Peap authentication issue
I have some problems with peap authentication. Here debug of my AP:
Mar 13 09:50:39 10.15.1.14 2370: *Mar 1 19:24:18.889: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Mar 13 09:50:39 10.15.1.14 2371: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:50:39 10.15.1.14 2372: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
Mar 13 09:51:03 10.15.1.14 2373: *Mar 1 19:24:43.549: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2374: *Mar 1 19:24:43.549: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2375: *Mar 1 19:24:43.549: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2376: *Mar 1 19:24:43.550: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
Mar 13 09:51:03 10.15.1.14 2377: *Mar 1 19:24:43.554: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2378: *Mar 1 19:24:43.554: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001a.73ff.a214
Mar 13 09:51:04 10.15.1.14 2379: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Sending client 001a.73ff.a214 data to server
Mar 13 09:51:04 10.15.1.14 2380: *Mar 1 19:24:43.554: AAA/AUTHEN/PPP (00000159): Pick method list 'eap_methods'
Mar 13 09:51:04 10.15.1.14 2381: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Mar 13 09:51:25 10.15.1.14 2382: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
Mar 13 09:51:25 10.15.1.14 2383: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Mar 13 09:51:25 10.15.1.14 2384: *Mar 1 19:25:05.372: Client 001a.73ff.a214 failed: EAP reason 1
Mar 13 09:51:25 10.15.1.14 2385: *Mar 1 19:25:05.372: dot11_auth_dot1x_parse_aaa_resp: Failed client 001a.73ff.a214 with aaa_req_status_detail 1
Mar 13 09:51:25 10.15.1.14 2386: *Mar 1 19:25:05.372: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 001a.73ff.a214
Mar 13 09:51:25 10.15.1.14 2387: *Mar 1 19:25:05.372: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 001a.73ff.a214
Mar 13 09:51:25 10.15.1.14 2388: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Mar 13 09:51:26 10.15.1.14 2389: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_client_fail: Authentication failed for 001a.73ff.a214
Mar 13 09:51:26 10.15.1.14 2390: *Mar 1 19:25:05.373: %DOT11-7-AUTH_FAILED: Station 001a.73ff.a214 Authentication failed
Mar 13 09:51:27 10.15.1.14 2391: *Mar 1 19:25:06.611: AAA/BIND(0000015A): Bind i/f
In IAS log I can find requests and and access is permitted.
What is the problem?
Thank you for your help!
Answering partially your second question, 'Authenticate as Computer when Computer Information Available' is required to enable machine authentication and the same has to be enabled on the ACS server also.
Similar Messages
-
802.1X EAP-PEAP Authentication issue
Hi Experts,
I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
The networks in question are set up identically, here is an overview:
Layer 2 security is WPA & WPA2
WPA - TKIP
WPA2 - AES
Auth Key Management is 802.1X
Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
This is the only change I can think of that could possibly be relevant.
Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
Debugs as follows:
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
*Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
*Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
*Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
*Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
*Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered the it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
*Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
*Oct 11 16:13:01.113: New PMKID: (16)
*Oct 11 16:13:01.113: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
*Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.116: Including PMKID in M1 (16)
*Oct 11 16:13:01.116: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
*Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
*Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo F
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2 VLAN: 110
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo Frames = N
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
*Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 0, flags: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 172.23.26.53
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP server id: 1.1.1.1 rcvd server id: 172.19.0.50
*Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
*Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
At this point, the client is connected and everything is working.Hi,
It looks like some issue on the client side...
Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
Looking at the logs:
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered the it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
===================
This logs show exactly what you describe...
The AAA sends an EAP request asking for the credentials.
The login pops up and the EAP timeout starts decrementing.
If the user does not enter credentials, it will expire and another EAP Request is sent.
If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
HTH,
Tiago -
Hi,
I configured a Cisco AP 1200 IOS with PEAP.
