WAP4410N WPA2-Enterprise - reconnect failed

We have a WAP4410N wireless ap configured for WPA2-Enterprise. Initially everything works. Issue the user the proper certificate and they sign on correctly but once they disconnect and try to reconnect later it get stuck on "Validating Identity". The request never get to RADIUS server (no success/failure log entry, no radius traffic). Once I reboot the access point everyone can connect again but as soon as they disconnect the problem happen again.
We testing other security settings (WPA-ENT, RADIUS(!), WPA2-Personal etc) and no problems. With older firmware have the same issue.
Operating system: XP SP3, RADIUS server: IAS. Firmware: 2.0.1.0
Anyone have any ideas?
thx
rokai

I tried everything without result. Nobody have same problem? The hardware version is WAP4410N-E V01. Is it possible, that v02 units resolve this issue?
Thanks in advance.

Similar Messages

  • WAP4410N WPA2 Enterprise Mixed authentication problem against Cisco ACS 4.2

    We have 3 x WAP4410N at new office setup in Singapore.
    Customer asked us to setup those 3 AP to make client auth against an ACS 4.2 sitting in US office.
    All the user notebooks were joined to Windows domain in US office, before sent out to Singapore office.
    We configured APs with WPA2 Enterprise Mixed mode and entered radius server address and secrects correctly.
    Logging from ACS shows that users are authenticated successfully but, on the user notebooks, authentication never seems successful and keeps authenticating.
    We have tried with other option (RADIUS) but, problem persists.
    Please help.

    Hi Robert,
    Firmware version is 2.0.4.2.
    We have tested with WPA-personal, WPA2-personal and all worked.
    For enterprise, we have tested using WPA-ent, WPA2-ent, WPA2-ent-mixed and RADIUS.
    All did not work.
    Client keeps flapping between auth and validation.
    ACS logs showed that auth OK.
    Syslog from AP showed that client was assiciated but it happened repeatedly.
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:30.736   
    <134>Oct 28 16:13:31 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:32.689   
    Below is the diagram for your kind ref.
          US Office          Site-to-Site VPN    SG Office 
    ACS --- ASA ------------ Internet ------------ ASA5505 ------ 2960 PoE SW ----- 3 x WAP4410N
                                                                                                       \ \___ DNS/DHCP Server
                                                                                                        \____ Wired Clients
    Note: SG office ASA is 5505 and outside interface is on Vlan 2, inside interface is on Vlan 1. 2960 switch is configured with all ports in Vlan 2. Vlan feature on WAP4410N is disabled. Layer3 communication among US office ACS, SG office ASA5505, DHCP server and WAP4410N is fine. All wired clients in SG office get IP from DHCP server. I feel this is a bit odd and you may need to know.
    Do feel free to let me know, should you need further input from me. Thanks!

  • Can the WAP4410N be setup with WPA2-Enterprise and also be repeater by another WAP4410N?

    I have AP1 setup with WPA2-Enterprise. How would I setup AP2 (WAP4410N) to be a repeater for AP1?

    Hi Alec,
    Thanks for participating in the Small Business Support Community. I've posed your question to our engineers and the short answer is "no".
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;}
    WAP4410N can only repeat or bridge other supported Small Business APs/Routers.
    Thanks again for your participation and, although probably not the answer you wanted, I hope this helps.
    Stephanie Reaves
    Cisco Small Business

  • WAP4410N width Security-Mode WPA2-Enterprise and WDS-Repeater

    Hi,
    i have two WAP4410N with same Firmware 2.0.7.4. One Configured as AccessPoint with "Allow wireless signal to be repeated by a repeater." and correct MAC of the repeater.
    The Repeater has same settings (WPA2-Enterprise, both WAP4410N in B/G/N-Mode) configured as "Wireless WDS-Repeater" width correct MAC of first AP.
    Problem is, that the Repeater does not repeat anything, nothing in the logfile. Are my settings correct or should i use "Wireless Client/Repeater" in my case. Does WAP4410N support Repeating in WPA2-Enterprise?
    Thanks for your assistance

    A dumb question first of all - when you entered the mac address to repeat, did you use the wireless rather than the wired mac address?
    I also found that enabling http (wireless) access to the wap4410n repeater and then disconnecting the wired connection to the wap4410n ap helped set things up better.
    If you search these forums I uploaded beta firmware that works much better than the one you're using. Alternatively you could use wap encryption, it seems that using wpa2-personnel is what messes up the firmware you're using.

