RADIUS rlm_mschap: authentication failed -14090
We have a Mac mini server running Snow Leopard, and we have configured the RADIUS server to provide WPA2 Enterprise authentication for our Airport Base Stations. I thought I'd share the solution to a problem we were experiencing from time to time where a user could not fully-authenticate to the network. Our logs radiusd would show:
Auth: rlm_opendirectory: User <username> is authorized
Auth: rlm_mschap: authentication failed -14090
Auth: rlm_opendirectory: Could not get the user's uuid
This happened most recently when a user got a new laptop and had migrated everything from a Time Machine back-up. I tried restarting the server, RADIUS, resetting the user's password, etc. Nothing seemed to make a difference, and these logs might as well say nothing at all -- completely unhelpful.
I then had the user log in to his Mac under a different account and try to connect and it was successful. Back to the original account, and we found a whole bunch duplicated profiles under the 802.1X tab in the Network panel of System Preferences. After deleting all of those and trying it again, it finally worked.
Not sure why the server side couldn't be a little more helpful in diagnosing the problem, but there you go...
I have similar issues, and tried what you suggested, but no dice. Cross-posted here: http://discussions.apple.com/thread.jspa?messageID=11894473
Summary, one OD account is able to authenticate via AEBS, other accounts are not, and I cannot see any difference.
Similar Messages
-
802.1x authentication fail
i have a juniper device linux operating system on that we have radius server configured and i am trying to integrate my WLC with that radius
i have added WLC as a host there in radius
on wlc i have configured authentication like radius ip shared secret key and done
its working i can ping radius server
also in wlc i configured on Wlan aaa allow override check box and also hited the WPA2 802.1x layer2 security and radius server option brought on top.
i also configured my windows wireless adaptor as PEAP MSCHAP v2
i am trying to connect this ssid and its asking for my AD accounts but when i enter that its not authenticating users and giving this logs.
(WiSM-slot24-1) >debug aaa events enable
(WiSM-slot24-1) >
(WiSM-slot24-1) >
(WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
*dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
*dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
*aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
*radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
*radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
*radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
*aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
*radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
*radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
*apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
*dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
*Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
*Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
any idea to solve this problem?
or any one knows that how to configur a radius server on juniper linux operating system?
many thanks in advanceYou should post on the Juniper forums regarding your policy configuration. You should stick with using a radius than just doing ldap through the wlc. Here is a link for webauth using ldap, but should get you close. Again... you should look at getting your juniper radius configuration fixed first.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml -
802.1x port authentication failing after getting a access-accept packet
Hi all,
Im not 100% sure what the hell is going on here.
Any idea's or help will be appreciated.
Heres the topology.
1 x windows 2012 NPS
1x 3750X
1x Windows 7 x64
data flow
<laptop> - - [gi 1/0/13]<3750X>[gi 1/0/48]- -[gi 5/39]<6513>[po 1] - - [po 4]<6509><5/1> - - <VMWARE>[NPS Server]
The switch that is doing the authentication is the 3750X. Here is the IOS version.
Switch Ports Model SW Version SW Image
* 1 54 WS-C3750X-48 15.2(1)E C3750E-UNIVERSALK9-M
A wireshark trace on the NPS server shows that the packets are arriving and being sent back
Wireshark on a mirror of the trunk port connecting the 6513. It also shows packets being sent and arriving. access-accept packets are being recieved.
As you can see in the debug output, the switch is getting a access-accept, then it is stating a AAA failure.
here is a debug output as you plug in the laptop.
