%DOT11-7-AUTH_FAILED

lni1
Level 1

Dear Cisco,

Since we installed the mbssid feature on certain access points to broadcast 2 SSIDs at the same time, we are experiencing strange behaviour concerning certain users trying to log in:

May 11 17:16:49: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed

In ACS 5.2 we see the users didn't enter the correct pswd and after a certain time (and many attempts) we see AD sets the user account locked. Our windows people see our ACS as the guilty one, somehow the user/pswd info comes from the AP.

It seems some clients are trying "automatically" to connect to the access point because the SSID was broadcasted. It must have something to do with the mbssid feature, all our APs without this command don't seem to have the problem.

Any thoughts on this issue?

Many thanks,

Lieven Stubbe

Belgian Railways

5 Replies

maldehne
Cisco Employee

MBSSID has nothing to do with authentication failure.

In the meantime please upload the following:

Show run from the AP

The RADIUS authentication failure reason on ACS 5 with detailed steps of the failure

Dear maldehne,

ACS -> 24408 : User authentication against AD failed since user has entered the wrong password.

Did some study of the logs, and it seems a great deal of these errors were caused by "exotic" devices on our network, like Apple devices, HTC devices,...

This is very annoying, because after a while AD puts the user in a locked state.

Attached you will find the (reduced) config of one of our APs.

Thanks,

Lieven Stubbe

Belgian Railways

maldehne
Cisco Employee

Dear Lieven,

Please send the detailed steps of the failed attempt from the RADIUS Authentication report.

If you define an internal user on ACS and try, do you have the same issue?

Maldehne,

To test the local user, I have to set up our test ACS, this will take some time.

Somehow, most of our wireless authentications pass fine.

Thanks,

Lieven Stubbe

Belgian Railways

maldehne
Cisco Employee

The issue seems to be between the ACS and AD, so now try the following:

debug-adclient enable

reproduce the issue

no debug-adclient enable

Collect the output of:

show acs-logs filename ACSADAgent.log

Make sure to provide the timestamp and userid used while the issue is happening
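An added example, not part of the thread and not any poster's code: one way to find which stations are producing the repeated `%DOT11-7-AUTH_FAILED` messages that precede an AD lockout, by counting failures per station MAC in a sliding time window over AP syslog. The threshold of 5 failures, the 30-minute window, the year default, and all sample lines except the first are assumptions made for this illustration; set them to match your own AD lockout policy and logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the AP syslog line quoted in the first post.
AUTH_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}): %DOT11-7-AUTH_FAILED: "
    r"Station (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) Authentication failed"
)

# First line is from the thread; every other line is constructed sample data.
SAMPLE = """\
May 11 17:16:49: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed
May 11 17:17:10: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed
May 11 17:18:02: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed
May 11 17:19:00: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
May 11 17:20:00: %DOT11-7-AUTH_FAILED: Station 0a1b.2c3d.4e5f Authentication failed
May 11 17:21:40: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed
May 11 17:25:13: %DOT11-7-AUTH_FAILED: Station 0018.debf.14f1 Authentication failed
May 11 18:30:00: %DOT11-7-AUTH_FAILED: Station 0a1b.2c3d.4e5f Authentication failed
"""

def parse_failures(lines, year=2000):
    """Yield (timestamp, mac) per AUTH_FAILED line.
    The syslog line carries no year, so `year` is an assumed placeholder."""
    for line in lines:
        m = AUTH_FAILED.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["mac"]

def lockout_candidates(lines, threshold=5, window=timedelta(minutes=30)):
    """Return {mac: peak failure count} for stations that reach `threshold`
    failures inside any sliding `window` (both values are assumptions)."""
    by_mac = defaultdict(list)
    for ts, mac in parse_failures(lines):
        by_mac[mac].append(ts)
    flagged = {}
    for mac, stamps in by_mac.items():
        stamps.sort()
        start = peak = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[mac] = peak
    return flagged

if __name__ == "__main__":
    print(lockout_candidates(SAMPLE.splitlines()))
```

The flagged MAC addresses can then be matched against the usernames in the ACS RADIUS authentication report for the same timestamps.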