Hereby the AP Config:
aaa new-model
aaa group server radius rad_eap
server 192.168.4.58 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 arp-cache optional
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 184 key 1 size 128bit 7 xxxx transmit-key
encryption vlan 184 mode wep mandatory mic key-hash
encryption key 1 size 128bit 7 xxxxx transmit-key
encryption mode wep mandatory
broadcast-key vlan 184 change 3600
ssid test
vlan 184
authentication open eap eap_methods
authentication network-eap eap_methods
world-mode
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
dot1x reauth-period 1800
dot1x client-timeout 1800
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.184
encapsulation dot1Q 184
no ip route-cache
bridge-group 184
bridge-group 184 subscriber-loop-control
bridge-group 184 block-unknown-source
no bridge-group 184 source-learning
no bridge-group 184 unicast-flooding
bridge-group 184 spanning-disabled
interface FastEthernet0
no ip address
ip accounting output-packets
no ip route-cache
speed 100
full-duplex
interface FastEthernet0.3
encapsulation dot1Q 3 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.184
encapsulation dot1Q 184
no ip route-cache
bridge-group 184
no bridge-group 184 source-learning
bridge-group 184 spanning-disabled
interface BVI1
ip address 192.168.4.98 255.255.254.0
ip accounting output-packets
no ip route-cache
ip default-gateway 192.168.4.3
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server local
radius-server host 192.168.4.58 auth-port 1645 acct-port xxxx key xxx
radius-server timeout 120
radius-server deadtime 1200
radius-server domain-stripping
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
bridge 184 protocol ieee
W're using a Cisco Wireless client adaptor with the latest ACU version fully installed and configured my client for PEAP. I also configured the Windows XP network settings appropriately.
The RADIUS we are using is a Cisco ACS 3.2.1. We used a Microsoft certificate for the server that we issued ourselves.
Without configuring security, the client can associate with the AP, but when we enable PEAP and I open the ACU status screan, the client associates with the AP, but canot authenticate successfully. Status hangs on 'autenticating'. I don't see any traffic to the RADIUS server.
Who can help us?
Thanks in advance!I just opened a TAC case on this one whereby I have already installed the latest client, made sure PEAP is installed, had the latest WAP image, network security setup on the ACU as per the documentation to select the "host base EAP(802.1x) and select dynamic wep, then turned on debug options on the WAP to see the communication between the client and the WAP:
debug radius authentication
debug dot11 aaa dot1x process
debug dot11 aaa dot1x state-machine
Guess what... there is no communication between the client and the wap for authentication. You can see association and even get an ip address from dhcp but...
The advise as per the TAC engineer is to put in a Static WEP key for now and you should get the communication going. They have already noticed this on some calls and have not seen a bug case # assigned to it. They will be working a fix on the next release. Once you do that you should see the Raduis and 802.1x communication going on.
After doing this I can then concentrate on why I am not getting PEAP authenticated on our Funk Radius EE Server v4.7.
The other thing...remove the "authentication network-eap eap_methods" when you are doing PEAP. You enable that for LEAP so you have to create a different vlan for that.
I use 1812/1813 for the radius server.
:-) Ed -
Wireless Client Authentication issues when roaming Access Points (Local)
I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
There are a handful of clients that when roaming between AP's with the same SSID that get an authentication issue and have to restart the wireless to get back on.
From Cisco ISE
Event
5400 Authentication failed
Failure Reason
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause
While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (windows 7) then why does work at other times? So I have checked and the ISE certificate is trusted by client.
Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
I also had this from Splunk for the same client:
Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
Any help on this would be appreciated. These error messages give me an idea but doesn't give me the exact answer to why the problem occurred and what needs to be done to fix it.
ThanksFurther detail From ISE for the failure:
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
11507
Extracted EAP-Response/Identity
12500
Prepared EAP-Request proposing EAP-TLS with challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318
Successfully negotiated PEAP version 0
12800
Extracted first TLS record; TLS handshake started
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12807
Prepared TLS Certificate message
12810
Prepared TLS ServerDone message
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11514
Unexpectedly received empty TLS message; treating as a rejection by the client
12512
Treat the unexpected TLS acknowledge message as a rejection from the client
11504
Prepared EAP-Failure
11003
Returned RADIUS Access-Reject -
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
Let's brain storm together to figure out this guys.