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:44.653: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:45.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:46.641: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:47.538: dot1x-ev:[Gi1/0/13] Interface state changed to UP
Oct 24 10:53:47.564: dot1x-packet:[6431.500e.9b00, Gi1/0/13] queuing an EAPOL pkt on Auth Q
Oct 24 10:53:47.572: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/0/13
Oct 24 10:53:47.572: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x1
Oct 24 10:53:47.572: dot1x-packet: length: 0x0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 0,TYPE= 0,LEN= 0
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0101.0000
Oct 24 10:53:47.572: dot1x-ev:[Gi1/0/13] Couldn't find the supplicant in the list
Oct 24 10:53:47.572: dot1x-ev:[6431.500e.9b00, Gi1/0/13] New client detected, sending session start event for 6431.500e.9b00
Oct 24 10:53:47.572: AAA/BIND(00000047): Bind i/f
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Sending create new context event to EAP for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: EAP-EVENT: Received context create from LL (Dot1x-Authenticator) (0x15000045)
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received AAA ID 0x00000047 from LL
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: Assigning AAA ID 0x00000047
Oct 24 10:53:47.580: EAP-AUTH-AAA-EVENT: CTS not enabled on interface Gi1/0/13
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Received Session ID "C0A846660000004700DF6030" from LL
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Setting authentication mode: Passthrough
Oct 24 10:53:47.580: eap_authen : initial state eap_auth_initialize has enter
Oct 24 10:53:47.580: EAP-EVENT: Allocated new EAP context (handle = 0xE8000047)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Created a client entry (0x15000045)
Oct 24 10:53:47.580: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Dot1x authentication started for 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.580: %AUTHMGR-5-START: Starting 'dot1x' for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.580: EAP-EVENT: Received EAP event 'EAP_AUTHENTICATOR_START' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : during state eap_auth_initialize, got event 25(eapStartTmo)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_initialize -> eap_auth_select_action
Oct 24 10:53:47.580: eap_authen : during state eap_auth_select_action, got event 20(eapDecisionPropose)
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_select_action -> eap_auth_propose_method
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_propose_method
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_propose_method -> eap_auth_method_request
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_method_request
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_method_request -> eap_auth_tx_packet
Oct 24 10:53:47.580: EAP-AUTH-EVENT: Current method = Identity
Oct 24 10:53:47.580: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_ID_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.580: eap_authen : idle during state eap_auth_tx_packet
Oct 24 10:53:47.580: @@@ eap_authen : eap_auth_tx_packet -> eap_auth_idle
Oct 24 10:53:47.589: EAP-AUTH-TX-PAK: Code:REQUEST ID:0x1 Length:0x0005 Type:IDENTITY
Oct 24 10:53:47.589: EAP-EVENT: Started 'Authenticator ReqId Retransmit' timer (30s) for EAP sesion handle 0xE8000047
Oct 24 10:53:47.589: EAP-EVENT: Started EAP tick timer
Oct 24 10:53:47.589: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_TX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.597: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.597: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.597: dot1x-packet: length: 0x0005
Oct 24 10:53:47.597: dot1x-packet:EAP code: 0x1 id: 0x1 length: 0x0005
Oct 24 10:53:47.597: dot1x-packet: type: 0x1
Oct 24 10:53:47.597: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL packet sent to client 0x15000045
Oct 24 10:53:47.606: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Queuing an EAPOL pkt on Authenticator Q
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Dequeued pkt: Int Gi1/0/13 CODE= 2,TYPE= 1,LEN= 31
Oct 24 10:53:47.606: dot1x-ev:[Gi1/0/13] Received pkt saddr =6431.500e.9b00 , daddr = 0180.c200.0003, pae-ether-type = 888e.0100.001f
Oct 24 10:53:47.606: dot1x-packet:EAPOL pak rx - Ver: 0x1 type: 0x0
Oct 24 10:53:47.606: dot1x-packet: length: 0x001F
Oct 24 10:53:47.606: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Response sent to the server from 0x15000045
Oct 24 10:53:47.606: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_RX_PACKET' on handle 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-RX-PAK: Code:RESPONSE ID:0x1 Length:0x001F Type:IDENTITY
Oct 24 10:53:47.606: Payload: 47454E4552414C5C72616E64792E636F ...