  • IPhone (and Mac) 802.1x WPA2-Enterprise fail

    Large enterprise with lots of access points (Cisco AIR-AP-1131) using RADIUS authentication going back to Windows (2k3) servers running IAS. WPA2-Enterprise.
    Windows devices are able to authenticate fine. Our servers do present an authentication certificate. No certs are required on clients.
    When Macs and iPhones try to connect, they are able to successfully authenticate (username/password successfully passed to RADIUS and is accepted), and the client device then asks if we want to accept the server certificate. We do, but we never get an IP address from DHCP.
    If we configure a static IP on the client device, it associates but is unable to communicate with anything.
    This seems to only happen with Apple devices.
    Any ideas? We've tried this with multiple Apple devices running multiple versions of iOS and MacOS.

    Fixed. Our Cisco APs were configured with WPA2 but were using TKIP encryption only. Enabled AES, and blammo - works.

  • Connecting to WPA/WPA2-Enterprised network

    hi all,
    i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
    "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
    Name: wpa.mcgill.ca *
    SSID: wpa.mcgill.ca *
    Security Type: PEAP
    User Name: McGill Username
    User password: McGill Password
    CA Certificate: Thawte Premium Server CA
    Inner Link Security: EAP-MS-CHAP V2
    Token: None Selected
    Server subject: blank
    Server San: blank                                                                         "
    Help plz
    Solved!
    Go to Solution.

