:46:27.466: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
  dot11 ssid coinop
     vlan 1
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
  dot11 ssid uc520-voice
     vlan 100
     authentication open
     authentication key-management wpa
     wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
  ip cef
  ip dhcp relay information trust-all
  ip dhcp use vrf connected
  ip dhcp excluded-address 10.1.1.1 10.1.1.10
  ip dhcp excluded-address 192.168.10.1 192.168.10.10
  ip dhcp excluded-address 10.1.1.200 10.1.1.254
  ip dhcp excluded-address 192.168.2.1 192.168.2.10
  ip dhcp pool phone
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1
     option 150 ip 10.1.1.1
  ip dhcp pool data
     network 192.168.2.0 255.255.255.0
     default-router 192.168.2.1
     dns-server 203.7.224.10 203.25.27.50
  ip name-server 63.203.35.55
  username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXXXX
  archive
  log config
    logging enable
    logging size 600
    hidekeys
  ip tftp source-interface Loopback0
  bridge irb
  interface Loopback0
  ip address 10.1.10.2 255.255.255.252
  ip nat inside
  ip virtual-reassembly
  macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone |  cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone |  cisco-phone | cisco-phone | cisco-phone | cisco-phone
  tunnel source XXXXXXXXXXX
  tunnel mode gre multipoint
  tunnel path-mtu-discovery
  interface Tunnel2
  no ip address
  interface FastEthernet0/0
  description $FW_OUTSIDE$
  no ip address
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface Integrated-Service-Engine0/0
  description cue is initialized with default IMAP group
  ip unnumbered Loopback0
  ip nat inside
  ip virtual-reassembly
  service-module ip address 10.1.10.1 255.255.255.252
  service-module ip default-gateway 10.1.10.2
  macro description cisco-switch | cisco-switch | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phh | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch
  interface FastEthernet0/1/0
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/1
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/2
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/3
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | ciscophone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone  | cisco-phone | ciscophone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/4
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/5
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/6
  switchport voice vlan 100
  macro description cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch |  native | cisco-phone itch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch |  native
  interface FastEthernet0/1/7
  switchport voice vlan 100
  macro description cisco-phone  | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
  interface FastEthernet0/1/8
  switchport mode trunk
  macro description cisco-switc | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switc
  interface Dot11Radio0/5/0
  no ip address
  ip virtual-reassembly
  encryption vlan 100 mode ciphers tkip
  encryption vlan 1 mode ciphers tkip
  ssid coinop
  ssid uc520-voice
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  world-mode dot11d country AU both
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0/5/0.1
  encapsulation dot1Q 100
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0/5/0.2
  encapsulation dot1Q 1 native
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Virtual-Template1
  ip unnumbered Dialer1
  ip nat inside
  ip virtual-reassembly
  peer default ip address pool IP_POOL
  no keepalive
  ppp encrypt mppe 40
  ppp authentication chap ms-chap pap
  interface Virtual-Template2 type tunnel
  ip unnumbered BVI2
  ip nat inside
  ip virtual-reassembly
  shutdown
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile SDM_Profile1
  interface Virtual-Template7 type tunnel
  ip unnumbered BVI2
  ip nat inside
  ip virtual-reassembly
  shutdown
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile SDM_Profile1
  interface Vlan1
  no ip address
  ip virtual-reassembly
  bridge-group 2
  bridge-group 2 spanning-disabled
  interface Vlan100
  no ip address
  ip virtual-reassembly
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Dialer1
  mtu 1492
  ip address negotiated
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  ip route-cache flow
  ip tcp adjust-mss 1492
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp chap refuse
  ppp pap sent-username [email protected] password 7 XXXXXXXXXXXXXXXXXXXX
  crypto map vpnmap
  interface BVI1
  ip address 10.1.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  interface BVI2
  ip address 192.168.2.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly

