
802.1X Authentication failed without 802.1X authentication enabled

Hi,

We are using 2 WISMs, with version 4.2.207 and a WCS to control them.

It seemed to work fine for about 2 weeks, and now we have detected the following problem with some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2; we also use mac-filter.

When they lost the connection we can see the following error:

Message:

Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.

Message:

Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.

I also attach an output of the troubleshoot mac address...

Can someone help me with this?

Thank you.

Best regards,


George Stefanick
VIP Alumni

Can you drop into the CLI of the WLC and do a client debug on the client in question and post your findings ...

thanks

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

Thank you for your reply. I have attached the debug.

The problem is at this stage:

Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Initiating RSN PSK to mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a dot1x - moving mobile 00:16:6f:06:27:0a into Force Auth state

Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Skipping EAP-Success to mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:53 2010: Including PMKID in M1  (16)

Fri Jan 29 11:26:53 2010:      [0000] 82 1d f1 e4 2f cc 1b 04 b8 e2 42 1a e1 73 4e 07

Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Sending EAPOL-Key Message to mobile 00:16:6f:06:27:0a

                    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00

Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a

Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a

Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a

Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Retransmit failure for EAPOL-Key M1 to mobile 00:16:6f:06:27:0a, retransmit count 3, mscb deauth count 0

Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Sent Deauthenticate to mobile on BSSID 00:1d:e6:24:e5:00 slot 0(caller 1x_ptsm.c:462)

Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Scheduling deletion of Mobile Statio

Any help understanding why would be great.

Thanks in advance,

Best regards,

See the lines that state Retransmit 1 and Retransmit 2... This is an indication the PSK key doesn't match on the client and/or WLC that the AP is associated to. Double check your PSK on the clients that are having issues. Something is amiss on the key side... I reproduced this in my lab and got the same results as you when the key did not match... see my output below yours ...

As for your 802.1x question. WPA2 / PSK is a form of EAP. Thus why you see 802.1x... Most folks assume 802.1x and RADIUS server... but not the case. Post back and let me know what you find...

Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a

Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a

Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired fo

My test ...

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi again George,

Thank you for your reply.

Yes, the behavior is as if the password is incorrect, but that can't be the problem, because these clients are connected without problems and then the problem starts to occur.

By the way, when we disable 802.11a on the client the problem seems to disappear...

Thank you.

Best regards,

I had an issue like this before... I had 6 WLCs and 1 of the WLCs had the wrong key and only had a few APs joined to that controller. When clients would roam to this AP the clients would spin.

I would double check the keys on the WLC, or try and see what APs the clients are trying to attach to when they spin...

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I just had the same issue with a similar setup: 6 LWAPPs and 1 WLC. After reading the posts it got me thinking that I should focus on the PSK. I changed the key on the WLC, saved the config, tested a new client and successfully connected. Then I went back to the WLC and re-entered the old PSK, saved the config and was able to get clients connected. Is there some kind of expiration or timeout for the PSK? (Using WPA+WPA2)

kirbus_inc
Level 1

We are also experiencing the same issue. Have you found a solution?

Hi Kirbus,

We opened a TAC case and were advised, for now, to make the following changes:

1. Please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration.

2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.

3. On the WLC general configuration, please disable aggressive load balancing.

4. On the security tab on the WLC, under wireless protection policies, disable client exclusion policies.

5. On the AP network configuration, please disable short preamble (the original standard was long preambles).

6. Wireless -> disable auto-RRM channel & power assignment & try "on demand".

7. Apply these modifications on the WLC CLI:

config advanced eap identity-request-timeout 20

config advanced eap identity-request-retries 10

config advanced eap request-timeout 20

config advanced eap request-retries 10

Save config, and see if you still face the problem.

We are still monitoring the solution, but so far we haven't faced the problem again.

Let me know how it goes for you.

Thank you.

Best regards,

kirbus_inc
Level 1

Thank you so much for the info. We will look into this and see what we come up with. I am wondering how similar our setups are. What model APs do you use? How many WLCs do you have? Do you know the NIC manufacturer of your clients? We have been trying to narrow it down to see if it is a driver issue or just some config issue. We are actually on version 6.0.188 so it's definitely not the version.

kirbus_inc
Level 1

Hello,

I was just checking back to see whether, since you made the changes, you are still experiencing problems, or whether you have narrowed it down to what it might be?

Hi Kirbus,

Since those changes, the client hasn't reported any more problems to us.

What about you? How is it going?

Best regards,

kirbus_inc
Level 1

Hello,

These are the ones we have tried:

1. disable Aironet extensions (if present), on the WLAN advanced configuration

2. disable management frame protection (MFP) signature generation (if present), MFP also on the WLAN advanced configuration

3. on the WLC general configuration, disable aggressive load balancing

4. on the security tab on the WLC, and it looks like we are still getting the same messages. I am leery about disabling the wireless protection policies client exclusions for security reasons, but I am thinking that is the solution to the problem; it seems it just ignores the failures.

kirbus_inc
Level 1

Hello,

Do you know what the manufacturer of your clients' NICs is, or are they all different? We are trying to see if it may be a driver issue. We are getting inconsistent information from Cisco about the cause of the problem.

Hello,

I have the same problem with WPA2/dot1x EAP-TLS and MSCHAPv2, but after 16 tries (3 times EAPOL M1 retransmit for each try) the WLC 4400 (v6) accepts the client.

Additionally I see CSCsy05945—The "EAPOL-key M2 with invalid RSN IE" error message appears because of multiple PMKIDs. The clients send multiple PMKIDs, but the controller buffers only 64 bytes of the WPA/RSN information element (IE). Workaround: None.

I disabled all 6 options step by step and ran the CLI timeout commands - no change.

Who is handling this part of the protocol: the CSSC, the WLAN driver Hon or MS XP?

Greetings

Olaf.
