Trouble with 802.1x authentication

Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
I get the following error:
"802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
(Error: 1 on port en0)"
My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
What could be the problem?
cheers!

hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

Similar Messages

  • CCKM with 802.1x authentication

    Hi,
    Can we use CCKM authentication with 802.1x layer 2 authentication method. I read it one cisco article that we can't use CCKM with 802.1x authentication.  Please find the url below, its says that is you choose layer 2 authentication method is 802.1x, then we can't use cckm. Kindly suggest
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82135-wlc-authenticate.html
    Regards,
    Jubair.S

    Yes, You can. 
    Refer this document which clearly state it
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001110.html#ID963
    802.1X+CCKM—During normal operation, 802.1X-enabled clients mutually authenticate with a new access point by performing a complete 802.1X authentication, including communication with the main RADIUS server. However, when you configure your WLAN for 802.1X and CCKM fast secure roaming, CCKM-enabled clients securely roam from one access point to another without the need to reauthenticate to the RADIUS server. 802.1X+CCKM is considered optional CCKM because both CCKM and non-CCKM clients are supported when this option is selected.
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • WPA with 802.1x authentication

    Hi experts,
    I need clarification in a fundamental concept.
    Is it possible to configure WPA with 802.1x authentication without external AAA / ACS server.
    If the username and password is configured in local device, is it possible to create 802.1x authentication without RADIUS server
    Thanks in advance
    regards,RB

    You can't do 802.1x without RADIUS. But you can use Local EAP on an Autonomous AP or on a LAP Controller. They can both act as RADIUS servers. Here's an example config for an autonomous AP:
    aaa group server radius rad_eap
    server 192.168.0.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    dot11 ssid ccie
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    radius-server local
    nas 192.168.0.1 key cisco
    user test password test
    radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key cisco
    LAP Controller local EAP is configurable through GUI

  • FT akm with 802.1x authentication failed at eapol key 2(invalid MIC)

