topic Excessive Client Authentication/Association Failure's. What is g in Wireless

Excessive Client Authentication/Association Failure's. What is going on!?

Craddockc — Sun, 04 Jul 2021 06:26:43 GMT

Hello Community,

Once again I am reaching out to you for help. I am hoping someone can help me. I have been noticing in my trap logs that there are an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 AP's (1131ag, 1142abgn, 1262N) models. The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means. It could mean many things, unfortunately it is too ambiguous to make heads or tails of. Can someone point me in the right direction? Things I can check? I posted below some of the Trap Logs, they go on and on like that. Thank you for any help you can provide.


1	Tue Jan 29 11:42:51 2013	Client Association Failure: MACAddress:e4:8b:7f:9d:e9:5c Base Radio MAC:10:bd:18:a7:41:e0 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
2	Tue Jan 29 11:40:40 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
3	Tue Jan 29 11:40:40 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
4	Tue Jan 29 11:40:39 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
5	Tue Jan 29 11:40:39 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
6	Tue Jan 29 11:40:39 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
7	Tue Jan 29 11:40:38 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
8	Tue Jan 29 11:40:38 2013	Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1
9	Tue Jan 29 11:40:38 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
10	Tue Jan 29 11:40:38 2013	Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1
11	Tue Jan 29 11:40:38 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
12	Tue Jan 29 11:40:37 2013	Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1
13	Tue Jan 29 11:40:37 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
14	Tue Jan 29 11:40:37 2013	Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1
15	Tue Jan 29 11:40:37 2013	Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
16	Tue Jan 29 11:40:36 2013	Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:a8:b1:d4:c4:7c:80 Slot: 1 User

Re: Excessive Client Authentication/Association Failure's. What

David Watkins — Wed, 06 Feb 2013 17:11:51 GMT

Can you take a client debug on one of the problem clients?

1. >config sessions timeout 0

2. >debug client

2. Connect the client and keep the debug running until the device is deauthenticated and post/attach your collected debug output.

Is this happening on a particular SSID? Can you provide the

>show wlan

so we can see the existing WLAN configuration.

What flavor of RADIUS are you using? Can you provide some example of any attributes/results you are setting for this particular profile?

Also, what type of clients are these? What OS, and WiFi adapter make/model/driver? What are you using as your suppliicant? Windows WZC, Intel ProSet, other?

Excessive Client Authentication/Association Failure's. What is g

Craddockc — Fri, 08 Feb 2013 00:38:08 GMT

David,

I would love to run a debug on a problem client but the problem is that I have no way to tell where the client is or who the device belongs to. I can see what AP is refusing the connection by plugging in the base radio MAC, but also no way of telling what SSID they are trying to connect to either. I am assuming these clients are attemting to connect to the network but are failing, but do not know why. As far as the clients go, again no way to tell. We run laptops as well as iPads (I work at a private K-12 College Prep school) and any other wireless device they may be trying to connect to the network. The laptops run Windows 7 Pro and the WZC supplicant handles the WLAN adapter.

My concern is the inordinant amount of failures to connect. is someone trying to hack my network? Here is the output of the wlan (smesw) that I suspect it may be happening on as this is the only wlan that uses 802.1x authentication. All others require a password and are mac filtered.

WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility

------- ------------------------------------- -------- -------------------- ---------------

3 SMES Wireless / smesw Enabled smesw none

4 US Wireless / USWireless Enabled us-wireless none

5 MS Wireless / MSWireless Enabled ms-wireless none

6 LS Wireless / LSWireless Enabled ls-wireless none

7 Guest / Guest Enabled guest none

10 Apple TV / ATV Enabled atvmcast none

(Cisco Controller) >show wlan 3

WLAN Identifier.................................. 3

Profile Name..................................... SMES Wireless

Network Name (SSID).............................. smesw

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Client Profiling Status ....................... Disabled

DHCP ......................................... Disabled

HTTP ......................................... Disabled

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 196

Exclusionlist.................................... Disabled

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ 300 seconds

--More-- or (q)uit

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... Cisco_93:f1:84

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ smesw

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... 10.10.0.6

DHCP Address Assignment Required................. Enabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

--More-- or (q)uit

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Scan Defer Priority.............................. 5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ 10.10.0.6 1812