Oct 24 10:53:47.606: eap_authen : during state eap_auth_idle, got event 1(eapRxPacket)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_idle -> eap_auth_received
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response received by context 0xE8000047
Oct 24 10:53:47.606: EAP-AUTH-EVENT: EAP Response type = Identity
Oct 24 10:53:47.606: EAP-EVENT: Stopping 'Authenticator ReqId Retransmit' timer for EAP sesion handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_received, got event 10(eapMethodData)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_received -> eap_auth_method_response
Oct 24 10:53:47.606: EAP-AUTH-EVENT: Received peer identity: GENERAL\randy.coburn.admin
Oct 24 10:53:47.606: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_IDENTITY' on handle 0xE8000047
Oct 24 10:53:47.606: eap_authen : during state eap_auth_method_response, got event 13(eapMethodEnd)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_method_response -> eap_auth_select_action
Oct 24 10:53:47.606: eap_authen : during state eap_auth_select_action, got event 19(eapDecisionPass)
Oct 24 10:53:47.606: @@@ eap_authen : eap_auth_select_action -> eap_auth_passthru_init
Oct 24 10:53:47.606: eap_authen : during state eap_auth_passthru_init, got event 22(eapPthruIdentity)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_passthru_init -> eap_auth_aaa_req
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_GET_PEER_MAC_ADDRESS' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding Audit-Session-ID "C0A846660000004700DF6030" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added Audit-Session-ID
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Adding IDB "0x070B90F8" to RADIUS Req
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Added IDB
Oct 24 10:53:47.614: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_CUSTOMIZE_AAA_REQUEST' on handle 0xE8000047
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: eap_auth_aaa_authen_request_shim aaa_service 19, eap aaa_list handle 0, mlist handle 0
Oct 24 10:53:47.614: AAA/AUTHEN/8021X (00000000): Pick method list 'default'
Oct 24 10:53:47.614: EAP-AUTH-AAA-EVENT: Request sent successfully
Oct 24 10:53:47.614: eap_authen : during state eap_auth_aaa_req, got event 24(eapAAAReqOk)
Oct 24 10:53:47.614: @@@ eap_authen : eap_auth_aaa_req -> eap_auth_aaa_idle
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute hwidb
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-type
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-authen-service
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute target-scope
Oct 24 10:53:47.614: RADIUS/ENCODE(00000000): Unsupported AAA attribute aaa-unique-id
Oct 24 10:53:47.614: RADIUS(00000000): Config NAS IP: 0.0.0.0
Oct 24 10:53:47.614: RADIUS(00000000): sending
Oct 24 10:53:47.614: RADIUS/ENCODE: Best Local IP-Address 192.168.70.102 for Radius-Server 192.168.19.121
Oct 24 10:53:47.614: RADIUS(00000000): Send Access-Request to 192.168.19.121:1645 id 1645/21, len 288
Oct 24 10:53:47.614: RADIUS: authenticator F1 BA E5 31 71 54 BF 1A - A2 B1 5E 1A 63 72 1E 72
Oct 24 10:53:47.614: RADIUS: User-Name [1] 28 "GENERAL\randy.coburn.admin"
Oct 24 10:53:47.614: RADIUS: Service-Type [6] 6 Framed [2]
Oct 24 10:53:47.614: RADIUS: Vendor, Cisco [26] 27
Oct 24 10:53:47.614: RADIUS: Cisco AVpair [1] 21 "service-type=Framed"
Oct 24 10:53:47.614: RADIUS: Framed-MTU [12] 6 1500
Oct 24 10:53:47.614: RADIUS: Called-Station-Id [30] 19 "AC-F2-C5-75-7D-0D"
Oct 24 10:53:47.614: RADIUS: Calling-Station-Id [31] 19 "64-31-50-0E-9B-00"
Oct 24 10:53:47.614: RADIUS: EAP-Message [79] 33
Oct 24 10:53:47.614: RADIUS: 02 01 00 1F 01 47 45 4E 45 52 41 4C 5C 72 61 6E 64 79 2E 63 6F [GENERAL\randy.co]
Oct 24 10:53:47.622: RADIUS: 62 75 72 6E 2E 61 64 6D 69 6E [ burn.admin]
Oct 24 10:53:47.622: RADIUS: Message-Authenticato[80] 18
Oct 24 10:53:47.622: RADIUS: EE 52 4D ED B9 06 F3 CE 63 AC 9D 73 24 1B A7 ED [ RMcs$]
Oct 24 10:53:47.622: RADIUS: EAP-Key-Name [102] 2 *
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 49
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C0A846660000004700DF6030"