    idecline wrote:
    hi all,
    i just came to mcgill and was trying to connect to the school network. But it kept saying something like 'authorization failed'. School website has only instructions for BlackBerrys:
    "Select wpa.mcgill.ca * (WPA/WPA2-Enterprise). Fill in the following fields:
    Name: wpa.mcgill.ca *
    SSID: wpa.mcgill.ca *
    Security Type: PEAP
    User Name: McGill Username
    User password: McGill Password
    CA Certificate: Thawte Premium Server CA
    Inner Link Security: EAP-MS-CHAP V2
    Token: None Selected
    Server subject: blank
    Server San: blank                                                                         "
    Help plz
    Try configuring your N97 with these instructions:
    Since your WLAN network seems to require more advanced PEAP authentication settings you should probably create / edit appriate WLAN connection profile, known as (Internet) Access Point, manually in a following manner:
    1. Go to Tools -> Settings -> Connection -> Network Destinations
    2. Check if your earlier failed attempt to connect has already created an non-funtional IAP named as your WLAN network SSID (look for a entry named wpa.mcgill.ca) under "Internet" destination.
    3. If you can see existing IAP named as your WLAN SSID then you can Edit that one with necessary changes. (skip to 7.)
    4. If you don't see any existing IAPs that are named like your WLAN network then go to the desired "Destination" (e.g. Internet) and select Options -> Add Connection Method.
    5. Assuming you are in the coverage area of your WLAN network you can let phone "Automatically check for connection methods" (i.e. phone scans available WLAN networks) and you should be able to select the correct WLAN network name (wpa.mcgill.ca) from the list. Once you have selected the WLAN network your "Internet" Destination should now have been added with a new Access Point (IAP) that is named "wpa.mcgill.ca". Note that at this point the particular connection method is still incorrectly configured for your purposes (since by defaul it has EAP-SIM & EAP-AKA authentication methods enabled).
    6. Now you should manually Edit your newly created wpa.mcgill.ca Internet Access Point with necessary PEAP settings.
    7. Configure following WLAN and authentication settings:
      "Connection name" defaults to name of your WLAN network (wpa.mcgill.ca) but you can also change this if you wish
    - "Data Bearer" naturally needs to be "Wireless LAN"
    - "WLAN network name" should match your WLAN network's name (SSID) exactly (wpa.mcgill.ca)
    - "Network status": Public
    - "WLAN network mode": Infrastructure
    - "WLAN Security mode": WPA/WPA2
     => Go to "WLAN security settings"
    - Ensure that "WPA/WPA2 mode is set to "EAP"
    - Leave "WPA-2 Only mode" to "OFF" unless you are absolutely sure that your WLAN network is configured to stricly pure WPA2 mode (i.e. network might be configured to support both WPA and WPA2 security thus enabling WPA-2 Only mode on the phone will cause all your connection attempts to fail).
     => Go to "EAP plug-in configuration"
    - Enable "EAP-PEAP" and make sure that "EAP-SIM" and "EAP-AKA" are disabled (via Options -> Disable)
     => Select "Configure" for EAP-PEAP authentication method
     - Leave "Personal Certificate" to "Not defined"
    - Select "Thawte Premium Server CA" to be used as an "Authority certificate"
    - Set "User name in use" to "User defined" (since there is no Personal Certificate where it could be read automatically)
    - Enter your username (McGill Username) to "Username" field
    - Set "Realm in use" to "User defined" and leave following "Realm" field empty.
    - Note that in case your username (McGill Username) contains the realm (i.e. format is username@realm ) then you can enter realm part of your ID to "Realm" field and enter only the username part to the "Username" field.
    - Configure "Allow PEAPv0" to Yes
    - Configure both "Allow PEAPv1" and "Allow PEAPv2" to "No"
    => Go to "EAP's" tab to configure inner authentication method for the PEAP (use the small arrow pointing right on top of the screen to move between tabs)
    - Enable "EAP-MSCHAPv2" authentication method and Disable all other methods (Option -> Enable / Disable)
    - Select "Edit" for the EAP-MSCHAPv2
    - Enter you username (McGill Username) to "User name" field
    - Configure "Prompt password" to No or Yes depending on whether you want your password to be prompted everytime you make an connection or if you prefer saving your password to following "Password" field permanenly so that it won't be prompted during everytime you connect to this WLAN network with PEAP/EAP-MSCHAPv2 authentication.
    - If you you selected "No" to password prompting then enter your password (McGill Password) to "Password" field.
    => Exit the configuration with "Back" (several times) and you should hopefully be able to connect with this setup.
    If needed you can also change the priority order of the connection methods (IAP's) within the Internet Destination since your new connection most likely ended up being lowest priority WLAN connection within your Internet destination. This should however not be a problem unless you have some other WLAN networks defined as an IAP and these other WLAN networks are simultaneously available at the location of the wpa.mcgill.ca WLAN network.
    Hope this helps you to get connected!!
    Message Edited by saataja on 17-Sep-2009 05:16 PM

  • Support for WPA-Enterprise, WPA2-Enterprise wifi s...

    hi all
    I try to connect my phone to corporate wifi but failed because the phones hangs. my company uses WPA2-Enterprise wifi. my phone clearly works with WPA2-Personal wifi security at home. will these profiles of security be supported in future update?

    Although this is the right section for this question, let us continue with your original post …

