Run 802.1x authenticator on wired interface

Is it possible to run a Linux-based 802.1x authenticator on a wired ethernet port? Basically, I'm trying to protect physical network access to a server. The server has only one client, connected via 1Gbps crossover cable, so there is no switch involved.
I've found countless examples where Linux acts as supplicant, and the hardware switch acts as authenticator, but this would be exactly the opposite.
So my question is, is this possible? And if it is, how? Or perhaps there is some better way to secure a crossover cable connection between two machines on network level that is transparent to applications, and possibly also prevents eavesdropping and MITM attacks? Any suggestions are welcome.
Thanks!

bachtiar wrote:
Is it possible to run a Linux-based 802.1x authenticator on a wired ethernet port? Basically, I'm trying to protect physical network access to a server. The server has only one client, connected via 1Gbps crossover cable, so there is no switch involved.
I've found countless examples where Linux acts as supplicant, and the hardware switch acts as authenticator, but this would be exactly the opposite.
So my question is, is this possible? And if it is, how? Or perhaps there is some better way to secure a crossover cable connection between two machines on network level that is transparent to applications, and possibly also prevents eavesdropping and MITM attacks? Any suggestions are welcome.
Thanks!
Sure
pacman -S hostapd

Similar Messages

  • 802.1x Authentication on Wired and Wireless LAN

    I have successfully configured 802.1x authentication on wired and wireless LAN. We have Cisco switches, ACS SE and Windows AD.
    But I have one issue regarding single sign-on when authenticating using 802.1x with Windows Active Directory: users who are logging in for the first time are not able to log on, but users whose profiles already exist on their PC have no issue and are successfully authenticated and log in easily.
    Is there any way for users to log in successfully the first time using 802.1x authentication with Windows AD, like a single sign-on?

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
    At the beginning we were completely unable to log on to the machines where no locally stored Windows profile exists. After changing the timeout for authenticating to the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
    Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
    Hope that someone else has any clue?

  • 802.1x authentication on Macbooks running Lion..

    Hi Guys,
    I was wondering if anyone has experienced problems with 802.1x authentication on their Cisco Wifi network using Macbook Pro/Airs running Lion.
    We have..
    2x Controllers with WiSMs running 7.0.116.0
    A mixture of 1131 and 1142 APs..  ( APs mainly in HREAP mode with some APs located on the same local network as the Controller in Local Mode )
    Macbook Airs/ Pro running Lion
    The symptoms we are experiencing are very similar to those described in this thread.. https://supportforums.cisco.com/message/3485552
    In summary, we are finding that when our MacBooks are coming out of sleep/standby or roaming between APs, the devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.
    This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac
    From reading various online forums, we have tried the following to resolve this..
    - Disabled WPA across our wifi network as we don't use it anymore.. We now just use WPA2 with AES and Dot1x authentication.
    - Disabled Client Load Balancing on the SSID configuration… this does not seem to have made things any better or worse although we are seeing more Load Profile threshold notification alerts for some of our APs which are used heavily.
    - The 802.1x time out is currently set at 20secs.
    - Some APs which are in Local mode ( due to them being on the same local network as our wifi controllers ) have been changed to HREAP mode and assigned a static IP address.. We found that this was required at our spoke sites where we were originally experiencing issues with our old Windows based devices.. Incidentally, we have not experienced any of these delayed authentication issues with our Windows laptops, all our problems seem to be with our MacBooks running Lion..
    As I mentioned earlier, there seems to be many discussions online regarding problems with the Lion OS and 802.1x authentication..
    Has anyone experienced these problems in the past on their Cisco APs and successfully managed to resolve it.. ?
    Any ideas would be appreciated..
    Many thanks.
    Jon.

    Ran across this old post while researching this same issue. For us, the problem appears to be with the Macs trying to request an IPv6 address if set to Automatically or Link-local only for Configure IPv6 under the TCP/IP tab. When we changed this to Manually and set a manual link local address, the problem went away and could reconnect after roaming between APs or coming out of sleep/standby.
    Enjoy,
    Wayne
    UPDATE 1: This 'fix' did not solve the issue. After a day, we're still seeing the problem.
    UPDATE 2: Found the solution to my problem. It was the cert chain of trust and CRL lookup. The link below describes the problem, but basically the Macs were unable to check the certs, causing a timeout. No network = no CRL lookup = no network......
    http://support.apple.com/kb/TS5258?viewlocale=en_US&locale=en_US

  • How to access 802.1x authentication wired nework with digital certificate?

    How can I access 802.1x authentication wired network with digital certificate?
    I can access the network in Windows with the following configuration:
    BUT in my Lion, I had imported the digital certificate. While I connected to the network, I was prompted:
    Enter the name and password for this 802.1X network
    I could not get the opportunity to select my digital certificate? But my colleague can.
    iPhone Configuration Utility seemed to provide a wireless 802.1X authentication configuration file. And in my work background, most people use Windows. And there is not a Lion server to provide a configuration file.

    Dear Rune,
    Thank you for reaching Small Business Support Community.
    If you have already followed the 802.1X Supplicant configuration described in page 112, chapter 6, on the admin guide;
    http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap121/administration/guide/WAP121_321_AG_en.pdf
    All I can suggest you is to make sure you are running on the latest firmware release version 1.0.4.2;
    http://software.cisco.com/download/release.html?mdfid=284152656&flowid=32563&softwareid=282463166&release=1.0.4.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    And then contact the Small Business Support Center to have a TAC engineer figure this out;
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the Post so others will know when an answer has been found.

  • Configuring Wired 802.1x Authentication step-by-step guide

    Hello All
    I don't have a question at the moment, but I wrote a step-by-step guide on how to configure Wired 802.1x Authentication on Windows Server 2012 using Cisco switches.
    You can find the document on my website http://www.accessdenied.be/blog
    regards
    Johan Loos CISSP,MCT,ISO 27001 and others

    Hi Johan,
    Thanks for your sharing.
    As this post is not a question, I will change it to Discussion. In addition, I would recommend that you publish the guide at TechNet Wiki.
    http://social.technet.microsoft.com/wiki
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • 802.1x authentication problem on C2960S-48TS-L with Linux clients

    Hi,
    Due to implementing wired 802.1x in my company I was faced with a problem of authentication of some Linux computers (Ubuntu 13.10+) via mab at one of my access switches (C2960S-48TS-L). The problem exists on IOS 12.55 and 15.0(2)SE6.
    It seems that Authenticator can't detect MAC address of supplicant. In debug the MAC address is (Unknown MAC) or (0000.0000.0000). 
    Before authentication I could see registered MAC address on the switchport interface(without 802.1x settings on the port):
    sh mac address-table interface g1/0/2          "before 802.1x authentication"
    Vlan    Mac Address       Type        Ports
       2    0015.990f.60d9    STATIC      Gi1/0/2
    The host should get into VLAN 2 after failed authentication (according to port settings). But actually, after trying to authenticate, the host on this port loses connection with the network and doesn't get into VLAN 2.
    sh mac address-table interface g1/0/2              "after 802.1x authentication"
    Vlan    Mac Address       Type        Ports
    sh authentication sessions
    Interface  MAC Address     Method   Domain   Status         Session ID
    Gi1/0/24   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000000023E32
    Gi1/0/25   (unknown)       dot1x    DATA     Authz Success  6A7D1FAF0000000200024193
    Gi1/0/2    (unknown)       mab      UNKNOWN  Running        6A7D1FAF000000280011BA1A
    sh dot1x interface g1/0/2 details
    Dot1x Info for GigabitEthernet1/0/2
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 5
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 3
    sh run int g1/0/2
    interface GigabitEthernet1/0/2
     description ## User Port ##
     switchport access vlan 2
     switchport mode access
     switchport voice vlan 5
     switchport port-security maximum 5
     switchport port-security
     switchport port-security aging time 2
     switchport port-security aging type inactivity
     ip arp inspection limit rate 120
     authentication event fail retry 0 action authorize vlan 2
     authentication event server dead action authorize vlan 2
     authentication event no-response action authorize vlan 2
     authentication host-mode multi-host
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate 3900
     authentication timer inactivity 300
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout quiet-period 5
     dot1x timeout tx-period 3
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     storm-control action trap
     no cdp enable
     spanning-tree portfast
     spanning-tree bpduguard enable
     spanning-tree guard root
    end
    I have tried to change  authentication host-mode to multi-domain but the problem remains.
    "debug dot1x all" in the attached file.
    Please help me to resolve this issue

    I have removed port security but still have failed authentication on the port
    002262: Mar 26 16:23:26.516: dot1x-ev(Gi1/0/2): Deleting client 0x9A000053 (0000.0000.0000)
    002263: Mar 26 16:23:26.516: dot1x-ev:Delete auth client (0x9A000053) message
    002264: Mar 26 16:23:26.516: dot1x-ev:Auth client ctx destroyed
    002265: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: initial state auth_initialize has enter
    002266: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_initialize_enter called
    002267: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_initialize, got event 0(cfg_auto)
    002268: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_initialize -> auth_disconnected
    002269: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_disconnected_enter called
    002270: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: idle during state auth_disconnected
    002271: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_disconnected -> auth_restart
    002272: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_enter called
    002273: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Sending create new context event to EAP for 0x6D000054 (0000.0000.0000)
    002274: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has enter
    002275: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_initialize_enter called
    002276: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: initial state auth_bend_initialize has idle
    002277: Mar 26 16:23:26.715:     dot1x_auth_bend Gi1/0/2: during state auth_bend_initialize, got event 16383(idle)
    002278: Mar 26 16:23:26.715: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_initialize -> auth_bend_idle
    002279: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002280: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Created a client entry (0x6D000054)
    002281: Mar 26 16:23:26.715: dot1x-ev(Gi1/0/2): Dot1x authentication started for 0x6D000054 (0000.0000.0000)
    002282: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): Posting !EAP_RESTART on Client 0x6D000054
    002283: Mar 26 16:23:26.715:     dot1x_auth Gi1/0/2: during state auth_restart, got event 6(no_eapRestart)
    002284: Mar 26 16:23:26.715: @@@ dot1x_auth Gi1/0/2: auth_restart -> auth_connecting
    002285: Mar 26 16:23:26.715: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_enter called
    002286: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_restart_connecting_action called
    002287: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting RX_REQ on Client 0x6D000054
    002288: Mar 26 16:23:26.721:     dot1x_auth Gi1/0/2: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
    002289: Mar 26 16:23:26.721: @@@ dot1x_auth Gi1/0/2: auth_connecting -> auth_authenticating
    002290: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_enter called
    002291: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_connecting_authenticating_action called
    002292: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): Posting AUTH_START for 0x6D000054
    002293: Mar 26 16:23:26.721:     dot1x_auth_bend Gi1/0/2: during state auth_bend_idle, got event 4(eapReq_authStart)
    002294: Mar 26 16:23:26.721: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_idle -> auth_bend_request
    002295: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002296: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002297: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Role determination not required
    002298: Mar 26 16:23:26.721: dot1x-registry:registry:dot1x_ether_macaddr called
    002299: Mar 26 16:23:26.721: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002300: Mar 26 16:23:26.721: EAPOL pak dump Tx
    002301: Mar 26 16:23:26.721: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002302: Mar 26 16:23:26.721: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002303: Mar 26 16:23:26.721: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002304: Mar 26 16:23:26.721: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_request_action called
    002305: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002306: Mar 26 16:23:29.814:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002307: Mar 26 16:23:29.814: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002308: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002309: Mar 26 16:23:29.814: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002310: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002311: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Role determination not required
    002312: Mar 26 16:23:29.814: dot1x-registry:registry:dot1x_ether_macaddr called
    002313: Mar 26 16:23:29.814: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002314: Mar 26 16:23:29.814: EAPOL pak dump Tx
    002315: Mar 26 16:23:29.814: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002316: Mar 26 16:23:29.814: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002317: Mar 26 16:23:29.814: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002318: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): Posting EAP_REQ for 0x6D000054
    002319: Mar 26 16:23:32.907:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 7(eapReq)
    002320: Mar 26 16:23:32.907: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_request
    002321: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_request_action called
    002322: Mar 26 16:23:32.907: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_enter called
    002323: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending EAPOL packet to group PAE address
    002324: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Role determination not required
    002325: Mar 26 16:23:32.913: dot1x-registry:registry:dot1x_ether_macaddr called
    002326: Mar 26 16:23:32.913: dot1x-ev(Gi1/0/2): Sending out EAPOL packet
    002327: Mar 26 16:23:32.913: EAPOL pak dump Tx
    002328: Mar 26 16:23:32.913: EAPOL Version: 0x3  type: 0x0  length: 0x0005
    002329: Mar 26 16:23:32.913: EAP code: 0x1  id: 0x1  length: 0x0005 type: 0x1
    002330: Mar 26 16:23:32.913: dot1x-packet(Gi1/0/2): EAPOL packet sent to client 0x6D000054 (0000.0000.0000)
    002331: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received an EAP Timeout
    002332: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting EAP_TIMEOUT for 0x6D000054
    002333: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: during state auth_bend_request, got event 12(eapTimeout)
    002334: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_request -> auth_bend_timeout
    002335: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_timeout_enter called
    002336: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_request_timeout_action called
    002337: Mar 26 16:23:36.001:     dot1x_auth_bend Gi1/0/2: idle during state auth_bend_timeout
    002338: Mar 26 16:23:36.001: @@@ dot1x_auth_bend Gi1/0/2: auth_bend_timeout -> auth_bend_idle
    002339: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_bend_idle_enter called
    002340: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting AUTH_TIMEOUT on Client 0x6D000054
    002341: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authenticating, got event 14(authTimeout)
    002342: Mar 26 16:23:36.001: @@@ dot1x_auth Gi1/0/2: auth_authenticating -> auth_authc_result
    002343: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authenticating_exit called
    002344: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): 0x6D000054:auth_authc_result_enter called
    002345: Mar 26 16:23:36.001: %DOT1X-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002346: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Sending event (2) to Auth Mgr for 0000.0000.0000
    002347: Mar 26 16:23:36.001: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002348: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Received Authz fail for the client  0x6D000054 (0000.0000.0000)
    002349: Mar 26 16:23:36.001: dot1x-ev(Gi1/0/2): Deleting client 0x6D000054 (0000.0000.0000)
    002350: Mar 26 16:23:36.001: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (Unknown MAC) on Interface Gi1/0/2 AuditSessionID 6A7D1FAF0000006001916AC3
    002351: Mar 26 16:23:36.001: dot1x-sm(Gi1/0/2): Posting_AUTHZ_FAIL on Client 0x6D000054
    002352: Mar 26 16:23:36.001:     dot1x_auth Gi1/0/2: during state auth_authc_result, got event 22(authzFail)
    002353: Mar 26 16:23:36.006: @@@ dot1x_auth Gi1/0/2: auth_authc_result -> auth_held
    002354: Mar 26 16:23:36.006: dot1x-ev:Delete auth client (0x6D000054) message
    002355: Mar 26 16:23:36.006: dot1x-ev:Auth client ctx destroyed
    002356: Mar 26 16:23:36.006: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client

  • 802.1X authentication not happening in Voice Domain for IP Phone

    I am trying to lab as many scenarios as I can for 802.1x.  I seem to have hit a problem with IP Phones running EAP-MD5 authentication.  The phones are always being authenticated in the Data Domain.  This is regardless of whether or not the port configuration is in: host-mode multi-auth  ,or, host-mode multi-domain.  After a while of both ports appearing to authenticate in the data VLAN, neither the PC nor the phone will work.
    I have checked that my ACS5.1 server is sending the appropriate AV pair of "device-traffic-class=voice" as I can see it in a wireshark trace.
    What other aspects might I need to check to get the phone to authenticate itself properly?
    The problem shows itself as:
    C3750G#sh authentication sessions int gi 1/0/16
                Interface:  GigabitEthernet1/0/16
              MAC Address:  001d.452d.53e0
               IP Address:  Unknown
                User-Name:  CP-7942G-SEP001D452D53E0
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000014000F6B8F
          Acct Session ID:  0x00000036
                   Handle:  0xC8000014
    Runnable methods list:
           Method   State
           dot1x    Authc Success
                Interface:  GigabitEthernet1/0/16
              MAC Address:  0014.c209.896f
               IP Address:  192.168.10.2
                User-Name:  TEST\TestAdmin
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  C0A8FE2500000013000F5A42
          Acct Session ID:  0x00000034
                   Handle:  0x27000013
    Runnable methods list:
           Method   State
           dot1x    Running
    My port config is:
    interface GigabitEthernet1/0/16
    description * 802.1x Multi Domain (1Phone + 1PC) *
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 11
    priority-queue out
    authentication host-mode multi-domain
    authentication port-control auto
    udld port aggressive
    mls qos trust dscp
    dot1x pae authenticator
    spanning-tree portfast
    end

    For information, the debugs you request are:
    Jan 29 10:58:46.317: %ILPOWER-7-DETECT: Interface Gi1/0/16: Power Device detected: IEEE PD
    Jan 29 10:58:46.770: %ILPOWER-5-POWER_GRANTED: Interface Gi1/0/16: Power granted
    Jan 29 10:58:50.377: AAA/BIND(0000001D): Bind i/f
    Jan 29 10:58:52.373: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:53.380: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/16, changed state to up
    Jan 29 10:58:54.789: %AUTHMGR-5-START: Starting 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:56.920: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:56.920: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:56.920: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:56.920: RADIUS(0000001D): sending
    Jan 29 10:58:56.920: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/52, len 237
    Jan 29 10:58:56.920: RADIUS:  authenticator 89 81 92 2C AA 6B E6 E6 - CA 2C 3A 0D E1 C5 28 ED
    Jan 29 10:58:56.928: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:56.928: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:56.928: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:56.928: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:56.928: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:56.928: RADIUS:  EAP-Message         [79]  31
    Jan 29 10:58:56.928: RADIUS:   02 01 00 1D 01 43 50 2D 37 39 34 32 47 2D 53 45 50 30 30 31 44  [CP-7942G-SEP001D]
    Jan 29 10:58:56.928: RADIUS:   34 35 32 44 35 33 45 30          [ 452D53E0]
    Jan 29 10:58:56.928: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.928: RADIUS:   83 AF F8 DB 44 0D 0A 46 70 2F 1E 8D 67 CE BC DD             [ DFp/g]
    Jan 29 10:58:56.928: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:56.928: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:56.928: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:56.928: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:56.928: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:56.928: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:56.928: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:56.928: RADIUS: Received from id 1645/52 192.168.254.51:1645, Access-Challenge, len 76
    Jan 29 10:58:56.928: RADIUS:  authenticator DA 45 B9 F8 80 48 A0 4B - F7 99 9B 1F DE 4F B2 9E
    Jan 29 10:58:56.928: RADIUS:  State               [24]  30
    Jan 29 10:58:56.937: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:56.937: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:56.937: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:56.937: RADIUS:   01 51 00 06 0D 20                [ Q ]
    Jan 29 10:58:56.937: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:56.937: RADIUS:   3C F4 D9 93 82 EA FB 25 A7 9D C4 8F 14 3F 33 4F             [ <??3O]
    Jan 29 10:58:56.937: RADIUS(0000001D): Received from id 1645/52
    Jan 29 10:58:56.937: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    Jan 29 10:58:57.046: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.046: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.046: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.046: RADIUS(0000001D): sending
    Jan 29 10:58:57.046: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/53, len 244
    Jan 29 10:58:57.046: RADIUS:  authenticator BE 9B 32 59 45 BF 15 45 - E4 43 02 B5 B5 D7 ED 83
    Jan 29 10:58:57.046: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.046: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.046: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.054: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.054: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.054: RADIUS:  EAP-Message         [79]  8
    Jan 29 10:58:57.054: RADIUS:   02 51 00 06 03 04                 [ Q]
    Jan 29 10:58:57.054: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.054: RADIUS:   E0 B5 99 82 7E 9E 35 0F 78 D9 BD 4B 96 97 34 47            [ ~5xK4G]
    Jan 29 10:58:57.054: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.054: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.054: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.054: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.054: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.054: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.054: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.054: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.054: RADIUS: Received from id 1645/53 192.168.254.51:1645, Access-Challenge, len 95
    Jan 29 10:58:57.054: RADIUS:  authenticator D9 62 B7 27 8F 55 E9 88 - 41 01 D0 83 52 DF 36 29
    Jan 29 10:58:57.054: RADIUS:  State               [24]  30
    Jan 29 10:58:57.054: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.063: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.063: RADIUS:  EAP-Message         [79]  27
    Jan 29 10:58:57.063: RADIUS:   01 52 00 19 04 10 AA 6A A2 BC 63 1A C0 93 B8 58 67 F7 1A A5 FD 45 41 43 53         [ RjcXgEACS]
    Jan 29 10:58:57.063: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.063: RADIUS:   29 D2 66 87 4A 2F B3 9E B5 EC F9 4E 9F 62 82 5E           [ )fJ/Nb^]
    Jan 29 10:58:57.063: RADIUS(0000001D): Received from id 1645/53
    Jan 29 10:58:57.063: RADIUS/DECODE: EAP-Message fragments, 25, total 25 bytes
    Jan 29 10:58:57.079: AAA/AUTHEN/8021X (0000001D): Pick method list 'default'
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D):Orig. component type = DOT1X
    Jan 29 10:58:57.079: RADIUS(0000001D): Config NAS IP: 192.168.254.37
    Jan 29 10:58:57.079: RADIUS/ENCODE(0000001D): acct_session_id: 54
    Jan 29 10:58:57.079: RADIUS(0000001D): sending
    Jan 29 10:58:57.079: RADIUS(0000001D): Send Access-Request to 192.168.254.51:1645 id 1645/54, len 284
    Jan 29 10:58:57.079: RADIUS:  authenticator 91 F4 7C C1 4E 79 27 AB - 2F 36 20 A8 9C 3F A9 76
    Jan 29 10:58:57.079: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.088: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jan 29 10:58:57.088: RADIUS:  Framed-MTU          [12]  6   1500
    Jan 29 10:58:57.088: RADIUS:  Called-Station-Id   [30]  19  "30-37-A6-AB-8E-90"
    Jan 29 10:58:57.088: RADIUS:  Calling-Station-Id  [31]  19  "00-1D-45-2D-53-E0"
    Jan 29 10:58:57.088: RADIUS:  EAP-Message         [79]  48
    Jan 29 10:58:57.088: RADIUS:   02 52 00 2E 04 10 45 2F B1 FC 60 CF 09 08 7B C4 F9 56 74 AF 44 E9 43 50 2D 37 39 34 32  [R.E/`{VtDCP-7942]
    Jan 29 10:58:57.088: RADIUS:   47 2D 53 45 50 30 30 31 44 34 35 32 44 35 33 45  [G-SEP001D452D53E]
    Jan 29 10:58:57.088: RADIUS:   30                 [ 0]
    Jan 29 10:58:57.088: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.088: RADIUS:   45 42 58 9F 75 14 09 A1 FC DD CD 26 B4 88 42 CF            [ EBXu&B]
    Jan 29 10:58:57.088: RADIUS:  EAP-Key-Name        [102] 2   *
    Jan 29 10:58:57.088: RADIUS:  Vendor, Cisco       [26]  49
    Jan 29 10:58:57.088: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8FE2500000018002FB1D0"
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Jan 29 10:58:57.088: RADIUS:  NAS-Port            [5]   6   50116
    Jan 29 10:58:57.088: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/16"
    Jan 29 10:58:57.088: RADIUS:  State               [24]  30
    Jan 29 10:58:57.088: RADIUS:   32 35 53 65 73 73 69 6F 6E 49 44 3D 41 43 53 2F  [25SessionID=ACS/]
    Jan 29 10:58:57.088: RADIUS:   38 35 36 37 30 35 31 38 2F 33 33 3B      [ 85670518/33;]
    Jan 29 10:58:57.088: RADIUS:  NAS-IP-Address      [4]   6   192.168.254.37
    Jan 29 10:58:57.088: RADIUS(0000001D): Started 4 sec timeout
    Jan 29 10:58:57.222: RADIUS: Received from id 1645/54 192.168.254.51:1645, Access-Accept, len 126
    Jan 29 10:58:57.222: RADIUS:  authenticator 7B A5 E0 B2 D6 15 90 26 - 8F 8F 64 B0 E6 94 D8 C7
    Jan 29 10:58:57.222: RADIUS:  User-Name           [1]   26  "CP-7942G-SEP001D452D53E0"
    Jan 29 10:58:57.222: RADIUS:  Class               [25]  22
    Jan 29 10:58:57.222: RADIUS:   43 41 43 53 3A 41 43 53 2F 38 35 36 37 30 35 31  [CACS:ACS/8567051]
    Jan 29 10:58:57.222: RADIUS:   38 2F 33 33              [ 8/33]
    Jan 29 10:58:57.222: RADIUS:  EAP-Message         [79]  6
    Jan 29 10:58:57.222: RADIUS:   03 52 00 04                 [ R]
    Jan 29 10:58:57.222: RADIUS:  Message-Authenticato[80]  18
    Jan 29 10:58:57.222: RADIUS:   E8 2E 9B FD C2 A8 D7 5E 86 DD 3C 67 FF 37 75 02            [ .^
    Jan 29 10:58:57.222: RADIUS:  Vendor, Cisco       [26]  34
    Jan 29 10:58:57.222: RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    Jan 29 10:58:57.222: RADIUS(0000001D): Received from id 1645/54
    Jan 29 10:58:57.222: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    Jan 29 10:58:57.222: AAA/AUTHOR (0000001D): Method list id=0 not configured. Skip author
    Jan 29 10:58:57.222: %DOT1X-5-SUCCESS: Authentication successful for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID
    Jan 29 10:58:57.222: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0
    Jan 29 10:58:57.239: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
    Jan 29 10:58:58.262: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (001d.452d.53e0) on Interface Gi1/0/16 AuditSessionID C0A8FE2500000018002FB1D0

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My test controller software version is 7.0.250.0, and the test clients were an iPhone 5, an iPhone 6 and a MacBook Pro 13. All debug information showed a failure because of an invalid MIC. Is this a bug, or is there another reason?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
          Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
        pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
        pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    thanks in advance!

    Can anyone help me?
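
The debug output above repeats one pattern: the controller retransmits EAPOL-Key M1, the client answers with M2, and every M2 is rejected with an invalid MIC. The following is an added example, not part of the original post, that summarizes this pattern per client MAC. The function names and the second client (02:00:00:00:00:01) are assumptions made for illustration.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"; search() tolerates text before '*'.
LINE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>" + MAC + r") (?P<msg>.+)"
)
RETX_M1 = re.compile(r"Retransmit (\d+) of EAPOL-Key M1")

# First 11 lines are copied from the post above; the last two are constructed.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
*Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
*dot1xMsgTask: Apr 27 21:47:02.100: 02:00:00:00:00:01 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 02:00:00:00:00:01
*dot1xMsgTask: Apr 27 21:47:02.500: 02:00:00:00:00:01 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 02:00:00:00:00:01
"""


def summarize(text):
    """Count 4-way-handshake events per client MAC in a debug capture."""
    clients = defaultdict(lambda: {"m1_retransmits": 0, "m2_received": 0,
                                   "m2_invalid_mic": 0, "first": None, "last": None})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # continuation lines, hex dumps, separators
        msg = m.group("msg")
        c = clients[m.group("mac")]
        retx = RETX_M1.search(msg)
        if retx:
            # The log numbers the retransmits itself; keep the highest one seen.
            c["m1_retransmits"] = max(c["m1_retransmits"], int(retx.group(1)))
        elif "Received EAPOL-key in" in msg and "(message 2)" in msg:
            c["m2_received"] += 1
        elif "M2 with invalid MIC" in msg:
            c["m2_invalid_mic"] += 1
        else:
            continue  # a line this summary does not track
        c["first"] = c["first"] or m.group("ts")
        c["last"] = m.group("ts")
    return dict(clients)


def classify(c):
    """Turn the counters for one client into a short verdict."""
    # Every M2 failing the MIC check: the client answers, but the two sides
    # did not derive the same keys for the handshake.
    if c["m2_received"] and c["m2_invalid_mic"] >= c["m2_received"]:
        return "m2-mic-failure"
    # M1 keeps being retransmitted and no M2 is ever logged.
    if c["m1_retransmits"] and not c["m2_received"]:
        return "no-m2-reply"
    return "no-failure-seen"


if __name__ == "__main__":
    for mac, counters in summarize(SAMPLE).items():
        print(mac, classify(counters), counters)
```

Separating "client answers with a bad MIC" from "client never answers" narrows the search: the first points at key material (for example a stale cached PMK on one side), the second at the client not receiving or not processing M1.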

  • SCCM 2012 - 802.1x authentication for zero touch installation

    Hi guys,
    I'm setting up a demo environment for sccm 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need an 802.1x integration into the WinPE image, so that clients can access the install vlan instead of the guest vlan during the zero touch Windows 7 OS install process.
    What I did before:
     - mount the SCCM modified WinPE image (boot.XXX99999.wim)
     - integration of the KB972831 hotfix into the WinPE
     - creation of a lan profile and eap profile file
     - copy both files into the mounted image
     - creation of new wim file
    I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
      net start dot3svc
      => The Wired AutoConfig service was started successfully
      netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
      => The profile was added successfully on the interface Local Area connection
     netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
      => Error setting user data for interface Local Area Connection. The operation is not supported.
    Actually I can't post web links here. If the files are needed I can send them per mail.
    What can I do to solve this problem?
    Thanks!
    Regards
    Bastian

    Hi!
    Did you have a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
    I've followed those steps and it worked like a charm, even for WinPE 4.0.
    If you have questions let me know.
    Cheers.

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features like MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello, 
    We are trying to set up wifi single-sign-on. When logging on to a laptop we get a message "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users wifi network.
    Server: windows server 2003 (with all updates)
    laptop: windows 7 professional SP1 (with all updates)
    When looking in the event log I found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for your answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
    Here is the process that is followed.
    1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
    2. The client has to respond back with an identity and if it's configured only for User authentication then it will send a blank identity.
    3. The Authenticator cannot validate and the authentication would fail.
    4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests it will just ignore them.
    5. You will see event 15506 after the event 15514.
    Here’s the TechNet article that we can refer to for the reason code (Reason: 0x50001) that we see in the event 15514:
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code: 327681   Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
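
The answer above ties reason code 0x50001 to a user-only authentication mode attempting 802.1X before any user is logged on. The following is an added example, not part of the original thread, that reads event 5632 records and separates that expected pre-logon case from failures that need a closer look. The `<Events>` wrapper, the function names and the second event are assumptions; the first event uses the values from the post.

```python
import xml.etree.ElementTree as ET

# Name for 0x50001 as given in the answer above; other codes are left unnamed here.
REASONS = {0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER"}

# Constructed sample: event 1 carries the values from the post, event 2 is made up for contrast.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5632</EventID><Computer>sba01-nb</Computer></System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">
    </Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ErrorCode">0x525</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5632</EventID><Computer>lab-nb-02</Computer></System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">user1@example.test</Data>
    <Data Name="SubjectUserName">user1</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ReasonCode">0x50005</Data>
    <Data Name="ErrorCode">0x0</Data>
  </EventData>
</Event>
</Events>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text):
    """Return one flat dict per event 5632 found in the XML text."""
    records = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        rec = {"EventID": None, "Computer": None}
        for el in ev.iter():
            name = local(el.tag)
            if name == "EventID":
                rec["EventID"] = int(el.text)
            elif name == "Computer":
                rec["Computer"] = el.text
            elif name == "Data":
                # A blank Identity is exported as whitespace only, as in the post.
                rec[el.get("Name")] = (el.text or "").strip()
        if rec["EventID"] == 5632:
            records.append(rec)
    return records


def triage(rec):
    """Decode the hex fields and decide whether this is the pre-logon user-mode case."""
    reason = int(rec.get("ReasonCode", "0x0"), 16)
    no_session = int(rec.get("SubjectLogonId", "0x0"), 16) == 0
    blank_identity = rec.get("Identity", "") == ""
    prelogon = reason == 0x50001 and no_session and blank_identity
    return {
        "computer": rec["Computer"],
        "ssid": rec.get("SSID"),
        "reason_code": reason,
        "reason_name": REASONS.get(reason, "unnamed"),
        "error_code": int(rec.get("ErrorCode", "0x0"), 16),
        "verdict": "user-mode attempt with no user logged on" if prelogon
                   else "needs investigation",
    }


if __name__ == "__main__":
    for record in parse_events(SAMPLE):
        print(triage(record))
```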

  • 802.1X authentication process in Active Directory joined computer.

    Hi,
    I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
    1. When Windows start up,
    2. it will authenticate to the 802.1x network using computer account.
    3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
    4. once 3 is done, the AD credential will be used to auth to AD again to login.
    Why do we need 3 times of authentication? Why do we need step 3?
    Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
    Thank you!
    Ah_Chao|| MCSE,VCP,EMCSAe

    Hi,
    According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
    It depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).
    Detailed description you may reference:
    https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
    And more information about 802.1x, you may reference:
    Understanding 802.1X authentication for wireless networks
    https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
    Best Regards,
    Eve Wang

  • Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

    In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
    Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least network and chipset) on affected machines have also been updated.
    802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated against Active Directory by RADIUS.
    Analyzing the logs of our RADIUS-Server you can see that the client tries to authenticate via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
    We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing * enabled
    Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like the component is simply not up at that point in time, because there are absolutely no entries, making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to authenticate again – successfully and with entries in the given log.
    There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017 - install is not needed because no updates are applicable).
    Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
    Any other advice is highly appreciated as well!
    Thanks a lot

    Hi Deason,
    sorry for my very very late reply on this.
    Even if I could not solve the problem yet, I can tell about some progress.
    As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
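    $doAllTheTime = $true
    $i = 0
    $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    # Pick the wired adapter by name (any adapter whose name contains "gigabit")
    $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.Name -like "*gigabit*"}
    while ($doAllTheTime -eq $true)
    {
        $i++
        # Bounce the port so the client has to run 802.1X authentication again
        $NWAdapter.Disable() | Out-Null; Start-Sleep -Seconds 10
        $NWAdapter.Enable() | Out-Null; Start-Sleep -Seconds 10
        # No ping reply from the domain means authentication did not complete
        $ping = $null
        $ping = Test-Connection $DomainName -Count 1
        if ($ping -eq $null)
        {
            "Error with connection"; return
        }
    }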
    So I kept it running and after dozens of loops the issue reoccurred. I could see from the RASCHAP-log given above that it is the dot3svc-Service that does not respond anymore. Restarting the service manually triggered a re-authentication that was then successful.
    So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task have then been deployed to our clients.
    Even if this is no solution it definitely helps with a high rate of incidents - but not entirely... so I am still looking for further steps to solve this. Any ideas are highly appreciated.
    Thank you very much for your support!!! Uhle

  • 802.1x Authentication with Windows and MAC

    Hello Team;
    I have one SSID configured with 802.1x. The clients with Mac machines can directly join the network by just entering the AD username and password. For the Windows machines we need to do some configuration on the client machines to work with the SSID.
    Could you please clarify whether the Windows machines will just work like the Mac, or whether the preconfiguration is mandatory for Windows to work with 802.1x?

    Hello Sreejith,
    As per your query I can suggest the following steps.
    No, the preconfiguration is not mandatory to work windows with 802.1x. To enable 802.1x authentication on wireless follow these steps:
    1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
    2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
    3.Click the Security tab, and then, in the Security Type list, click 802.1X.
    4.In the Encryption Type list, click the encryption type you want to use.
    On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
    5.In the Choose a network authentication method list, click the method you want to use.
    To configure additional settings, click Settings.
    Hope this will help you.

  • 802.1x authentication fails

    Setup: two 5500 (v6.0.188.0, mix of 1131 and 1141 APs)
    Laptops running fine for a random number of weeks suddenly can't connect to the wireless network. The output from Client troubleshoot shows:
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Controller association request message received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received reassociation request from client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  The wlan to which client is connecting requires 802 1x authentication.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Client moved to associated state successfully.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAP Response from the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAPOL start message from client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received EAP Response from the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  EAP response from client to AP received.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Radius packet received. Access-Challenge received from RADIUS server 10.1.1.81, receiveId = 10
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Received Access-Challenge from the RADIUS server for the client.
    05/07/2010 07:03:14 CEST  INFO   10.1.1.101  Sending EAP request to client from radius server.
    05/07/2010 07:03:44 CEST  ERROR  10.1.1.101  Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:14 CEST  ERROR  10.1.1.101  Retransmitting EAP-ID request to client,retransmission timer expired.
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  Authentication failed for client as EAP ID request from AP reached maxmium retransmissions.
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  De-authentication sent to client. slot 0 (claller 1x_ptsm.c:467)
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101
    05/07/2010 07:04:44 CEST  ERROR  10.1.1.101  EAPOL-key is invalid, scheduling client for deletion.

    We are using PEAP-MS-CHAP v2. The IAS certificate is valid to 2014. We have about 300 laptops, but now and then some of them fail to authenticate. Yesterday I noticed that if I had one of the failing computers connected with wire, after some minutes it suddenly authenticated wireless!