Oct 24 10:53:47.622: RADIUS: Vendor, Cisco [26] 20
Oct 24 10:53:47.622: RADIUS: Cisco AVpair [1] 14 "method=dot1x"
Oct 24 10:53:47.622: RADIUS: NAS-IP-Address [4] 6 192.168.70.102
Oct 24 10:53:47.622: RADIUS: NAS-Port [5] 6 60000
Oct 24 10:53:47.622: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 24 10:53:47.622: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 24 10:53:47.622: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 24 10:53:47.622: RADIUS(00000000): Started 10 sec timeout
Oct 24 10:53:47.622: RADIUS: Received from id 1645/21 192.168.19.121:1645, Access-Accept, len 66
Oct 24 10:53:47.622: RADIUS: authenticator 92 F6 07 AF C1 AB 0B 4C - 1D 9E A0 D1 01 36 27 26
Oct 24 10:53:47.622: RADIUS: Class [25] 46
Oct 24 10:53:47.622: RADIUS: 76 E3 06 66 00 00 01 37 00 01 02 00 C0 A8 13 79 00 00 00 00 00 00 00 00 00 00 00 00 01 CE CF F8 1F 7B 75 41 00 00 00 00 00 00 00 50 [ vf7y{uAP]
Oct 24 10:53:47.622: RADIUS(00000000): Received from id 1645/21
Oct 24 10:53:47.622: EAP-EVENT: eap_aaa_reply
Oct 24 10:53:47.622: EAP-AUTH-AAA-EVENT: Reply received session_label 72000033
Oct 24 10:53:47.622: EAP-EVENT: Received AAA event 'EAP_AAA_FAIL' on handle 0xE8000047
Oct 24 10:53:47.622: eap_authen : during state eap_auth_aaa_idle, got event 8(eapAAAFail)
Oct 24 10:53:47.622: @@@ eap_authen : eap_auth_aaa_idle -> eap_auth_failure
Oct 24 10:53:47.631: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.631: EAP-AUTH-TX-PAK: Code:FAILURE ID:0x1 Length:0x0004
Oct 24 10:53:47.631: EAP-AUTH-EVENT: FAIL for EAP method ID: 1, name: , on handle 0xE8000047
Oct 24 10:53:47.631: EAP-EVENT: Sending LL (Dot1x-Authenticator) event 'EAP_FAIL' on handle 0xE8000047
Oct 24 10:53:47.631: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Received an EAP Fail
Oct 24 10:53:47.639: %DOT1X-5-FAIL: Authentication failed for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Added username in dot1x
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] Dot1x did not receive any key data
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Processing client delete for hdl 0x15000045 sent by Auth Mgr
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] 6431.500e.9b00: sending canned failure due to method termination
Oct 24 10:53:47.639: EAP-EVENT: Received get canned status from lower layer (0xE8000047)
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending EAPOL packet to group PAE address
Oct 24 10:53:47.639: dot1x-ev:[Gi1/0/13] Sending out EAPOL packet
Oct 24 10:53:47.639: dot1x-packet:EAPOL pak Tx - Ver: 0x3 type: 0x0
Oct 24 10:53:47.639: dot1x-packet: length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:EAP code: 0x4 id: 0x1 length: 0x0004
Oct 24 10:53:47.639: dot1x-packet:[6431.500e.9b00, Gi1/0/13] EAPOL canned status packet sent to client 0x15000045
Oct 24 10:53:47.639: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Deleting client 0x15000045 (6431.500e.9b00)
Oct 24 10:53:47.639: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client 6431.500e.9b00 on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.639: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (6431.500e.9b00) on Interface Gi1/0/13 AuditSessionID C0A846660000004700DF6030
Oct 24 10:53:47.648: dot1x-ev:[6431.500e.9b00, Gi1/0/13] Delete auth client (0x15000045) message
Oct 24 10:53:47.648: EAP-EVENT: Received free context (0xE8000047) from LL (Dot1x-Authenticator)
Oct 24 10:53:47.648: dot1x-ev:Auth client ctx destroyed
Oct 24 10:53:47.648: EAP-EVENT: Received LL (Dot1x-Authenticator) event 'EAP_DELETE' on handle 0xE8000047
Oct 24 10:53:47.648: EAP-AUTH-EVENT: Freed EAP auth context
Oct 24 10:53:47.648: EAP-EVENT: Freed EAP context
Oct 24 10:53:48.621: EAP-EVENT: Stopped EAP tick timer
Oct 24 10:53:49.485: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:50.491: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] Interface state changed to DOWN
Oct 24 10:53:53.528: dot1x-ev:[Gi1/0/13] No DOT1X subblock found for port down
Oct 24 10:53:54.518: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down
Oct 24 10:53:55.524: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to downHi Jatin,
See below the data that you have requested.