• Machine authentication in Aironet

  i'm trying to authenticate laptops to Active directory before joining wireless AP (aironet 1240A)
  i'm using EAP in AP
  and PEAP with certificates in NPS
  i'm forcing laptops to use "computer authentication" through a GPO
  certificates already deployed to All machines
  policy is configured in NPS with "machine group" condition
  the problem i'm facing that their is some laptops are authenticated successfully while the others are not
  all machines are using windows 7 and located in the same Active Directory OU (same GPO applied)
  here is what i saw in AP after enabling debug radius authentication
  the working machines
  *Mar  4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
  *Mar  4 20:25:34.125: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
  *Mar  4 20:25:34.126: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
  *Mar  4 20:25:34.126: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
  *Mar  4 20:25:34.126: RADIUS:   32                                               [2]
  *Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
  *Mar  4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
  *Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
  *Mar  4 20:25:34.126: RADIUS(00000009): sending
  *Mar  4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
  *Mar  4 20:25:34.127: RADIUS:  authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
  *Mar  4 20:25:34.127: RADIUS:  User-Name           [1]   23  "host/FADI-LT.domain.com"
  *Mar  4 20:25:34.127: RADIUS:  Framed-MTU          [12]  6   1400               
  *Mar  4 20:25:34.128: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
  *Mar  4 20:25:34.128: RADIUS:  Calling-Station-Id  [31]  16  "0811.9699.ba30"
  *Mar  4 20:25:34.128: RADIUS:  Service-Type        [6]   6   Login                     [1]
  *Mar  4 20:25:34.128: RADIUS:  Message-Authenticato[80]  18
  *Mar  4 20:25:34.128: RADIUS:   1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9  [?E?Z]???s?????b?]
  *Mar  4 20:25:34.128: RADIUS:  EAP-Message         [79]  28
  *Mar  4 20:25:34.128: RADIUS:   02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C  [?????host/FADI-L]
  *Mar  4 20:25:34.129: RADIUS:   54 2E 61 64 61 73 69 2E 61 65                    [T.domain.com]
  *Mar  4 20:25:34.129: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  *Mar  4 20:25:34.129: RADIUS:  NAS-Port            [5]   6   263                
  *Mar  4 20:25:34.129: RADIUS:  NAS-Port-Id         [87]  5   "263"
  *Mar  4 20:25:34.129: RADIUS:  NAS-IP-Address      [4]   6   10.10.64.229       
  *Mar  4 20:25:34.129: RADIUS:  Nas-Identifier      [32]  4   "AP"
  *Mar  4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
  *Mar  4 20:25:34.167: RADIUS:  authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
  *Mar  4 20:25:34.167: RADIUS:  Session-Timeout     [27]  6   30                 
  *Mar  4 20:25:34.167: RADIUS:  EAP-Message         [79]  8
  *Mar  4 20:25:34.167: RADIUS:   01 03 00 06 0D 20                                [????? ]
  *Mar  4 20:25:34.167: RADIUS:  State               [24]  38
  the non working machines
  *Mar  4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
  *Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
  *Mar  4 20:26:18.949: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
  *Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
  *Mar  4 20:26:18.949: RADIUS:   32                                               [2]
  *Mar  4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
  *Mar  4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
  *Mar  4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
  *Mar  4 20:26:18.950: RADIUS(0000000A): sending
  *Mar  4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
  *Mar  4 20:26:18.951: RADIUS:  authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
  *Mar  4 20:26:18.951: RADIUS:  User-Name           [1]   18  "domain\username"
  *Mar  4 20:26:18.951: RADIUS:  Framed-MTU          [12]  6   1400               
  *Mar  4 20:26:18.951: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
  *Mar  4 20:26:18.951: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
  *Mar  4 20:26:18.951: RADIUS:  Service-Type        [6]   6   Login                     [1]
  *Mar  4 20:26:18.951: RADIUS:  Message-Authenticato[80]  18
  *Mar  4 20:26:18.951: RADIUS:   06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA  [??U?mE???ss,??(?]
  *Mar  4 20:26:18.952: RADIUS:  EAP-Message         [79]  23
  *Mar  4 20:26:18.952: RADIUS:   02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E  [?????domain\user]
  *Mar  4 20:26:18.952: RADIUS:   61 64 6D 69 6E                                   [name]
  *Mar  4 20:26:18.952: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  *Mar  4 20:26:18.952: RADIUS:  NAS-Port            [5]   6   264                
  *Mar  4 20:26:18.952: RADIUS:  NAS-Port-Id         [87]  5   "264"
  *Mar  4 20:26:18.952: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
  *Mar  4 20:26:18.953: RADIUS:  Nas-Identifier      [32]  4   "AP"
  *Mar  4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
  *Mar  4 20:26:18.980: RADIUS:  authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
  *Mar  4 20:26:18.981: RADIUS:  Session-Timeout     [27]  6   30                 
  *Mar  4 20:26:18.981: RADIUS:  EAP-Message         [79]  8
  *Mar  4 20:26:18.981: RADIUS:   01 03 00 06 0D 20                                [????? ]
