FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

Similar Messages

• Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

  In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
  Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least
  network and chipset) on affected machines have also been updated.
  802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated
  against Active Directory by RADIUS.
  Analyzing the logs of our RADIUS-Server you can see that the client trys to authenticate
  via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
  We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing
  * enabled
  Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like that the
  component is simply not up at that point in time, because there are absolutely no entries making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to
  authenticate again – successfully and with entries in the given log.
  There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017
  - install is not needed because no updates are applicable).
  Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
  Any other advice is highly appreciated as well!
  Thanks a lot

  Hi Deason,
  sorry for my very very late reply on this.
  Even if I could not solve the problem yet, I can tell about some progress.
  As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I
  have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
  $doAllTheTime = $true
  $i = 0
  $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
  $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
  while ($doAllTheTime -eq $true)
  $i++
  $NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
  $NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
  $ping = $null
  $ping = test-connection $DomainName -count 1
  if ($ping -eq $null)
  "Error with connection"; return
  So I kept it running and after a dozens of loops the issue reoccurred. I could see that it is the dot3svc-Service that does not response anymore by the RASCHAP-log given above. Restarting the service manually triggered a re-authentication that was then successful.
  So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task
  have then been deployed to our clients.
  Even if this is no solution it definitely helps with a high rate of incidents -
  but not entirely... so I am still looking for further steps to
  solve this. Any ideas are highly appreciated.
  Thank you very much for your support!!! Uhle

• 802.1x authentication fails

  Setup: two 5500 (v6.0.188.0, mix of 1131 and 1141 AP`s
  Laptops running fine for random number of weeks suddenly can´t connect to the wireless network. The output from Client troubleshoot shows:
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Controller association request message received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received reassociation request from client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  The wlan to which client is connecting requires 802 1x authentication.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Client moved to associated state successfully.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received EAP Response from the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received EAPOL start message from client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received EAP Response from the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  EAP response from client to AP received.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Received Access-Challenge from the RADIUS server for the client.
  05/07/2010 07:03:14 CEST
  INFO
  10.1.1.101
  Sending EAP request to client from radius server.
  05/07/2010 07:03:44 CEST
  ERROR
  10.1.1.101
  Retransmitting EAP-ID request to client,retransmission timer expired.
  05/07/2010 07:04:14 CEST
  ERROR
  10.1.1.101
  Retransmitting EAP-ID request to client,retransmission timer expired.
  05/07/2010 07:04:44 CEST
  ERROR
  10.1.1.101
  Authentication failed for client as EAP ID request from AP reached maxmium retransmissions.
  05/07/2010 07:04:44 CEST
  ERROR
  10.1.1.101
  De-authentication sent to client. slot 0 (claller 1x_ptsm.c:467)
  05/07/2010 07:04:44 CEST
  ERROR
  10.1.1.101
  05/07/2010 07:04:44 CEST
  ERROR
  10.1.1.101
  EAPOL-key is invalid, scheduling client for deletion.

  We are using PEAP-MS-CHAP v2 . The IAS certificate is valid to 2014. We have about 300 laptops, but now and then some of them fails to authenticate. Yesterday I noticed that if I had one of the failing computers connected with wire, after some minutes it suddenly authenticated wireless!

• Getting a lot of this error:The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name:

  Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
  Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2

  Check you ACS (Radius) logs under failures. You will see why its failing. Sounds like a AD account went bad
  or someone is entering the wrong logon ... But check your radius log it will point you in the right direction.

• 802.1X Authentication failed without 802.1X authentication enabled

  Hi,
  we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
  It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
  When they lost the connection we can see the following error:
  Message:
  Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
  Message:
  Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
  I also attach an output of the troubleshoot mac address...
  Can some help me with this?
  Thank you.
  Best regards,

  Hi Kirbus,
  we open a TAC and we were advised for now to do the following changes:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  1.       please make sure to disable Aironet extensions (if present)  , on the WLAN advanced configuration
  2.       disable management frame protection (MFP) signature generation (if present) , MFP also on the WLAN advanced configuration
  3.       on the WLC general configuration , can you please disable aggressive load balancing
  4.       on the security tab on the WLC , please wireless protection policies > disable client exclusion policies
  5.       on the AP network configuration please disable short preamble the original standard was long preambles
  6.       Wireless -> disable auto-RRM channel & power assignment & try "on demand"
  7.       apply these modification on the WLC CLI
  Config advanced eap identity-request-timeout 20
  Config advanced eap identity-request-retries 10
  Config advanced eap request-timeout 20
  Config advanced eap request-retries 10
  Save config, and see if you still face the problem.
  We are still monitoring the solution, but until now we didn't face the problem again.
  Let me now how it goes for you.
  Thank you.
  Best regards,

• CCKM with 802.1x authentication

  Hi,
  Can we use CCKM authentication with 802.1x layer 2 authentication method. I read it one cisco article that we can't use CCKM with 802.1x authentication.  Please find the url below, its says that is you choose layer 2 authentication method is 802.1x, then we can't use cckm. Kindly suggest
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
  Regards,
  Jubair.S