Thanks in advance,
----Paul -
EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve
We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
Thanks..Here are some configs you can try:
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config -
EAP-TLS or PEAP authentication failed during SSL handshake error
I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
Thanks for the helpMy experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message. -
Authentication issue getting "UMELoginException"
Dear Guys,
I am facing an authentication issue. The situation is like this,
My NT password was about to expire (had 6 more days for expiry). I was able to login till yesterday and all of the sudden today, when I was trying to login, I was not able to (it gave me password change message). So I went back and changed my NT password and tried to login again into the portal, however I am still not able to. I am pasting the stack trace,
#1.5#001143FDCEA7006700000008000018C40004196E4AD849E8#1153861399615#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=20282]#Guest#192####fff21cf01c2011dba425001143fdcea7#SAPEngine_Application_Thread[impl:3]_0##0#0#Error##Java###doLogon failed
[EXCEPTION]
#1#com.sap.security.core.logon.imp.UMELoginException
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:318)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
at java.security.AccessController.doPrivileged(Native Method)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:312)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:368)
at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Please help.
Regards,
DeepakHi Deepak,
it is most times that it needs to replicate through your system(s).
Regards,
Kai
PS: Please reward points if that was helpful. -
Authentication Issue, When Profile ReCreate
Hi,
i face authentication issue in SQL Server 2012 Evalution after i login in new account.
Take a look situation and what i did.
1) I install SQL Server 2012 in Member Server (Server 2012 Standard).
2). Every Thing i Did i by using AD User name "SP_Farm"
3). I install SQL in Windows Authentication Mode only and i provide User ****\SP_Farm, when Ever Installation Ask.
Note: during the whole process i only use SP_Farm (AD Admin User)
Every thing going working fine till my mistake. By mistake i delete account SP_Farm from AD and i re create it.
after that i cant access Management Studio. :(
Please Guide if is there any other way.
Thanks you
Shariq Ayaz
[email protected]
www.shariqdon.com
www.shariqdon.com/itworld
www.shariqdon.comHi,
i face authentication issue in SQL Server 2012 Evalution after i login in new account.
Take a look situation and what i did.
1) I install SQL Server 2012 in Member Server (Server 2012 Standard).
2). Every Thing i Did i by using AD User name "SP_Farm"
3). I install SQL in Windows Authentication Mode only and i provide User ****\SP_Farm, when Ever Installation Ask.
Note: during the whole process i only use SP_Farm (AD Admin User)
Every thing going working fine till my mistake. By mistake i delete account SP_Farm from AD and i re create it.
Creating a user with the same name is
not the same user :-)
A user has a unique ID and you did not create the same ID, but a new user with same name.
after that i cant access Management Studio. :(
Please Guide if is there any other way.
Thanks you
Shariq Ayaz
[email protected]
www.shariqdon.com
www.shariqdon.com/itworld
www.shariqdon.com
You can try to use This solution:
http://blogs.msdn.com/b/raulga/archive/2007/07/12/disaster-recovery-what-to-do-when-the-sa-account-password-is-lost-in-sql-server-2005.aspx
* After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication.
[Personal Site] [Blog] [Facebook] -
Essbase 6.5 External Authentication Issue!! Urgent Please!!
Hi all,
I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
"User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
Its kinda Urgent. so any replies for the same will be appreciated.
Thanks and Regards,
VikramVikram,
Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
Here is the Sample CSS
<spi>
<provider>
<msad name="full360">
<trusted>false</trusted>
<url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
<userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
<password>full@360</password>
<authType>simple</authType>
<identityAttribute>dn</identityAttribute>
<maxSize>1000</maxSize>
<user>
<loginAttribute>sAMAccountName</loginAttribute>
<nameAttribute>dn</nameAttribute>
</user>
<group>
<nameAttribute>cn</nameAttribute>
<objectclass>
<entry>group?member</entry>
</objectclass>
</group>
</msad>
Download this toll "http://www.ldapbrowser.com/download.htm"
LDAP browser to get the perfact DN information.
Let me know the status
Ravikant -
ACS 5.2 Authentication Issue with Local & Global ADs
Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
For the user from the old group, authentication is ok.