  *Mar  4 20:26:18.981: RADIUS:  State               [24]  38
  *Mar  4 20:26:18.981: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
  *Mar  4 20:26:18.982: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
  *Mar  4 20:26:18.982: RADIUS:   55 9E B9 77                                      [U??w]
  *Mar  4 20:26:18.982: RADIUS:  Message-Authenticato[80]  18
  *Mar  4 20:26:18.982: RADIUS:   1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47  [?????F?????&0IcG]
  *Mar  4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
  *Mar  4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
  *Mar  4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
  *Mar  4 20:26:18.986: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
  *Mar  4 20:26:18.986: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
  *Mar  4 20:26:18.987: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
  *Mar  4 20:26:18.987: RADIUS:   32                                               [2]
  *Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
  *Mar  4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
  *Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
  *Mar  4 20:26:18.987: RADIUS(0000000A): sending
  *Mar  4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
  *Mar  4 20:26:18.988: RADIUS:  authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
  *Mar  4 20:26:18.988: RADIUS:  User-Name           [1]   18  "domain\username"
  *Mar  4 20:26:18.988: RADIUS:  Framed-MTU          [12]  6   1400               
  *Mar  4 20:26:18.988: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
  *Mar  4 20:26:18.988: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
  *Mar  4 20:26:18.988: RADIUS:  Service-Type        [6]   6   Login                     [1]
  *Mar  4 20:26:18.988: RADIUS:  Message-Authenticato[80]  18
  *Mar  4 20:26:18.989: RADIUS:   3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F  [=???n??+Q??????_]
  *Mar  4 20:26:18.989: RADIUS:  EAP-Message         [79]  8
  *Mar  4 20:26:18.989: RADIUS:   02 03 00 06 03 19                                [??????]
  *Mar  4 20:26:18.989: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  *Mar  4 20:26:18.989: RADIUS:  NAS-Port            [5]   6   264                
  *Mar  4 20:26:18.989: RADIUS:  NAS-Port-Id         [87]  5   "264"
  *Mar  4 20:26:18.989: RADIUS:  State               [24]  38
  *Mar  4 20:26:18.990: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
  *Mar  4 20:26:18.990: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
  *Mar  4 20:26:18.990: RADIUS:   55 9E B9 77                                      [U??w]
  *Mar  4 20:26:18.990: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
  *Mar  4 20:26:18.990: RADIUS:  Nas-Identifier      [32]  4   "AP"
  *Mar  4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
  *Mar  4 20:26:18.992: RADIUS:  authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
  *Mar  4 20:26:18.992: RADIUS:  EAP-Message         [79]  6
  *Mar  4 20:26:18.993: RADIUS:   04 03 00 04                                      [????]
  *Mar  4 20:26:18.993: RADIUS:  Message-Authenticato[80]  18
  *Mar  4 20:26:18.993: RADIUS:   FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9  [?!t???????:5E???]
  *Mar  4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
  *Mar  4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  *Mar  4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
  obviously the machine who send machine name (host\machinename) will be authenticated successfully
  and machines who send username (domain\username) will not be authenticated successfully
  now
  i tested those unsuccessful machines in a wired  dot1x switch using the same NPS policy and they were sending their machine names instead of usernames and they were authenticated successfully
  i suspected that this is maybe because of the AP config
  here it is
  Current configuration : 2662 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP
  enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
  aaa new-model
  aaa group server radius rad_eap
   server X.Y.64.30 auth-port 1812 acct-port 1813
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  ip domain name domain
  dot11 ssid corporate
     vlan 64
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa version 2
     mbssid guest-mode
  dot11 network-map
  power inline negotiation prestandard source
  username Cisco password 7 13261E010803
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   encryption vlan 64 mode ciphers aes-ccm
   ssid corporate
   mbssid
   station-role root
  interface Dot11Radio0.64
   encapsulation dot1Q 64 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio1
   no ip address
   no ip route-cache
   shutdown
   no dfs band block
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface FastEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
  interface FastEthernet0.64
   encapsulation dot1Q 64 native
   no ip route-cache
   bridge-group 1
   no bridge-group 1 source-learning
   bridge-group 1 spanning-disabled
  interface BVI1
   ip address X.Y.64.229 255.255.255.0
   no ip route-cache
  ip default-gateway X.Y.64.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  snmp-server community cable RO
  snmp-server enable traps tty
  radius-server attribute 32 include-in-access-req format %h
  radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 5 15
  end

