Wireless client authentication failed

Hi all,
I have a problem: I have an AP 1602i joined to a WISM2 controller with IOS version 7.4.121.
When a client tries to connect to the SSID, it receives an "authentication failed" log. When I tried to rejoin the AP to another controller it worked normally, and when I went back to joining the first controller it joins normally.
When the problem occurs I noticed that the AP LED is flashing, and on the controller I can see the AP.
Please advise.
Thanks in advance.

Hi Manannalage ras...,
I already issued this command and tried to connect to the SSID, but no output appeared on the controller; it seems that the client MAC address is not reaching the controller.
Note that the AP is connected through a modem to the controller and gets the controller IP address from DNS by resolving its domain name to the controller IP.

Similar Messages

  • Wireless Client Authentication issues when roaming Access Points (Local)

    I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
    There are a handful of clients that, when roaming between APs with the same SSID, get an authentication issue and have to restart the wireless to get back on.
    From Cisco ISE
    Event
    5400 Authentication failed
    Failure Reason
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Resolution
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Root cause
    While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (Windows 7) then why does it work at other times? So I have checked and the ISE certificate is trusted by the client.
    Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
    I also had this from Splunk for the same client:
    Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
     FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
    Any help on this would be appreciated. These error messages give me an idea but don't give me the exact answer to why the problem occurred and what needs to be done to fix it.
    Thanks

    Further detail from ISE for the failure:
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    15049 Evaluating Policy Group
    15008 Evaluating Service Selection Policy
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    11507 Extracted EAP-Response/Identity
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    12300 Prepared EAP-Request proposing PEAP with challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318 Successfully negotiated PEAP version 0
    12800 Extracted first TLS record; TLS handshake started
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12810 Prepared TLS ServerDone message
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    12512 Treat the unexpected TLS acknowledge message as a rejection from the client
    11504 Prepared EAP-Failure
    11003 Returned RADIUS Access-Reject

  • Apple wireless clients authenticated but show no username in WLC

    Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
    (mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
    Client MAC Address............................... 60:c5:47:07:b6:5a
    Client Username ................................. N/A
    AP MAC Address................................... 00:1e:13:42:16:a0
    AP Name.......................................... mcm-208dorm-wap1
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 1
    BSSID............................................ 00:1e:13:42:16:a0
    Connected For ................................... 599 secs
    Channel.......................................... 11
    Clients in this state are usually Apple products. From initial investigation it looks like they do authenticate with the ACS.
    Any ideas for debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
    Thanks
    Kyle Morrison

    Kyle:
    I suppose you are using PEAP or some EAP that utilizes TLS tunnel.
    The username that appears is what is called the "outer identity" username. This is sent to the AAA server outside the TLS channel and need not be the correct username, although it can be the same. So I think with MacBooks the outer identity is empty. But I don't remember if it appears on the WLC as unknown.
    For iPad I can see my username explicitly appearing on my WLC, which means the outer identity is the same as the correct username.
    What Mac devices do you use?
    You need no debugs. Wireless packet capture while the client is trying to authenticate should be enough to show what outer identity is used.
    HTH
    Amjad
    p.s: with windows it depends on the supplicant software if an outer identity can be configured or not.
    Sent from Cisco Technical Support iPad App
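
Added example, not part of the original thread: the outer identity discussed in the reply above is the payload of the EAP-Response/Identity frame, which crosses the air in clear text before any TLS tunnel exists. This Python sketch parses EAPOL frames (starting at the 802.1X version byte) and lists each outer identity, flagging empty ones and responses whose id no longer matches the latest request; the sample frames and the `EXAMPLE\jdoe` identity are constructed.

```python
import struct

EAPOL_EAP_PACKET = 0
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class FrameError(ValueError):
    """Raised when a frame is truncated or its length fields disagree."""


def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL frame, starting at the 802.1X version byte."""
    if len(frame) < 4:
        raise FrameError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise FrameError("EAPOL body shorter than its length field")
    out = {"version": version, "eapol_type": ptype, "eap": None}
    if ptype != EAPOL_EAP_PACKET:
        return out  # e.g. EAPOL-Start carries no EAP packet
    if body_len < 4:
        raise FrameError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise FrameError("EAP length field out of range")
    eap = {"code": code, "code_name": EAP_CODE_NAMES.get(code, "?"),
           "id": ident, "type": None, "data": b""}
    # Only Request and Response packets carry a type byte and type data.
    if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
        eap["type"] = body[4]
        eap["data"] = body[5:eap_len]
    out["eap"] = eap
    return out


def outer_identities(frames):
    """Walk frames in capture order and return every EAP-Response/Identity.

    'stale' marks a response whose id does not match the most recent
    Identity request, so the authenticator keeps waiting for another one.
    """
    last_req_id, found = None, []
    for raw in frames:
        eap = parse_eapol(raw)["eap"]
        if eap is None or eap["type"] != EAP_TYPE_IDENTITY:
            continue
        if eap["code"] == EAP_REQUEST:
            last_req_id = eap["id"]
        elif eap["code"] == EAP_RESPONSE:
            identity = eap["data"].decode("utf-8", errors="replace")
            found.append({"id": eap["id"], "identity": identity,
                          "empty": identity == "",
                          "stale": eap["id"] != last_req_id})
    return found


# Constructed sample frames (hex), laid out like a restarted 802.1X exchange.
SAMPLE = [bytes.fromhex(h) for h in (
    "010000050101000501",                          # Request/Identity id=1
    "01010000",                                    # EAPOL-Start from client
    "010000050102000501",                          # Request/Identity id=2
    "0100001102010011014558414d504c455c6a646f65",  # Response id=1, EXAMPLE\jdoe
    "0100001102020011014558414d504c455c6a646f65",  # Response id=2, EXAMPLE\jdoe
    "0100000404020004",                            # EAP-Failure id=2
)]

if __name__ == "__main__":
    for item in outer_identities(SAMPLE):
        print(item)
```

A supplicant configured with an anonymous or empty outer identity shows up here with a placeholder or `empty: True`, which is why a controller can list such a client without a username.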

  • URL Redirection on Wireless Client Machine Fails

    Wireless users authenticated by ISE internal identity but unable to redirect on URL.

    Hi. First of all thanks for your reply.
    By mistake I have attached above pdf.
    Let me explain my scenario. WLC is integrated with ISE & ISE is integrated with AD. We have wireless users (not guest wireless users) who have to go through the ISE process before they access the network. These domain users are successfully authenticated by the AD through WLC & ISE. Once the domain users authenticate they have to be redirected to a URL while accessing any website through the browser, but it is not happening.
    Moreover, could you please help me with how to configure posture conditions for AV & WSUS? Do you have any doc to configure the following requirement & apply it to a profile?
    Thanks

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when users try to authenticate, they fail with this error message in ISE:
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generated a certificate for ISE using Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a “RADIUS Access-Reject” form of message.
    Conditions: (This issue occurs with authentication protocols that require certificate validation.)
    Possible Authentications report failure reasons:
    • “Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client”
    • “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate”
    Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
    Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
    Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have set-up with below devices :
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should I use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
    I have no clear picture of this certificate.
    From where can I get this certificate, or do I need to purchase it separately from Cisco? How do I install it on the ACS server?
    I would be obliged to get at least the initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Wireless Clients failing to authenticate via the RADIUS

    Hi friends
    I am trying to use a Radius server (NPS) to authenticate my wireless users using a 1941W router.
    For some reason it cannot authenticate successfully. I checked that the radius server is reachable but still I don't see any luck.
    The config is like this:
    ***************Config snap shot*********************
    aaa new-model
    aaa group server radius group1
    server 10.32.0.154 auth-port 1812 acct-port 1813
    aaa authentication login EAP group group1
    aaa session-id common
    dot11 syslog
    dot11 ssid CORP
       vlan 320
       authentication open eap EAP
       mbssid guest-mode
    interface Loopback1
    ip address 10.51.240.1 255.255.255.255
    no ip route-cache
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 320 mode ciphers aes-ccm
    ssid CORP
    antenna gain 0
    mbssid
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 320 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
    no ip address
    no ip route-cache
    interface GigabitEthernet0.1
    encapsulation dot1Q 320 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.51.246.2 255.255.255.0
    no ip route-cache
    ip default-gateway 10.51.246.1
    ip radius source-interface Loopback1
    radius-server host 10.32.0.154 auth-port 1812 acct-port 1646 key V3rv3@mc0m
    bridge 1 route ip
    *********************End of config snap shot*********************
    When I run the debug I see the following messages, which I am still trying to understand; I thought it would be worthwhile mentioning them here:
    *******************Debug**********************
    AP1#
    *Mar  1 01:04:41.951: AAA/BIND(0000001E): Bind i/f
    *Mar  1 01:04:41.951: dot11_auth_add_client_entry: Create new client 2477.037e.22d4 for application 0x1
    *Mar  1 01:04:41.951: dot11_auth_initialize_client: 2477.037e.22d4 is added to the client list for application 0x1
    *Mar  1 01:04:41.951: dot11_auth_add_client_entry: req->auth_type 0
    *Mar  1 01:04:41.951: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 01:04:41.951: dot11_auth_add_client_entry: eap list name: EAP
    *Mar  1 01:04:41.951: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 01:04:41.951: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 01:04:41.951: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 2477.037e.22d4
    *Mar  1 01:04:41.951: EAPOL pak dump tx
    *Mar  1 01:04:41.951: EAPOL Version: 0x1  type: 0x0  length: 0x002F
    *Mar  1 01:04:41.951: EAP code: 0x1  id: 0x1  length: 0x002F type: 0x1
    030017B0: 0100002F 0101002F 01006E65 74776F72  .../.../..networ
    030017C0: 6B69643D 56434F52 502C6E61 7369643D  kid=VCORP,nasid=
    030017D0: 4B414C2D 30322D41 50312C70 6F727469  KAL-02-AP1,porti
    030017E0: 643D30                               d=0
    *Mar  1 01:04:41.955: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 01:04:41.955: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 01:04:41.955: dot11_auth_dot1x_send_id_req_to_client: Client 2477.037e.22d4 timer started for 30 seconds
    *Mar  1 01:04:41.955: dot11_auth_parse_client_pak: Received EAPOL packet from 2477.037e.22d4
    *Mar  1 01:04:41.955: EAPOL pak dump rx
    *Mar  1 01:04:41.955: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    033E86E0:          01010000                        ....
    *Mar  1 01:04:41.955: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 2477.037e.22d4
    *Mar  1 01:04:41.955: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 2477.037e.22d4
    *Mar  1 01:04:41.959: EAPOL pak dump tx
    *Mar  1 01:04:41.959: EAPOL Version: 0x1  type: 0x0  length: 0x002F
    *Mar  1 01:04:41.959: EAP code: 0x1  id: 0x2  length: 0x002F type: 0x1
    03001A20: 0100002F 0102002F 01006E65 74776F72  .../.../..networ
    03001A30: 6B69643D 56434F52 502C6E61 7369643D  kid=VCORP,nasid=
    03001A40: 4B414C2D 30322D41 50312C70 6F727469  KAL-02-AP1,porti
    03001A50: 643D30                               d=0
    *Mar  1 01:04:41.959: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 01:04:41.959: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 01:04:41.959: dot11_auth_dot1x_send_id_req_to_client: Client 2477.037e.22d4 timer started for 30 seconds
    *Mar  1 01:04:41.963: dot11_auth_parse_client_pak: Received EAPOL packet from 2477.037e.22d4
    *Mar  1 01:04:41.963: EAPOL pak dump rx
    *Mar  1 01:04:41.963: EAPOL Version: 0x1  type: 0x0  length: 0x0012
    *Mar  1 01:04:41.963: EAP code: 0x2  id: 0x1  length: 0x0012 type: 0x1
    033603C0:                            01000012              ....
    033603D0: 02010012 01564552 56455C47 30373532  .....VERVE\G0752
    033603E0: 3736                                 76
    *Mar  1 01:04:41.963: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
    *Mar  1 01:04:41.963: dot11_auth_parse_client_pak: Received EAPOL packet from 2477.037e.22d4
    *Mar  1 01:04:41.963: EAPOL pak dump rx
    *Mar  1 01:04:41.963: EAPOL Version: 0x1  type: 0x0  length: 0x0012
    *Mar  1 01:04:41.963: EAP code: 0x2  id: 0x2  length: 0x0012 type: 0x1
    033AEE90:                   01000012 02020012          ........
    033AEEA0: 01564552 56455C47 30373532 3736      .VERVE\G075276
    *Mar  1 01:04:41.963: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 2477.037e.22d4
    *Mar  1 01:04:41.963: dot11_auth_dot1x_send_response_to_server: Sending client 2477.037e.22d4 data to server
    *Mar  1 01:04:41.963: AAA/AUTHEN/PPP (0000001E): Pick method list 'EAP'
    *Mar  1 01:04:41.963: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    *Mar  1 01:04:41.963: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication server type *invalid_group_handle*
    *Mar  1 01:04:41.963: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    *Mar  1 01:04:41.963: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  1 01:04:41.963: Client 2477.037e.22d4 failed: EAP reason 2
    *Mar  1 01:04:41.963: dot11_auth_dot1x_parse_aaa_resp: Failed client 2477.037e.22d4 with aaa_req_status_detail 2
    *Mar  1 01:04:41.963: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 2477.037e.22d4
    *Mar  1 01:04:41.963: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 2477.037e.22d4
    *Mar  1 01:04:41.963: EAPOL pak dump tx
    *Mar  1 01:04:41.963: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    *Mar  1 01:04:41.963: EAP code: 0x4  id: 0x2  length: 0x0004
    03001DC0:                   01000004 04020004          ........
    03001DD0:
    *Mar  1 01:04:41.963: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 01:04:41.967: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 01:04:41.967: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    *Mar  1 01:04:41.967: dot11_auth_dot1x_send_client_fail: Authentication failed for 2477.037e.22d4
    *Mar  1 01:04:41.967: dot11_auth_send_msg:  sending data to requestor status 0
    *Mar  1 01:04:41.967: dot11_auth_send_msg: client FAILED to authenticate 2477.037e.22d4, node_type 64 for application 0x1
    *Mar  1 01:04:41.967: dot11_auth_delete_client_entry: 2477.037e.22d4 is deleted for application 0x1
    *Mar  1 01:04:41.967: %DOT11-7-AUTH_FAILED: Station 2477.037e.22d4 Authentication failed
    *Mar  1 01:04:41.967: dot11_auth_client_abort: Received abort request for client 2477.037e.22d4
    *Mar  1 01:04:41.967: dot11_auth_client_abort: No client entry to abort: 2477.037e.22d4 for application 0x1
    Any idea where the problem could be?
    Regards,
    Mohit

    Just to add here, I ran another command on the AP/Router which indicates to me that there was no response from the Radius server.
    KAL-02-AP1#sh radius statistics
                                      Auth.      Acct.       Both
             Maximum inQ length:         NA         NA          1
           Maximum waitQ length:         NA         NA          2
           Maximum doneQ length:         NA         NA          1
           Total responses seen:          0          0          0
         Packets with responses:          0          0          0
      Packets without responses:         12          0         12
      Access Rejects           :          0
    Average response delay(ms):          0          0          0
    Maximum response delay(ms):          0          0          0
      Number of Radius timeouts:         48          0         48
           Duplicate ID detects:          0          0          0
    Buffer Allocation Failures:          0          0          0
    Maximum Buffer Size (bytes):        186          0        186
    Source Port Range: (2 ports only)
    1645 - 1646
    Last used Source Port/Identifier:
    1645/12
    1646/0
      Elapsed time since counters last cleared: 1h52m
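
The posted configuration names the RADIUS server twice with different accounting ports: 1813 inside `aaa group server radius group1` and 1646 on the `radius-server host` line. An added example, not part of the original post: a small Python linter for that kind of cross-reference inconsistency between SSID, method list, server group and global host entries. It assumes classic IOS behaviour in which a group member must match a `radius-server host` entry on address and both ports; the sample config is constructed, with a placeholder address and key.

```python
import re
from typing import NamedTuple

DEFAULT_AUTH, DEFAULT_ACCT = 1645, 1646  # classic IOS defaults when a port is omitted


class Server(NamedTuple):
    ip: str
    auth_port: int
    acct_port: int


_ENDPOINT = re.compile(
    r"^(?:radius-server host|server)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+auth-port\s+(?P<auth>\d+))?(?:\s+acct-port\s+(?P<acct>\d+))?"
)
_GROUP = re.compile(r"^aaa group server radius\s+(\S+)")
_METHOD = re.compile(r"^aaa authentication \S+\s+(\S+)\s+group\s+(\S+)")
_SSID_EAP = re.compile(r"^authentication \S+\s+eap\s+(\S+)")


def _endpoint(line):
    m = _ENDPOINT.match(line)
    if not m:
        return None
    return Server(m["ip"], int(m["auth"] or DEFAULT_AUTH), int(m["acct"] or DEFAULT_ACCT))


def parse(config: str):
    """Collect global hosts, server groups, EAP method lists and SSID references."""
    hosts, groups, methods, ssid_lists = set(), {}, {}, set()
    current = None  # member list of the server group being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _GROUP.match(line)
        if m:
            current = groups.setdefault(m[1], [])
            continue
        ep = _endpoint(line)
        if ep and line.startswith("server") and current is not None:
            current.append(ep)
            continue
        current = None  # any other command leaves the server-group submode
        if ep and line.startswith("radius-server"):
            hosts.add(ep)
            continue
        m = _METHOD.match(line)
        if m:
            methods[m[1]] = m[2]
            continue
        m = _SSID_EAP.match(line)
        if m:
            ssid_lists.add(m[1])
    return hosts, groups, methods, ssid_lists


def lint(config: str):
    """Return (code, detail) findings for broken AAA cross-references."""
    hosts, groups, methods, ssid_lists = parse(config)
    findings = []
    for name in sorted(ssid_lists - set(methods)):
        findings.append(("undefined-method-list", name))
    for lst, grp in sorted(methods.items()):
        if grp != "radius" and grp not in groups:
            findings.append(("undefined-group", f"{lst} -> {grp}"))
    for grp, members in sorted(groups.items()):
        if not members:
            findings.append(("empty-group", grp))
        for s in members:
            if s in hosts:
                continue
            same_ip = sorted(h for h in hosts if h.ip == s.ip)
            if same_ip:
                h = same_ip[0]
                findings.append(("port-mismatch",
                                 f"{grp}: {s.ip} group {s.auth_port}/{s.acct_port} "
                                 f"vs global {h.auth_port}/{h.acct_port}"))
            else:
                findings.append(("no-global-host", f"{grp}: {s.ip}"))
    return findings


# Constructed config: same port layout as the post, placeholder address and key.
MISMATCHED = """\
aaa new-model
aaa group server radius group1
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login EAP group group1
dot11 ssid CORP
 authentication open eap EAP
radius-server host 192.0.2.10 auth-port 1812 acct-port 1646 key EXAMPLE-KEY
"""
FIXED = MISMATCHED.replace("acct-port 1646", "acct-port 1813")

if __name__ == "__main__":
    print(lint(MISMATCHED))
    print(lint(FIXED))
```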

  • What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

    I need to authenticate my clients connecting via wireless.
    The clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
    Can someone please help me with the steps?
    Thanks

    Two primary steps:
    - Define the trust certificates needed to verify the clients' user certificates:
    Users and Identity Stores > Certificate Authorities
    - Change the result of the identity policy to select a certificate authorization profile. If you have the default config:
    Access Policies > Access Services > Default Network Access > Identity
    By default you can select "CN Username" as the result.

  • Clients cannot connect: "Reason:802.1x Authentication failed 3 times. Reas"

    As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
    Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
    And my (MS IAS) RADIUS server has an entry:
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
    The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Outgoing mail is failing in eM Client, authentication issues

    I cannot send mail through eM Client, it fails and asks for credentials. Up until Friday eM Client was working fine, and nothing has changed in the configurations. I tested eM Client and gmail and it worked without an issue, using port 25, outgoing.verizon.net and not using a secure connection.
    My wife is also having this issue on her computer using the same software as an email client. I would say it's the client, but it works fine with gmail, both sending and receiving. 
    Any help would be appreciated.
    Thanks.

    stjore wrote:
    I am running the latest eM Client (Version 6.0.21040.0) and this problem appeared within the last week.  eM Client incoming mail (POP) works fine but outgoing mail (SMTP) does not work.  I spoke with Verizon Tech Support this morning, but was unable to resolve this problem.  The eM Client SMTP settings that I'm using (and worked previously) are below:
    Server
      Host:  smtp.verizon.net
      Port:  465
      Security policy:  Use SSL/TLS on special port (legacy)
    Authentication
      Server requires authentication (checked)
        Use identity credentials (not selected)
        Use these credentials: (checked)
          User name:  [email protected]
          Password:  **********
    Enable Service (checked)
    Unless you are a Yahoo user (which also uses different servers) do not use [email protected]  Just use username

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network, as the customer's security are not accepting notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford


  • I'm trying to connect through the FTP client Filezilla. When I try to login with the wizard, it gives me a "503 Failure of Data Connection" reply; when I attempt to login myself, it gives me a "530 Login Authentication Failed." HELP!!!

    My current software is: Mac OS X Lion 10.7.5 (11G63)
    When I attempt to use the Filezilla connection wizard I get the following message:
    Connecting to probe.filezilla-project.org
    Response: 220 FZ router and firewall tester ready
    USER FileZilla
    Response: 331 Give any password.
    PASS 3.7.1.1
    Response: 230 logged on.
    Checking for correct external IP address
    Retrieving external IP address from http://ip.filezilla-project.org/ip.php
    Checking for correct external IP address
    IP 27.0.19.56 ch-a-bj-fg
    Response: 200 OK
    PREP 52470
    Response: 200 Using port 52470, data token 1871898076
    PORT 27,0,19,56,204,246
    Response: 200 PORT command successful
    LIST
    Response: 150 opening data connection
    Response: 503 Failure of data connection.
    Server sent unexpected reply.
    Connection closed
    When I attempt to login Host/Username/Password myself I get the following message:
    Status:          Resolving address of amyhoney.com
    Status:          Connecting to 184.168.54.1:21...
    Status:          Connection established, waiting for welcome message...
    Response:          220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:          220-You are user number 12 of 500 allowed.
    Response:          220-Local time is now 04:05. Server port: 21.
    Response:          220-This is a private system - No anonymous login
    Response:          220 You will be disconnected after 3 minutes of inactivity.
    Command:          USER 5475****
    Response:          331 User 5475**** OK. Password required
    Command:          PASS ********************
    Response:          530 Login authentication failed
    Error:          Critical error
    Error:          Could not connect to server
    Now before anyone points out the obvious: my username and password are correct. I've already gone through changing them so I know they are.
    Additionally, I've pretty much tried EVERYTHING I've read online, from messing with "terminal" (and subsequently the FTP and SFTP options) to changing the sharing options and turning on file sharing/remote management as well as just turning off my Firewall completely.
    Now I've used Filezilla before when I first published my site and everything worked fine. My site is published through Wordpress so most of my editing was done through simply logging into my "wp-login." I recently changed the theme and in order to change the header image in that theme I have to do it through my "wp-content" folder, which means I need to use Filezilla. I feel like a complete moron right now considering I've had my site for about a year and can't even do something this simple.
    I've read that the newer versions of Lion/Mountain Lion don't support automatic FTP anymore, which (as I mentioned prior) I attempted to fix through Terminal. However, nothing I seem to do works.
    Can someone walk me through fixing this? And I do mean 'walk me through'. I'm not a tech-savvy nerd who knows all the lingo, I just know the basics so sorry if my ignorance offends you.
    HELP!!

    First be sure login and password are OK. Sometimes the address starts with "http://..." and sometimes starts with "ftp://...". Try both normal FTP access and Secure FTP access (SFTP). At the end, contact the site's provider.

  • 802.1x authentication fail

    I have a Juniper device running a Linux operating system, on which we have a RADIUS server configured, and I am trying to integrate my WLC with that RADIUS server.
    I have added the WLC as a host there in RADIUS.
    On the WLC I have configured authentication (RADIUS IP, shared secret key) and done.
    It's working; I can ping the RADIUS server.
    Also, on the WLC I checked the AAA allow override check box on the WLAN, selected WPA2 802.1x Layer 2 security, and moved the RADIUS server option to the top.
    I also configured my Windows wireless adapter as PEAP MSCHAP v2.
    I am trying to connect to this SSID and it asks for my AD account, but when I enter it, it does not authenticate users and gives these logs.
    (WiSM-slot24-1) >debug aaa events enable
    (WiSM-slot24-1) >
    (WiSM-slot24-1) >
    (WiSM-slot24-1) >*apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:03.043: 00:13:e8:3e:26:bf apfMsAssoStateInc
    *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Station 00:13:e8:3e:26:bf setting dot1x reauth timeout = 1800
    *dot1xMsgTask: Dec 31 15:12:03.044: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:03.097: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Received Identity Response (count=2) from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:13:e8:3e:26:bf Audit Session ID added to the mscb: 0a8740e10000002e4efefc1c
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
    *aaaQueueReader: Dec 31 15:12:12.597: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Dec 31 15:12:12.597: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 202) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
    *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processIncomingMessages: response code=11
    *radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
    *radiusTransportThread: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Access-Challenge received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Processing Access-Challenge for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.598: 00:13:e8:3e:26:bf Sending EAP Request from AAA to mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAPOL EAPPKT from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Received EAP Response from mobile 00:13:e8:3e:26:bf (EAP Id 3, EAP Type 3)
    *aaaQueueReader: Dec 31 15:12:12.600: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Dec 31 15:12:12.600: 00:13:e8:3e:26:bf Successful transmission of Authentication Packet (id 203) to 10.34.11.2:1812, proxy state 00:13:e8:3e:26:bf-00:00
    *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Dec 31 15:12:12.601: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Access-Reject received from RADIUS server 10.34.11.2 for mobile 00:13:e8:3e:26:bf receiveId = 3
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf [Error] Client requested no retries for mobile 00:13:E8:3E:26:BF
    *radiusTransportThread: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Returning AAA Error 'Authentication Failed' (-4) for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.601: 00:13:e8:3e:26:bf Processing Access-Reject for mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Removing PMK cache due to EAP-Failure for mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Sending EAP-Failure to mobile 00:13:e8:3e:26:bf (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:12.602: 00:13:e8:3e:26:bf Setting quiet timer for 5 seconds for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Processing RSN IE type 48, length 22 for mobile 00:13:e8:3e:26:bf
    *apfMsConnTask_0: Dec 31 15:12:15.319: 00:13:e8:3e:26:bf Received RSN IE with 0 PMKIDs from mobile 00:13:e8:3e:26:bf
    *dot1xMsgTask: Dec 31 15:12:15.320: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Received EAPOL START from mobile 00:13:e8:3e:26:bf
    *Dot1x_NW_MsgTask_0: Dec 31 15:12:15.389: 00:13:e8:3e:26:bf Sending EAP-Request/Identity to mobile 00:13:e8:3e:26:bf (EAP Id 2)
    Any idea how to solve this problem?
    Or does anyone know how to configure a RADIUS server on a Juniper Linux operating system?
    Many thanks in advance.

    You should post on the Juniper forums regarding your policy configuration. You should stick with using a RADIUS rather than just doing LDAP through the WLC. Here is a link for webauth using LDAP, but it should get you close. Again... you should look at getting your Juniper RADIUS configuration fixed first.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a03e09.shtml
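
An added example (not part of the thread and not Cisco code): a Python parser for `debug aaa events` output like the one posted above, which groups the EAP and RADIUS milestones per client MAC and classifies the outcome. EAP type 3 is Legacy Nak per RFC 3748; the sample lines, MAC addresses, the 192.0.2.10 server address and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict

EAP_NAK = 3  # EAP type 3 is Legacy Nak (RFC 3748): supplicant refuses the offered method
# Line shape: "*task: Mon DD HH:MM:SS.mmm: <client MAC> <message>"
LINE = re.compile(r"^\*\w+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
EAP_RESP = re.compile(r"Received EAP Response from mobile \S+ \(EAP Id \d+, EAP Type (\d+)\)")
RADIUS_RX = re.compile(r"(Access-(?:Accept|Reject|Challenge)) received from RADIUS server (\S+)")

# Constructed sample input (documentation addresses), shaped like the debug in the post.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.596: 00:11:22:33:44:55 Received Identity Response (count=2) from mobile 00:11:22:33:44:55
*radiusTransportThread: Dec 31 15:12:12.598: ****Enter processRadiusResponse: response code=11
*radiusTransportThread: Dec 31 15:12:12.598: 00:11:22:33:44:55 Access-Challenge received from RADIUS server 192.0.2.10 for mobile 00:11:22:33:44:55 receiveId = 3
*Dot1x_NW_MsgTask_0: Dec 31 15:12:12.600: 00:11:22:33:44:55 Received EAP Response from mobile 00:11:22:33:44:55 (EAP Id 3, EAP Type 3)
*radiusTransportThread: Dec 31 15:12:12.601: 00:11:22:33:44:55 Access-Reject received from RADIUS server 192.0.2.10 for mobile 00:11:22:33:44:55 receiveId = 3
*Dot1x_NW_MsgTask_0: Dec 31 15:12:13.100: 66:77:88:99:aa:bb Received Identity Response (count=1) from mobile 66:77:88:99:aa:bb
"""

def timeline(log_text):
    """Group the EAP/RADIUS milestones by client MAC, in log order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines without a client MAC ("****Enter ...") carry no per-client state
        ts, mac, msg = m.group(1), m.group(2).lower(), m.group(3)
        if "Received Identity Response" in msg:
            events[mac].append((ts, "identity", None))
        elif (r := EAP_RESP.search(msg)):
            events[mac].append((ts, "eap-response", int(r.group(1))))
        elif (r := RADIUS_RX.search(msg)):
            events[mac].append((ts, r.group(1), r.group(2)))
    return dict(events)

def diagnose(events):
    """Classify one client's timeline by what the RADIUS server finally said."""
    kinds = [k for _, k, _ in events]
    if "Access-Accept" in kinds:
        return "accepted"
    if "Access-Reject" in kinds:
        before = events[:kinds.index("Access-Reject")]
        last_eap = next((d for _, k, d in reversed(before) if k == "eap-response"), None)
        return "rejected-after-eap-nak" if last_eap == EAP_NAK else "rejected-by-radius"
    if not any(k.startswith("Access-") for k in kinds):
        return "no-radius-reply"  # request never answered: check reachability, shared secret
    return "incomplete"

if __name__ == "__main__":
    print({mac: diagnose(ev) for mac, ev in timeline(SAMPLE).items()})
```

A `rejected-after-eap-nak` verdict means the reject followed a Nak from the supplicant, so the EAP methods enabled on the RADIUS server and on the client are the first thing to compare.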

  • EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

    Hi All,
    I am trying to test EAP_TLS authentication on ACS 4.2.1.15 running on Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box, and I have enabled the EAP_TLS features under global authentication setup.
    I have downloaded the client supplicant certificate file for my Windows XP machine.
    When I tried to authenticate, I found the following error message under failed attempts (EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my ACS appliance box.
    Under certificate revocation list, I have forced my CA as CRL in use. Attached snapshot of all.
    Please suggest whether I need to enable all corresponding CA certificates under the certificate trust list. Kindly let me know where I am going wrong on this.

    Hello,
    I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
    Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
    - Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
    - Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
    - Delete the wireless network from the computer
    - REBOOT!!
    - Open the Microsoft Management Console, “mmc”.
    - Go FILE\Add Remove SnapIn. Select Certificates ..
    - If prompted, do it for “My User Account”.
    - Make sure the certificates are where you put them.
    - If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
    - Redo wireless network setup again
    I hope this helps you.
    Mike

  • EAP-TLS or PEAP authentication failed during SSL handshake error

    I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
    The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
    Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
    Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
    Thanks for the help

    My experience suggests that the problem is the certificate.
    I'm running ACS 3.3.
    I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
    Correctly following the instructions led to a successful connection and no more error message.