    My testing controller s/w version is 7.0.250.0, and testing clients were iphone5, iphone6 and macbook pro13, all debug inform showed failed because of invalid MIC, is this a bug or other reason ?
    WLAN configuration:
    (Cisco Controller) >show wlan 100
    WLAN Identifier.................................. 100
    Profile Name..................................... test-qh
    Network Name (SSID).............................. test-qh
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 10
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    --More-- or (q)uit
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Global Servers
    --More-- or (q)uit
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Enabled (Profile 'test')
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Disabled
             CCKM.................................... Disabled
             FT(802.11r)............................. Enabled
             FT-PSK(802.11r)......................... Disabled
    FT Reassociation Timeout......................... 20
    FT Over-The-Air mode............................. Enabled
    FT Over-The-Ds mode.............................. Disabled
    CCKM tsf Tolerance............................... 1000
       CKIP ......................................... Disabled
    --More-- or (q)uit
       IP Security................................... Disabled
       IP Security Passthru.......................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
     Mobility Anchor List
     WLAN ID     IP Address            Status
    debug info:
    Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:09.971: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b apfMsAssoStateInc
    *apfMsConnTask_0: Apr 27 21:46:09.971: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:09.971: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:09.971: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:09.973: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:09.974: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.037: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.117: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.133: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.135: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.139: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.140: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.200: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.201: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.309: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.312: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.313: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.314: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.321: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.322: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.325: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.326: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.329: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.331: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.332: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1772
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333:      [0000] 80 a9 e3 16 d9 c8 28 9a 37 11 bd 56 ca 01 d5 ce
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.333: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.336: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.337: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.560: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.562: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.565: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:10.566: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:10.960: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.048: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.360: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:11.760: 68:96:7b:cd:89:1b Retransmit 4 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:11.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:12.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:12.161: 68:96:7b:cd:89:1b Retransmit failure for EAPOL-Key M1 to mobile 68:96:7b:cd:89:1b, retransmit count 5, mscb deauth count 0
    *dot1xMsgTask: Apr 27 21:46:12.162: 68:96:7b:cd:89:1b Removing PMK cache entry for station 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.185: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.185: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.185: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.187: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.188: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.191: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.271: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *apfMsConnTask_0: Apr 27 21:46:12.563: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:12.563: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:12.563: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:12.563: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:12.565: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.566: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.571: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.572: 68:96:7b:cd:89:1b Processing Access-Reject for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Removing PMK cache due to EAP-Failure for mobile 68:96:7b:cd:89:1b (EAP Id -1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Sending EAP-Failure to mobile 68:96:7b:cd:89:1b (EAP Id -1)
    (Cisco Controller) >*Dot1x_NW_MsgTask_0: Apr 27 21:46:12.573: 68:96:7b:cd:89:1b Setting quiet timer for 5 seconds for mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:17.560: 68:96:7b:cd:89:1b 802.1x 'quiteWhile' Timer expired for station 68:96:7b:cd:89:1b and for message = M0
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b quiet timer completed for mobile 68:96:7b:cd:89:1b
    *dot1xMsgTask: Apr 27 21:46:17.561: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    (Cisco Controller) >*apfMsConnTask_0: Apr 27 21:46:19.793: Processing assoc-req station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Marking this mobile as TGr capable.
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Processing RSN IE type 48, length 20 for mobile 68:96:7b:cd:89:1b
    *apfMsConnTask_0: Apr 27 21:46:19.793: Sending assoc-resp station:68:96:7b:cd:89:1b AP:00:27:0d:2e:d0:50-01 thread:333140024
    *apfMsConnTask_0: Apr 27 21:46:19.793: Adding MDIE, ID is:0x4e57
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT Mobility Domain IE (length 5) in Initial assoc Resp to mobile
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R0KH-ID as:192.168.20.244
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Sending R1KH-ID as 00:24:14:7e:74:c0
    *apfMsConnTask_0: Apr 27 21:46:19.793: 68:96:7b:cd:89:1b Including FT IE (length 98) in Initial Assoc Resp to mobile
    *spamReceiveTask: Apr 27 21:46:19.796: 68:96:7b:cd:89:1b Sent 1x initiate message to multi thread task for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.798: 68:96:7b:cd:89:1b Sending EAP-Request/Identity to mobile 68:96:7b:cd:89:1b (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.825: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.826: 68:96:7b:cd:89:1b Received Identity Response (count=1) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.905: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.918: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 2, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.920: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.923: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 3, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.924: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    d*Dot1x_NW_MsgTask_0: Apr 27 21:46:19.925: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:19.964: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 4, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    e*Dot1x_NW_MsgTask_0: Apr 27 21:46:20.073: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.076: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 5, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.077: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.083: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 6, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.084: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.087: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 7, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Processing Access-Challenge for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.088: 68:96:7b:cd:89:1b Sending EAP Request from AAA to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAPOL EAPPKT from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.090: 68:96:7b:cd:89:1b Received EAP Response from mobile 68:96:7b:cd:89:1b (EAP Id 8, EAP Type 25)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Processing Access-Accept for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Station 68:96:7b:cd:89:1b setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Creating a PKC PMKID Cache entry for station 68:96:7b:cd:89:1b (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.091: 68:96:7b:cd:89:1b Adding BSSID 00:27:0d:2e:d0:5e to PMKID cache for station 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Created PMK Cache Entry for TGr AKM:802.1x 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b   R0KH-ID:192.168.20.244   R1KH-ID:00:24:14:7e:74:c0  MSK Len:48
                                                                                                                                  pmkValidTime:1813
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.092: 68:96:7b:cd:89:1b Sending EAP-Success to mobile 68:96:7b:cd:89:1b (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: Including PMKID in M1  (16)
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093:      [0000] 16 3d 85 48 73 81 21 c9 dc 14 19 2e 40 65 7c 74
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Starting key exchange to mobile 68:96:7b:cd:89:1b, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Sending EAPOL-Key Message to mobile 68:96:7b:cd:89:1b
                                                                                                                        state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.093: 68:96:7b:cd:89:1b Received Auth Success while in Authenticating state for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.096: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:20.360: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.361: 68:96:7b:cd:89:1b Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.364: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    bug *osapiBsnTimer: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:20.760: 68:96:7b:cd:89:1b Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.763: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:20.764: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    *osapiBsnTimer: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b 802.1x 'timeoutEvt' Timer expired for station 68:96:7b:cd:89:1b and for message = M2
    *dot1xMsgTask: Apr 27 21:46:21.160: 68:96:7b:cd:89:1b Retransmit 3 of EAPOL-Key M1 (length 121) for mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-Key from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key in PTK_START state (message 2) from mobile 68:96:7b:cd:89:1b
    *Dot1x_NW_MsgTask_0: Apr 27 21:46:21.164: 68:96:7b:cd:89:1b Received EAPOL-key M2 with invalid MIC from mobile 68:96:7b:cd:89:1b
    =============================
    qh
    thanks in advance!