  Hi,
  You will need o be more specific so we can help you.
  What exactly is happening/not working?
  Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
  Is your PC doing machine authentication?
  HTH,
  Tiag
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Need a solution for the following error code on AIR-AP1231G-A-K9

  Dec 1 10:05:46.243: %DOT11-7-AUTH_FAILED: Station 0018.de89.d720 Authentication failed

  Hi
  Here you are the explanation:
  The specified station has failed authentication.
  The most common reasons are the user has entered the wrong password or the radius server maybe unavailable.
  Hope this helps

• Authentication failed AP1131

  Hello,
  I got a report from a branch office which is getting trouble to authenticate users to the WLAN this is a stand alone AP which has a configuration script that we use for all our branch offices but in this case is not working. It seems to be an issue with RADIUS but if it was the case the whole company would be experiencing problems since it is a central RADIUS server.
  Here is a log from the AP
  By the way I modified the radius server timeout to 90 sec
  APIMMEXP01#
  Sep  1 17:01:47.240: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:01:53.503: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:01:58.739: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:02:35.587: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
  is not responding.
  Sep  1 17:02:35.589: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
  is being marked alive.
  Sep  1 17:02:47.476: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:02:50.344: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
  is not responding.
  Sep  1 17:02:50.344: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
  is being marked alive.
  Sep  1 17:02:53.768: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:02:58.966: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:04:00.953: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:04:07.050: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:04:12.332: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:04:33.294: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
  is not responding.
  Sep  1 17:04:33.294: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
  is being marked alive.
  Sep  1 17:04:36.577: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
  is not responding.
  Sep  1 17:04:36.577: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
  is being marked alive.
  Sep  1 17:05:01.009: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:05:07.175: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:05:12.517: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:06:01.247: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:06:19.739: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
  is not responding.
  Sep  1 17:06:19.739: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
  is being marked alive.
  Sep  1 17:06:20.707: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:06:25.241: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
  is not responding.
  Sep  1 17:06:25.243: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
  is being marked alive.
  Sep  1 17:06:25.836: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:07:01.237: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:07:20.694: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:07:25.818: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:08:01.623: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:08:13.834: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
  is not responding.
  Sep  1 17:08:13.834: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
  is being marked alive.
  Sep  1 17:08:27.978: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
  is not responding.
  Sep  1 17:08:27.979: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
  is being marked alive.
  Sep  1 17:08:34.301: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:08:39.325: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
  failed
  Sep  1 17:09:15.042: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:09:34.664: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed
  Sep  1 17:09:47.790: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
  is not responding.
  Sep  1 17:09:47.790: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
  is being marked alive.
  Sep  1 17:10:15.184: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
  failed
  Sep  1 17:10:16.644: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
  is not responding.
  Sep  1 17:10:16.644: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
  is being marked alive.
  Sep  1 17:10:48.062: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
  failed

  What error is the AAA server showing for these errors?
  Sent from Cisco Technical Support iPad App

• 802.11x with 2008 R2 NPS

  Here's what I'm using for attempt at 802.11x:
  -2008 R2 NPS
  -AIR-AP1142N-A-K9
  -Lenovo T510 Laptop
  Here is what I followed:
  1. http://techblog.mirabito.net.au/?p=87&cpage=1#comment-26452
  2. http://blog.laurence.id.au/2010/03/running-peap-with-cisco-aeronet-1231g.html
  Here is my config on the AP, radius related:
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone EST -4
  dot11 syslog
  dot11 ssid IPC02-AP
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa version 2
     guest-mode
  encryption mode ciphers aes-ccm tkip
  interface BVI1
  ip address 192.168.1.7 255.255.255.0
  no ip route-cache
  ip radius source-interface BVI1
  radius-server local
    nas 192.168.1.38 key 7 *
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key 7 *
  Here is my part of my debug:
  RADIUS(000000C0): Received from id 1645/151
  RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  Client 0026.c750.**** failed: by EAP authentication server
  dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
  DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed RADIUS(000000C0): Received from id 1645/151
  RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  Client 0026.c750.**** failed: by EAP authentication server
  dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
  DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
  I get a "connection failed" on my laptop.  I don't see any logs/events relating to a failure of credentials on my 2008 server.
  Any ideas?