  • WiFi WPA2 enterprise

    I’m encountering problem setting up a wifi wpa2 Enterprise on my Iphone 4s. I set it up using Iphone configuration utility and settings are correct. The problem is that the connection don’t works. I’m sure setting are correct because I set it up the same wifi also on the Airbook with Lion and parameter and certificates used for authentication are exactly the same. Any idea on why on the iphon it don’t work?
    Below some the log file.
    Thanks
    andrea
    Jan 11 16:14:18 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:20 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:20 Scoia-Aifone timed[679] <Notice>: (Note ) CoreTime: Not setting system time to 01/11/2012 15:14:20 from NTP because time is unchanged
    Jan 11 16:14:20 Scoia-Aifone eapolclient[680] <Notice>: en0 START
    Jan 11 16:14:20 Scoia-Aifone timed[679] <Notice>: (Note ) CoreTime: Not setting time zone to Europe/Rome from Location
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANJoinManager::handleAssoc(): status = 2, reason = 0, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone wifid[29] <Error>: WiFi:[347987661.158384]: Processing link event UP
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANJoinManager::handleAssoc(): status = 2, reason = 0, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: [14591.399631250]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -73, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 1, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:21 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:22 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:24 Scoia-Aifone mDNSResponder[47] <Error>: mDNS_RegisterInterface: Frequent transitions for interface en0 (FE80:0000:0000:0000:F2CB:A1FF:FECB:ED60)
    Jan 11 16:14:26 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:11 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:27 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::checkRealTimeTraffic(): set roam parameters: counters Rx:1204 Tx:22
    Jan 11 16:14:28 Scoia-Aifone eapolclient[680] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.238433]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.246099]: Processing link event DOWN
    Jan 11 16:14:28 Scoia-Aifone eapolclient[680] <Notice>: en0 STOP
    Jan 11 16:14:28 Scoia-Aifone eapolclient[681] <Notice>: en0 START
    Jan 11 16:14:28 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:28 Scoia-Aifone wifid[29] <Error>: WiFi:[347987668.683288]: Processing link event UP
    Jan 11 16:14:28 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:18 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 8, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: [14598.930095541]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 8, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:29 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:31 Scoia-Aifone eapolclient[681] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.532160]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:31 Scoia-Aifone eapolclient[681] <Notice>: en0 STOP
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.542420]: Processing link event DOWN
    Jan 11 16:14:31 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:18 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:31 Scoia-Aifone eapolclient[682] <Notice>: en0 START
    Jan 11 16:14:31 Scoia-Aifone Preferences[558] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0xde41320:<VPNBundleController: 0xde41320>): _serviceCount(1), serviceCount(1), toggleInRootMenu(1), RootMenuItem(1)
    Jan 11 16:14:31 Scoia-Aifone wifid[29] <Error>: WiFi:[347987671.974798]: Processing link event UP
    Jan 11 16:14:31 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:21 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 11, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA_8021X, key = CIPHER_NONE    , 802.1X .
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: [14602.222531083]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -77, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 12, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Up on en0
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: en0: BSSID changed to 00:3a:98:7d:ee:30
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore:startRoamScan(): 2843 Delaying RoamScan; because  Join Mgr Busy 0 isWaitingforIP 1
    Jan 11 16:14:32 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:34 Scoia-Aifone eapolclient[682] <Notice>: en0 TLS: authentication failed with status 1
    Jan 11 16:14:34 Scoia-Aifone wifid[29] <Error>: WiFi:[347987674.708487]: Network WIFI3D Both autojoin and user join dates are NULL
    Jan 11 16:14:34 Scoia-Aifone wifid[29] <Error>: WiFi:[347987674.716635]: Processing link event DOWN
    Jan 11 16:14:34 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:21 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Jan 11 16:14:34 Scoia-Aifone eapolclient[682] <Notice>: en0 STOP
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::handleDeauth(): status = 0, reason = 23, flags = 0x0, authtype = 0, addr = 00:3a:98:7d:ee:30
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLANNetManager::leaveNetworkAsync(): kDeauthdCurrNetwork already set. Skipping call to leaveNetworkASync
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AppleBCMWLAN Left BSS:       @ 0xc0bc4000, BSSID = 00:3a:98:7d:ee:30, rssi = -76, rate = 54 (100%), channel = 6, encryption = 0x4, ap = 1, failures = 0, age = 14, ssid[ 6] = "WIFI3D"
    Jan 11 16:14:35 Scoia-Aifone kernel[0] <Debug>: AirPort: Link Down on en0. Reason 1 (Unspecified).
    Jan 11 16:14:37 Scoia-Aifone mDNSResponder[47] <Error>: DeregisterInterface: Frequent transitions for interface en0 (FE80:0000:0000:0000:F2CB:A1FF:FECB:ED60)
    Jan 11 16:14:39 Scoia-Aifone UserEventAgent[12] <Warning>: Unable to cancel system wake for 2012-01-11 16:14:24 +0100. IOPMCancelScheduledPowerEvent() returned 0xe00002c2