  Yes, You can. 
  Refer this document which clearly state it
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
  802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
  HTH
  Rasika
  **** Pls rate all useful responses ***

• WPA with 802.1x authentication

  Hi experts,
  I need clarification in a fundamental concept.
  Is it possible to configure WPA with 802.1x authentication without external AAA / ACS server.
  If the username and password is configured in local device, is it possible to create 802.1x authentication without RADIUS server
  Thanks in advance
  regards,RB

  You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
  aaa group server radius rad_eap
  server 192.168.0.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  dot11 ssid ccie
  authentication open eap eap_methods
  authentication network-eap eap_methods
  guest-mode
  radius-server local
  nas 192.168.0.1 key cisco
  user test password test
  radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
  LAP Controller local EAP is configurable through GUI

• Clients cannot connect: "Reason:802.1x Authentication failed 3 times. Reas"

  As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
  Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
  And my (MS IAS) RADIUS server has an entry:
  Authentication-Type = EAP
  EAP-Type = <undetermined>
  Reason-Code = 66
  Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
  The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?

  There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
  http://support.microsoft.com/kb/883619

• 802.1x authentication fail

  i have a juniper device linux operating system on that we have radius server configured and i am trying to integrate my WLC with that radius
  i have added WLC as a host there in radius
  on wlc i have configured authentication like radius ip shared secret key and done
  its working i can ping radius server
  also in wlc i configured on Wlan aaa allow override check box and also hited the WPA2 802.1x layer2 security and radius server option brought on top.
  i also configured my windows wireless adaptor as PEAP MSCHAP v2
  i am trying to connect this ssid and its asking for my AD accounts but when i enter that its not authenticating users and giving this logs.
  (WiSM-slot24-1) >debug aaa events enable
  (WiSM-slot24-1) >
  (WiSM-slot24-1) >
  (WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
  *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
  *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
  *aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
  *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
  *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
  *radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
  *aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
  *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
  *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
  *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
  *dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
  *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
  any idea to solve this problem?
  or any one knows that how to configur a radius server on juniper linux operating system?
  many thanks in advance

  You should post on the Juniper forums regarding your policy configuration.  You should stick with using a radius than just doing ldap through the wlc.  Here is a link for webauth using ldap, but should get you close.  Again... you should look at getting your juniper radius configuration fixed first.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml

• 802.1x - Authentication failed

  Hello!
  There is a network layout: custom laptop, switch Cisco (model - Cisco WS-C3750-48PS-S, firmware version - 122-58.SE2) and Freeradius server.
  The user is authenticated by MAC-address (switch sends MAC-address of the server as username and password).
  On my computer, there is "Authentication failed".
  Port mirroring was made and  the traffic was checked by Wireshark.
  It can be seen that the server responds Accept-message (screenshot attached), which transmits the number of vlan.
  With the command "sh vlan" can be seen that the switch port assigned the desired vlan to port.
  Port is mirrored towards the user. There are three Start messages from the user (screenshot attached), but the message Request-Identity from the switch are absent (no screenshot).
  Therefore, the user does not receive a message from a switch that authentication passed, and does not work with the network (not sending a DHCP-query).
  If you disable 802.1x on a PC, the PC works with a network.
  The network was tested on 2 different switches with different firmware (). PCs are with Windows 7 and Windows 8.
  Fa 1/0/18 - to PC.
  Fa 1/0/47 - to Freeradius-server
  What could be the problem?
  Thanks in advance.
  p.s. I attach config-file.

  No problem! Yes, you are correct, a switchport can be configured to support both mab and dot1x authentications. I am still trying to understanding the following:
  1. When does authentication fail and when does it work. Please provide more details
  2. Can you post screenshots of the supplicant(Windows) configurations
  3. Please post the output of this command during both the failed and successful authentications:
  how authentication session interface_name_number detail
  4. I would also add the following commands to your access port:
  dot1x pae authenticator
  authentication event fail action next-method
  authentication violation restrict
  Thank you for rating helpful posts! 

• 802.1X Authentication fails when connecting to WPA Enterprise using Leopard

  I'm trying to connect to an office WiFi network with my MacBook Pro which has 10.5.1 installed.
  There are instructions on how to connect using Tiger which are very simple:
  1. Enter network name
  2. Wireless Security: WPA Enterprise
  3. Enter domain credentials for username and password fields
  4. 802.1X Configuration: Automatic
  There are at least two people here using Tiger that can connect using these instructions.
  I've tried the same thing with Leopard and keep getting an error dialog stating "802.1X Authentication has failed."
  I've also tried fiddling with the 802.1X tab under "Advanced" (I know the protocol is PEAP), but no matter what I get the same error.

  Turns out I was not authorized to use the WiFi. IT got me setup and everything works now.