show run bits.
aaa new-model
aaa authentication dot1x default group radius
aaa session-id common
clock timezone BST 0 0
clock summer-time UTC recurring last Sun Mar 1:00 last Sun Oct 2:00
dot1x system-auth-control
interface GigabitEthernet1/0/13
switchport access vlan 80
switchport mode access
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
interface GigabitEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 70
switchport mode trunk
radius server NPS1
address ipv4 192.168.19.121 auth-port 1645 acct-port 1646
timeout 10
key thesecret
ip default-gateway 192.168.70.1
SW1-randy#show auth sessions interface gig 1/0/13
Interface MAC Address Method Domain Status Fg Session ID
Gi1/0/13 803f.5d09.189e N/A UNKNOWN Unauth C0A846660000002F00251DBC
SW1-randy#Show mac address-table Interface GigabitEthernet1/0/13
Mac Address Table
Vlan Mac Address Type Ports
80 803f.5d09.189e DYNAMIC Drop
SW1-randy#ping 192.168.19.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.19.121, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Here is a wireshark of the accept packet.
Message was edited by: randy coburn
Added wireshark trace -
NPS Authentication Fails (Reason 16) After Migration to 2012 R2 from 2008 R2
I'm using NPS for wired dot1x authentication and I just migrated my NPS server from 2008 R2 to 2012 R2. When I point the network switch to start using the new 2012 R2 NPS as the RADIUS server, I get authentication failures - event 6273, reason code
16. When I switch it back to the 2008 R2 server, it works fine. The two servers are configured EXACTLY the same as far as I can tell - same RADIUS client config, same connection request policies, same network policies - and it should be since I
used the MS prescribed migration process. The only thing that differs is the server's certificate name used in the PEAP setup screen.
I'm using computer authentication only, so everything is based on computer accounts and I've selected to NOT validate server credentials on the group policy.
I've verified the shared secrets multiple times. Both servers are domain controllers.
Here is an example of the errors logged on the 2012 R2 server.
========================================
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: FAITHCHURCH\youthroom$
Account Name: host/YOUTHROOM.faithchurch.net
Account Domain: FAITHCHURCH
Fully Qualified Account Name: FAITHCHURCH\youthroom$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 44-37-E6-C0-32-CA
NAS:
NAS IPv4 Address: 192.168.1.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Ethernet
NAS Port: 1010
RADIUS Client:
Client Friendly Name: Extreme X440
Client IP Address: 192.168.1.1
Authentication Details:
Connection Request Policy Name: Secure Wired (Ethernet) Connections 2
Network Policy Name: Secure Wired (Ethernet) Connections 2
Authentication Provider: Windows
Authentication Server: Sigma.faithchurch.net
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
========================================Hi,
Have you added the NPS server to the RAS and IAS Servers
security group in AD DS?
The NPS server needs permission to read the dial-in properties of user accounts during the authorization process.
Try to add a loal user on the NPS server, then test with the local user. If it works, it means that there is something wrong between NPS and DC.