    I did see those screenshots however that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users.  In each of your screenshots, the RADIUS Server ID number is 1 so I would also ensure that I've configured RADIUS Server ID 1 which can only be configured by going to Users -> RADIUS Servers.
    All that said, I did see that your tests succeeded and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info.  My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again.  It would also think that you could skip the Users -> RADIUS Server screen and enter the RADIUS information over and over again and it should work...just like you set it up originally.  However, based on past experience of programmatic errors, I would recommend configuring the RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already...just in case. 
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • WPA2 Enterprise connections don't work

    Hi everyone,
    Configuration: MacBook Pro 7,1, 2,4GHz, Mac OS X 10.6.5.
    Three user accounts (one for me, two for friend's backup), two of them have admin rights. I'm using one of these accounts.
    I'm having a strange issue with *WPA2 Enterprise*-based access points, namely, the private one on my university's campus, and the eduroam one. Eduroam is, roughly, a SSID that is available in participating institutions worldwide, and allows connection from personnel registered in any of these institutions without having to ask for a guest access.
    On eduroam, one is supposed to select the eduroam SSID in the list of network available, select "Security: WPA2 Enterprise", and type his institutional email address as a username. "Password" should remain blank for now, and in front of the "802.1X", select "Auto". On clicking the "Connect" button for the first time, a "Check certificate" dialog should appear with three buttons, "Display", "Cancel", "Continue", where one would click "Continue". Finally, a "802.1X authentication" dialog would appear, when a user would put his email address as username, and type in his institutional password to log in. Then, the user would be online without further fuss.
    On my university network, it's even simpler. One should select it, type in the IT login, then the corresponding password, before being allowed to be online.
    On my normal user account, I never get the "Check certificate" dialog for eduroam, an on the uni's network, it never seems to connect. Ultimately, I get the exclamation point over the wireless waves, meaning that the card self-assigned an IP. Then it tries to connect again (the icon is waving), then fails again. No other authentication is affected, and a quick look in the logs doesn't show anything salient.
    On the other user account, the connection to either of these SSID works as written, on the first try.
    So it's no hardware issue.
    I first tried to create a new wireless profile, and recreate the connection. It failed, once again, for both networks.
    So to the Genius Bar I went. Since it's a login issue, we deleted the ~/Library/Keychans/login.keychain item, rebooted. Since the issue couldn't be reproduced in store, he advised me to delete the "session" keychain and reboot if the problem persisted. He asked me if the computer crashed while I was logged in anywhere in the past (before 10.6.5), and yes I said, adding that I let AppleJack do the automated repair. He checked with a colleague, on a tech forum, spent 30 min with me, but came back with the dreaded conclusion that, at least in that store, they ended up doing what he named "partial restore" to correct a similar issue, in contrast to "archive and install".
    Off to the uni I went, and recreating the connection failed again. In the Access Keychain, I then removed the session keychain, with both the references and files (default is reference only), since they referred to passwords I already knew, rebooted, logged in, and tried to connect, to no avail. The other user account still works.
    What else should I try? Ironically enough, I reinstalled OS X more times in two years than I did Windows in eight, and want to avoid the time-consuming step of reinstalling applications, and the very tricky part - ownership issues - of manually importing documents and only selected settings.

    I was chasing a similar authentication issue on OS X ≥ 10.5.8 for quite some weeks. My setup does use MS 2008 Server (AD, NPS, Radius) and SonicWall SonicPoint (multi SSID on VLAN).
    When I started evaluating the different options, I didn't realize such issues But when it came to the final usage guidelines I had serious issue connecting with Mac OS X to the WPA2 Enterprise Network (BlackBerry and iOS was never an issue)!
    I finally did work out, that you can only authenticate once successfully if you use the "Ask to join networks" popup - instead I had to select the network manually from the airport, provide my credentials and select "remember this network"to store the network and it's radius profile! I guess this behavior may have something to do with the credentials stored/reused in/from the keychain for the second login.
    Also, I did notice you have to make sure you quit your system preferences each time you expect a change due to newly stored networks or radius profiles!
    Hope this may help other users to troubleshoot similar issues!

