WLC Client excluded - web authentication failed 3 times

Is there anything more I can do with the following? The customer only has 4400 controllers and WCS, both on the highest firmware currently available...
An example of the alert generated in the event of an excessive authentication failure is as follows:
Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
E-mail will be suppressed up to 30 minutes for these alarms.
I need clarification of the following so that a process can be put in place to show whether it is possible to deal with potential threats/attempts to hack into the network, as the customer's security team is not accepting notification only. Therefore please advise:
- What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
- If the client is not permanently excluded, and there are multiple occurrences of this alert for the same client, can the client be disabled via the WCS console?
- If necessary could e-mail suppression be turned off - for this alert only?
Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
BR
Rockford
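Client exclusion on the WLC is a timed block, so the practical question raised above is how often the same MAC keeps getting excluded. As an added example (not from this thread or from Cisco), the script below parses both exclusion formats quoted in these posts, the WCS alarm text and the WLC trap-log line, and reports clients excluded at least a chosen number of times; the sample lines are constructed from the formats shown here and the threshold is an assumption.

```python
"""Parse Cisco WCS/WLC 'Client Excluded' alerts and count repeats per client MAC.

Added example for this thread, not Cisco code.  SAMPLE_LOG is constructed
from the alert formats quoted in the posts; the repeat threshold is assumed.
"""
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# WCS alarm text: "Client '<mac> (<ip>)' which was associated with ... is excluded.
# The reason code is '<code>(<reason>)'."  The "(ip)" part may be absent.
WCS_ALARM = re.compile(
    r"Client '(?P<mac>" + MAC + r")(?: \((?P<ip>[^)]*)\))?'.*?is excluded\. "
    r"The reason code is '(?P<code>\d+)\((?P<reason>[^)]*)\)'",
    re.IGNORECASE,
)

# WLC trap log: "Client Excluded: MACAddress:<mac> Base Radio MAC :<bssid> Slot: n
# Reason:<reason> ReasonCode: <code>"
TRAP_LOG = re.compile(
    r"Client Excluded: MACAddress:(?P<mac>" + MAC + r")"
    r".*?Reason:(?P<reason>.*?) ReasonCode: (?P<code>\d+)",
    re.IGNORECASE,
)

# Constructed sample: three WCS alarms for one MAC, one trap-log line, one WCS
# alarm for an anonymous client, and a non-exclusion line that must be ignored.
SAMPLE_LOG = [
    "Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface "
    "'802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is "
    "'5(Web Authentication failed 3 times.)'.",
] * 3 + [
    "Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 "
    "Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3",
    "Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface "
    "'802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is "
    "'4(802.1X Authentication failed 3 times.)'.",
    "E-mail will be suppressed up to 30 minutes for these alarms.",
]


def parse_exclusion(line):
    """Return {'mac', 'code', 'reason'} for a recognised exclusion line, else None."""
    for pattern in (WCS_ALARM, TRAP_LOG):
        m = pattern.search(line)
        if m:
            return {"mac": m.group("mac").lower(),
                    "code": int(m.group("code")),
                    "reason": m.group("reason").strip()}
    return None


def repeat_offenders(lines, threshold=3):
    """Count exclusions per MAC and return those seen at least `threshold` times,
    with the distinct reason codes observed for each."""
    counts = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        event = parse_exclusion(line)
        if event:
            counts[event["mac"]] += 1
            reasons[event["mac"]].add(f'{event["code"]}: {event["reason"]}')
    return {mac: {"count": n, "reasons": sorted(reasons[mac])}
            for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for mac, info in repeat_offenders(SAMPLE_LOG).items():
        print(mac, info["count"], "; ".join(info["reasons"]))
```

Feed it the raw WCS alarm mail bodies or the controller's trap log; a MAC that keeps reappearing after the exclusion timeout is the case worth a manual look rather than another suppressed e-mail.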


Similar Messages

  • Clients cannot connect: "Reason:802.1x Authentication failed 3 times. Reas"

    As of 1:30 yesterday, no clients can authenticate to my LWAPP Access points. I'm getting this message in the trap logs on my 4404:
    Client Excluded: MACAddress:00:90:4b:86:23:94 Base Radio MAC :00:17:df:7f:c8:60 Slot: 0 Reason:802.1x Authentication failed 3 times. ReasonCode: 3
    And my (MS IAS) RADIUS server has an entry:
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
    The previous successful entries all refer to PEAP. We restored our WCS server from tape yesterday, but why would that affect the authentication on the 4404? Does anyone have any idea what's going wrong?

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Getting a lot of this error:The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name:

    Since we upgraded our WCS system to V6.0.196.0 we are receiving a lot of the following error messages and I haven't figured out why.
    Client 'c0:cb:38:3f:a1:0d (anonymous, 0.0.0.0)' which was associated with interface '802.11a/n' of AP 'ACAA01-00.P04-G2C2.1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'. - Controller Name: 205-dg20-bb3-4/2

    Check your ACS (RADIUS) logs under failures. You will see why it's failing. Sounds like an AD account went bad
    or someone is entering the wrong logon... But check your RADIUS log; it will point you in the right direction.

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network. The SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another or has idle time, he needs to re-authenticate in the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting method to determine why the clients have this problem?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or the AP sends a DEAUTH frame the client will need to re-establish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCKM or a device that supports OKC? What does your radius server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Central Web Authentication Fail - This device has not been registered.

    Dear All,
    I have a problem when applying CWA. I have a WLC and ISE.
    I want all users (all device types) who want to access my network by Wi-Fi to be authenticated by AD,
    but the user can't connect to the network, only authenticate.
    My ISE Authorization rule:
    if
    (Wireless_MAB AND AD1:ExternalGroups EQUALS example.com/Users/Domain Users)
    Anyone who has had experience like this before, please share..
    nb: my ISE license is Base Package
    Thanks!!

    I had followed the configuration guide from here:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    but my authentication always fails with a redirect to device registration.
    When the user connects to the SSID and enters the username and password from Active Directory,
    the browser shows up like this:
    1. Access with Windows :
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Your device configuration is not supported by the setup wizard.
    Device ID        : my-workstation-mac-address- 
    Description     :
    2. Access with Android
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Unsopported operating system type encountered.
    Device ID        : my-android-mac-address- 
    Description     :
    Thanks,

  • Web authentication, failed auth vlan ?

    Hello,
    It is possible to use the RADIUS database for people who have a login; upon successful authentication the people are allowed on a VLAN.
    Is it possible to allow the users that don't have a RADIUS login on the wireless LAN, but on a different VLAN? Or apply a different ACL?
    This is like the guest VLAN in the wired context: users that failed authentication are allowed on a different VLAN.

    Make sure that the RADIUS server always connects behind an authorized port, and also:
    Enable 802.1x authentication and associated features on FastEthernet ports.
    Connect the RADIUS server to VLAN 10 behind FastEthernet port 3/1.
    DHCP server configuration for two IP pools, one for clients in VLAN 2 and the other for clients in VLAN 3.
    Inter-VLAN routing to have connectivity between clients after authentication.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00808066ba.shtml

  • Local web authentication fails

    Hello experts!!!
    I'm having trouble making clients authenticate locally on a 2106 controller with IOS v.4.1.171.0.
    Do I need a RADIUS server to be able to do local auth?
    Also, the auth login page does not appear automatically when I open a browser and type www.cisco.com or any other URL.
    I have to type in the VIP 1.1.1.1 to be able to bring up the login page.
    Is this how it is supposed to be for this particular code?
    Thanks for any input... really appreciate it.

    Tried the 0 timing, but the guest will have an unlimited time session like a legit user.
    I wanted to set guest accounts, say guest1=1 hour, guest2=2 hours, guest3=3 hours, and these accounts should not be deleted automatically when their times expire, so the next time a guest comes to the office I can just choose the guest1, 2 or 3 account to allow him to use the internet.
    Also I notice that after creating the guest account, its timer starts and continues regardless of whether I use the account or not, and eventually it is deleted after it reaches the time limit.
    Did I get through...
    Thanks-a-banks!!!

  • No Web Authentication - but excluded client with reason code 4

    Hello,
    we are using a WLC 4400 with Software Version 5.0.148.0 and WCS Version 5.0.56.2.
    Access Points are AIR-LAP1131AG-E-K9.
    We have problems with one client (Windows XP SP3). The computer loses the wireless connection all the time, but we don't know why. The durations of the connections differ.
    So there are a lot of minor alarms saying “Client which was associated with AP, interface '0' is excluded. The reason code is '4(Web Authentication failed 3 times.)'.”
    But the wireless LAN which is used by the client is not configured with Web Authentication!! It is only using MAC filtering. That's very strange! (There is another wireless LAN configured with Web Authentication.)
    The minor alarms are created by different Access Points, among others by the Access Point the client is connected to! (All Access Points radiate all wireless LANs.)
    Regarding this client the syslog server often says:
    Sep 17 16:01:57.187 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M1 retransmissions exceeded for client LOCAL USE 0 ERROR CONDITION
    Sep 17 16:02:07.885 1x_ptsm.c:511 DOT1X-3-PSK_CONFIG_ERR: Client may be using an incorrect PSK LOCAL USE 0 ERROR CONDITION
    Last week I tried the troubleshooting of the WCS with the following effect:
    Time :09/18/2009 19:01:39 Message :Controller association request message received.
    Time :09/18/2009 19:01:39 Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    Time :09/18/2009 19:01:39 Message :Received reassociation request from client.
    Time :09/18/2009 19:01:39 Message :The wlan to which client is connecting requires 802 1x authentication.
    Time :09/18/2009 19:01:39 Message :Client moved to associated state successfully.
    Time :09/18/2009 19:01:39 Message :802.1x authentication message received, static dynamic wep supported.
    Time :09/18/2009 19:01:39 Message :802.1x authentication was completed successfully.
    Time :09/18/2009 19:01:39 Message :Client has got IP address, no L3 authentication required.
    I think the problem is hidden at the client but I don't know what it could be. The PSK cannot be incorrect because the client is able to connect to the wireless LAN but later loses the connection.
    Does somebody have an idea or know the error messages?!
    Greetings lydia

    Hi,
    I'm exactly with the same problem! Can you please tell me if you were able to solve this?
    Thank you!
    Best regards,

  • Client Excluded ReasonCode on WLC for Web Auth

    Hi.
    I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
    Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

    I haven't tried it recently. But I'm afraid of this one :
    CSCsy88149 Chained certificate can not have Wildcard * character in hostname
    Even if bought at VeriSign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained ones.
    Again, I didn't verify it myself.

  • 802.1X Authentication failed without 802.1X authentication enabled

    Hi,
    we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
    It seemed to work fine for about 2 weeks, and now we have detected the following problem with some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2; we also use MAC filtering.
    When they lost the connection we can see the following error:
    Message:
    Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    Message:
    Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    I also attach an output of the troubleshoot mac address...
    Can someone help me with this?
    Thank you.
    Best regards,

    Hi Kirbus,
    We opened a TAC case and were advised for now to make the following changes:
    1. Please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration.
    2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.
    3. On the WLC general configuration, can you please disable aggressive load balancing.
    4. On the security tab on the WLC, please go to wireless protection policies > disable client exclusion policies.
    5. On the AP network configuration please disable short preamble; the original standard was long preambles.
    6. Wireless -> disable auto-RRM channel & power assignment & try "on demand".
    7. Apply these modifications on the WLC CLI:
    config advanced eap identity-request-timeout 20
    config advanced eap identity-request-retries 10
    config advanced eap request-timeout 20
    config advanced eap request-retries 10
    Save config, and see if you still face the problem.
    We are still monitoring the solution, but until now we didn't face the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • Web Authentication Catalyst 2960

    Hi,
    I am trying to configure fallback Web Authentication on a catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
    The equipment regarding my question: a Catalyst 2960 switch (version 122-37.SE) and a FreeRADIUS server.
    Here's what happens:
    The authentication window pops up in my browser and the Access-Request is sent to the RADIUS server.
    The RADIUS server in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch; the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this the browser on the client outputs an 'Authentication failed' message.
    I've read the manual and the Cisco-attribute Value pairs were mentioned : 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.
    Any suggestions ?
    Thanx in advance

    Yes, they are mandatory.
    If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.
    Not sure about the specific FreeRADIUS config, but you need to set up the [026\009\001] cisco-av-pair VSA. It would look something like:
    priv-lvl=15
    proxyacl#10=permit ip any any
    Let me know if this gets you squared away,

  • Internal Web Authentication + Local Net User

    Hi all,
    I'm trying to set up the WLC with internal web authentication + a local net user account. I've set up a WLAN for this local net user and configured the user profile to map to this WLAN.
    When the laptop gets associated with the designated WLAN and the user tries to browse to the internet, the internal web authentication page doesn't appear in the browser.
    I'm just curious: is there any DNS server required in order to direct the user-entered URL request to the virtual interface?
    regards.

    Well, if you are using webauth for guest users, you really want to have an open SSID and either have a username and password on the WLC or use a passthrough webauth where the guest users just have to click submit or accept. If you are using this for internal users, then you really shouldn't use webauth since this will not be single sign-on. Again, you can if you want your internal users to sign on again. There is WPA/WPA2 PSK and then there is WPA/WPA2 802.1x, which will require either using local EAP or a RADIUS server. The RADIUS server will either have the local user accounts or you can point this to AD. Depending on whether you use EAP-PEAP (certificate on the RADIUS server only) or EAP-TLS (certificate on both the RADIUS server and the client) you will need a certificate.
    For webauth only, you do not need a certificate on the user or RADIUS server; a certificate will be required on the WLC if you don't want users to be prompted with a certificate error message. 5.1 supports unchained certificates, but I always use RapidSSL for a root CA cert just to make deployment much simpler for the client. So webauth and EAP will require certificates, with webauth being optional.

  • Does this support EAP? LEAP? PEAP? Web Authentication?

    I am trying to access my college network at Baruch, and it's not letting me get past the authentication. Safari just freezes. Is the iPad EAP compliant? The iPhone works fine. If it's not, is Apple working on a fix?
    Honestly, for an app to promote keynotes, logging into a client's network before a presentation, I see huge problems with this. What if the client uses web authentication to access Wi-Fi? Is there a fix around this?
    Thanks

    I assume EAP types are supported just like on an iPhone. If you manually configure to connect to a wireless network, are WPA/2 Enterprise choices listed? If so, that implies EAP support.
    I believe I saw other complaints about web auth not working. I assume that's an issue with iPad Safari not being able to interpret the web auth page coming from the wireless access point/controller.
    I'm unclear on what you're trying to connect to: a WLAN using web auth or LEAP/PEAP/etc.? They are usually not used together.

  • External Web authentication server for Guest access

    I have a guest wireless WLAN set up. When guest users attach to our guest wireless they are prompted by the built-in web security on the WLCs.
    Cisco talks about how to set up the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or give examples.
    I need some help getting an external web server to do web authentication. With the server we would like to get some basic info from the user: name, email, purpose of using the WLAN, and some background info they don't see like computer name and MAC address. This is all for tracking purposes.
    Hotels do this type of web authentication, for example.
    Any help would be great.

    Hi Patrick,
    I'm having the same problem here. I configured my WLC to redirect the login page to a web server, but I don't know how to configure the web server to send the credentials back to the WLC. Were you able to solve this problem?
    thanks!
    Claudio

  • Repeated wlc 5508 client web authentication

    I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. The session timeout is set to 4 hours; however, many times a client is presented with a web authentication screen right in the middle of browsing, at random times.
    I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC. For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
    I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
    The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
    I do have a TAC case opened up, but was wondering if anyone has experienced this before?
    Sorry for the rambling...

    Rene,
    I did several things and at least one of them seemed to resolve the issue:
    These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
    1. Upgrade WLC to 7.0.98.218 [self explanatory]
    2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
    3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
    4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
    5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
    I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
    Good Luck,
    Rob.