If the issue persists, it means that the configuration between NPS and NAS is wrong.
Steven Lee
TechNet Community Support -
Authentication Failed to 2008 NPS from Cisco IOS VPN
I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.
Local authentication works fine.
Here are cisco configs:
aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common
ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx
crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
... other crypto commands
This is the section of the log from NPS:
Authentication Details:
Connection Request Policy Name: VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: x.x.x.x
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
I do have PAP enabled on the Network/Connection Request Policies...
I'm stuck
Please helpCan you run a "teat aaa " command to see if the user can be authenticated successfully?
I think this might be a configuration issue on NPS. You can google it. Here is one I found, refer to "irishHam" post.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3 -
Hello,
I got a report from a branch office which is getting trouble to authenticate users to the WLAN this is a stand alone AP which has a configuration script that we use for all our branch offices but in this case is not working. It seems to be an issue with RADIUS but if it was the case the whole company would be experiencing problems since it is a central RADIUS server.
Here is a log from the AP
By the way I modified the radius server timeout to 90 sec
APIMMEXP01#
Sep 1 17:01:47.240: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:01:53.503: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:01:58.739: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:02:35.587: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:02:35.589: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:02:47.476: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:02:50.344: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:02:53.768: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:02:58.966: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:00.953: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:04:07.050: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:04:12.332: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:04:33.294: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:04:36.577: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:05:01.009: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:05:07.175: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:05:12.517: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:06:01.247: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:06:19.739: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:06:20.707: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:06:25.241: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:06:25.243: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:06:25.836: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:07:01.237: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:07:20.694: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:07:25.818: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:08:01.623: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:08:13.834: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:08:27.978: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:08:27.979: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:08:34.301: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:08:39.325: %DOT11-7-AUTH_FAILED: Station 001e.65cf.9ca8 Authentication
failed
Sep 1 17:09:15.042: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:09:34.664: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failed
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.28:1812,1646
is not responding.
Sep 1 17:09:47.790: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.28:1812,1646
is being marked alive.
Sep 1 17:10:15.184: %DOT11-7-AUTH_FAILED: Station 0021.5c7f.1739 Authentication
failed
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.51.16.27:1812,1646
is not responding.
Sep 1 17:10:16.644: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.51.16.27:1812,1646
is being marked alive.
Sep 1 17:10:48.062: %DOT11-7-AUTH_FAILED: Station 0026.c64b.c3d6 Authentication
failedWhat error is the AAA server showing for these errors?
Sent from Cisco Technical Support iPad App -
Cisco ISE authentication failed because client reject certificate
Hi Experts,
I am a newbie in ISE and having problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.
Regards,
RatnaCertificate-Based User Authentication via Supplicant Failing
Symptoms or
Issue
User authentication is failing on the client machine, and the user is receiving a
“RADIUS Access-Reject” form of message.
Conditions (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message;
treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output
in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the
client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note This is an indication that the client does not have or does not trust the Cisco
ISE certificates.
Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not
configured to trust the Cisco ISE certificate.
Resolution The client machine must accept the Cisco ISE certificate to enable authentication. -
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
Hi All ,
I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of EAP_TLS under golbal authentication setup .
I have downloaded client supplicant certficate file for my windows XP machine .
When i tried to authenticated i am finding following error message under failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..Hello,
I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
- Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
- Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
- Delete the wireless network from the computer
- REBOOT!!
- Open the Microsoft Management Console, “mmc”.
- Go FILE\Add Remove SnapIn. Select Certificates ..
- If promoted, do it for “My User Account”.
- Make sure the certificates are where you put them.
- If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
- Redo wireless network setup again
I hope this helps you.