    Can anyone help me?

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
    I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
    but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that radius is not sending anything about vlan...
    Has anyone alredy tried this set up?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
    You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,

  • Trouble with 802.1x profile

    Hi there,
    I work at a University, and after a recent network change all of our campus wifi networks require 802.1x authentication. This works fine for all but a couple of labs which use laptops, and thus require an 802.1x profile be built for the loginwindow so students can use their AD accounts to log in.
    I should probably also mention that the accounts are mobile accounts, and are removed after logoff (via a LogoutHook). We're running OS X 10.8.5 through 10.10.2.
    So far, I've built n-thousand variations of the 802.1x profile in ProfileManager, but am still completely unable to get this working.
    I'll start off with a rough overview our security settings, and what I've done so far:
    WPA2 Enterprise, PEAP with MSCHAPv2
    When logged in to a machine, trusting the following certificates and saving the user-supplied credentials will successfully allow a user to reconnect unprompted for credentials, but the (seemingly) same settings in the 802.1x profile don't work (or I'm configuring it incorrectly).
    Symantec Class 3 Secure Server CA - G4
    VeriSign Class 3 Public Primary Certification Authority - G5
    Also, the leaf / radius server certificate becomes trusted, but does not have to be explicitly downloaded (as far as I know- but I have tried supplying it as well).
    In the 802.1x profile, I've tried just about every permutation of settings I can think of, but I'll outline my general process (in case I'm missing something).
    I add the certificate payload with the 2 certificates listed above (I've also tried it with the leaf certificate).
    In the network payload, I
    1) enter the SSID
    2) set to AutoJoin
    3) set WPA2 Enterprise security
    4) check "Use as LoginWindow configuration"
    5) check PEAP under protocols
    6) add a 'filler' name to OuterIdentity (everything I read said it doesn't matter what's entered)
    In the Trust tab:
    7) check the 2 certificates added in the cert payload
    8) enter the FQDN of the RADIUS server (xxx-radius.xx.xxxxx.edu) in the Trusted Server Certificate Names (this is the same as the cert for the server found in Keychain Access)
    I've figuratively tried millions of variants (e.g. add the leaf cert to the cert payload / trust settings | add no cert payload, just radius server fqdn under TSCN section | etc.)
    Any tips on what I'm doing wrong?
    Thank you,
    Eric

    hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

  • Enable Session Timeout with 802.1X authentication help

    I have a scenario where there are 3 controllers with flex connect enabled.  I am broadcasting an 802.1x WLAN through all 3 controllers, "WLAN A". WLAN A on Controller 1 and Controller 2 have "enable session timeout" checked and set for 1800s.  Controller 3 does not have this feature enabled.  In my deployment, I am connecting tablet PC's to the wireless network.  All the tablets between the sites using Controllers 1, 2 and 3 were functioning fine while connecting to the 802.1x, but just recently, the tablets conneting to AP's on Controller 3 are not able to connect anymore. Is this an issue with the tablets not renewing authentication encryption? Not really sure why the tablets originally connecting to WLAN A are no longer doing so. Other WLAN's are functioning fine and the tablets are able to connect to the PSK WLAN's. Thanks
    Best Regards,
    Sean

    it's hard to tell from the description, you'll need to do some troubleshooting to find out.
    Does this only happen when a user roams to Controller 3?
          You'll want to debug the client, and the mobility handoff
    Does this happen on a new connection on Controller 3?
       debug the client and the aaa process.
    I'd also take a look at the logs on your AAA server and see if it is showing an error when Controller 3 tries to auth a user.
    Steve

  • NAC Framework with 802.1x authentication

    I am having trouble getting support and information on NAC framework. According to the cisco web NAC framework is in Phase 2 and is useable. According to Cisco representitives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work Layer 2, 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC framework? Thanks.

