Intermittent authentication problems

david.chicote — Thu, 25 Nov 2021 15:29:12 GMT

Hi,

On a WLC 8510 - 8.5.171.0 - we have several clients that are sometimes unable to authenticate properly against a radius server. We have multiple WLANs with 802.1x and CCKM enabled and clients logs in SSIDs with username and password.

WLAN configuration

WLAN Identifier.................................. xx
Profile Name..................................... xxx_name
Network Name (SSID).............................. xxx_name
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Security Group Tag............................... Unknown(0)

--More-- or (q)uit
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 3
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 21600 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
Web Auth Captive Bypass Mode..................... None
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ if_vlan_xxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
Central NAT Peer-Peer Blocking................... Unknown
DHCP Address Assignment Required................. Disabled

CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ xxx.xxx.xxx.xx 1812 *
Accounting.................................... xxx.xx.x.xxx 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security


--More-- or (q)uit
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled

--More-- or (q)uit
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
qrscan-des-key................................ 
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled

--More-- or (q)uit
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
OpenDns Profile Name............................. None
OpenDns Wlan Mode................................ ignore
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled

--More-- or (q)uit
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
PRP.............................................. Disabled

EAP PArameters:

EAP-Identity-Request Timeout (seconds)........... 3
EAP-Identity-Request Max Retries................. 10
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 3
EAP-Request Max Retries.......................... 10
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600
RSN Capability Validation........................ enable

Sometimes, the client authenticates correctly but after 30 minutes or roams to another AP, the autentication fails and they cant re-authenticate on the same SSID.

In the WLC log, we can see the following logs:

*Dot1x_NW_MsgTask_4: Nov 25 10:57:15.016: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_4: Nov 25 10:57:13.511: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:57:10.392: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:57:10.349: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client a8:91:3d:84:c1:88 may be using an incorrect PSK
*Dot1x_NW_MsgTask_6: Nov 25 10:57:04.480: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask3: Nov 25 10:57:02.768: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 20:3a:07:85:45:a0: DTLS connection closed forAP 77:26:73:5 (53978), Controller: 10:35:0:78 (5246) Join Request Process Failed
*spamApTask3: Nov 25 10:57:02.768: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*Dot1x_NW_MsgTask_4: Nov 25 10:57:01.899: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:57:01.061: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_7: Nov 25 10:57:00.946: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:57:00.885: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_7: Nov 25 10:56:57.992: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client f4:f5:db:c4:d8:8f - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*Dot1x_NW_MsgTask_4: Nov 25 10:56:57.613: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_2: Nov 25 10:56:57.396: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:56:56.881: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:56:52.852: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:52.605: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 84:ad:8d:bd:a1:04
*Dot1x_NW_MsgTask_4: Nov 25 10:56:52.593: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 84:ad:8d:bd:a1:04 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*dot1xMsgTask: Nov 25 10:56:51.362: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client e4:76:84:aa:cf:c7
*apfMsConnTask_4: Nov 25 10:56:50.499: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0

--More-- or (q)uit
*spamApTask3: Nov 25 10:56:48.066: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 2, count 1 from AP 00:d7:8f:8c:62:b0
*Dot1x_NW_MsgTask_2: Nov 25 10:56:45.198: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_0: Nov 25 10:56:44.762: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:43.763: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:39.144: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 58:e6:ba:05:2d:1d Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Nov 25 10:56:38.965: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:56:38.910: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_7: Nov 25 10:56:38.791: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:56:38.747: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:56:34.137: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 58:e6:ba:05:2d:1d
*Dot1x_NW_MsgTask_5: Nov 25 10:56:34.129: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 58:e6:ba:05:2d:1d Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*haSSOServiceTask1: Nov 25 10:56:32.850: %APF_HA-3-SYNC_RETRANSMIT_FAIL: [PA]apf_ha.c:4483 Maximum retransmission exceeded for client (c0:bd:c8:d8:f2:f9 )data sync block:0x80000. Retry after 150 secs.
*Dot1x_NW_MsgTask_1: Nov 25 10:56:32.081: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:56:30.580: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client fc:18:3c:54:b5:d0 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*dot1xMsgTask: Nov 25 10:56:30.577: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 4c:f2:02:3a:55:fe
*Dot1x_NW_MsgTask_4: Nov 25 10:56:29.086: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:56:26.829: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:56:26.651: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:26.623: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:56:23.714: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*dot1xMsgTask: Nov 25 10:56:23.373: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client ea:c0:b0:de:e5:9e
*Dot1x_NW_MsgTask_2: Nov 25 10:56:19.334: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_7: Nov 25 10:56:18.845: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client b2:4e:26:af:fd:d7 - got 00 00 00 00 00 00 00 01, expected 00 00 00 00 00 00 00 02

