EAP SIM Authentication Failure
Hi all,
Is there a way to debug EAP SIM authentication on iPhone / iPad? I see Challenge: AT_MAC_NOT_VALID failures in syslog everytime I try to connect to an EAPSIM server (freeradius). Please refer to following pcap
http://www.cloudshark.org/captures/b9610f2b4a25
I am using following values for simtriplets on freeradius server:
1320727710000010,9fddc72092c6ad036b6e464789315b78,d113e49b,7fc85b9918d92ea8
1320727710000010,81e92b6c0ee0e12ebceba8d92a99dfa5,cca822be,231f55c24633a406
1320727710000010,b120f1c1a0102a2f507dd543de68281f,0ff5b99f,4421fce1f3427e22
The iPad is loaded with a test SIM which is programmed with following values of Ki and Op and above SRES and Kc were generated using following values:
key=0C0A34601D4F07677303652C0462535B
op=63bfa50ee6523365ff14c1f45f88737d
I have verified GSM milenage algorithm with test keys in 3GPP TS 55.205 v9.0.0 and the algorithm seems to work fine. All results match with the test inputs/results provided in 3GPP TS 55.205 v9.0.0. So I doubt there is some issue with SRES/Kc for above Ki/Op values.
Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error.
Similar Messages
-
EAP-SIM Authentication on Lenovo K900
Hello All,
I want to use EAP-SIM authentication on Lenovo k900 to connect to wifi. Does anyone know how to? because there is no option EAP-SIM on authentication option.
Or there are other option how to use EAP-SIM?
thanksTo Lenovo Android Developer,
Please add this EAP-SIM Wifi authentication feature on the next firmware update.
Because in Indonesia almost all GSM operators using EAP-SIM for their WiFi service.
Thank you. -
Error in wifi connection - Shows EAP -SIM AUTHENTI...
I have nokia E-63, shows in error of wlfi - as EAP - Sim Authentication Failed, please resolved the issue.
Do you need EAP? Use WPA/WEP passphrase.
‡Thank you for hitting the Blue/Green Star button‡
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009 -
EAP-TLS authentication failure
We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711: Callback.....................................0x87e1870
*Jan 07 19:31:42.712: protocolType.................................0x00140001
*Jan 07 19:31:42.712: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712: Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788: structureSize................................145
*Jan 07 19:31:42.788: resultCode...................................255
*Jan 07 19:31:42.788: protocolUsed.................................0x00000001
*Jan 07 19:31:42.788: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788: Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806: Callback.....................................0x87e1870
*Jan 07 19:31:42.806: protocolType.................................0x00140001
*Jan 07 19:31:42.807: proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807: Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00 ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No. Time Source Destination Protocol Info
1 0.000000 10.10.10.10 15.15.15.15 RADIUS Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 308
Identification: 0x501f (20511)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4aee [correct]
Source: 10.10.10.10 (10.10.10.10)
Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
Source port: filenet-rpc (32769)
Destination port: radius (1812)
Length: 288
Checksum: 0xe8e0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x7d (125)
Length: 280
Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
Attribute Value Pairs
AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
AVP: l=6 t=NAS-Port(5): 2
AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1300
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=89 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 87
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0x80): Length
Length: 77
Secure Socket Layer
AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No. Time Source Destination Protocol Info
2 0.060373 15.15.15.15 10.10.10.10 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x2935 (10549)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x58e0 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1 .u..V)..