    My friend, i have a customer with whis configuration and worki fine.
    symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
    work fine wiht w2k and xp
    cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
    csa i don?t have experience.
    take care, it is hard to configure, if you need something more ask me to.
    Leo.

  • Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

    In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
    Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least
    network and chipset) on affected machines have also been updated.
    802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated
    against Active Directory by RADIUS.
    Analyzing the logs of our RADIUS-Server you can see that the client trys to authenticate
    via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
    We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing
    * enabled
    Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like that the
    component is simply not up at that point in time, because there are absolutely no entries making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to
    authenticate again – successfully and with entries in the given log.
    There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017
    - install is not needed because no updates are applicable).
    Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
    Any other advice is highly appreciated as well!
    Thanks a lot

    Hi Deason,
    sorry for my very very late reply on this.
    Even if I could not solve the problem yet, I can tell about some progress.
    As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I
    have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
    $doAllTheTime = $true
    $i = 0
    $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
    $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
    while ($doAllTheTime -eq $true)
    $i++
    $NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
    $NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
    $ping = $null
    $ping = test-connection $DomainName -count 1
    if ($ping -eq $null)
    "Error with connection"; return
    So I kept it running and after a dozens of loops the issue reoccurred. I could see that it is the dot3svc-Service that does not response anymore by the RASCHAP-log given above. Restarting the service manually triggered a re-authentication that was then successful.
    So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task
    have then been deployed to our clients.
    Even if this is no solution it definitely helps with a high rate of incidents -
    but not entirely... so I am still looking for further steps to
    solve this. Any ideas are highly appreciated.
    Thank you very much for your support!!! Uhle

  • 802.1x authentication on Macbooks running Lion..

    Hi Guys,
    I was wondering if anyone has experienced problems with 802.1x authentication on their Cisco Wifi network using Macbook Pro/Airs running Lion.
    We have..
    2x Controllers with WiSMs running 7.0.116.0
    A mixture of 1131 and 1142 APs..  ( APs mainly in HREAP mode with some APs located on the same local network as the Controller in Local Mode )
    Macbook Airs/ Pro running Lion
    The symptoms we are experiencing are very similar to those described in this thread.. https://supportforums.cisco.com/message/3485552
    In summary, we are finding that when our MacBooks are coming out of sleep/standby or roaming between APs, the devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.
    This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac
    From reading various online forums, we have tried the following to resolve this..
    - Disabled WPA across our wifi network as we don't use it anymore.. We now just use WPA2 with AES and Dot1x authentication.
    - Disabled Client Load Balancing on the SSID configuration… this does not seem to have made things any better or worse although we are seeing more Load Profile threshold notification alerts for some of our APs which are used heavily.
    - The 802.1x time out is currently set at 20secs.
    - Some APs which are in Local mode ( due to them being on the same local network as our wifi controllers ) have been changed to HREAP mode and assigned a static IP address.. We found that this was required at our spoke sites where we were originally experiencing issues with our old Windows based devices.. Incidentally, we have not experienced any of these delayed authentication issues with our Window laptops, all our problems seem to be with our MacBooks running Lion..
    As I mentioned earlier, there seems to be many discussions online regarding problems with the Lion OS and 802.1x authentication..
    Has anyone experienced these problems in the past on there Cisco Aps and successfully managed to resolve it.. ?
    Any ideas would be appreciated..
    Many thanks.
    Jon.