  I have not gotten any other feedback and I have not been ablet to identify anything on technet about it.  It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings.  It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do ot hit the 27 "line-item" limit.

• Problem authenticating Wireless users with peap

  Good afternoon,
  I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
  AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
  DOT11-7-AUTH_FAILED : Station ... Authentication failed
  It shouldn't use local authentication, but the aaa server I configured.
  I looked on the internet but didn't find a working solution.
  Does anyone know why it is not working ?
  Here is my running configuration :
  Current configuration : 4276 bytes
  ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
  ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
  ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
  aaa new-model
  aaa group server radius rad_eap
   server 192.168.2.2 auth-port 1812 acct-port 1813
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  no ip routing
  no ip cef
  dot11 syslog
  dot11 ssid test
     authentication open eap eap_list
     authentication key-management wpa version 2
     guest-mode
  eap profile peap
   method peap
  crypto pki token default removal timeout 0
  bridge irb
  interface Dot11Radio0
   no ip address
   no ip route-cache
   encryption mode ciphers aes-ccm
   ssid test
   antenna gain 0
   stbc
   beamform ofdm
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface Dot11Radio1
   no ip address
   no ip route-cache
   shutdown
   antenna gain 0
   no dfs band block
   channel dfs
   station-role root
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 spanning-disabled
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
  interface GigabitEthernet0
   no ip address
   no ip route-cache
   duplex auto
   speed auto
   dot1x pae authenticator
   bridge-group 1
   bridge-group 1 spanning-disabled
   no bridge-group 1 source-learning
  interface BVI1
   ip address 192.168.3.10 255.255.255.0
   no ip route-cache
  ip default-gateway IP
  ip forward-protocol nd
  ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
   transport input all
  end
  Thank you

  I haven't setup autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list" In addition, I think you might be missing one more command. So perhaps try this:
  dot11 ssid test
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa version 2
  guest-mode
  Hope this helps!
  Thank you for rating helpful posts!

• EAP-TLS with Radius Server configuration (1130AG)

  Hi All,
  Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
  My steps for radius:- (i think this part ive actually got ok)
  http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
  Steps for the wirless profile on a win 7 client:- this has me confused all over the place
  http://technet.microsoft.com/en-us/library/dd759246.aspx
  My 1130 Config:-
  [code]
  Current configuration : 3805 bytes
  ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
  ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname WAP1
  aaa new-model
  aaa group server radius RAD_EAP
  server 10.1.1.29 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login EAP_LOGIN group RAD_EAP
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  ip domain name ************
  dot11 syslog
  dot11 ssid TEST
     authentication open eap EAP_LOGIN
     authentication network-eap EAP_LOGIN
     guest-mode
  crypto pki trustpoint TP-self-signed-1829403336
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1829403336
  revocation-check none
  rsakeypair TP-self-signed-1829403336
    quit
  username ***************
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid TEST
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid TEST
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.1.2.245 255.255.255.0
  ip helper-address 10.1.1.27
  no ip route-cache
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
  radius-server key ************
  bridge 1 route ip
  line con 0
  logging synchronous
  transport preferred ssh
  line vty 0 4
  logging synchronous
  transport input ssh
  sntp server 130.88.212.143
  end
  [/code]
  and my current debug
  [code]
  Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: AAA/BIND(000000
  WAP1#12): Bind i/f
  Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
  WAP1#h method EAP or LEAP
  Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 25 12:01:27.581: EAPOL pak dump tx
  Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01801670:                   0100002B 0101002B          ...+...+
  01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  WAP1#
  01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018016A0: 6F727469 643D30                      ortid=0
  Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  [/code]
  Can anyone point me in the right direction with this?
  i also dont like it that you can attempt to join the network first before failing
  can i have user cert based + psk? and then apply it all by GPO
  Thanks for any help

  ok ive ammdened the wireless profile as suggested
  i already have the root ca and a user certificate installed with matching usernames
  I had already added the radius device to the NPS server and matched the keys to the AP
  now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
  Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
  WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
  Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
  WAP1#lient 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
  Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
  WAP1#_auth_dot1x_start
  Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 29 11:53:14.620: EAPOL pak dump tx
  Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
  01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
  01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
  Jan 29 11:53
  WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
  Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
  WAP1#cator message to client 74de.2b81.56c4
  Jan 29 11:53:14.622: EAPOL pak dump tx
  Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808690:                   0100002B 0101002B          ...+...+
  018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018086C0: 6F727469 643D30                      ortid=0
  Jan 29 11:53:14.623: dot1x-regi