No. Time Source Destination Protocol Info
3 0.060671 15.15.15.15 10.10.10.10 RADIUS Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1381
Identification: 0x2935 (10549)
Flags: 0x00
Fragment offset: 24
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x73a4 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
[IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
Source port: radius (1812)
Destination port: filenet-rpc (32769)
Length: 1385
Checksum: 0xe8f5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x7d (125)
Length: 1377
Authenticator: 6c8300aed07505c35629a7b14de483be
Attribute Value Pairs
AVP: l=6 t=Session-Timeout(27): 30
Session-Timeout: 30
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[5]
EAP fragment
AVP: l=33 t=EAP-Message(79) Last Segment[6]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1296
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0xC0): Length More
Length: 8184
Secure Socket Layer
[Malformed Packet: SSL]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
Destination MAC: 1C:DF:0F:55:20:xx
Source MAC: F8:66:F2:62:63:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x0135 (309)
ID: 0x2B26 (11046)
Flags
Don't fragment bit: 1 - Don't fragment
More fragments bit: 0 - Last fragment
Fragment offset: 0x0000 (0)
Time to live: 0x40 (64)
Protocol: 0x11 (17) - UDP
Checksum: 0x6FE6 (28646) - correct
Source IP: 161.86.66.49
Destination IP: 15.15.15.15
IP Options: None
UDP
Source port: 32769
Destination port: 1812
Length: 0x0121 (289)
Checksum: 0x5824 (22564) - correct
Radius
Code: 0x01 (1) - Access-Request
Identifier: 0x8D (141)
Packet Length: 0x0119 (281)
Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
Attributes
Attribute
Type: 0x01 (1) - User-Name
Length: 0x1A (26)
Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
Attribute
Type: 0x1F (31) - Calling-Station-Id
Length: 0x11 (17)
Calling id: 58-94-6b-15-5f-xx
Attribute
Type: 0x1E (30) - Called-Station-Id
Length: 0x19 (25)
Called id: f0-25-72-70-65-c0:WLAN-XX
Attribute
Type: 0x05 (5) - NAS-Port
Length: 0x04 (4)
Port: 0x00000002 (2)
Attribute
Type: 0x04 (4) - NAS-IP-Address
Length: 0x04 (4)
Address: 10.10.10.10
Attribute
Type: 0x20 (32) - NAS-Identifier
Length: 0x0B (11)
NAS identifier: XX-002_WLAN
Attribute
Type: 0x1A (26) - Vendor-Specific
Length: 0x0A (10)
Vendor id: 0x00003763 (14179)
Vendor specific:
Attribute
Type: 0x06 (6) - Service-Type
Length: 0x04 (4)
Service type: 0x00000002 (2) - Framed
Attribute
Type: 0x0C (12) - Framed-MTU
Length: 0x04 (4)
Framed MTU: 0x00000514 (1300)
Attribute
Type: 0x3D (61) - NAS-Port-Type
Length: 0x04 (4)
NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
Attribute
Type: 0x4F (79) - EAP-Message
Length: 0x57 (87)
EAP-Message
Attribute
Type: 0x18 (24) - State
Length: 0x17 (23)
State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
Attribute
Type: 0x50 (80) - Message-Authenticator
Length: 0x10 (16)
Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
Destination MAC: F8:66:F2:62:63:xx
Source MAC: 1C:DF:0F:55:20:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x002C (44)
ID: 0x4896 (18582)
Flags
Don't fragment bit: 0 - May fragment
More fragments bit: 1 - More fragments
Fragment offset: 0x0000 (0)
Time to live: 0x7A (122)
Protocol: 0x11 (17) - UDP
Checksum: 0x397F (14719) - correct
Source IP: 15.15.15.15
Destination IP: 10.10.10.10
IP Options: None
UDP
Source port: 1812
Destination port: 32769
Length: 0x0569 (1385)
Checksum: 0x2FE4 (12260) - incorrectHi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication
Hi All,
We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
We have the leap as well as eap-tls in the authentication part.
We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
5/3/2011
23:16:38
Authen failed
[email protected]
EAP-TLS users
0023.1413.de18
(Default)
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
21356
10.121.198.38
13
EAP-TLS
ap-1242b4
Bangalore APs
We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
Could anyone help me out in this?
Regards
KarthikHi,
Looks like the CA Cert is not installed on the ACS.
The following link will help you install the CA cert.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
Also trust the CA certificate in the Edit trust list list.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
How to connect to a "EAP-SIM" authentication wlan ...
Any advice would be great!
ThanksHi,
What you can do is to set up a reverse and the forward proxy. When the client hits the first proxy it should be configured as a reverse proxy which will redirect the request to the second proxy (this will be a reverse proxy) which will connect to the internet.
Hope this helps.
Regards,
Dakshin.
Developer Technical Support
Sun Microsystems
http://www.sun.com/developers/support. -
Does Cisco Aironet 1131G really support EAP-SIM ?
Hello!
I have tried to configure EAP-SIM authentication on Cisco Aironet 1131G for Wi-Fi Offload but unfortunately I couldnt make it work. As far as I understand the Wi-Fi standard it is fully supported in 802.11n within WPA2-Enterprise standard. I have read Cisco datasheet for 1131G where your are claiming that you support EAP-SIM in WPA2 also. I have tried to configure it according to configuration guide but it always requires to enter password key first when I try to connect to SSID with configured WPA2 and EAP-SIM. Can you please provide us with additional info how to properly configure AP or confirm that EAP-SIM needed for seamless 3G/Wi-Fi authentication is supported only within WPA2-Enterprise.
BR,
DenysYes EAP-SIM is supported by Cisco Aironet 1131G. For more detail about this product you can go to below link.