• Send vlan via Radius with 802.1x Authentication

  Hi all.
  I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
  I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
  Reading docs, I have found these attributes:
  cisco-avpair="tunnel-type(#64)=VLAN(13)"
  cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
  cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
  but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
  Here are some outputs:
  Sending Access-Challenge of id 80 to 128.0.0.21:1812
  Cisco-AVPair = "tunnel-type=VLAN"
  EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0xf88b9673c199cb13def96563250cf8a7
  I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
  02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
  02:49:39: Attribute 26 75 0000000901457475
  02:49:39: Attribute 79 6 03010004
  02:49:39: Attribute 80 18 1ABB3507
  02:49:39: Attribute 1 10 74657374
  02:49:39: RADIUS: EAP-login: length of eap packet = 4
  02:49:39: RADIUS: EAP-login: radius didn't send any vlan
  so I can see that radius is not sending anything about vlan...
  Has anyone alredy tried this set up?
  Thank you in advance.
  Massimo Magnani.

  OK, so I may have glossed over that before. From your debug post, you had:
  Cisco-AVPair = "tunnel-type=VLAN"
  Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
  You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
  [64] Tunnel-Type – “VLAN” (13)
  [65] Tunnel-Medium-Type – “802” (6)
  [81] Tunnel-Private-Group-ID - "" OR ""
  They are defined in RFC 2868.
  Hope this helps,

• Trouble with 802.1x authentication

  Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
  I get the following error:
  "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
  (Error: 1 on port en0)"
  My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
  What could be the problem?
  cheers!

  hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
  Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
  A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

• 802.1x authentication fail when trying to implement 802.11N

  Hello, I'm trying to deploy 802.11N along with 802.1X and IAS.
  Controller comunciates with Radius server (IAS) and this lives in a ESX host along with the Domain controller. Somehow users are not able to authenticate.
  WLC: AIR-CT550 - IP 10.152.36.5
  IAS: 10.204.34.35
  Domain controller: 10.204.35.149
  Testing client MAC:  24:77:03:dc:c6:10
  Check these logs:
  *Jan 29 19:11:45.816: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:45.842: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:45.844: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:50.691: 24:77:03:dc:c6:10 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
  *Jan 29 19:11:50.692: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:27:24:4e:62:10]
  *Jan 29 19:11:50.692: 24:77:03:dc:c6:10 Deleting mobile on AP 0c:27:24:4e:62:10(0)
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Adding mobile on LWAPP AP 50:17:ff:df:08:70(1)
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
  *Jan 29 19:11:51.727: 24:77:03:dc:c6:10 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:df:08:70 from Idle to Probe
  *Jan 29 19:11:51.729: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.742: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.743: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.773: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.774: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.943: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Association received from mobile on AP 50:17:ff:de:45:90
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying site-specific IPv6 override for station 24:77:03:dc:c6:10 - vapId 3, site 'default-group', interface 'enterprise wireless 3rd floor'
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying IPv6 Interface Policy for station 24:77:03:dc:c6:10 - vlan 603, interface id 11, interface 'enterprise wireless 3rd floor'
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Processing RSN IE type 48, length 22 for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Received RSN IE with 0 PMKIDs from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [50:17:ff:df:08:70]
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Updated location for station old AP 50:17:ff:df:08:70-1, new AP 50:17:ff:de:45:90-1
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Initializing policy
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:17:ff:de:45:90 vapId 3 apVapId 3
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Probe to Associated
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Stopping deletion of Mobile Station: (callerId: 48)
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Sending Assoc Response to station on BSSID 50:17:ff:de:45:90 (status 0) Vap Id 3 Slot 1
  *Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Associated to Associated
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Station 24:77:03:dc:c6:10 setting dot1x reauth timeout = 0
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Stopping reauth timeout for 24:77:03:dc:c6:10
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
  *Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 1)
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Received EAPOL START from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
  *Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 2)
  *Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Username entry (NA\a-Gregg.Davis) created for mobile
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received Identity Response (count=2) from mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 EAP State update from Connecting to Authenticating for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Authenticating state
  *Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Entering Backend Auth Response state for mobile 24:77:03:dc:c6:10
  *Jan 29 19:11:52.031: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:56.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:56.048: ****Enter processIncomingMessages: response code=11
  *Jan 29 19:11:56.048: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  Any idea of what could be the problem?
  Thanks.

  Hi Francisco,
  *Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  *Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
  *Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
  These message indicate there is some issue with RADIUS communication. Looks like WLC send RADIUS packets to IAS, but it does not get any response. Instead it getting RADIUS response from DC.
  Pls check this communication
  HTH
  Rasika
  **** Pls rate all useful resposnes *****

• Cisco 2960 802.1x authentication fail

  Physical switch version:
  C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
  The goal of this lab is only authenticated by the MAC address of the laptop.
  Currently,I have a trouble as following and don't know what is this root cause .
  Please give me a guide point. 
  Thanks so much
  *Mar  2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
  *Mar  2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
  *Mar  2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

  I have a few questions:
  1. What type of Radius server do you have?
  2. Can you post a screen shot of your Radius AAA policies
  3. Do you have the mac address entered in your Radius server
  4. Provide the output from the following commands:
  - show aaa servers
  - show authentication session interface interface_name_number
  Thank you for rating helpful posts!