cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4824
Views
0
Helpful
1
Replies

DOT1X-3-MAX_EAPOL_KEY_RETRANS

sancaksancak
Level 1
Level 1

We have two 5508 WLCs. In addition to our 3 current SSIDs, We added a new test SSID which is directed to a NAC device for 802.1x authentication. The configuration selected only WPA2 Policy, AES and 802.x for AUth Key Mgmt. The problem is that the new SSID/signal fluctuating and sometimes users disconnect. The signal level changes about every 15-20 minutes and user can easily notice that icon. I collected logs and debugs, moreover I opened a TAC case. The answer I want to find out is which side responsbile for this problem, AAA servers or wireless devices? I did following steps:

-Collected debugs for specific clients who face the problem and encountered similar log messages repeatedly below the message.

-Created a new open authentication SSID which was directed to same AAA server. The clients did not report any connection problem. Tac thought this output was related to AAA servers.

- Then, I individually added and tested each AAA server for test SSID again, the clients reported same problem. So previous doubts for AAA was invalid.

- I tested SSID on an HP and MAC devices for wireless chipsets, then we got same problem. Interestingly an iphone device user reported less problems and no logs, error or message about tramsmission, retries were captured except first initiation message at the connection first. But the user's wireless signal was still weaking. 

Other 3 ssids are working fine.

No connection lost for new AAA servers.

Sysinfo:

Product Version.................................. 7.0.116.0

Bootloader Version............................... 1.0.1

Field Recovery Image Version..................... 6.0.182.0

Firmware Version................................. FPGA 1.3, Env 1.6,

I am adding the logs I mainly collected from syslog for the users within the explanation from Cisco Error and System Messages Faq:

%DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:843 Received EAPOL-key M2 msg has invalid information when mobile is in START  state - invalid secure bit; KeyLen 24, Key type 1, client xx:xx:xx:xx:xx:xx[...It occurred 2 times/sec!.]

Explanation    Client authentication failed because of an authentication protocol error between the client and access point.

%DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client xx:xx:xx:xx:xx:xx

Explanation    Client authentication failed because the client did not respond to an EAPOL-key message.

Recommended Action    Ensure that user credentials are correct on the client and on the AAA server.

%DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client xx:xx:xx:xx:xx:xx

Explanation    An internal error caused 802.1X authentication to be aborted.

%DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2992 Max EAP identity request retries (3) exceeded for client xx:xx:xx:xx:xx:xx

Explanation    Client authentication failed because the maximum number of permitted attempts was exceeded.

Recommended Action    Ensure that user credentials are correct on the client and on the AAA server.

1 Reply 1

Justin Kurynny
Level 4
Level 4

sancaksancak,

You wrote:

-Created a new open authentication SSID which was directed to same AAA server. The clients did not report any connection problem. Tac thought this output was related to AAA servers.

Can you explain this a little more? How is this different than your problem SSID, and if it's not using 802.1x, what exactly are you "directing to the same AAA server?"

Justin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: