topic Re: Authentication rejected because of challenge failure ReasonCode: 15 in Wireless

Authentication rejected because of challenge failure ReasonCode: 15

gyip — Mon, 05 Jul 2021 15:10:22 GMT

I have configured a guest network that authenticates using the local database in my 2500 series wireless controller. When I login, using the username/password I create, I see a success screen and I get an IP address but am not connected to the internet. (Not able to ping 8.8.8.8). When I look at the recent traps, I see the following corresponding entries:

1080	Fri Jan 26 18:18:43 2018	Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1 TxPkts: 0l TxBytes: 0l RxPkts: 0l RxBytes: 0l
1081	Fri Jan 26 18:18:43 2018	Client Deauthenticated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1
1082	Fri Jan 26 18:18:43 2018	Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1 TxPkts: 0l TxBytes: 0l RxPkts: 0l RxBytes: 0l
1083	Fri Jan 26 18:18:43 2018	Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1
1084	Fri Jan 26 18:18:42 2018	Client Association Failure: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name:test IP Addr: 10.20.44.106 Reason:Authentication rejected because of challenge failure ReasonCode: 15
1092	Fri Jan 26 18:18:09 2018	User test logged in. Client MAC:45:85:00:b1:14:e4, Client IP:10.20.44.106, AP MAC:48:90:a5:cb:9c:80, AP Name:AP4810.7A70.464A
1093	Fri Jan 26 18:18:09 2018	Client Authenticated: MAC Address:45:85:00:b1:14:e4 base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name:test IP Addr:10.20.44.106 SSID:Guest

I can't seem to find any information on what "Authentication rejected because of challenge failure ReasonCode: 15" corresponds to.

Thanks for your help.

Re: Authentication rejected because of challenge failure ReasonCode: 15

Leo Laohoo — Sat, 27 Jan 2018 07:26:39 GMT

@gyip wrote:

Reason:Authentication rejected because of challenge failure ReasonCode: 15

4-way handshake timeout.

This means that during the initial phase of authentication the wireless client didn't respond or didn't respond within the time frame.

Re: Authentication rejected because of challenge failure ReasonCode: 15

gyip — Sat, 27 Jan 2018 07:36:14 GMT

This happens on my mobile device, laptop and other laptops. Because of that I am thinking it has to be a setting on the controller.

Re: Authentication rejected because of challenge failure ReasonCode: 15

Leo Laohoo — Sat, 27 Jan 2018 07:43:22 GMT

It's not just a setting in the controller or WLAN but also the authentication server.

Re: Authentication rejected because of challenge failure ReasonCode: 15

gyip — Sat, 27 Jan 2018 08:05:14 GMT

The authentication server is the wireless controller itself. I created a user by hand in the Local Net Users section. As you can also see by the trap that I am authenticated.

Re: Authentication rejected because of challenge failure ReasonCode: 15

Leo Laohoo — Sat, 27 Jan 2018 08:07:57 GMT

The client isn't authenticated. I can see logs showing the clients associating and then attempt to authenticating before getting rejected due to timeout.

Re: Authentication rejected because of challenge failure ReasonCode: 15

Scott Fella — Sun, 28 Jan 2018 20:55:14 GMT

What link are you using when you configured 802.1x on the controller? Seems to me that your configuration is most likely not correct.

Re: Authentication rejected because of challenge failure ReasonCode: 15

gyip — Mon, 29 Jan 2018 01:42:07 GMT

I'm not really sure what link you are referring to.
I have Layer 3 configured on the WLAN to be a Web Policy and using Authentication. Then on the AAA Servers tab I only have LOCAL specified in the Authentication priority order for web-auth user.
To me it seems like authentication is working because in trap #1093 and #192 you will see "Client Authenticated" and also "User test logged in." On my computer after I enter the creds, the Success page is displayed and says I am logged in also. I have an IP address but when I ping 8.8.8.8 there is no response.

Re: Authentication rejected because of challenge failure ReasonCode: 15

gyip — Tue, 30 Jan 2018 05:09:23 GMT

I've resolved my issue and just wanted to give everyone my resolution.

As I mentioned above, the authentication traps are indeed correct and show that the client was authenticated. The signs that point me to this conclusion were the fact that the traps show client authenticated (which is identical traps to when you authenticate with radius and any other method successfully) in addition to the web auth success page.

I have a post auth ACL to restrict access of my guest wireless network to internal resources by blocking all private IP address spaces. Because of I have DHCP coming from a server (rather than the wireless controller as the DHCP server), I needed to include the guest wireless network subnet as a permitted address space in the ACL. It seems that the IP address range of the client wasn't implied and I had to explicitly grant access to it. Once I added it, everything works now.