For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
Can anyone advice to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
How can we check or make sure it?
Thanks ahead,
YeHello,
There is an enhacement request open already:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
ACS should be able to query only desired DCs
Symptom:
Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
It should be possible to define which DCs to contact and/or make ACS to interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions:
Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
Workaround:
Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
Hope this clarifies it.
Regards. -
EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"
Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
Does anyone have any ideas how to troubleshoot this problem with the appliance?If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
Hi All ,
I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of EAP_TLS under golbal authentication setup .
I have downloaded client supplicant certficate file for my windows XP machine .
When i tried to authenticated i am finding following error message under failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..Hello,
I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
- Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
- Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
- Delete the wireless network from the computer
- REBOOT!!
- Open the Microsoft Management Console, “mmc”.
- Go FILE\Add Remove SnapIn. Select Certificates ..
- If promoted, do it for “My User Account”.
- Make sure the certificates are where you put them.
- If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
- Redo wireless network setup again
I hope this helps you.
Mike -
Strip domain name in PEAP Authentication
Is there ny chance to strip domain name (domain\username) in PEAP Authentication?
We need to configured the proxy distribution to strip the domain name from the username
before checking the database. Lets say Our domain name is SERVNET. We need to have
configured Character String "SERVNET\ " , Position "Prefix" , Strip "Yes " Forward to
local server. When the users authenticate via 802.1x (PEAP), the domain name is stripped
from the username.
Also please checkout this bug CSCeg01533 before you try it.
Regards,
~JG
Do rate helpful posts -
We've had authentication issues with Infinity since the install just over a week ago (BT Business package)
The router will drop the connection and then we have a problem reconnecting (won't). Out of sheer frustration I've discovered a workaround that sometimes works that is to change the user name to the BT test account, connect, and then change the router user name setting back to our own. The BT test account always works, so despite a BT engineer being sent to trace the problem onsite yesterday the issue remains. We've also been sent a new router, and the BT engineer arrived with yet another new one yesterday
The problem seems to be purely authentication. The Technical Helpdesk have changed our password (twice) but we still get the problem. Yesterday I was told that some other users in our area have also had an authentication issue and that over the weekend 'patches' were going to be applied at our local exchange.
When the service works we get quite good speeds (37 down, 8 up) but we're frustrated with the lack of knowledge from the help-desk and have doubts that the 'patches' will resolve the issue
Such is the problem that BT will downgrade us back to ADSL2 (which was rock solid in comparison) next week if we're still unhappy
I did ask if our user name could be changed but told no. I'm curious to know as to what the switch to fibre could cause authentication problems?hi this is a BT Residential forum as a Business user you may get more help from the BT business forum
http://business.forums.bt.com/t5/Broadband-and-internet/bd-p/Broadband
If you want to say thanks for a helpful answer,please click on the Ratings star on the left-hand side If the reply answers your question then please mark as ’Mark as Accepted Solution’
Maybe you are looking for
-
Initial entry of stock balance
hi everbody what will be the account posting in case 1) of initial entry of stock balance 2) of gr witout reference to po (mvt type 501) in both case raw material account is hitting with transaction key bsx posting key 89 then what will be secind acc
-
Are some apps just not compatible with iTunes 10.5/iOS 5.0?
Seems some apps on my iPod, conflict with iTunes 10.5. I started having the Store issue, which ALWAYS showed and worked, never had trouble accessing, never got a blank page... that started happening. (I think live search when typing is a bad idea) I
-
I am trying to edit my pictures but everytime i try to clone the picture glitches or flickers. and when i crop the image turns black until i click it. every other tool works fine but these. i tried customer service but they suck and told me it's beca
-
11g Documentation can be found here: http://download.oracle.com/docs/cd/E14571_01/ecm.htm 11g UCM OTN downloads can be found here: http://www.oracle.com/technology/products/content-management/downloads.html or you can download via the Oracle eDeliver
-
Print Gantt chart without wasting paper
I have few tasks but a long date range to plot- a short and wide gantt chart. Is there a way to wrap the gantt chart onto one page or set printing options so that it only plots say the top 4 inches of each page?