  • WPA2 enterprise, Can not authenticate with ACS

    Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but can not get authentication server to authenticate them, and failed reason is generic "EAP-TLS or PEAP authentication failed during SSL handshake"
    The AP I am using is 1240AG running 12.3(8)JA, Radius server is ACS 4.0, I don't have any problem to get dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless user.
    From ACS's point of view, it should not be aware of any difference between wired and wireless user, but ACS log shows otherwise:
    1)AP is connected to a cat4k switch, I suppose AP should be the authenticator for wireless users, but ACS "failed attempts" log for attempted wireless user shows that the NAS IP is cat4k in stead of AP, why?
    2)I am using the same laptop for both wireless/wired testing, ACS "failed attempts" log shows that for wired user, it correctly interpreted cached domain\login name, but for failed wireless user, the user-name field is totally different, yet debug on AP clearly shows that correct domain\login has been received by AP.
    Debug output on AP is attached, hope experts here can quickly identify the problem.

    Got it working by adding radius server configuration under GUI generated configuration:
    aaa group server radius your-AAA-group-name
    server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646

  • WPA2-enterprise WIFI can't connect after upgrading to 6.1 or higher

    Hi. Please help.
    We have a campus wifi with two ssids: one open for everyone and one closed with wpa2-enterprise (PEAP) security for staff. All iphones and ipads works just fine on ios version 6.01 but they can't connect to secured wifi network after updating to ios ver 6.1 and higher (tried 6.1.2). They still able to connect to open wlan ssid. Our WIFI equipment is: Extremenetworks WM3600 controllers and AP4600/AP4511 access points running WM5.4.1. WMM enabled.
    WM3600 controller use Windows2008 r2 NPS server + active directory for authorization (selfsigned certificates is 2048 bit length).
    WM3600 wlan staff configuration settings:
    wlan Staff
    description TOGU staff network
    ssid STAFF
    vlan 238
    bridging-mode tunnel
    encryption-type tkip-ccmp
    authentication-type eap
    no answer-broadcast-probes
    protected-mgmt-frames optional
    radius vlan-assignment
    no motorola-extensions symbol-load-information
    use aaa-policy Domain_aaa
    Here is the log from iphone configuration utility with connection error:
    Feb 20 17:18:00  kernel[0] <Debug>: en0::IO80211Interface::postMessage bssid changed 
    Feb 20 17:18:00  Preferences[132] <Warning>: -[VPNConnectionStore reloadVPN]: The active VPN configuration has changed from  to (null)
    Feb 20 17:18:00  Preferences[132] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x1edbea10:<VPNBundleController: 0x1edbea10>): _serviceCount(0), serviceCount(0), toggleInRootMenu(0), RootMenuItem(1)
    Feb 20 17:18:00  wifid[14] <Error>: WiFi:[383033880.387575]: Failed to associate with STAFF: -3900
    Hope to get any help.

    Yes. We tried to reboot iphone(s), tried also with ipads 6.1. We tried to reset network settings.
    We tried to add wifi profile to clean new iphone using iphone configuration utility.
    Wireless supplier can't help - they told it is an ios issue and I think this is true because all
    ipads/iphones works just fine on  ios5 or 6.0.1 but can't connect on 6.1

  • IOS 5 can't connect to WPA/WPA2 Enterprise Wireless Network

    After upgrading multiple iPhone 4 (CDMA versions) to IOS 5.0, I have not been able to get them to connect to our WPA/WPA2 Enterprise wirless network.  We use a Cisco Wireless LAN Controller.  The wireless network is capable of doing WPA or WPA2 Enterprise with PEAP.  These phones all connected to this network fine before the upgrade.
    When connecteding to the network, it prompts me for the username and password and when I tap join it sits for about 10-15 seconds then says "Unable to join the network" with a Dismiss button.
    It connects to non-Enterprise networks just fine.  I have tested it on WPA Personal and WPA2 Personal networks and it has worked on several without issue.
    I have tried "forget this network" with no success.
    Is anyone else having this problem?  I know of at least three Verizon iPhone 4's that have this exact same problem.  I haven't seen one working with this configuration yet.