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6087/product_data_sheet0900aecd801b9058.htmlhttp:// -
Does any one tried EAP-SIM authentication with IPHONE5
I see that IPHONE5 is not responding for Challenge message with triples from Radius ServerWe seem to have the same issue where IOS is breaking off the EAP-SIM authentication at 6 seconds, while the AP is waiting on a RADIUS Access-Accept, which eventually comes in, but after IOS already stopped the wifi authentication process.
-
EAP-SIM Fast Re-Authentication
Hi,
I understand IPHONE supports EAP-SIM, but how about Fast Re-Authentication defined in RFC 4186? does IPHONE support it?To Lenovo Android Developer,
Please add this EAP-SIM Wifi authentication feature on the next firmware update.
Because in Indonesia almost all GSM operators using EAP-SIM for their WiFi service.
Thank you. -
Does EAP/SIM make sense for others than mobile operators?
Hi,
I'm wondering about the many different EAP authentication protocols. One of these is EAP/SIM (initiated by Nokia). I think the advantage of this authentication method might be the kind of key exchange. Users are familiar in using SIM-cards. Out of this consideration I have some questions:
* Is EAP/SIM as secure as EAP/TLS or EAP/Cisco?
* Does it make sense to use EAP/SIM as an WISP (given that the WISP is NOT a GSM/UMTS mobile operator)?
* What is the position of Cisco to EAP/SIM? Will Cisco support it?
Best regards,
ArminThis white paper should help: http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
-
WAP321 Authentication failure log codes
Devices that have previoulsy connected to the WAP are still able to connect but any new device to the environment is not. If I delete the network from an existing device that device is no longer able to authenticate and connect to the WAP. Log entries below show the following errors for a single MAC. This happened once before and to solve the issue I reentered the key into the SSID setup on the WAP. All devices had to delete the existing SSID from their list of networks but then they were able to rejoin. I don't want to ask users to do that again. Any help on the log entries below is greatly appreciated!
Jul 19 2013 01:42:34
info
hostapd[1078]
wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea deauthed from BSSID c4:64:13:0c:e3:00 reason 1
Jul 19 2013 01:42:34
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 16
Jul 19 2013 01:42:32
warn
hostapd[1078]
Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:32
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:31
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30
warn
hostapd[1078]
Received invalid EAPOL-Key MIC (msg 2/4)
Jul 19 2013 01:42:30
info
hostapd[1078]
Station 90:18:7c:b1:79:ea had an authentication failure, reason 22
Jul 19 2013 01:42:30
info
hostapd[1078]
wlan0: IEEE 802.11 STA 90:18:7c:b1:79:ea associated with BSSID c4:64:13:0c:e3:00
Jul 19 2013 01:42:30
info
hostapd[1078]
wlan0: IEEE 802.11 Assoc request from 90:18:7c:b1:79:ea BSSID c4:64:13:0c:e3:00 SSID KnightIns1Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
Reason Code 16: Authentication failed due to a user credentials mismatch.
Reason-Code 22: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I am not sure what is causing this. However I would ask that you do two things. While everything is working normally go to Administration/Support Information and download a diagnostic file. Label it with a date WAP321 and the word "good". Save it somewhere. When this happens again, before doing anything go back in and get another diagnostic file label it the same except with the word "bad".
Call in and open a support case and have the engineer notify me that you have opened one and also give them a reference to this community support thread.
I will work with your engineer to see what is happening.
Thanks
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
CCNA, CCNA-Wireless
866-606-1866
Mon - Fri 09:00 - 18:00 (UTC - 05:00)
*Please rate the Post so other will know when an answer has been found. -
I'm getting a PDP authentication failure message and cannot connect over 3G. Help?!
A few days ago I suddenly started getting an error message when trying to connect to the internet over 3G. "Could not activate cellular data network. PDP authentication failure"
I am in Germany, on Telekom. Have called Telekom customer service and went to the Telekom retail store. Neither could figure out the problem and advised I do a factory restore on the iphone via iTunes. I did that and am still getting the error message.
The only weird thing that happened before the error started showing up is I had called Telekom the night before to add a U.S. data roaming package to my phone plan for an upcoming stateside trip. They told me to text "W2S" to 7277 in order to add the U.S. data roaming plan. I did that, and the next morning this error started popping up. Don't know if that is related or coincidence.
I am traveling to the states in a few days and would really like to get this cleared up. The only option Telekom has left for me is to mail my phone in to Apple. :-(If I may ask, what country are you from?