    Ran across this old post while researching this same issue. For us, the problem appears to be with the Mac's trying to request an IPv6 address if set to Automatically or Link-local only for Configure IPv6 under the TCP/IP tab. When we changed this to Manually and set a manual link local address, the problem went away and could reconnect after roaming between APs or coming out of sleep/standby.
    Enjoy,
    Wayne 
    UPDATE 1: This 'fix' did not solve the issue. After a day, we're still seeing the problem. 
    UPDATE 2: Found the solution to my problem. It was the cert chain of trust and CRL lookup. The link below describes the problem, but basically the Mac's were unable to check the certs and causing a time out. No network = no CRL lookup = no network......
    http://support.apple.com/kb/TS5258?viewlocale=en_US&locale=en_US

  • 802.1x authentication manager ..!

    Dear Team ,
    I have miss understanding on dot1x authentication manager so, if someone can help me to understand those scenarios :-
    •1- If I have port configured to authenticate through dot1x first and failover to MAB if dot1x is not successfully. I have phone & PC behind it connected to port so, logically first dot1x should start to send EAPOL request and wait for 90 second if the phone doesn’t response to this request the port will wait some time and failover to MAB. Is it possible to get response first from the PC or its mandatory to get response first from the phone? I mean does the port block all data traffic first until the Voice traffic authenticated ? if yes so, if the phone does not authenticated at all whats happened to Data traffic ? suppose the phone send his mac-address to the port and start to run over MAB authentication process if it successful the port will change to authorization state. if it is not. the MAB authentication failed does the authentication manager process start from the beginning to run 802.1x process again.? Or will assign the Voice traffic on restricted vlan ?
    •2- If I have vice versa scenario by run MAB authentication process first and failover to 802.1x process if the authentication fails. So, the phone authenticated successfully first. does the port send MAB request to the PC which is behind the Phone or directly send EAPOL to the PC ?? if the PC doesn’t authenticated or the time was expired before sending the identity does the port start the authentication process from the beginning by sending MAB request to the PC or it should stuck with 802.1x authentication process ?. does the port assign the data traffic on restricted, gust vlan ? if I didn’t configured any gust or restricted vlan so, what will happen?
    •3- On both way if the port receive EAP response back does it stuck on 802.1x authentication for the Data traffic when the PC response back and never failover to MAB?

    hi gents, one more thing,
    - if I enable dot1x on the port without configure guest & restriction vlan so, what will happend when the authentication faild.?
    the port should be assigned to unauthorized state but to which vlan should be assigned ?
    - if I enable reauthentication feature without faild-authentication vlan. what will happend when the reuthentication timout finish and the authentication process start again with faild authentication from the client. the port should shift to unauthorized state but which vlan should be assigned ? and does the popup authentication appear again on the client machine or the authenticator will used the same cached authenticated credintial since the port doesn't recevie any EAP logoff or link down? does the reauthentication feature work with MAB or just only with dot1x authentication protocols ?
    - whats the diff between authentication order & authentication priority ?
    thanks

  • 802.1x authentication for win XP2 client

    HI,
    I am using Aironet 1200 AP, ACS 3.3 with 802.1x authentication, when I am enabling win XP utility insted of Cisco ACU it's wait for certificate credentials.
    I installed CA authority in windows 2000 server. But i am unable to accessing wireless network with 802.1x authentications
    Please help on this required configuration of CA role in server side and Client side.

    Hi,
    You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
    They should be able to provide you with a file for the CA and instructions.
    cheers

  • I hope this might interest someone. The situation; 3 floors,I am having trouble with an an Airport Extreme, 802.11n on the top floor and a Mac Pro 3.1 on the bottom floor. Not always but often it has trouble seeing the Airport and making a connection. I h

    I'm not sure how to post a message. I hope this might interest someone. The situation; 3 floors,I am having trouble with an an Airport Extreme, 802.11n on the top floor and a Mac Pro 3.1 on the bottom floor. Not always but often it has trouble seeing the Airport and making a connection. I have an older Airport Express, would it help to install it? would it work best if it was installed in the same room? should it be installed half way in between? Get another Extreme? The Mac Book Pro on the middle floor can see 11 networks in the neighbourhood if that might be causing a problem or would if I installed the Express. Thank for your consideration.   