--More-- or (q)uit
*Dot1x_NW_MsgTask_5: Nov 25 10:56:18.425: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 4a:91:f0:e6:d9:15 may be using an incorrect PSK
*dot1xMsgTask: Nov 25 10:56:17.395: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 5a:84:0e:bc:f2:ee
*apfMsConnTask_4: Nov 25 10:56:15.766: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_1: Nov 25 10:56:15.079: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:56:14.242: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*dot1xMsgTask: Nov 25 10:56:10.591: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client 04:f1:28:75:70:cc
*spamApTask1: Nov 25 10:56:07.214: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 2, count 3 from AP 58:97:bd:08:0c:f0
*Dot1x_NW_MsgTask_1: Nov 25 10:56:05.518: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:56:04.651: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*spamApTask5: Nov 25 10:56:01.729: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 4, count 1 from AP d8:b1:90:f2:95:d0
*dot1xMsgTask: Nov 25 10:56:00.695: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client a0:57:e3:90:7d:6b
*Dot1x_NW_MsgTask_3: Nov 25 10:55:58.095: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:57.208: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:54.110: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_3: Nov 25 10:55:50.535: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask7: Nov 25 10:55:49.009: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 1, WLAN ID 6, count 106 from AP d8:b1:90:d3:cb:60
*Dot1x_NW_MsgTask_1: Nov 25 10:55:48.232: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*spamApTask3: Nov 25 10:55:48.000: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 20:3a:07:85:45:a0: DTLS connection closed forAP 77:26:73:5 (53978), Controller: 10:35:0:78 (5246) Join Request Process Failed
*spamApTask3: Nov 25 10:55:48.000: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*Dot1x_NW_MsgTask_7: Nov 25 10:55:47.005: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:55:46.699: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client e4:a7:c5:ad:98:43
*Dot1x_NW_MsgTask_2: Nov 25 10:55:46.453: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:45.552: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

--More-- or (q)uit
*apfMsConnTask_4: Nov 25 10:55:42.722: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*spamApTask6: Nov 25 10:55:42.060: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 3, count 10 from AP 00:fe:c8:2d:97:20
*spamApTask6: Nov 25 10:55:39.114: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 1, count 6 from AP cc:46:d6:ea:27:70
*Dot1x_NW_MsgTask_5: Nov 25 10:55:37.590: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*spamApTask5: Nov 25 10:55:35.526: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:45310 The system has received replay error on slot 0, WLAN ID 0, count 1 from AP 58:97:bd:80:8e:40
*Dot1x_NW_MsgTask_7: Nov 25 10:55:33.778: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:32.581: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:32.572: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_3: Nov 25 10:55:31.490: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_1: Nov 25 10:55:30.963: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:30.646: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_0: Nov 25 10:55:28.039: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 2c:33:61:88:82:58
*Dot1x_NW_MsgTask_0: Nov 25 10:55:28.031: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 2c:33:61:88:82:58 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*apfMsConnTask_4: Nov 25 10:55:20.418: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:55:18.754: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_5: Nov 25 10:55:18.304: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:18.295: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_1: Nov 25 10:55:14.132: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:55:13.283: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_0: Nov 25 10:55:12.492: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 52:9a:3a:c2:b6:68 - got 00 00 00 00 00 00 00 03, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Nov 25 10:55:12.492: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 52:9a:3a:c2:b6:68 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 04
*Dot1x_NW_MsgTask_0: Nov 25 10:55:10.928: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 62:68:20:d1:0f:a8 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*spamApTask4: Nov 25 10:55:10.876: %LWAPP-3-VENDOR_PLD_VALIDATE_ERR: [PA]spam_lrad.c:12016 Validation of SPAM_VENDOR_SPECIFIC_PAYLOAD(185) with length=9 failed - AP 5c:83:8f:f3:7b:90

--More-- or (q)uit
*Dot1x_NW_MsgTask_4: Nov 25 10:55:08.590: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:55:08.394: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:55:08.275: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:55:08.268: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*dot1xMsgTask: Nov 25 10:55:06.772: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client be:ea:df:16:61:3f
*Dot1x_NW_MsgTask_4: Nov 25 10:55:06.234: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:02.098: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:55:00.126: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_5: Nov 25 10:54:57.943: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:54:57.293: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_5: Nov 25 10:54:51.970: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_2: Nov 25 10:54:48.331: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:54:48.129: %DOT1X-3-INVALID_WPA_KEY_STATE: [PA]1x_eapkey.c:2909 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client e2:19:6c:7c:91:be
*Dot1x_NW_MsgTask_5: Nov 25 10:54:46.842: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:848 Unable to send AAA message for client 46:5a:96:e3:99:bd
*Dot1x_NW_MsgTask_5: Nov 25 10:54:46.833: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client 46:5a:96:e3:99:bd Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_0: Nov 25 10:54:46.718: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 1 failed; port status 1, key available 0, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:54:46.143: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client e0:aa:96:cf:1e:88 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01
*apfMsConnTask_4: Nov 25 10:54:43.124: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*apfMsConnTask_4: Nov 25 10:54:42.169: %APF-3-PREAUTH_FAILURE: [PA]apf_80211.c:14799 There is no PMK cache entry for clientfa:8d:29:c8:f7:d7. Can't do preauth
*dot1xMsgTask: Nov 25 10:54:39.210: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client b4:86:55:62:48:16
*Dot1x_NW_MsgTask_5: Nov 25 10:54:39.009: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client c2:af:b7:6c:c1:d5 may be using an incorrect PSK
*Dot1x_NW_MsgTask_4: Nov 25 10:54:36.330: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:54:35.265: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