Mike -
FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)
My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
WLAN configuration:
(Cisco Controller) >show wlan 100
WLAN Identifier.................................. 100
Profile Name..................................... test-qh
Network Name (SSID).............................. test-qh
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 10
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
--More-- or (q)uit
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Global Servers
--More-- or (q)uit
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Enabled (Profile 'test')
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT(802.11r)............................. Enabled
FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Disabled
CCKM tsf Tolerance............................... 1000
CKIP ......................................... Disabled
--More-- or (q)uit
IP Security................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
debug info:
Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
*apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b R0KH-ID:192.168.20.244 R1KH-ID:00:24:14:7e:74:c0 MSK Len:48
pmkValidTime:1772
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
*dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
(Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
*dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
(Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
*apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
*apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
*apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
*spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b R0KH-ID:192.168.20.244 R1KH-ID:00:24:14:7e:74:c0 MSK Len:48
pmkValidTime:1813
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1 (16)
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
*dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
=============================
qh
thanks in advance!Can anyone help me?
-
802.1x authentication fails
Setup: two 5500 (v6.0.188.0, mix of 1131 and 1141 AP`s
Laptops running fine for random number of weeks suddenly can´t connect to the wireless network. The output from Client troubleshoot shows:
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Controller association request message received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received reassociation request from client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
The wlan to which client is connecting requires 802 1x authentication.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Client moved to associated state successfully.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received EAP Response from the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received EAPOL start message from client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received EAP Response from the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
EAP response from client to AP received.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Received Access-Challenge from the RADIUS server for the client.
05/07/2010 07:03:14 CEST
INFO
10.1.1.101
Sending EAP request to client from radius server.
05/07/2010 07:03:44 CEST
ERROR
10.1.1.101
Retransmitting EAP-ID request to client,retransmission timer expired.
05/07/2010 07:04:14 CEST
ERROR
10.1.1.101
Retransmitting EAP-ID request to client,retransmission timer expired.
05/07/2010 07:04:44 CEST
ERROR
10.1.1.101
Authentication failed for client as EAP ID request from AP reached maxmium retransmissions.
05/07/2010 07:04:44 CEST
ERROR
10.1.1.101
De-authentication sent to client. slot 0 (claller 1x_ptsm.c:467)
05/07/2010 07:04:44 CEST
ERROR
10.1.1.101
05/07/2010 07:04:44 CEST
ERROR
10.1.1.101
EAPOL-key is invalid, scheduling client for deletion.We are using PEAP-MS-CHAP v2 . The IAS certificate is valid to 2014. We have about 300 laptops, but now and then some of them fails to authenticate. Yesterday I noticed that if I had one of the failing computers connected with wire, after some minutes it suddenly authenticated wireless!
-
Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2Check you ACS (Radius) logs under failures. You will see why its failing. Sounds like a AD account went bad
or someone is entering the wrong logon ... But check your radius log it will point you in the right direction. -
As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
And my (MS IAS) RADIUS server has an entry:
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
http://support.microsoft.com/kb/883619 -
Cisco 2960 802.1x authentication fail
Physical switch version:
C2960 Boot Loader (C2960-HBOOT-M) Version 15.0(2r)EZ1, RELEASE SOFTWARE (fc1)
System image file is "flash:/c2960-lanbasek9-mz.150-2.SE5/c2960-lanbasek9-mz.150-2.SE5.bin"
The goal of this lab is only authenticated by the MAC address of the laptop.
Currently,I have a trouble as following and don't know what is this root cause .
Please give me a guide point.
Thanks so much
*Mar 2 20:45:03.908: %AUTHMGR-5-START: Starting 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %MAB-5-FAIL: Authentication failed for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:04.218: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (3c97.0e04.7075) on Interface Fa0/1 AuditSessionID C0A8DCA9000000AE099A3F70
*Mar 2 20:45:05.720: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 2 20:45:06.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to upI have a few questions:
1. What type of Radius server do you have?
2. Can you post a screen shot of your Radius AAA policies
3. Do you have the mac address entered in your Radius server
4. Provide the output from the following commands:
- show aaa servers
- show authentication session interface interface_name_number
Thank you for rating helpful posts! -
I am using Cisco1941W.
When I connect CliantPC to Wireless(1941W) I got bellow massage from 1941AP.
"%DOT11-7-AUTH_FAILED: Station 0011.f596.eecb Authentication failed"
And I couldn't ping from my PC to AP and Router.
