topic Re: EAP ID mismatch in Wireless

EAP ID mismatch

enghassanf9009 — Thu, 10 Nov 2022 13:33:41 GMT

Hi ,, I am facing connection problems with laptops when try to conect to the WiFi , I am not facing same issue with Mobiles.

when a laptop tries to connect to the WiFi it is often failed and after trying for many times it succeed.

I did debug and I figured out that the problem is the laptops are replaying too late that the server increment EAP ID before they send the response with older EAP ID causing ID mismatch.

Is there a way to maybe disable this check or any other work around.

or if my conclusion is wrong , please advise me .

below is the debugging output :

*apfOpenDtlSocket: Nov 10 11:44:10.906: 18:cf:5e:11:38:d7 Recevied management frame ASSOCIATION REQUEST on BSSID 08:ec:f5:cb:e4:c0 destination addr 08:ec:f5:cb:e4:c0
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Received ADD_MOBILE ack - Initiating 1x to STA 18:cf:5e:11:38:d7 (idx 90)
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 APF Initiating 1x to STA 18:cf:5e:11:38:d7
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sent dot1x auth initiate message for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1xProcessInitiate1XtoMobile to mobile station 18:cf:5e:11:38:d7 (mscb 2, msg 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 reauth_sm state transition 1 ---> 0 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 1)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile in dot1x state = 2
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 reauth_sm state transition 0 ---> 1 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received Identity Response (count=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Resetting reauth count 1 to 0 for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 EAP State update from Connecting to Authenticating for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Authenticating state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 Entering Backend Auth Response state for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Processing AAA Error 'Timeout' (-5) for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 PMK: Sending Flexconnect group cache delete message to spam task
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Removing PMK cache entry for station 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Succesfully freed AID 15, slot 0 on AP 08:ec:f5:cb:e4:c0, #client on this slot 4
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Sent Deauthenticate to mobile on BSSID 08:ec:f5:cb:e4:c0 slot 0(caller 1x_auth_pae.c:1888)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*osapiBsnTimer: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireCallback (apf_ms.c:645) Expiring Mobile!
*apfReceiveTask: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireMobileStation (apf_ms.c:7869) Changing state for mobile 18:cf:5e:11:38:d7 on AP 08:ec:f5:cb:e4:c0 from Associated to Disassociated

Re: EAP ID mismatch

Mark Elsen — Thu, 10 Nov 2022 14:28:22 GMT

- Below is the output from your debugging session when analyzed with : https://cway.cisco.com/wireless-debug-analyzer/ (Show all flag was checked) :

TimeTaskTranslated

Nov 10 11:44:10.910	*Dot1x_NW_MsgTask_7	WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.277	*Dot1x_NW_MsgTask_7	WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.422	*Dot1x_NW_MsgTask_7	Client sent EAP-Identity-Response to WLC/AP
Nov 10 11:44:42.523	*Dot1x_NW_MsgTask_7	Client has been deauthenticated
Nov 10 11:44:42.523	*Dot1x_NW_MsgTask_7	Client expiration timer code set for 10 seconds. The reason: AAA error during dot1x auth (server timeout, no server found, etc), triggering client delete
Nov 10 11:44:52.358	*apfReceiveTask	Client session has timed out

Re: EAP ID mismatch

enghassanf9009 — Thu, 10 Nov 2022 14:34:11 GMT

Hi Sir , thanks a lot for your replay .

This means that the problem is the authentication server is not available ?

if Yes why I dont face this issue with mobiles ?

the problem has nothing to do with EAP ID mismatch ?

Pardon my questions but I am trying to understand .

Re: EAP ID mismatch

JPavonM — Thu, 10 Nov 2022 16:30:46 GMT

Have you tried to upgrade wNIC drivers to latest ones?

Re: EAP ID mismatch

enghassanf9009 — Thu, 10 Nov 2022 16:42:53 GMT

Is there a command to make it ignore the ID mismatch ?

Re: EAP ID mismatch

Mark Elsen — Thu, 10 Nov 2022 17:02:03 GMT

>...This means that the problem is the authentication server is not available ?

- It depends , lookup the mac address of the laptop in the authenticating logs of the authorization server and see how the authentication for the particular mac is processed. If it can not be found then the laptop may not be able to reach the authentication server, as other user said make sure wireless drivers are up to date.

Re: EAP ID mismatch

Rich R — Wed, 16 Nov 2022 12:00:49 GMT

> Is there a command to make it ignore the ID mismatch ?
No - that would break the security of the protocol!

What model of controller?
What version of software?
What model of AP?
What make and model of network adapter on laptop?
What version is the network adapter driver?

Re: EAP ID mismatch

JPavonM — Wed, 16 Nov 2022 12:19:23 GMT

If you are only selecting the SSID on the operating system to connect to, try to manually set the WLAN profile in the OS with the correct configuration. Sometimes automatic connections use improper EAP ID and you need to create the profile manually. This happen to me using Android with public signed certificates, and some legacy Windows ones.