%DOT11-7-AUTH_FAILED
Hello,
I have a problem with wireless authentication.
I have tried the following operating systems on clients: Windows XP, Windows Vista and Windows 7.
Radius Server is working normally.
Below are the debug output, version and configuration. Can somebody see something wrong? I have no idea.
Please help me to solve this problem.
Thanks,
Christian Overrein
Debug report.
000272: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000273: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000274: *Jan 14 21:18:10.331 UTC: EAPOL pak dump tx
000275: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x0032
000276: *Jan 14 21:18:10.331 UTC: EAP code: 0x1 id: 0x2 length: 0x0032 type: 0x1
07403990: 01000032 01020032 ...2...2
074039A0: 01006E65 74776F72 6B69643D 56656C66 ..networkid=Velf
074039B0: 65726465 6E2C6E61 7369643D 56454C57 erden,nasid=VELW
074039C0: 52303030 312C706F 72746964 3D30 R0001,portid=0
000277: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg: sending data to requestor status 1
000278: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000279: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds
000280: *Jan 14 21:18:10.331 UTC: dot11_auth_parse_client_pak: Received EAPOL packet from 0017.3f78.977b
000281: *Jan 14 21:18:10.331 UTC: EAPOL pak dump rx
000282: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1 type: 0x1 length: 0x0000
074030D0: 01010000 ....
000283: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000284: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000285: *Jan 14 21:18:10.335 UTC: EAPOL pak dump tx
000286: *Jan 14 21:18:10.335 UTC: EAPOL Version: 0x1 type: 0x0 length: 0x0032
000287: *Jan 14 21:18:10.335 UTC: EAP code: 0x1 id: 0x3 length: 0x0032 type: 0x1
07404390: 01000032 01030032 ...2...2
074043A0: 01006E65 74776F72 6B69643D 56656C66 ..networkid=Velf
074043B0: 65726465 6E2C6E61 7369643D 56454C57 erden,nasid=VELW
074043C0: 52303030 312C706F 72746964 3D30 R0001,portid=0
000288: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg: sending data to requestor status 1
VELWR0001#
000289: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000290: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds
000328: *Jan 14 21:23:47.627 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
000329: *Jan 14 21:24:21.727 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
000330: *Jan 14 21:24:55.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
000331: *Jan 14 21:25:29.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
Show Version.
System returned to ROM by reload at 20:58:46 UTC Fri Jan 14 2011
System image file is "flash:/c181x-adventerprisek9-mz.151-3.T.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1812W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ120995G1, with hardware revision 0000
10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
2 802.11 Radios
31360K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO1812W-AG-E/K9 FCZ120995G1
Show running-config
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname VELWR0001
boot-start-marker
boot system flash:/c181x-adventerprisek9-mz.151-3.T.bin
boot-end-marker
logging userinfo
logging buffered 20000
enable secret 5 $1$TGe/$Bnajd6kvDh/E8pMtAAND00
enable password 7 104D000A0618
aaa new-model
aaa group server radius rad_acct
server 10.0.1.10 auth-port 1645 acct-port 1646
aaa group server radius rad_eap
server 10.0.1.10 auth-port 1645 acct-port 1646
aaa group server radius Velferden_group
server-private 10.0.1.10 auth-port 1645 acct-port 1646 key 7 047602101C705C460D
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login Velferden_list group Velferden_group
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
aaa session-id common
dot11 syslog
dot11 activity-timeout unknown default 1800
dot11 activity-timeout client default 1800
dot11 activity-timeout repeater default 1800
dot11 activity-timeout workgroup-bridge default 1800
dot11 activity-timeout bridge default 1800
dot11 ssid Velferden
vlan 102
authentication open eap Velferden_list
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name velferden.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
username backup privilege 15 secret 5 $1$1/JH$cqnXDVsAd/hjPE6lyLOVe.
ip tcp synwait-time 10
bridge irb
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
encryption vlan 102 mode ciphers aes-ccm
broadcast-key vlan 102 change 30
ssid Velferden
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 102 mode ciphers aes-ccm
broadcast-key vlan 102 change 30
ssid Velferden
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio1.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet2
description VELAR0001
switchport access vlan 100
interface FastEthernet3
description VELDC0001
switchport access vlan 100
spanning-tree portfast
interface FastEthernet4
description BORDSWITCH
switchport access vlan 100
interface FastEthernet5
description KLIENTER
switchport access vlan 100
spanning-tree portfast
interface FastEthernet6
description VELSK0001
switchport access vlan 100
spanning-tree portfast
interface FastEthernet7
description KLIENTER
switchport access vlan 100
spanning-tree portfast
interface FastEthernet8
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
interface FastEthernet9
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
interface Vlan1
no ip address
shutdown
interface Vlan100
description User
ip address 10.0.1.9 255.255.255.128
ip helper-address 10.0.1.10
interface Vlan102
no ip address
bridge-group 1
interface Group-Async9
physical-layer async
no ip address
encapsulation slip
interface BVI1
ip address 10.0.1.129 255.255.255.128
ip helper-address 10.0.1.10
ip default-gateway 10.0.1.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip radius source-interface Vlan100
logging esm config
logging trap debugging
logging source-interface Vlan100
logging 10.0.1.10
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 7 153427232D011F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
line aux 0
line vty 0 4
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
scheduler interval 500
end
Hi Sebastian!
OS: I am using Windows 2003 SP2
Radius: IAS (Internet Authentication Service)
I cannot see any errors in the IAS log. The reason is the router doesn't send requests to the service for authentication because it is not being redirected.
Connectivity is checked. I am using radius as login authentication, that works. It is wireless that is the problem.
In my latest post I have posted the configuration.
I hope you can help me to solve the problem.
regards,
Christian
Similar Messages
-
%DOT11-7-AUTH_FAILED: %DOT11-6-DISASSOC:
Hello again,
Thought this issue was fixed yesterday after finding out my printer was the MAC address flashing up on the log, however it seems that every device is playing up.
Thanks
James
These are my wireless devices,
APPLE IPHONE 6809.2780.219a
DELL LAPTOP 0026.c7e2.68be
HTC PHONE bccf.cca7.43ea
LG TV 9444.4434.d43c
HP LAPTOP 001f.3c83.bd9e
PRINTER 0080.927b.0edb
SONY ERICSSON b8f9.3410.9524
PLAYSTATION 3 280d.fcec.27c4
The log....
*Aug 28 21:05:35.845: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:06:32.913: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 280d.fcec.27c4 Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:06:37.321: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 280d.fcec.27c4 Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:07:49.533: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:37.537: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:09:41.117: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:47.057: %DOT11-7-AUTH_FAILED: Station 6809.2780.219a Authentication failed
*Aug 28 21:11:49.413: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 6809.2780.219a Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:11:55.321: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 6809.2780.219a Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:19:21.612: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:19:25.176: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:19:39.324: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:23:54.664: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:23:59.212: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:24:07.756: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Reassociated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:26:06.168: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:28:33.444: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:37:08.112: %SYS-5-CONFIG_I: Configured from console by James on vty1 (192.168.0.2)
*Aug 28 21:42:36.712: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 0080.927b.0edb Reason: Previous authentication no longer valid SSID[THE MATRIX]
*Aug 28 21:42:41.080: %DOT11-7-AUTH_FAILED: Station 0080.927b.0edb Authentication failed
*Aug 28 21:42:46.828: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station 0080.927b.0edb Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.296: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 28 21:43:20.300: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 28 21:43:25.808: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
This is my running config....
CORE#sh run
Building configuration...
Current configuration : 6692 bytes
! Last configuration change at 21:37:08 UTC Wed Aug 28 2013 by James
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname CORE
boot-start-marker
boot-end-marker
logging buffered 64000
no aaa new-model
dot11 syslog
dot11 ssid THE MATRIX
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid
wpa-psk ascii 7 xxxxx
ip source-route
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.61 192.168.0.254
ip dhcp excluded-address 172.0.0.1 172.0.0.10
ip dhcp pool LAN_Addresses
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
default-router 192.168.0.1
lease 5
ip dhcp pool THE MATRIX
import all
network 172.0.0.0 255.255.255.0
default-router 172.0.0.1
dns-server 8.8.8.8 4.2.2.2
lease 5
no ip domain lookup
ip domain name firewire2013
ip name-server 4.2.2.2
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3845826623
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3845826623
revocation-check none
crypto pki certificate chain TP-self-signed-3845826623
certificate self-signed 01
quit
license udi pid CISCO2811 sn FCZ09237316
username James privilege 15 secret 5 xxxxxxxxxxxxxxxxx
redundancy
class-map type inspect match-any sdm-cls-insp-traffic
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 102
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
interface FastEthernet0/0
description CONNECTION TO MODEM>ISP$ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
no cdp enable
interface FastEthernet0/1
description CONNECTION TO LAB
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed 100
interface Dot11Radio0/2/0
description WLAN TO MOBILE USERS
ip address 172.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
encryption mode ciphers tkip
ssid THE MATRIX
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface FastEthernet0/0/0
description CONNECTION TO CORE PC
no ip address
interface FastEthernet0/0/1
description CONNECTION TO PS3
no ip address
interface FastEthernet0/0/2
description CONNECTION TO ACCESS SERVER
no ip address
interface FastEthernet0/0/3
no ip address
interface Vlan1
description MANAGEMENT INTERFACE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
router eigrp 10
network 192.168.0.0 0.0.255.255
redistribute static
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.0.0.0 0.0.0.255
access-list 70 remark THIS WILL DENY HOST FROM TELNETTING TO R1
access-list 70 deny 192.168.10.50
access-list 70 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.0.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 172.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
control-plane
mgcp profile default
alias exec s show ip interface brief
alias exec rc show running-config
alias exec r show ip route
alias exec v show version
banner motd ^CCCC
###DO NOT LOG ON AUTHORIZED PERSONNEL ONLY####
^C
line con 0
exec-timeout 100 0
password 7 xxxxxx
logging synchronous
login
line aux 0
exec-timeout 30 0
password 7 xxxxxx
logging synchronous
login
line vty 0 4
access-class 70 in
exec-timeout 100 0
privilege level 15
password 7 xxxxxxx
logging synchronous
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
Tried that and it's still the same. All the devices are playing up.
Could the hardware be toast?
*Aug 30 18:23:43.762: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
*Aug 30 18:23:49.326: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
*Aug 30 18:24:03.778: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
*Aug 30 18:31:52.314: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station bccf.cca7.43ea Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:04.478: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:09.114: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:18.710: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Previous authentication no longer valid SSID[THE MATRIX]
CORE#
*Aug 30 18:32:20.230: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:26.070: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:32:34.058: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:32:47.258: %DOT11-7-AUTH_FAILED: Station 001f.3c83.bd9e Authentication failed
CORE#
*Aug 30 18:32:47.678: %DOT11-6-ASSOC: Interface Dot11Radio0/2/0, Station CORE 001f.3c83.bd9e Associated SSID[THE MATRIX] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
CORE#
*Aug 30 18:33:12.146: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station 001f.3c83.bd9e Reason: Sending station has left the BSS SSID[THE MATRIX]
CORE#
*Aug 30 18:33:32.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:34.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:39.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:44.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:46.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:48.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:33:53.442: Client 001f.3c83.bd9e failed: reached maximum retries
CORE#
*Aug 30 18:34:10.206: %DOT11-6-DISASSOC: Interface Dot11Radio0/2/0, Deauthenticating Station bccf.cca7.43ea Reason: Previous authentication no longer valid SSID[THE MATRIX]
-
I am using Cisco1941W.
When I connect a client PC to the wireless (1941W), I get the message below from the 1941 AP.
"%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"
And I couldn't ping from my PC to the AP and router.
Communication from the AP to the router is possible.
Here is the 1941 AP configuration.
Can you find what is wrong?
By the way, my PC connected to the AP at 108 Mbps.
But my PC supports only 802.11a/b/g.
My PC uses a static IP address and the TEST-2 SSID.
I couldn't find any error on my PC.
(start)
hostname TEST
enable secret test
aaa new-model
aaa group server radius rad_eap
server 10.73.12.2 auth-port 1645 acct-port 1646
aaa session-id common
dot11 syslog
dot11 ssid TEST-1
vlan 100
authentication open eap eap_methods
authentication key-management wpa
mbssid guest-mode
dot11 ssid TEST-2
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii testtesttesttesttest
dot11 aaa csid ietf
username Cisco password 7 05280F1C2243
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
mbssid
antenna gain 0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
antenna gain 0
no dfs band block
channel 5180
station-role root
interface Dot11Radio1.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
no shut
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
ip address 10.73.12.7 255.255.255.0
no ip route-cache
ip default-gateway 10.73.12.1
ip http server
no ip http secure-server
radius-server deadtime 1440
bridge 1 route ip
(end)
I guess the error message is indicating a radio frequency error.
I tried changing the "speed" configuration.
But I still get the error message and I couldn't ping from my PC.
Thanks, leolaohoo.
> My PC use Static IP Address and use TEST-2 ssid.
So I use TEST-2.
In this case, ignore TEST-1.
I just pasted the real configuration.
I tried to connect again.
But I still can't ping from the PC to the AP.
I used another PC.
I configured the following.
-interface dot11Radio0
-speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
It was the same result.
Is the Cisco 1941W broken?
I'd like to know one more thing.
I configured the following, but I couldn't use 802.11a.
-interface dot11Radio0
-shutdown
How do I use 802.11a (5 GHz)? -
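The EAP configurations posted on this page all rely on the same reference chain: `authentication open eap <list>` under the SSID, `aaa authentication login <list> group <group>`, and `aaa group server radius <group>` with at least one `server` line. The following is an added example, not code from any poster or from Cisco, that checks this chain in a flattened `show running-config` dump like the ones above; the function names, the LAB SSIDs and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Sub-commands that can follow "dot11 ssid <name>"; needed because the
# dumps on this page have lost their indentation.
SSID_SUBCOMMANDS = {"vlan", "authentication", "accounting", "mbssid",
                    "guest-mode", "infrastructure-ssid", "wpa-psk"}
BUILTIN_GROUPS = {"radius", "tacacs+"}  # groups IOS defines implicitly


def parse(config_text):
    """Collect server groups, login method lists and per-SSID EAP references."""
    groups, methods, ssids = {}, {}, {}
    ctx_kind, ctx_name = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        m = re.match(r"aaa group server radius (\S+)$", line)
        if m:
            ctx_kind, ctx_name = "group", m.group(1)
            groups.setdefault(ctx_name, [])
            continue
        if line.startswith("dot11 ssid "):
            # SSID names may contain spaces, so take the rest of the line
            ctx_kind, ctx_name = "ssid", line[len("dot11 ssid "):]
            ssids.setdefault(ctx_name, [])
            continue
        if (ctx_kind == "group" and len(words) > 1
                and words[0] in ("server", "server-private")):
            groups[ctx_name].append(words[1])
            continue
        if ctx_kind == "ssid" and words[0] in SSID_SUBCOMMANDS:
            m = re.match(r"authentication (?:open eap|network-eap) (\S+)", line)
            if m:
                ssids[ctx_name].append(m.group(1))
            continue
        ctx_kind = None  # any other line closes the current block
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            methods[m.group(1)] = re.findall(r"group (\S+)", m.group(2))
    return groups, methods, ssids


def lint(config_text):
    """Return (ssid, problem) pairs for broken SSID -> list -> group chains."""
    groups, methods, ssids = parse(config_text)
    findings = []
    for ssid, lists in ssids.items():
        for name in dict.fromkeys(lists):  # de-duplicate, keep order
            if name not in methods:
                findings.append((ssid, f"method list '{name}' is not defined"))
                continue
            for grp in methods[name]:
                if grp in BUILTIN_GROUPS:
                    continue
                if grp not in groups:
                    findings.append(
                        (ssid, f"list '{name}' uses undefined group '{grp}'"))
                elif not groups[grp]:
                    findings.append((ssid, f"group '{grp}' has no server"))
    return findings


# Constructed sample, flattened the same way as the dumps on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
server 192.0.2.10 auth-port 1645 acct-port 1646
aaa group server radius rad_empty
aaa authentication login eap_ok group rad_eap
aaa authentication login eap_empty group rad_empty
dot11 ssid LAB-1
vlan 100
authentication open eap eap_ok
authentication key-management wpa
dot11 ssid LAB-2
vlan 200
authentication open eap eap_methods
authentication key-management wpa
dot11 ssid LAB 3
authentication open eap eap_empty
authentication network-eap eap_empty
dot11 ssid LAB-PSK
authentication open
authentication key-management wpa
"""

if __name__ == "__main__":
    for ssid, problem in lint(SAMPLE_CONFIG):
        print(f"SSID {ssid}: {problem}")
```

The check only covers the two EAP forms that appear in the configurations on this page; other `authentication` variants and the newer `server name` syntax are not parsed.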
Hi All,
My wireless network consists of a 7.5 virtual wireless controller and a few 3600i APs.
All SSIDs & APs have been configured in flexconnect & flexconnect groups.
APs acquire IP address & controller IP address via DHCP option 43.
My problem is,
After I created a new SSID & pushed it, the APs don't reboot themselves but disconnect from the controller and never come back up until I give each AP a manual power reboot.
* The DHCP server has not been configured with any authentication mechanism for APs. *
I got below console outputs:
*Dec 5 16:56:42.830: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed
%Unknown DHCP problem.. No allocation possible
*Dec 5 16:56:54.226: %DOT11-7-AUTH_FAILED: Station c023.4921.2100 Authentication failed
*Dec 21 06:15:03.251: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:03.283: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:04.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:14.135: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:14.539: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:15.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:15.375: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Dec 21 06:15:15.387: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Dec 21 06:15:15.395: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Dec 21 06:15:16.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:16.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Dec 21 06:15:16.423: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Dec 21 06:15:16.435: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 21 06:15:16.451: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Dec 21 06:15:17.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Dec 21 06:15:17.491: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
., 26)1 06:15:17.983: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST
*Dec 21 06:15:18.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Dec 21 06:15:24.427: %EVT-4-WRN: Write of flash:/event.capwap done
*Dec 21 06:15:24.447: %LWAPP-3-CLIENTERRORLOG: Switching to Standalone mode
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Dec 21 06:15:24.459: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.15.2:5246
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Invalid event 46 & state 4 combination.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 46, state 4
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Dec 21 06:15:24.459: %CAPWAP-3-ERRORLOG: Failed to process Periodic Echo timer message.
*Dec 21 06:15:24.507: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 0 down
*Dec 21 06:15:26.419: %CLEANAIR-6-STATE: Slot 1 down
Does anybody know the reason for this behavior?
Thanks,
Charith
Hi Charith,
It looks like the AP goes into standalone mode because it cannot reach your WLC. In FlexConnect, when it cannot reach the WLC, it will go into standalone mode without rebooting the AP. (In local mode the AP will reboot unless it can find a WLC.)
Can you check that your AP has reachability to your WLC all the time? Where is DHCP configured for users?
HTH
Rasika
-
AP1200 with EAP - dot11 holdoff timer
Hi all
We are running AP1200 with open eap. We are experiencing a transient problem with a couple of unknown PCs attempting (and failing) authentication every second. After some time, the memory gets fragmented on the AP, causing the AP to hang.
From the AP
>>>
Aug 4 14:12:17: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:18: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:19: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:21: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
Aug 4 14:12:22: %SYS-2-MALLOCFAIL: Memory allocation of 1500 bytes failed from
Pool: Processor Free: 122180 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Logger", ipl= 6, pid= 16
-Traceback= 10DDB0 10FF40 108EF0 117C20 366E0 368A0 442FC 445A8 47CEC 1337F8
Aug 4 14:12:23: %DOT11-7-AUTH_FAILED: Station 000e.d70f.441c Authentication fad
<<<
We have not been able to find this certain host.
We attempted to mitigate the failures using the "dot11 holdoff-timer 120". From the documentation this command looks like it will only take effect when performing MAC Authentication, yet in the configuration guide, it does not specify mac authen only. We have not had success in the lab.
Can anyone here shed some more light on this command?
TIA,
Alex
If all the PCs in your wireless network are working, then the unknown PCs could be some rogue devices trying to access the network. Since authentication is failing at every attempt it is clear that it is a rogue device trying to get entry into the network.
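Detection logic for the pattern reported in this thread, a station that fails authentication about once per second and never associates, as opposed to the stations in the WPA-PSK thread above that fail once and then associate. This is an added example, not part of the original posts; the function names, thresholds, the assumed year and the sample log lines (documentation MAC and IP addresses) are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# Optional sequence number, optional '*', "Mon D HH:MM:SS", optional msec/zone:
# covers the three timestamp layouts that appear in the logs on this page.
STAMP = re.compile(
    r"^(?:\d+:\s*)?\*?([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.\d+)?(?:\s+[A-Z]+)?:")
FAILED = re.compile(r"%DOT11-7-AUTH_FAILED: Station " + MAC, re.I)
# An optional station name can precede the MAC ("Station CORE 001f....").
ASSOC = re.compile(r"%DOT11-6-ASSOC: .*?Station (?:\S+ )?" + MAC, re.I)

ASSUMED_YEAR = 2000  # assumption: these timestamps carry no year


def parse_stamp(line):
    """Return a datetime for the line's timestamp, or None if it has none."""
    m = STAMP.match(line.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss = m.groups()
    try:
        return datetime(ASSUMED_YEAR, MONTHS[mon], int(day),
                        int(hh), int(mm), int(ss))
    except ValueError:
        return None


def failing_stations(lines, threshold=5, window_s=10):
    """Map MAC -> peak failure count for stations with at least `threshold`
    AUTH_FAILED events inside `window_s` seconds and no association between."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts = parse_stamp(line)
        if ts is None:
            continue
        m = ASSOC.search(line)
        if m:
            recent[m.group(1).lower()].clear()  # success ends the streak
            continue
        m = FAILED.search(line)
        if not m:
            continue
        mac = m.group(1).lower()
        q = recent[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), len(q))
    return flagged


# Constructed sample log in the formats shown on this page.
SAMPLE_LOG = """\
Aug  4 14:12:17: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
Aug  4 14:12:18: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
*Aug  4 14:12:18.845: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5302 Authentication failed
Aug  4 14:12:19: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
*Aug  4 14:12:20.413: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0000.5e00.5302 Associated SSID[LAB] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
Aug  4 14:12:21: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
*Aug  4 14:12:21.168: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.0.2.2)
Aug  4 14:12:22: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
Aug  4 14:12:23: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5301 Authentication failed
000331: *Aug  4 14:12:40.823 UTC: %DOT11-7-AUTH_FAILED: Station 0000.5e00.5302 Authentication failed
"""

if __name__ == "__main__":
    for mac, count in failing_stations(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {count} failures in window, no association")
```

Terminal-wrapped log lines must be rejoined before they are fed to `failing_stations`, since a MAC split across two lines will not match.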
-
How do I configure a cisco 1131 AP to use WPA2 enterprise and authenticate to Active Directory
I have a Win2008 server set up as a RADIUS server (192.168.32.71) and a standalone AP (192.168.201.9). The AP config is below:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$IdUV$UvE2IJTNzHX6mW6Mmh3At0
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_eap1
server 192.168.201.9 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid ka_test
vlan 201
authentication open eap eap_methods1
authentication network-eap eap_methods1
guest-mode
power inline negotiation prestandard source
username Cisco password 7 112A1016141D
username tkgadmin privilege 15 password 7 022D167B06551D60
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 201 mode ciphers aes-ccm tkip
encryption key 1 size 128bit 7 673B0AA56FCB4E630D8E4856427E transmit-key
encryption mode wep mandatory
broadcast-key change 150
ssid ka_test
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption key 1 size 128bit 7 B711059074E30B1E1D4E3EC038BB transmit-key
encryption mode wep mandatory
broadcast-key change 150
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication eapfast
no authentication mac
nas 192.168.201.9 key 7 010703174F
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 0835495D1D
radius-server host 192.168.201.9 auth-port 1812 acct-port 1813 key 7 0010161510
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
Sorry for the late reply Steve. The link you provided was extremely helpful; here is what my config looks like now:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$7vHS$YWCMbrlAgDUayKlOHhMlF1
ip subnet-zero
ip domain name TKGCORP.local
ip name-server 192.168.32.71
aaa new-model
aaa group server radius rad_eap
server 192.168.32.71 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid wap_test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
guest-mode
infrastructure-ssid optional
power inline negotiation prestandard source
username Cisco password 7 047802150C2E
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid wap_test
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 192.168.201.9 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.32.71 auth-port 1645 acct-port 1646 key 7 071B245F5A
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end
I get a login screen but it will not let me connect. On my RADIUS server I have it set to allow a group that my username is in. Here are some debugs from when I try to connect to the AP:
ap#debug aaa authentication
AAA Authentication debugging is on
ap#
*Mar 2 01:11:53.284: AAA/BIND(00000006): Bind i/f
*Mar 2 01:11:53.355: AAA/AUTHEN/PPP (00000006): Pick method list 'eap_methods'
*Mar 2 01:11:54.556: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
*Mar 2 01:11:55.280: AAA/BIND(00000007): Bind i/f
*Mar 2 01:11:55.404: AAA/AUTHEN/PPP (00000007): Pick method list 'eap_methods'
*Mar 2 01:11:56.349: AAA/BIND(00000008): Bind i/f
*Mar 2 01:11:56.525: AAA/AUTHEN/PPP (00000008): Pick method list 'eap_methods'
*Mar 2 01:11:57.300: AAA/BIND(00000009): Bind i/f
*Mar 2 01:11:58.070: AAA/BIND(0000000A): Bind i/f
*Mar 2 01:11:58.812: AAA/BIND(0000000B): Bind i/f
*Mar 2 01:12:15.470: AAA/AUTHEN/PPP (0000000B): Pick method list 'eap_methods'
*Mar 2 01:12:15.492: %DOT11-7-AUTH_FAILED: Station c0cb.3835.a102 Authentication failed
ap#undebug all
All possible debugging has been turned off -
Hi *,
I have the following problem with RADIUS and EAP authentication.
Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
What could it be?
Debug piece and configuration follows:
*Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.795: RADIUS(00000012): sending
*Jan 25 14:23:34.799: RADIUS: 4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E [NGVzxeJOU1G@wlan]
*Jan 25 14:23:34.799: RADIUS: 2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33 [.mnc001.mcc001.3]
*Jan 25 14:23:34.799: RADIUS: 67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67 [gppnetwork.org]
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.799: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.799: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.799: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:34.831: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:34.831: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:34.831: RADIUS: 32 [2]
*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2
*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17
*Jan 25 14:23:34.835: RADIUS(00000012): sending
*Jan 25 14:23:34.835: RADIUS: 10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA [?????????7??y>3?]
*Jan 25 14:23:34.835: RADIUS: F3 7D 73 43 BF BA D0 6A [?}sC???j]
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:34.835: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:34.835: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:34.835: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304
*Jan 25 14:23:35.039: RADIUS: 46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28 [F?x__??l???????(]
*Jan 25 14:23:35.039: RADIUS: E0 18 2B 95 97 C2 0A D7 40 53 FE 62 [??+?????@S?b]
*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64
*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes
*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: ssid [265] 8
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41 [WifiEA]
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface [157] 3
*Jan 25 14:23:35.359: RADIUS: 92 DA 5E 26 CF 40 01 22 7A 8E F5 C1 [??^&?@?"z???]
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jan 25 14:23:35.359: RADIUS: NAS-Port [5] 6 265
*Jan 25 14:23:35.359: RADIUS: NAS-Port-Id [87] 5 "265"
*Jan 25 14:23:35.359: RADIUS: NAS-IP-Address [4] 6 192.168.173.2
*Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30
*Jan 25 14:23:35.367: RADIUS: authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7
*Jan 25 14:23:35.367: RADIUS: EAP-Message [79] 10
*Jan 25 14:23:35.367: RADIUS: 03 01 00 04 00 00 00 00 [????????]
*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65
*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes
*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
Config:
aaa new-model
!
aaa group server radius rad_eap
 server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
!
aaa session-id common
ip name-server 192.168.177.45
!
dot11 ssid WifiEAP1
 vlan 10
 authentication open eap eap_methods
 authentication shared eap eap_methods
 authentication key-management wpa optional
 guest-mode
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 10 change 300
 !
 ssid WifiEAP1
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 ip address 192.168.173.3 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.173.2 255.255.255.0
 no ip route-cache
!
ip radius source-interface BVI1
bridge 1 route ip
thanks so much!
Stefano: not sure if related but there is an unsupported attribute in the debugs:
Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr:
*Jan 25 14:23:35.355: RADIUS: 57 69 66 69 45 41
*Jan 25 14:23:35.355: RADIUS: AAA Unsupported Attr: interface
Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
You may also check by removing the shared EAP as suggested above. Let us know if this works.
Sent from Cisco Technical Support iPad App -
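The Access-Accept in the debug above is reported as len 30 with one 10-byte EAP-Message attribute, which together with the 20-byte RADIUS header accounts for the whole packet. The following added example (not code from the thread or from Cisco) rebuilds that packet from the values printed in the debug and audits it for the attributes an authenticator normally expects on an EAP Access-Accept when WPA key management is in use: Message-Authenticator (RFC 3579) and the Microsoft MS-MPPE-Send-Key/MS-MPPE-Recv-Key vendor attributes (RFC 2548). Reading "id 1645/65" as RADIUS identifier 65 is an assumption, and all function names are illustrative.

```python
import struct

ATTR_VENDOR_SPECIFIC, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 26, 79, 80
VENDOR_MICROSOFT, MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 311, 16, 17
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def build_radius(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Split a RADIUS packet into header fields and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError(f"bad length field {length}")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def microsoft_subattrs(value):
    """Vendor-type numbers inside one Vendor-Specific value, if vendor is Microsoft."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_MICROSOFT:
        return []
    types, pos = [], 4
    while pos + 2 <= len(value) and value[pos + 1] >= 2:
        types.append(value[pos])
        pos += value[pos + 1]
    return types


def audit_accept(packet):
    """Report what an EAP-carrying RADIUS reply does and does not contain."""
    pkt = parse_radius(packet)
    eap = b"".join(v for t, v in pkt["attrs"] if t == ATTR_EAP_MESSAGE)
    ms_types = [s for t, v in pkt["attrs"] if t == ATTR_VENDOR_SPECIFIC
                for s in microsoft_subattrs(v)]
    report = {
        "radius_code": RADIUS_CODES.get(pkt["code"], str(pkt["code"])),
        "attribute_types": [t for t, _ in pkt["attrs"]],
        "eap_code": None,
        "eap_declared_len": None,      # length field inside the EAP header
        "eap_carried_len": len(eap),   # bytes actually carried in EAP-Message
        "has_message_authenticator": any(
            t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in pkt["attrs"]),
        "has_mppe_send_key": MS_MPPE_SEND_KEY in ms_types,
        "has_mppe_recv_key": MS_MPPE_RECV_KEY in ms_types,
    }
    if len(eap) >= 4:
        e_code, _e_id, e_len = struct.unpack("!BBH", eap[:4])
        report["eap_code"] = EAP_CODES.get(e_code, str(e_code))
        report["eap_declared_len"] = e_len
    return report


# Values copied from the debug lines above; identifier 65 is an assumed reading.
AUTHENTICATOR = bytes.fromhex("8C2C1B9782BB6C7FAAD34AABCA228BB7")
EAP_FROM_DEBUG = bytes.fromhex("0301000400000000")
ACCEPT_FROM_DEBUG = build_radius(2, 65, AUTHENTICATOR,
                                 [(ATTR_EAP_MESSAGE, EAP_FROM_DEBUG)])

if __name__ == "__main__":
    for key, value in audit_accept(ACCEPT_FROM_DEBUG).items():
        print(f"{key}: {value}")
```

Run against a packet capture of the real exchange, the same audit shows whether the server is sending key attributes that the AP debug simply does not print.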
Surface Pro 3 is not able to connect to standalone aironet
Hello,
We are having issues with several Surface Pro 3 devices connecting to a standalone Aironet. Other devices connect to this AP with no problem. SP3s connect to other APs (not Cisco) with no problem. So there seems to be an issue between the two devices. When I look in the logs of the AP I get the following message:
Jan 15 19:59:52.513: %DOT11-7-AUTH_FAILED: Station 501a.c5e5.aeff Authentication failed
I tried to run aaa debug but nothing shows up but that message above. We use WPA2 AES/TKIP.
I proceeded to run debug all on the AP and this is what I got. Keep in mind that we are troubleshooting 501a.c5e5.aeff
Jan 15 19:55:19.646: Setting client MAC 501a.c5e5.aeff radio slotunit 0 address 0x7E2CE90
Jan 15 19:55:19.646: Adding client 501a.c5e5.aeff client->reap_flags_1 0
Jan 15 19:55:19.646: Dot11Radio0: Adding client 501a.c5e5.aeff aid 6
Jan 15 19:55:19.646: dot11_mgmt: drv add resp for client 501a.c5e5.aeff aid 6
Jan 15 19:55:19.646: dot11_mgmt: dot11_mgmt_sta_ref (ref=2, sta_ptr=0x7530010, mac=501a.c5e5.aeff)
Jan 15 19:55:19.646: SM: ---Open Authentication 0x7530010: Drv Add Resp (8)
Jan 15 19:55:19.646: SM: Drv_Add_InProg (8) --> DONT CHANGE STATE (255)
Jan 15 19:55:19.646: dot11_mgmt: [168D368F] response from driver for client 501a.c5e5.aeff
Jan 15 19:55:19.646: Setting global apsd config before assoc rsp
Jan 15 19:55:19.646: dot11_driver_client_apsd_settings Client(501a.c5e5.aeff) not found for APSD settings
Jan 15 19:55:19.646: about to perform cac before cac resp
Jan 15 19:55:19.646: dot11_tsm_delete_ts_not_reassociated:Clean streams not in REASSOC
Jan 15 19:55:19.646: dot11_mgmt: [168D36F5] send assoc resp, status[0] to dst=501a.c5e5.aeff, aid[6] on Dot11Radio1
Jan 15 19:55:19.646: There is nothing to add from qosie_set in ASSOC Rsp
Jan 15 19:55:19.646: Dot11Radio1: Tx AssocResp client 501a.c5e5.aeff
Jan 15 19:55:19.646: dot11_aaa_auth_request: Received dot11_aaa_auth_request for client 501a.c5e5.aeff
Jan 15 19:55:19.646: dot11_aaa_auth_request: SSID: Executive, Mac Address: 501a.c5e5.aeff, auth_algorithm 0, key_mgmt 1027074
Jan 15 19:55:19.646: AAA/API(00000000): aaa_util_unique_id_alloc(), pc 0x185F920, enter {
Jan 15 19:55:19.646: AAA/ID(NA): DOT11 allocating
Jan 15 19:55:19.646: AAA/ID(00000023): Call started 14:55:19 -0500 Jan 15 2015
Jan 15 19:55:19.646: AAA/DB(00000023): add Intf/7D3D488
Jan 15 19:55:19.646: AAA/DB(00000023): add DB 7E2910C
Jan 15 19:55:19.646: AAA/ID(00000023): DOT11 allocated
Jan 15 19:55:19.646: AAA/API(00000023): } aaa_util_unique_id_alloc()
Jan 15 19:55:19.646: dot11_mgr_disp_wlccp_update_auth: unknown auth type 0x1
Jan 15 19:55:19.646: dot11_aaa_add_dot11_client_entry: AAA Client entry (501a.c5e5.aeff, 4106500) is added to the client list
Jan 15 19:55:19.646: dot11_aaa_start_auth_sequence: dot11_aaa_start_auth_sequence for client 501a.c5e5.aeff [key_mgmt] = FAC02
Jan 15 19:55:19.646: dot11_aaa_start_auth_sequence: dot11_aaa_start_auth_sequence for client 501a.c5e5.aeff [key_mgmt] = FAC02
Jan 15 19:55:19.646: dot11_mgr_sm_start_wpav2_psk: Starting wpav2 4-way handshake for PSK or pmk cache supplicant 501a.c5e5.aeff
Jan 15 19:55:19.646: dot11_mgr_sm_send_wpav2_ptk_msg1: Starting wpav2 ptk msg 1 to supplicant 501a.c5e5.aeff
Could not find station pointer for client 501a.c5e5.aeff. Using vlan number from aaa_client
Jan 15 19:55:19.646: dot11_dot1x_send_ssn_eapol_key: wpav2 msg 1 pak_size 121
Jan 15 19:55:19.646: dot11_dot1x_send_ssn_eapol_key: eapol->length 117
Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 501a.c5e5.aeff
Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: ptk key len 16
Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: ptk key data len 22
Jan 15 19:55:19.646: dot11_dot1x_build_ptk_handshake: wpav2 pmkid[DOT1X]: 0CBC860AAF0DBBA764ED9D51BB113194
Jan 15 19:55:19.646: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 15 19:55:19.646: dot11_mgr_disp_client_send_eapol: sending eapol to client 501a.c5e5.aeff on BSSID c025.5ca5.3c40
Jan 15 19:55:19.646: dot11_mgr_sm_send_wpav2_ptk_msg1: [1] Sent PTK msg 1 to 501a.c5e5.aeff, no timer set
Jan 15 19:55:19.650: dot11_mgmt: dot11_mgmt_sta_deref (ref=3, sta_ptr=0x7530010, mac=501a.c5e5.aeff)
Also, on the Windows end I checked the Event Viewer and I see that the SP3 is not getting any response back from the AP.
Any help would be greatly appreciated. Thanks.
I rolled out a batch of these to our wireless network a couple of months back. A couple of tips:
- From a wireless perspective these devices are extremely buggy out of the box (I'm not exaggerating). They basically won't function using the built in wireless with anything other than the most very basic wireless setup of a home router until you apply ALL of the patches and updates for them in Windows Update. In my case I had to install all the updates via ethernet dongle and/or a Linksys USB Wireless dongle (the drivers were much better for the USB dongle and allowed connectivity to work). The built in Marvell adaptor looks to be good from a features perspective but poor from a driver perspective. Once the updates were applied it mostly worked.
- I experienced a similar problem with FT (Fast Transition) enabled - the SP3 will not connect with FT enabled. In my view there were two issues - (1) the devices won't even connect if FT is enabled and (2) they don't support the FT feature for seamless roaming.
I took it up with Microsoft and they acknowledged the problem but wouldn't commit to fixing the buggy behaviour (allowing the connection and ignoring the FT attribute like many older clients do) nor would they commit to when they will support the FT feature (fast roaming).
These tips might not be the cause of your problem but hopefully they will help you get it up and running.
Fortunately all of these problems can be fixed with driver updates, so maybe in the future they may end up being pretty good wireless clients after all :-) -
Constantly getting error on UC520 Wi-Fi
Hello,
I have been constantly getting an error on the UC520W Wi-Fi since last night, and I do not understand this error.
Can anyone help me? What is the cause of this error, or is there an issue on the UC520?
Please suggest and help me.
.858: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001320: Jan 8 05:12:22.166: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001321: Jan 8 05:12:22.166: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001322: Jan 8 05:13:23.997: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001323: Jan 8 05:13:24.305: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001324: Jan 8 05:13:24.305: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001325: Jan 8 05:14:33.512: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001326: Jan 8 05:14:33.820: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001327: Jan 8 05:14:33.820: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001328: Jan 8 05:14:50.784: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001329: Jan 8 05:14:51.376: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001330: Jan 8 05:14:55.941: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001331: Jan 8 05:14:55.941: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001332: Jan 8 05:15:23.594: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001333: Jan 8 05:15:23.914: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001334: Jan 8 05:15:23.914: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001335: Jan 8 05:16:16.128: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001336: Jan 8 05:16:17.112: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001337: Jan 8 05:16:17.116: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001338: Jan 8 05:16:22.072: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001339: Jan 8 05:16:22.376: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001340: Jan 8 05:16:22.376: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001341: Jan 8 05:17:01.454: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001342: Jan 8 05:17:02.026: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001343: Jan 8 05:17:14.110: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001344: Jan 8 05:17:14.110: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001345: Jan 8 05:17:32.835: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001346: Jan 8 05:17:33.911: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001347: Jan 8 05:17:33.911: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001348: Jan 8 05:18:16.933: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001349: Jan 8 05:18:17.257: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001350: Jan 8 05:18:17.261: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001351: Jan 8 05:18:35.498: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001352: Jan 8 05:18:35.810: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001353: Jan 8 05:18:35.810: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001354: Jan 8 05:18:50.698: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001355: Jan 8 05:18:51.206: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001356: Jan 8 05:18:51.206: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001357: Jan 8 05:18:55.970: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001358: Jan 8 05:19:03.143: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001359: Jan 8 05:19:03.451: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001360: Jan 8 05:19:03.451: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001361: Jan 8 05:19:10.827: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001362: Jan 8 05:19:11.143: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001363: Jan 8 05:19:11.143: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001364: Jan 8 05:19:27.832: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001365: Jan 8 05:19:28.148: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001366: Jan 8 05:19:28.148: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001367: Jan 8 05:19:55.281: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001368: Jan 8 05:19:55.513: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001369: Jan 8 05:19:55.517: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001370: Jan 8 05:20:14.742: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001371: Jan 8 05:20:15.046: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001372: Jan 8 05:20:15.046: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001373: Jan 8 05:20:34.082: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001374: Jan 8 05:20:34.634: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001375: Jan 8 05:20:47.035: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001376: Jan 8 05:20:47.035: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001377: Jan 8 05:20:54.811: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001378: Jan 8 05:21:11.340: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001379: Jan 8 05:21:11.340: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001380: Jan 8 05:21:23.748: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001381: Jan 8 05:21:24.057: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001382: Jan 8 05:21:24.057: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001383: Jan 8 05:22:20.471: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001384: Jan 8 05:22:21.003: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001385: Jan 8 05:22:25.095: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001386: Jan 8 05:22:25.095: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001387: Jan 8 05:22:39.308: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001388: Jan 8 05:22:39.644: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001389: Jan 8 05:22:39.644: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001390: Jan 8 05:22:52.832: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001391: Jan 8 05:22:53.136: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001392: Jan 8 05:22:53.140: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001393: Jan 8 05:23:24.749: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001394: Jan 8 05:23:25.133: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001395: Jan 8 05:23:25.133: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001396: Jan 8 05:25:46.851: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has unregistered abnormally.
001397: Jan 8 05:27:20.475: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001398: Jan 8 05:27:43.084: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001399: Jan 8 05:27:43.084: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001400: Jan 8 05:27:48.696: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001401: Jan 8 05:28:04.933: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001402: Jan 8 05:28:04.933: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001403: Jan 8 05:28:09.893: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-timeout
001404: Jan 8 05:28:10.229: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has registered.
001405: Jan 8 05:29:03.851: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001406: Jan 8 05:29:04.159: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001407: Jan 8 05:29:04.159: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001408: Jan 8 05:29:51.725: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001409: Jan 8 05:29:52.029: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001410: Jan 8 05:29:52.033: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001411: Jan 8 05:29:59.734: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001412: Jan 8 05:30:00.042: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001413: Jan 8 05:30:00.042: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001414: Jan 8 05:30:05.878: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001415: Jan 8 05:30:06.190: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001416: Jan 8 05:30:06.190: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001417: Jan 8 05:31:16.469: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
001418: Jan 8 05:31:18.461: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
001419: Jan 8 05:31:18.461: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:8 DeviceType:Phone has registered.
001420: Jan 8 05:31:36.890: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001421: Jan 8 05:31:37.110: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001422: Jan 8 05:31:37.110: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001423: Jan 8 05:32:08.595: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001424: Jan 8 05:32:09.119: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001425: Jan 8 05:32:11.751: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001426: Jan 8 05:32:11.751: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
Translating "kya"...domain server (63.203.35.55)
001427: Jan 8 05:32:49.721: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001428: Jan 8 05:32:50.125: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001429: Jan 8 05:32:50.129: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
% Unknown command or computer name, or unable to find computer address
coinop-uc520#
coinop-uc520#kya sh ip dhc
coinop-uc520#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.1.1.11 0100.1da2.314a.ad Jan 09 2011 02:27 PM Automatic
192.168.2.11 0100.16d4.3c0e.99 Jan 09 2011 09:41 AM Automatic
192.168.2.14 0100.16ea.ee13.28 Jan 09 2011 01:22 PM Automatic
192.168.2.16 0100.237d.0081.4b Jan 09 2011 02:29 PM Automatic
192.168.2.19 0100.0c6e.0438.e8 Jan 09 2011 12:43 PM Automatic
192.168.2.47 0100.0c29.e2eb.b9 Jan 08 2011 08:20 PM Automatic
coinop-uc520#ping
001430: Jan 8 05:34:17.872: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:6 DeviceType:Phone has unregistered abnormally.
001431: Jan 8 05:38:48.864: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 0016.eaee.1328 Reason: Sending station has left the BSS SSID[coinop]
001432: Jan 8 05:38:58.460: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
001433: Jan 8 05:38:58.460: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station coinop-uc520 0016.eaee.1328 Associated SSID[coinop] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001434: Jan 8 05:42:08.512: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001435: Jan 8 05:42:43.133: %DOT11-7-AUTH_FAILED: Station 001d.a231.4aad Authentication failed
001436: Jan 8 05:42:48.725: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001437: Jan 8 05:42:48.725: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001438: Jan 8 05:43:09.406: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001439: Jan 8 05:43:09.814: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001440: Jan 8 05:43:09.818: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001441: Jan 8 05:43:16.363: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-timeout
001442: Jan 8 05:43:16.691: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has registered.
001443: Jan 8 05:43:44.072: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 0016.eaee.1328 Reason: Sending station has left the BSS SSID[coinop]
001444: Jan 8 05:43:53.956: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
001445: Jan 8 05:43:53.956: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station coinop-uc520 0016.eaee.1328 Associated SSID[coinop] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001446: Jan 8 05:43:57.180: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001447: Jan 8 05:43:57.540: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001448: Jan 8 05:43:58.568: %IPPHONE-6-UNREGISTER_NORMAL: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has unregistered normally.
001449: Jan 8 05:44:01.572: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001450: Jan 8 05:44:01.572: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001451: Jan 8 05:44:10.565: %IPPHONE-6-REG_ALARM: Name=SEP001DA2314AAD Load= Last=TCP-Bad-ACK
001452: Jan 8 05:44:12.469: %IPPHONE-6-REGISTER: ephone-11:SEP001DA2314AAD IP:10.1.1.11 Socket:5 DeviceType:Phone has registered.
001453: Jan 8 05:45:09.259: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001454: Jan 8 05:45:09.575: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001455: Jan 8 05:45:09.575: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001456: Jan 8 05:45:22.868: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001457: Jan 8 05:45:23.176: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001458: Jan 8 05:45:23.176: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001459: Jan 8 05:46:16.934: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001460: Jan 8 05:46:17.246: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001461: Jan 8 05:46:17.246: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001462: Jan 8 05:46:27.466: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001463: Jan 8 05:46:27.770: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001464: Jan 8 05:46:27.770: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001465: Jan 8 05:46:28.198: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
001466: Jan 8 05:46:35.903: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:8 DeviceType:Phone has unregistered abnormally.
001467: Jan 8 05:46:54.820: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
001468: Jan 8 05:46:55.132: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
001469: Jan 8 05:46:55.132: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voic
Thanks for the suggestion,
But please look: apart from this MAC address, 0016.eaee.1328, we have more errors like the ones below, and I have been getting errors constantly since last night. Also, to let you know, the Wi-Fi IP phone is working. I have posted my config; please suggest if anything is wrong anywhere.
001461: Jan 8 05:46:17.246: %DOT11-6-ASSOC: Interface Dot11Radio0/5/0, Station SEP001DA2314AAD 001d.a231.4aad Associated SSID[uc520-voice] AUTH_TYPE[OPEN] KEY_MGMT[WPA PSK]
001462: Jan 8 05:46:27.466: %DOT11-6-DISASSOC: Interface Dot11Radio0/5/0, Deauthenticating Station 001d.a231.4aad Reason: Previous authentication no longer valid SSID[uc520-voice]
dot11 ssid coinop
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
dot11 ssid uc520-voice
vlan 100
authentication open
authentication key-management wpa
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
ip cef
ip dhcp relay information trust-all
ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 10.1.1.200 10.1.1.254
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp pool phone
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
option 150 ip 10.1.1.1
ip dhcp pool data
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 203.7.224.10 203.25.27.50
ip name-server 63.203.35.55
username admin privilege 15 password 7 XXXXXXXXXXXXXXXXXXXX
archive
log config
logging enable
logging size 600
hidekeys
ip tftp source-interface Loopback0
bridge irb
interface Loopback0
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
tunnel source XXXXXXXXXXX
tunnel mode gre multipoint
tunnel path-mtu-discovery
interface Tunnel2
no ip address
interface FastEthernet0/0
description $FW_OUTSIDE$
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Integrated-Service-Engine0/0
description cue is initialized with default IMAP group
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
macro description cisco-switch | cisco-switch | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phh | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch
interface FastEthernet0/1/0
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/1
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/2
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/3
switchport voice vlan 100
macro description cisco-phone | cisco-phone | ciscophone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | ciscophone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/4
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/5
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/6
switchport voice vlan 100
macro description cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | native | cisco-phone itch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | native
interface FastEthernet0/1/7
switchport voice vlan 100
macro description cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone | cisco-phone
interface FastEthernet0/1/8
switchport mode trunk
macro description cisco-switc | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switch | cisco-switc
interface Dot11Radio0/5/0
no ip address
ip virtual-reassembly
encryption vlan 100 mode ciphers tkip
encryption vlan 1 mode ciphers tkip
ssid coinop
ssid uc520-voice
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU both
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0/5/0.1
encapsulation dot1Q 100
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0/5/0.2
encapsulation dot1Q 1 native
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
peer default ip address pool IP_POOL
no keepalive
ppp encrypt mppe 40
ppp authentication chap ms-chap pap
interface Virtual-Template2 type tunnel
ip unnumbered BVI2
ip nat inside
ip virtual-reassembly
shutdown
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template7 type tunnel
ip unnumbered BVI2
ip nat inside
ip virtual-reassembly
shutdown
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 2
bridge-group 2 spanning-disabled
interface Vlan100
no ip address
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Dialer1
mtu 1492
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1492
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username [email protected] password 7 XXXXXXXXXXXXXXXXXXXX
crypto map vpnmap
interface BVI1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface BVI2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly -
Machine authentication in Aironet
I'm trying to authenticate laptops against Active Directory before they join the wireless AP (Aironet 1240A).
I'm using EAP on the AP
and PEAP with certificates in NPS.
I'm forcing the laptops to use "computer authentication" through a GPO.
Certificates are already deployed to all machines.
The policy is configured in NPS with a "machine group" condition.
The problem I'm facing is that some laptops are authenticated successfully while the others are not.
All machines are running Windows 7 and are located in the same Active Directory OU (same GPO applied).
Here is what I saw on the AP after enabling debug radius authentication.
The working machines:
*Mar 4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar 4 20:25:34.125: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:25:34.126: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:25:34.126: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:25:34.126: RADIUS: 32 [2]
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS(00000009): sending
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.127: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:25:34.128: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.128: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:25:34.128: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:25:34.128: RADIUS: 1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9 [?E?Z]???s?????b?]
*Mar 4 20:25:34.128: RADIUS: EAP-Message [79] 28
*Mar 4 20:25:34.128: RADIUS: 02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C [?????host/FADI-L]
*Mar 4 20:25:34.129: RADIUS: 54 2E 61 64 61 73 69 2E 61 65 [T.domain.com]
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:25:34.129: RADIUS: NAS-Port [5] 6 263
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Id [87] 5 "263"
*Mar 4 20:25:34.129: RADIUS: NAS-IP-Address [4] 6 10.10.64.229
*Mar 4 20:25:34.129: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:25:34.167: RADIUS: authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar 4 20:25:34.167: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:25:34.167: RADIUS: EAP-Message [79] 8
*Mar 4 20:25:34.167: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:25:34.167: RADIUS: State [24] 38
The non-working machines:
*Mar 4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.949: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.949: RADIUS: 32 [2]
*Mar 4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS(0000000A): sending
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.951: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.951: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA [??U?mE???ss,??(?]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 23
*Mar 4 20:26:18.952: RADIUS: 02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E [?????domain\user]
*Mar 4 20:26:18.952: RADIUS: 61 64 6D 69 6E [name]
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.952: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.952: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.953: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.980: RADIUS: authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar 4 20:26:18.981: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.981: RADIUS: State [24] 38
*Mar 4 20:26:18.981: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.982: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.982: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.982: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.982: RADIUS: 1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47 [?????F?????&0IcG]
*Mar 4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar 4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.986: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.986: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.987: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.987: RADIUS: 32 [2]
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS(0000000A): sending
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.988: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.988: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.988: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.989: RADIUS: 3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F [=???n??+Q??????_]
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.989: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.989: RADIUS: State [24] 38
*Mar 4 20:26:18.990: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.990: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.990: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.990: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.990: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
*Mar 4 20:26:18.993: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.993: RADIUS: FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9 [?!t???????:5E???]
*Mar 4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar 4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
Obviously, a machine that sends its machine name (host\machinename) will be authenticated successfully,
and machines that send a username (domain\username) will not be authenticated successfully.
Now,
I tested those unsuccessful machines on a wired dot1x switch using the same NPS policy; they were sending their machine names instead of usernames, and they were authenticated successfully.
I suspected that this may be because of the AP config.
Here it is:
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
vlan 64
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 64 mode ciphers aes-ccm
ssid corporate
mbssid
station-role root
interface Dot11Radio0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address X.Y.64.229 255.255.255.0
no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
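The two `debug radius authentication` captures in the machine-authentication thread above differ in the outer identity sent in User-Name. As an added example (not code from any poster or from Cisco), this Python script pulls the identity, client MAC and server replies out of such debug output and lists the stations that presented a user identity and were rejected; the function names are hypothetical, and the `host/` versus `DOMAIN\user` classification assumes Windows supplicant naming.

```python
import re
from collections import OrderedDict

# Lines trimmed from the two captures in the thread. Raw string: the failing
# client's identity contains a backslash.
SAMPLE = r'''
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
'''

SEND = re.compile(r'Send Access-Request to \S+ id (\d+/\d+)')
ATTR = re.compile(r'RADIUS:\s+(User-Name|Calling-Station-Id)\s+\[\d+\]\s+\d+\s+"([^"]*)"')
RECV = re.compile(r'Received from id (\d+/\d+) \S+, (Access-\w+)')
FAIL = re.compile(r'%DOT11-7-AUTH_FAILED: Station (\S+) Authentication failed')


def classify_identity(name):
    """Classify the outer EAP identity carried in User-Name.

    Assumption: Windows supplicants send host/<fqdn> for computer
    authentication and DOMAIN\\user or user@realm for user authentication.
    """
    if name is None:
        return "unknown"
    if name.lower().startswith("host/"):
        return "machine"
    if "\\" in name or "@" in name:
        return "user"
    return "unknown"


def parse_debug(text):
    """Return (requests, failed_stations) parsed from the debug output."""
    requests, pending, failed = [], {}, []
    current = None
    for line in text.splitlines():
        m = SEND.search(line)
        if m:
            current = {"user": None, "station": None, "reply": None}
            requests.append(current)
            pending[m.group(1)] = current  # RADIUS ids are reused: track open ones only
            continue
        m = ATTR.search(line)
        if m:
            if current is not None:
                if m.group(1) == "User-Name":
                    current["user"] = m.group(2)
                else:
                    current["station"] = m.group(2).lower()
            continue
        m = RECV.search(line)
        if m:
            req = pending.pop(m.group(1), None)
            if req is not None:
                req["reply"] = m.group(2)
            current = None  # attribute lines after this belong to the reply
            continue
        m = FAIL.search(line)
        if m:
            failed.append(m.group(1).lower())
    return requests, failed


def summarise(text):
    """Group the exchange by client MAC (Calling-Station-Id)."""
    requests, failed = parse_debug(text)
    stations = OrderedDict()
    for req in requests:
        if req["station"] is None:
            continue
        entry = stations.setdefault(req["station"], {
            "identity": None, "kind": "unknown",
            "replies": [], "ap_auth_failed": False})
        if req["user"] is not None:
            entry["identity"] = req["user"]
            entry["kind"] = classify_identity(req["user"])
        if req["reply"]:
            entry["replies"].append(req["reply"])
    for mac in failed:
        if mac in stations:
            stations[mac]["ap_auth_failed"] = True
    return stations


def user_identity_rejections(stations):
    """Stations that sent a user identity and whose last reply was a reject."""
    return [mac for mac, s in stations.items()
            if s["kind"] == "user" and s["replies"][-1:] == ["Access-Reject"]]


if __name__ == "__main__":
    for mac, s in summarise(SAMPLE).items():
        print(mac, s["kind"], s["identity"], "->", " / ".join(s["replies"]))
```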
Need a solution for the following error code on AIR-AP1231G-A-K9
Dec 1 10:05:46.243: %DOT11-7-AUTH_FAILED: Station 0018.de89.d720 Authentication failed
Hi,
Here is the explanation:
The specified station has failed authentication.
The most common reasons are that the user has entered the wrong password or that the RADIUS server may be unavailable.
Hope this helps -
Hello,
I got a report from a branch office that is having trouble authenticating users to the WLAN. This is a standalone AP with a configuration script that we use for all our branch offices, but in this case it is not working. It seems to be an issue with RADIUS, but if that were the case the whole company would be experiencing problems, since it is a central RADIUS server.
Here is a log from the AP.
By the way, I modified the RADIUS server timeout to 90 sec.
APIMMEXP01#
Sep 1 17:01:47.240: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:01:53.503: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:01:58.739: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:02:35.587: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:02:35.589: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:02:47.476: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:02:53.768: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:02:58.966: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:00.953: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:04:07.050: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:04:12.332: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:05:01.009: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:05:07.175: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:05:12.517: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:06:01.247: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:06:20.707: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:06:25.241: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:06:25.243: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:06:25.836: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:07:01.237: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:07:20.694: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:07:25.818: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:08:01.623: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:08:27.978: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:08:27.979: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:08:34.301: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:08:39.325: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:09:15.042: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:09:34.664: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:10:15.184: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:10:48.062: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
What error is the AAA server showing for these errors?
Sent from Cisco Technical Support iPad App
-
802.11x with 2008 R2 NPS
Here's what I'm using for attempt at 802.11x:
-2008 R2 NPS
-AIR-AP1142N-A-K9
-Lenovo T510 Laptop
Here is what I followed:
1. http://techblog.mirabito.net.au/?p=87&cpage=1#comment-26452
2. http://blog.laurence.id.au/2010/03/running-peap-with-cisco-aeronet-1231g.html
Here is my config on the AP, radius related:
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -4
dot11 syslog
dot11 ssid IPC02-AP
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
encryption mode ciphers aes-ccm tkip
interface BVI1
ip address 192.168.1.7 255.255.255.0
no ip route-cache
ip radius source-interface BVI1
radius-server local
nas 192.168.1.38 key 7 *
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key 7 *
Here is part of my debug:
RADIUS(000000C0): Received from id 1645/151
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Client 0026.c750.**** failed: by EAP authentication server
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
RADIUS(000000C0): Received from id 1645/151
RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Client 0026.c750.**** failed: by EAP authentication server
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
I get a "connection failed" on my laptop. I don't see any logs/events relating to a failure of credentials on my 2008 server.
Any ideas?
I have not gotten any other feedback and I have not been able to identify anything on TechNet about it. It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings. It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do not hit the 27 "line-item" limit.
-
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the aaa server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working ?
Here is my running configuration :
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts!
-
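The mismatch the reply above points out (the SSID calls `eap_list` while AAA only defines `eap_methods`) can be checked mechanically before a config goes onto an AP. This is an added example, not part of the thread and not a Cisco tool: a small Python lint run over a constructed sample modelled on the posted configuration; `parse` and `lint` are hypothetical names.

```python
import re

# Constructed sample, modelled on the configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
dot11 ssid test
 authentication open eap eap_list
 authentication key-management wpa version 2
 guest-mode
interface Dot11Radio0
 ssid test
"""

BLOCK_START = ("aaa ", "dot11 ", "interface ", "!")   # lines that end a sub-block
BUILTIN_GROUPS = {"radius", "tacacs+"}                # IOS built-in server groups
SSID_AUTH = re.compile(r"authentication (open eap|network-eap) (\S+)")

def parse(config):
    """Return (server groups, login method lists, per-SSID EAP list references)."""
    groups, lists, ssids, ctx = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()          # tolerate configs whose indentation was lost
        if line.startswith(BLOCK_START):
            ctx = None
        if m := re.match(r"aaa group server radius (\S+)$", line):
            groups[m[1]] = []
            ctx = ("group", m[1])
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            lists[m[1]] = re.findall(r"group (\S+)", m[2])
        elif m := re.match(r"dot11 ssid (\S+)$", line):
            ssids[m[1]] = []
            ctx = ("ssid", m[1])
        elif ctx and ctx[0] == "group" and line.startswith("server "):
            groups[ctx[1]].append(line.split()[1])
        elif ctx and ctx[0] == "ssid" and (m := SSID_AUTH.match(line)):
            ssids[ctx[1]].append((m[1], m[2]))
    return groups, lists, ssids

def lint(config):
    """List SSID authentication lines that cannot reach a RADIUS server."""
    groups, lists, ssids = parse(config)
    findings = []
    for ssid, refs in ssids.items():
        for kind, name in refs:
            if name not in lists:
                findings.append(f"ssid {ssid}: '{kind}' uses undefined method list '{name}'")
                continue
            for grp in lists[name]:
                if grp not in BUILTIN_GROUPS and not groups.get(grp):
                    findings.append(f"ssid {ssid}: '{kind}' list '{name}' -> group '{grp}' has no servers")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The second check (a method list whose RADIUS group contains no `server` line) covers configs where the group is declared but left empty.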
EAP-TLS with Radius Server configuration (1130AG)
Hi All,
I'm currently trying to get EAP-TLS user certificate based wireless authentication working. The mismatch of guides I'm trying to follow has me coming up trumps with success so far, so here's hoping you guys can right me wrongs and put me on the right path again.
My steps for radius:- (I think this part I've actually got OK)
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wireless profile on a Win 7 client:- this has me confused all over the place
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 Config:-
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
authentication open eap EAP_LOGIN
authentication network-eap EAP_LOGIN
guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(000000
WAP1#12): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
WAP1#h method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670: 0100002B 0101002B ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
WAP1#
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30 ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
[/code]
Can anyone point me in the right direction with this?
I also don't like it that you can attempt to join the network first before failing.
Can I have user cert based + PSK, and then apply it all by GPO?
Thanks for any help
OK, I've amended the wireless profile as suggested.
I already have the root CA and a user certificate installed with matching usernames.
I had already added the RADIUS device to the NPS server and matched the keys to the AP.
Now here's the debug I'm getting. When I check the NPS server, it still doesn't look like it's getting any requests at all :|
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
WAP1#lient 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
WAP1#_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30 WAP1,portid=0
Jan 29 11:53
WAP1#:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
WAP1#cator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690: 0100002B 0101002B ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30 ortid=0
Jan 29 11:53:14.623: dot1x-regi
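The debug excerpts on this page carry three different failure signatures behind the same `%DOT11-7-AUTH_FAILED` message: `Action(CLIENT_WAIT,TIMEOUT)` (the 30-second timer expired after the identity request, so nothing was sent to RADIUS), `Action(SERVER_WAIT,SERVER_FAIL)` (the RADIUS server returned a failure), and `%RADIUS-4-RADIUS_DEAD`. The following is an added example, not code from any poster or from Cisco: a Python triage pass that attributes each failure to the last state-machine action seen for that station. The sample log is constructed from line shapes on this page, with made-up MAC addresses and a documentation-range server address; `triage` and the cause labels are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (MACs and server address are made up).
SAMPLE_LOG = """\
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0011.2233.4455
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0011.2233.6677
DOT11-7-AUTH_FAILED: Station 0011.2233.6677 Authentication failed
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.10:1812,1646
is not responding.
Sep 1 17:05:01.009: %DOT11-7-AUTH_FAILED: Station 0011.2233.8899 Authentication
failed
"""

ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for (\S+)")
FAILED = re.compile(r"DOT11-7-AUTH_FAILED: Station (\S+)")
DEAD = re.compile(r"RADIUS-4-RADIUS_DEAD: RADIUS server (\S+?):")

CAUSES = {
    ("CLIENT_WAIT", "TIMEOUT"): "client_timeout",     # client never answered the AP
    ("SERVER_WAIT", "SERVER_FAIL"): "server_reject",  # RADIUS returned a failure
}

def triage(text, prompt="WAP1#"):
    """Return (per-station failure causes, per-server RADIUS_DEAD counts)."""
    # Console captures are interleaved with the CLI prompt, which can split
    # a line mid-token; dropping "<newline><prompt>" rejoins those lines.
    text = text.replace("\n" + prompt, "")
    last_action = {}
    failures = defaultdict(Counter)
    dead = Counter()
    for line in text.splitlines():
        if m := ACTION.search(line):
            last_action[m[3]] = (m[1], m[2])
        elif m := DEAD.search(line):
            dead[m[1]] += 1
        elif m := FAILED.search(line):
            # Syslog without the debug lines gives no state-machine context.
            action = last_action.pop(m[1], None)
            failures[m[1]][CAUSES.get(action, "no_debug_context")] += 1
    return failures, dead

if __name__ == "__main__":
    failures, dead = triage(SAMPLE_LOG)
    for station, causes in failures.items():
        print(station, dict(causes))
    print("servers marked dead:", dict(dead))
```

A `client_timeout` result points at the supplicant or wireless profile, since the exchange stopped before any RADIUS request; `server_reject` points at the RADIUS server's own logs.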