Accounting.................................... Disabled

Dynamic Interface............................. Disabled

Dynamic Interface Priority.................... wlan

LDAP Servers

--More-- or (q)uit

Server 1...................................... 10.10.1.5 389

Local EAP Authentication......................... Disabled

Security

802.11 Authentication:........................ Open System

FT Support.................................... Disabled

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Disabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Enabled

AES Cipher.............................. Enabled

Auth Key Management

802.1x.................................. Enabled

PSK..................................... Disabled

CCKM.................................... Disabled

FT-1X(802.11r).......................... Disabled

FT-PSK(802.11r)......................... Disabled

PMF-1X(802.11w)......................... Disabled

PMF-PSK(802.11w)........................ Disabled

FT Reassociation Timeout................... 20

FT Over-The-DS mode........................ Disabled

--More-- or (q)uit

GTK Randomization.......................... Disabled

SKC Cache Support.......................... Disabled

CCKM TSF Tolerance......................... 1000

WAPI.......................................... Disabled

Wi-Fi Direct policy configured................ Disabled

EAP-Passthrough............................... Disabled

CKIP ......................................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

FlexConnect Local Switching................... Disabled

flexconnect Central Dhcp Flag................. Disabled

flexconnect nat-pat Flag...................... Disabled

flexconnect Dns Override Flag................. Disabled

FlexConnect Vlan based Central Switching ..... Disabled

FlexConnect Local Authentication.............. Disabled

FlexConnect Learn IP Address.................. Enabled

Client MFP.................................... Disabled

PMF........................................... Disabled

PMF Association Comeback Time................. 1

PMF SA Query RetryTimeout..................... 200

--More-- or (q)uit

Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Enabled

Load Balancing................................... Client-Count Based

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID IP Address Status

------- --------------- ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Excessive Client Authentication/Association Failure's. What is g

Craddockc — Fri, 08 Feb 2013 00:52:33 GMT

David,

I went ahead and set up client exclusion on my wlans as well without an infinite timeout value. This may also help me to identify who/where the problem is.

Excessive Client Authentication/Association Failure's. What is g

Scott Fella — Fri, 08 Feb 2013 03:12:32 GMT

This can cause an issue:

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Enabled

AES Cipher.............................. Enabled

WPA2 uses AES and not TKIP.... disable TKIP.

Also maybe disable this:

DHCP Address Assignment Required................. Enabled

DISABLE THIS!!!!!!

Load Balancing................................... Client-Count Based

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Excessive Client Authentication/Association Failure's. What is g

Craddockc — Fri, 08 Feb 2013 18:06:30 GMT

Scott,

Thank you for the reply. So the Client Load balancing is not a good option to enable? May I ask why? I went ahead and disabled the other options you recommended. Thanks for all your input

Chris.

Re: Excessive Client Authentication/Association Failure's. What

Scott Fella — Fri, 08 Feb 2013 18:20:36 GMT

Bottom line is that many clients don't support it and causes clients to hang.

Makes the changes and let me know if it fixes your issue or not.

I would do this for all your ssids also.

Sent from Cisco Technical Support iPhone App

Re: Excessive Client Authentication/Association Failure's. What

Craddockc — Fri, 08 Feb 2013 18:37:29 GMT

Scott,

Thank you. I made the changes and will monitor. I will be sure to get back to you and rate the postings

Re: Excessive Client Authentication/Association Failure's. What

Scott Fella — Fri, 08 Feb 2013 18:42:10 GMT

Sounds good!

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Excessive Client Authentication/Association Failure's. What is g

Craddockc — Fri, 22 Mar 2013 22:13:46 GMT

Scott and David,

I am sorry I have not gotten back to this post in some time...been very busy. I have found the culprit to these pesky logon failures. Come to find out, they were miscellaneous devices such as smartphones attempting to connect to WLANs that had MAC filtering on them. Since the controller did not have a profile for them they were being refused the connection. I was able to figure this out by enabling Client Exclusion and cross referencing the excluded clients in the list as they populated with the mac addresses of the offending devices in the Trap Logs. Come to find out all these devices that were being excluded were trying to connect to WLANs that they had no authentication to. Not the biggest of deals other than those devices transmitting and hogging up airtime, but atleast my security measures are doing their job and blocking these devices from authenticating/associating.

As always, I truly value your input and help. The Cisco Support community is a tremendous asset to me and I do not know where I would be without it. Thanks again guys!

Chris.