    Thanks for your time ... I appologize for the font and colour, I compossed the question in pages and failed to notice the font colour as grey ... there are a variety of computers of various ages so I think it is using a setting that allows both 5G and 2.4 ... the connection to the Airport is thru a cable modem and cable does run throuhout the house ... maybe those hard wires would be a place to look at ... do you think that putting the 'Express' on the second floor might help ... thanks again ...

  • Having trouble with web authentication in 5504

    Hi everybody,
    We´re experiencing a trouble with our Wireles LAN solution. We have a WLC 5504, a ACS 4.2 and APs 1131AG.
    After deploying the solution and doing some tests we noticed when a user attempted to connect by wireless network there was too much delay since they clicked ie (internet explorer) until web authentication into WLC was shown. the delay was around 3 minutes. This issue also ocurrs despite of doing a test from my laptop that was next to one access point, then, I moved to another access point and the result was the same, a laptop problem is ruled out.
    Has anybody ever had this kind of trouble? , How could I reduce this time?, is it possible?, Which part of configuration shoud I check?
    Regards,
    Manuel

    Friends,
    I´ve made a mistake. Our WLC is a 4404.  
    Regards,
    Manuel

  • Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication

    Hello All,
    We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
    Some info about our environment:
    Single Windows 2008 R2 domain with 6 DCs
    MS Radius server
    Aruba wireless controllers
    The Problem:
    The client computer boots,
    Auths as machine (802.1X successful)
    User enters creds
    User auth (802.1X successful)
    To this point, everything is working normally. Next is where it gets weird.
    During the logon process, there is another machine auth
    2-5 minutes later another User auth
    OS is up and usable (connected to wireless network); however, no homefolder is mapped and GPP didn’t apply properly.
    From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
    Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
    Thanks in advance for any help you can offer!
    Brett
    -- Brett

    I did a network trace to gain more insight. I don’t understand why after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
    Can you offer any insight?
    10487    3:50:19 PM 8/23/2012    63.0340126                                                         
    ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting   {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    10867    3:50:19 PM 8/23/2012    63.3403904                                                         
    ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms               
    {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    Then >>>
    11718    3:50:35 PM 8/23/2012    79.3196653                                                         
    ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort     {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11938    3:50:36 PM 8/23/2012    80.0530315                                                         
    ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz)         
    {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11959    3:50:36 PM 8/23/2012    80.0556734                                                         
    ONEX_MicrosoftWindowsOneX                ONEX_MicrosoftWindowsOneX:OneXStartAuthentication           {ONEX_MicrosoftWindowsOneX:126,
    NetEvent:5}
    11964 3:50:36 PM 8/23/2012
    80.0557074 svchost.exe (1036)
    ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
    11965 3:50:36 PM 8/23/2012
    80.0557333 svchost.exe (1036)
    ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
    -- Brett

Maybe you are looking for

  • Translation for SAP Query

    Hi, Is it posible to change the texts for coulmn in the report (ALV Grid) created though SAP Query (SQVI)? Ex: if the Column has Number -> it should be changed to Nummer. This will be done based on some conditions. Thanks, Prashanth

  • Triggering the process chain

    Hi all, I just installed a couple of process chains(content). And i can see them in Process chain maintenance too .. What are the steps that need to be followed to trigger the process chains .. and how do i know, the process chians are in process or

  • Layout Access problem

    Hi, When i started my work in webdynpro using remote access to the customer system , i got an error like website cannot found, after some discussion they opened some port and i am able to access the layout . But suddenly the problem reoccured , I hav

  • Automatic UD in background

    Hii experts!!! In my scenario there is 80% raw material is skipped from Quality inspection after GR. I have been told that if a material is not manualy decided for UD, it will automaticaly accepted. Now my problem is if I check for a particular user'

  • Review FIFO layers for an Item

    In 2007, you can see the open fifo layers and their item costs in the stock revaluation screen. However is it possible to review the previous fifo layers and their item costs for an item.