    I have the same problem:
    Cisco WLC's -> WPA2 Enterprise AES + EAP-PEAP 802.1x with CCKM
    Pre 5.0 - all worked fine
    Post 5.0 - it tries to connect and after few moments i get error - couldn't connect.
    Info from controller:
    10/17/2011 12:16:37 CEST           INFO           172.16.16.X           Sending EAP request to client from radius server. 6.f. ..l
    10/17/2011 12:16:38 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
    10/17/2011 12:16:39 CEST           ERROR           172.16.16.X           Retransmitting EAP-ID request to client,retransmission timer expired. 5.y. ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           Authentication failed for client as EAP ID request from AP reached maxmium retransmissions. 5.yp ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           De-authentication sent to client. 5.oP ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           5.yp ..l
    10/17/2011 12:16:40 CEST           ERROR           172.16.16.X           EAPOL-key is invalid, scheduling client for deletion. 5.yp ..l
    On the Radius server i don't see any activity regarding this device.
    I had this network configured on my iPhone - after upgrade and restore it remembered it. Every time i was in vicinity of my Enterprise WLAN it tried to connect - resulting int express battery drain - 6-7 hrs and battery was empty from 100%

  • WPA2-Enterprise TLS not working in iOS 5

    We have over 200 iPhone on our Corporate Wi-Fi network. We started having calls from our users saying that their Wi-Fi is not working anymore since they upgraded to iOS 5. It was working fine with previous version of iOS. We are using WPA2-Enterprise with TLS authentication. We were able to reproduce the issue. With my iPad, i'm not able anmore to connect to our corporate wi-fi on both vendor we use (Cisco and Motorola). The SSId was  hidden, we tryed to broadcast it with no change. The only thing both vendor are sharing is the TLS authentication for the WPA2 auth. Can anyone help us ?

    I had to:
    1) connect the Ipad with a cable and enable "synch via wi-fi" option.
    2) eject the ipad
    3) restart the MAC
    attempt synch --- FAILED
    after looking at my set-up the MAC (or PC) must be conneced to the same wireless connection. My router has dual band capability. one connection is 2.4 ghz with one name, and 5 ghz with another name. Even though ALL the computers have same workgroup name, wi-fi synch would not work unless they were all on the same wireless connection (same ssID). go figure. once my mac was connected to the 2.4 Ghz SSID, wi-fi sync worked fine.

  • Wifi problem after connecting to wpa2 enterprise

    hi all.
    I have iphone 3gs with me. It has doing great on all the wifi connection before. I can connect to my home wpa2 wifi and office hidden wpa2 wifi with no problem. Then, I tried to join my office enterprise wifi with wpa2 enterprise. It was successfull. However, just after that, i can't get connected back to my office hidden wpa2 wifi. it just like deny the connection. I reset the network connection, forget network still fail. Even i disable the wpa2 security but failed also. Anyway, i still able to connect to my home wifi and office enterprise wifi.
    please help as. I can't say the hardwar problem as it can get connected at my home network. sight

    anybody care to help me please?

  • WPA2 Enterprise Wi-Fi trouble

    I ran the apple iphone config web utility and created a profile for connecting my itouch to my company's secure WiFi last Friday and it worked great. I also set up a coworkers itouch as well as well. Once the profile was installed it asked me to accept a certificate and then everything worked. We use WPA2, AES, PEAP with MS-CHAPV2.
    However, I came in Monday and it wouldn't reconnect. Interestingly enough, my coworkers itouch remembered the settings, reconnected, and still works.
    Try as I may, I have Erased Network settings about 8 times, and reinstalled the exact same profile which worked Friday, and it will never work again. The itouch WiFi works fine at home, restaurants, and other networks.
    Anyone have any ideas? Maybe the network settings don't get erased properly when you hit erase?

    Our proxy server is autodetect. However, my problems are worse than just not being able to use web. I cannot get DHCP to give me an IP address.
    I did try reset network settings and that does not seem to help.
    I would imagine that "WPA2-Personal" is a lot easier to set up and keep working than "WPA2-Enterprise" due to not needing to make a "profile" on a separate PC which includes settings that are invisible to the itouch GUI (PEAP, MSCHAP, etc)
    These problems I'm having are most likely specific to "WPA2-Enterprise".
    I just don't get how I got it working one time, and then it just quit on me forever... Maybe its just random.

Maybe you are looking for