Its possible communication from AP to Router.
I show 1941AP configration.
Could you find wrong?
By the way, my PC connected to AP by 108Mbps.
But my PC supported only 802.11a/b/g .
My PC use Static IP Address and use TEST-2 ssid.
I couldn't find error from my PC.
(start)
hostname TEST
enable secret test
aaa new-model
aaa group server radius rad_eap
server 10.73.12.2 auth-port 1645 acct-port 1646
aaa session-id common
dot11 syslog
dot11 ssid TEST-1
vlan 100
authentication open eap eap_methods
authentication key-management wpa
mbssid guest-mode
dot11 ssid TEST-2
vlan 200
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii testtesttesttesttest
dot11 aaa csid ietf
username Cisco password 7 05280F1C2243
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
mbssid
antenna gain 0
station-role root
interface Dot11Radio0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
no shut
encryption vlan 100 mode ciphers aes-ccm
encryption vlan 200 mode ciphers aes-ccm
ssid TEST-1
ssid TEST-2
antenna gain 0
no dfs band block
channel 5180
station-role root
interface Dot11Radio1.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 5
no bridge-group 5 source-learning
bridge-group 5 spanning-disabled
no shut
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
ip address 10.73.12.7 255.255.255.0
no ip route-cache
ip default-gateway 10.73.12.1
ip http server
no ip http secure-server
radius-server deadtime 1440
bridge 1 route ip
(end)
I guess errer massage is telling Radio Frequency error.
I tried to change configuration "speed".
But still get error massage and I couldn't ping from my PC.Thanks, leolaohoo.
> My PC use Static IP Address and use TEST-2 ssid.
so I use TEST-2.
in this case, ignore TEST-1.
I just paste real configuration.
I tried to connect again.
But still I can't ping from PC to AP.
I use other PC.
I configured bellow.
-interface dot11Radio0
-speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
It was same resault.
Is cisco1941w broken?
I'd like to know one more.
I configured bellow, but I couldn't use 802.11a.
-interface dot11Radio0
-shutdown
how to use 802.11a(5GHz)? -
We have a Cisco 7920 that I can't seem to get configured to authenticate to our AP1242AG's. Everything seem to be set correctly on the 7920, but I don't even see an "authentication failed" message on the AP!! Am I missing something in configuring the AP for use with this device. We are using a radius server, and I'm not seeing a request from the 7920 there either. Any suggestions would be GREATLY appreciated.
I ran a debug and this is what I got:
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 3883 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 3884 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 2035 message lines logged
Log Buffer (4096 bytes):
t_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:41:24.064: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:41:24.179: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.474: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:01.477: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.481: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.481: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:42:01.483: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.597: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.711: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.564: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:48.568: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.571: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.572: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:42:48.573: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.688: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.804: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.304: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:43:24.308: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.312: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.312: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:43:24.314: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.428: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.543: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Maybe you are looking for
-
I added an 1TB external usb hard disk to my time capsule as the existing 1TB hard disk is nearly full (less than 12 GB left on time capslule hard disk). Initially, I connected external hard disk to my MacBookPro (late 2009 Intel machine) and erased
-
I am making a form in Adobe Acrobat Professional and everything is going great and I put in image fields and activated the users so I could send it out to anyone that needed to use this form to place images. So all they had to do was click and find t
-
Copy / move input schedules and reports to a team folder
Hi, Is there a way to take a group of input schedules / reports that are currently saved in one team folder and copy them to another in one go or do I have to do it one by one, i.e. individually? Thanks, Arnold
-
Help with frozen process, retry delay and transaction rolled back
Hi all, </br> </br> Is there a way to create a JPD that will be able to retry a specific logic for several times with <b>delay</b> in between and <b>freeze</b> on the last retry. Also, at the same time, <b>not rollback</b> any database commits? </br>
-
Where is the Apache home for WLS 10.3.5.0?
Hi everyone, Where is the ${APACHE_HOME} on WLS 10.3.5.0? Also how do I check the version of apache? -=Joe