04-27-2011 07:40 AM - edited 07-03-2021 08:07 PM
We have an AP 1130 with local RADIUS service. It has two associated clients, 7921 IP phones. Everything works fine. But when I try to connect a new phone I get an authentication error. The phone settings are the same.
I tried the following debugs:
dot11/wlccp authenticator:
state machine debugging is on
process debugging is on
radius local:
Radius server error debugging is on
Radius server client failures debugging is on
Radius protocol debugging is on
Radius packet protocol (authentication) debugging is on
Apr 27 12:47:38.378: RADIUS(00001F10): Received from id 1645/93
Apr 27 12:47:38.378: RADIUS/DECODE: EAP-Message fragments, 26, total 26 bytes
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found session timeout 120 sec
Apr 27 12:47:38.378: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 120 seconds
Apr 27 12:47:42.978: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 8843.e133.51db
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Client 8843.e133.51db timer started for 30 seconds
Apr 27 12:47:43.022: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Sending client 8843.e133.51db data to server
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Apr 27 12:47:43.023: RADIUS/ENCODE(00001F12):Orig. component type = DOT11_AUTH
Apr 27 12:47:43.023: RADIUS: AAA Unsupported Attr: ssid [263] 9
Apr 27 12:47:43.023: RADIUS: 4B 4D 52 55 53 57 49 [1234567]
Apr 27 12:47:43.023: RADIUS: AAA Unsupported Attr: interface [156] 4
Apr 27 12:47:43.024: RADIUS: 35 34 [54]
Apr 27 12:47:43.024: RADIUS(00001F12): Storing nasport 5405 in rad_db
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS/ENCODE(00001F12): acct_session_id: 7954
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS(00001F12): sending
Apr 27 12:47:43.024: RADIUS(00001F12): Send Access-Request to 10.122.156.138:1812 id 1645/94, len 137
Apr 27 12:47:43.025: RADIUS: authenticator 82 3E 35 09 1C 77 95 0D - 13 6A DA 01 E5 B2 A5 21
Apr 27 12:47:43.025: RADIUS: User-Name [1] 11 "anonymous"
Apr 27 12:47:43.025: RADIUS: Framed-MTU [12] 6 1400
Apr 27 12:47:43.025: RADIUS: Called-Station-Id [30] 16 "001b.2a6d.2d68"
Apr 27 12:47:43.025: RADIUS: Calling-Station-Id [31] 16 "8843.e133.51db"
Apr 27 12:47:43.025: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 12:47:43.025: RADIUS: Message-Authenticato[80] 18 *
Apr 27 12:47:43.025: RADIUS: EAP-Message [79] 16
Apr 27 12:47:43.026: RADIUS: 02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73 [?????anonymous]
Apr 27 12:47:43.026: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Apr 27 12:47:43.026: RADIUS: NAS-Port [5] 6 5405
Apr 27 12:47:43.026: RADIUS: NAS-IP-Address [4] 6 10.122.156.138
Apr 27 12:47:43.026: RADIUS: Nas-Identifier [32] 10 "KM-AP-02"
Apr 27 12:47:43.027: RADSRV: Unable to add TEAP client: max client limit reached, 10
Apr 27 12:47:48.010: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:48.010: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 8843.e133.51db
Apr 27 12:47:48.011: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Apr 27 12:47:48.582: RADIUS: no sg in radius-timers: ctx 0xBAE51C sg 0x0000
8843.e133.51db is the MAC address of the problem phone. In addition, lines like this one appear in the debug output:
%DOT11-4-MAXRETRIES: Packet to client 8843.e133.51db reached max retries, removing the client
But the radio environment is good.
Here is part of the AP configuration:
ip ssh source-interface BVI1
ip ssh version 2
aaa new-model
!
!
aaa group server radius RADIUS-LOCAL
server 10.122.156.138 auth-port 1812 acct-port 1813
deadtime 0
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login method_infrastructure group RADIUS-LOCAL
aaa authentication login method_client group RADIUS-LOCAL
aaa authentication login method_eap group RADIUS-LOCAL
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid 123456789
vlan 51
authentication open eap method_eap
authentication network-eap method_eap
authentication key-management wpa cckm
!
dot11 network-map
dot11 phone dot11e
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 51 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm tkip
!
ssid 123456789!
countermeasure tkip hold-time 90
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 14
power local cck -1
power local ofdm -1
channel 2462
station-role root
dot11 extension power native
interface BVI1
ip address 10.122.156.138 255.255.255.192
no ip route-cache
!
ip radius source-interface BVI1
!
radius-server local
no authentication mac
nas 10.122.156.138 key 7 107B3E125C153302161E0C2037
nas 10.122.156.137 key 7 08147B45501B241E08112A0F39
group IP-phones
vlan 51
ssid 123456789
!
user AP-02 nthash 7 143334522E20787B7D71636301475240572001097C037656533A457B0E7103770D
user AP-01 nthash 7 1321314B2928567A727D786516764651422256067D08710C5E214B340F7E07760A
user SEP0021A0249690 nthash 7 101F5B48524F475D5556080D070D176D71372642275072007C750D2B2639467A7D group IP-phones
user SEP0021A0248A2F nthash 7 091D1C584E5D4244525E260C08010C6B660632533252250F7D7E0A712B2248357C group IP-phones
user AP-03 nthash 7 075A02141E593F544433582F21727D010C6160764323325724010A0B027157224A
user AP-04 nthash 7 115C3A5D47422D5D570B78070D6B63073755435751727D0C76035D504933007905
user SEP8843E13351DB nthash 7 091C1E59495547425B5C547A7B7478636572435746535106090803045E53484609 group IP-phones
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.156.138 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server host 10.122.156.137 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server vsa send accounting
If anybody has some experience with this, please help me find a solution to this problem.
Thanks
04-27-2011 08:29 AM
The only thing that comes to my mind is:
What is the part name of this phone? Does it end with -W or just -A?
Why are you using anonymous users?
User-Name [1] 11 "anonymous" ?
Did you try using only TKIP alone as encryption?
Check the local radius statistics...
Can you test with a simple username like test and password test?
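The reply above questions the User-Name "anonymous" in the Access-Request. As an added example (not part of the thread and not Cisco code), this script decodes the EAP-Message bytes from the posted debug and checks the identity against the `user` names in the posted `radius-server local` block. The sample lines are copied from the question with the hashes replaced by a placeholder, the function names are made up here, and the SEP<MAC> naming is assumed from the posted config.

```python
import re

# Lines copied from the debug output and config in the question above.
# The nthash values are replaced with a placeholder; they are not needed here.
DEBUG = '''\
Apr 27 12:47:43.025: RADIUS: User-Name [1] 11 "anonymous"
Apr 27 12:47:43.025: RADIUS: Calling-Station-Id [31] 16 "8843.e133.51db"
Apr 27 12:47:43.025: RADIUS: EAP-Message [79] 16
Apr 27 12:47:43.026: RADIUS: 02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73 [?????anonymous]
Apr 27 12:47:43.026: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
'''
CONFIG = '''\
radius-server local
user AP-02 nthash 7 <hash>
user SEP0021A0249690 nthash 7 <hash> group IP-phones
user SEP8843E13351DB nthash 7 <hash> group IP-phones
'''

def eap_identity(debug_text):
    """Decode the hex dump under 'EAP-Message [79]'; return the identity string or None."""
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        if "EAP-Message" not in line:
            continue
        raw = []
        for nxt in lines[i + 1:]:          # hex continuation lines follow the attribute
            m = re.search(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[", nxt)
            if not m:
                break
            raw += m.group(1).split()
        pkt = bytes.fromhex("".join(raw))
        if len(pkt) < 5:
            continue
        code, length, eap_type = pkt[0], int.from_bytes(pkt[2:4], "big"), pkt[4]
        if code == 2 and eap_type == 1 and length <= len(pkt):   # Response / Identity
            return pkt[5:length].decode("ascii", "replace")
    return None

def local_users(config_text):
    """Names from 'user <name> nthash|password ...' lines of the local RADIUS server."""
    return set(re.findall(r"^\s*user\s+(\S+)\s+(?:nthash|password)\b", config_text, re.M))

def check(debug_text, config_text):
    identity, users = eap_identity(debug_text), local_users(config_text)
    mac = re.search(r'Calling-Station-Id \[31\] \d+\s+"([0-9a-f.]+)"', debug_text)
    # Assumption: accounts for phones are named SEP<MAC>, as the posted config does.
    expected = "SEP" + mac.group(1).replace(".", "").upper() if mac else None
    return {"identity": identity, "identity_is_local_user": identity in users,
            "expected_user": expected, "expected_user_configured": expected in users}

if __name__ == "__main__":
    print(check(DEBUG, CONFIG))
```

The identity in the outer EAP exchange can differ from the credential used inside a tunneled method, so a mismatch here is a reason to check the username set on the phone, not proof of the cause.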
04-28-2011 04:22 AM
You're absolutely right! The username wasn't set properly.
Thanks a lot!
04-28-2011 11:38 AM
You are welcome... don't forget to rate the posts and to set this question as answered.