To note, what you see is just not possible from a radio communication level, you're the first I've ever seen with this problem. (see photo and footnote below)
Since you said the Carrier option is available, can you go to it, turn off automatic and see what networks show? Normally it you will see At&t and T-mobile, however, if you see Sprint, you will need to go talk to Apple.
But if T-mobile does show, select it and see if your phone connects.
If not, remove the SIM card reboot the phone and try again.
I'm sorry about not being clear about the phone number, while connected to the Verizon network, is the phone number showing your T-mobile one or is it something different?
For reference,
Normally, what you will see in the status bar when on the Verizon network when not on 3G/LTE is the 1X symbol.
GPRS is a completely different communication type from 1X and Verizon doesn't support it. If you visit a Verizon store (or T-mobile) the staff will probably be surprised and confused about what your phone is showing. -
TS2422 PDP authentication failure
I just brought my new iPad running 5.1 to Sweden, purchased a local micro SIM card and installed it. I show 2 bars and Tele2 3G in the upper left corner but receive the error message "Could not activate cellular data network PDP authentication failure". I have re-started several times, reset network settings and authentication key.
Try resetting your phone:
Press the Sleep/Wake button & Home button at the same time, keep pressing until you see the Apple logo, then release. -
My partner and I both have an iPhone 5s on the Three network in the UK
Both phones are on iOS 8.03
We are currently in portugal and because Three do not currently allow minutes from the UK to be used in Portugal.
We both bought the europass data to use.
On landing both phones worked then 5 minutes after mine stopped and received Could Not Activate Data Network PDP Authentication Failure. My partners continued to work without any issues.
I've tried the numerous online fixes without success and also contacted my provider without a resolution.
We then tried my partners SIM card in my phone to check whether it was a sim or phone issue. Her sim failed in my phone and when she placed it back into her phone she then received the same PDP Authentication failure message.
It is therefore believed that it could be a software issue.
What are your thoughts Apple?
ThanksThis is almost ALWAYS a carrier problem. Settings aren't correct for your account, etc. However, there are a couple of things you can try, but if they don't work, you need to contact your carrier & have them check your account settings:
1. Remove the SIM card from your iPhone, then turn off your phone, wait are few seconds, turn your phone back on, then reinsert the sim card and wait a few seconds. See if this fixes the problem. If not:
2. Go to Settings -> General -> Reset -> Reset Network Settings on your phone to reset the network setting on the iPhone. -
ERROR: Could not activate cellular data network: PDP authentication failure
I have an iPhone 3g that was given to me by a friend a couple months ago. Before I got the phone i was on a plan with Softbank in japan with another cell phone. When i got the iphone i unlocked it so that i could use my old sim card with the iphone. everything worked out fine, i was unable to use the internet via 3g since it wasnt on my plan but i could text and make calls with no problem.
Everything was working fine until yesterday when i started getting this error message: "Could not activate cellular data network: PDP authentication failure"
once this happened i could no longer text or make calls. my iphone recognizes the sim card, shows one bar of signal, the network, and the 3g symbol. i have also rebooted, restored, reset network settings, and talked with Softbank; all had no help.
i have no idea how to fix it, any suggestions would be awesome.
thanks.All iPhones sold in Japan are sold carrier locked and cannot be officially unlocked by the carrier. If you unlocked it, it was by unauthorized means (hacked), and support cannot be given to you in this forum.
Hacked iPhones are subject to countermeasures by Apple, particularly when updating the firmware. It is likely permanently re-locked or permanently disabled.
Message was edited by: modular747
Maybe you are looking for
-
Seeking Director Developer in Seattle Washington.
Software Developer for a small, growing, industry-leading music education software publisher. See www.emediamusic.com for more information about us. Experience in Macromedia Director and Lingo required. Visual Basic, Perl, Access, C and Flash experie
-
Does Audition 3 integrate directly into Premiere Pro CS3?
On occasion I need to use a filter like De-Esser that is not in Soundbooth. Can I go directly from Premiere Pro CS3 to Audition 3 and back again like the previous versions?
-
Sharing resources between computers
Here is the situation... I used to have 2 computers connected to the same router (WRT55AG) which was used as an Internet Access point. All the ressources on each computer could be shared (Printers, folders, etc.) and everything worked fine. I just b
-
Old hard drive went belly up and was replace with a new hard drive. I can find my old photos in the hard drive but they won't display in iPhotos. It appears the photos were slit into two images with extension JPG and PNG. If I try to drag the photos
-
How can I automate the "relocate menu bar" functionality found in the display arrangment tag in system preferences. I want to be able to quickly move the menu bat to my Cintiq tablet display, either by clicking an icon or a keyboard shortcut.