--More-- or (q)uit
*spamApTask2: Nov 25 10:54:33.741: %CAPWAP-3-DTLS_CLOSED_ERR: [PA]capwap_ac_sm.c:7130 5c:83:8f:f3:7b:90: DTLS connection closed forAP 85:152:137:39 (54443), Controller: 10:35:0:78 (5246) AP Message Timeout
*spamApTask2: Nov 25 10:54:33.741: %CAPWAP-3-MAX_RETRANSMISSIONS_REACHED: [PA]capwap_ac_sm.c:7677 Max retransmissions reached on AP(5c:83:8f:f3:7b:90),message (CAPWAP_CONFIGURATION_UPDATE_REQUEST
),number of pending messages(2)
*spamApTask3: Nov 25 10:54:33.232: %CAPWAP-3-JOIN_UNSUPP_AP: [PA]capwap_ac_sm.c:5104 The system has received a join request from an unsupported AP 20:3a:07:85:45:a0 CEL000A015 (model AIR-LAP1261N-E-K9), dropping the packet
*apfMsConnTask_4: Nov 25 10:54:32.158: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_2: Nov 25 10:54:29.891: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client ae:07:de:6a:f1:0a - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*haSSOServiceTask1: Nov 25 10:54:26.610: %APF_HA-3-SYNC_RETRANSMIT_FAIL: [PA]apf_ha.c:4483 Maximum retransmission exceeded for client (c0:bd:c8:d8:f2:f9 )data sync block:0x80000. Retry after 120 secs.
*Dot1x_NW_MsgTask_0: Nov 25 10:54:24.267: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:54:20.981: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_0: Nov 25 10:54:12.823: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client a8:91:3d:84:c1:88 may be using an incorrect PSK
*apfMsConnTask_4: Nov 25 10:54:09.897: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_4: Nov 25 10:54:07.948: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_0: Nov 25 10:54:04.784: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_4: Nov 25 10:54:04.131: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:53:59.774: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_7: Nov 25 10:53:58.610: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_2: Nov 25 10:53:56.499: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client fa:1b:24:3d:5f:f2 - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_0: Nov 25 10:53:55.996: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*dot1xMsgTask: Nov 25 10:53:55.417: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1724 Unable to send EAPOL-key msg - invalid WPA state (0) - client e6:93:e8:fa:a3:55
*Dot1x_NW_MsgTask_2: Nov 25 10:53:54.961: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.979: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 3c:f8:62:0d:91:a2 may be using an incorrect PSK
*Dot1x_NW_MsgTask_2: Nov 25 10:53:53.891: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:452 Invalid replay counter from client 58:20:59:8e:73:5a - got 00 00 00 00 00 00 00 02, expected 00 00 00 00 00 00 00 03
*Dot1x_NW_MsgTask_5: Nov 25 10:53:53.568: %DOT1X-3-PSK_CONFIG_ERR: [PA]1x_ptsm.c:749 Client 4a:91:f0:e6:d9:15 may be using an incorrect PSK

--More-- or (q)uit
*Dot1x_NW_MsgTask_0: Nov 25 10:53:52.212: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_7: Nov 25 10:53:50.694: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_6: Nov 25 10:53:50.419: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*apfMsConnTask_4: Nov 25 10:53:48.957: %APF-3-VALIDATE_DOT11i_CIPHERS_FAILED: [PA]apf_rsn_utils.c:1212 Could not validate Dot11i security IE. Received an unsupported Multicast 802.11i OUI code from mobile.Mobile:84:b5:41:fe:aa:f0
*Dot1x_NW_MsgTask_4: Nov 25 10:53:44.727: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
*Dot1x_NW_MsgTask_3: Nov 25 10:53:43.203: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

I have to say that this is a large deployment where the WLC and APs are not in the same city and I think the issue could be due to congestion regarding these events:

*Dot1x_NW_MsgTask_3: Nov 25 16:31:32.312: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: [PA]1x_kxsm.c:130 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

Does anyone know the reason for these logs?

The following link does not help to find the root cause:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/message/guide/sysmsg76/dot1d_dot1q_dot1x_dot3ad_msgs8.html

Regards

topic Re: Intermittent authentication problems in Wireless

Intermittent authentication problems

Re: Intermittent authentication problems

Re: Intermittent authentication problems

Re: Intermittent authentication problems

Re: Intermittent authentication problems

Re: Intermittent authentication problems

Re: Intermittent authentication problems