05-18-2012 01:04 PM - edited 07-03-2021 10:11 PM
Hello,
I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up:
WLC 4404 passes authentication to ACS 5.3 (PEAP + MSCHAPv2), then to the AD server.
The client can get stuck in this state, and it keeps repeating from 1 to 20:
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
I have the Max EAP identity request retries set to 20; that is why it stops at 20.
I checked the WLC logs and all I can see is:
May 18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May 18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create username joe132 for mobilee4:ce:8f:13:e4:de
The strange thing is that on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this, but I'm not sure why or how.
Has anybody seen something like this?
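As an added example (not part of the original post or of any Cisco tooling), the following script turns the pattern shown in the debug above into an automated check: per client MAC it counts EAP-Request/Identity frames sent, Identity Responses received, EAPOL START frames, and whether the client ever left the Connecting state. A client that keeps receiving identity requests, never answers them, and never advances is flagged as stuck, and the script reports how many identity-request retries remain against the configured maximum (20 in this thread). The sample input is constructed: the stuck-client lines are modelled on the debug in the post, and the healthy-client lines (including the "Received Identity Response" and "Authenticating state" wording) are an assumption about what a working PEAP exchange looks like in WLC client debug output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample debug output. The e4:ce:8f:13:e4:de lines follow the
# thread's debug; the 00:11:22:33:44:55 lines are an assumed healthy client
# whose message wording is modelled on typical WLC "debug client" output.
SAMPLE_DEBUG = """\
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:59:01.100: 00:11:22:33:44:55 dot1x - moving mobile 00:11:22:33:44:55 into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:59:01.100: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 1)
*Dot1x_NW_MsgTask_0: May 18 19:59:01.120: 00:11:22:33:44:55 Received EAPOL EAPPKT from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: May 18 19:59:01.121: 00:11:22:33:44:55 Received Identity Response (count=1) from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_0: May 18 19:59:01.122: 00:11:22:33:44:55 dot1x - moving mobile 00:11:22:33:44:55 into Authenticating state
"""

# One WLC debug line: optional leading '*', task name, timestamp, client MAC, message.
LINE_RE = re.compile(
    r"^\*?(?P<task>\S+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
IDENTITY_REQ_RE = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)")
STATE_RE = re.compile(r"moving mobile \S+ into (\w+) state")


@dataclass
class ClientState:
    identity_requests: list = field(default_factory=list)  # (timestamp, EAP Id)
    identity_responses: int = 0
    eapol_starts: int = 0
    advanced: bool = False  # left Connecting for Authenticating/Authenticated


def parse_line(line):
    """Return (timestamp, mac, message) for a WLC dot1x debug line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Year is absent in the debug; strptime defaults it, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    return ts, m.group("mac"), m.group("msg")


def analyze(debug_text, max_identity_retries=20):
    """Summarise the 802.1X identity phase per client MAC."""
    clients = defaultdict(ClientState)
    for line in debug_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg = parsed
        st = clients[mac]
        req = IDENTITY_REQ_RE.search(msg)
        if req:
            st.identity_requests.append((ts, int(req.group(1))))
        elif "Received Identity Response" in msg:
            st.identity_responses += 1
        elif "Received EAPOL START" in msg:
            st.eapol_starts += 1
        else:
            state = STATE_RE.search(msg)
            if state and state.group(1) in ("Authenticating", "Authenticated"):
                st.advanced = True

    summary = {}
    for mac, st in clients.items():
        interval = None
        if len(st.identity_requests) >= 2:
            # Gap between the last two identity requests (30 s in the thread's debug).
            interval = (st.identity_requests[-1][0] - st.identity_requests[-2][0]).total_seconds()
        summary[mac] = {
            "identity_requests": len(st.identity_requests),
            "identity_responses": st.identity_responses,
            "eapol_starts": st.eapol_starts,
            "advanced": st.advanced,
            "request_interval_s": interval,
            "retries_left": max(0, max_identity_retries - len(st.identity_requests)),
            # Stuck: repeatedly asked for identity, never answered, never progressed.
            "stuck": len(st.identity_requests) >= 2 and st.identity_responses == 0 and not st.advanced,
        }
    return summary


def stuck_clients(debug_text, max_identity_retries=20):
    """MACs that loop in Connecting without ever sending an Identity Response."""
    return sorted(mac for mac, s in analyze(debug_text, max_identity_retries).items() if s["stuck"])


if __name__ == "__main__":
    for mac, s in analyze(SAMPLE_DEBUG).items():
        print(mac, s)
    print("stuck:", stuck_clients(SAMPLE_DEBUG))
```

Feed it the output of a `debug client <mac>` session (or the aggregated dot1x debug) to separate clients that never answer the identity request from those that fail later in the PEAP tunnel; only the latter will show up on the ACS, which matches the observation that the ACS sees no attempts for these clients.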
05-20-2012 06:03 AM
well well,
From the debugs it is very clear that the controller is sending EAP identity requests to your lazy wireless client, which is not responding at all, and accordingly the WLC keeps doing that until reaching the max retries.
The client is doing one thing, which is sending EAPOL Start packets, but it never reacts to the EAP identity requests fired by the WLC.
There is one possible reason: your client is either corrupted or not configured correctly, or you are not populating the identity info upon being prompted for it, which I doubt. So please check the config of your client and try with another one if possible.
Regards
----------------------------------------------------------------
Please don't forget to rate correct answers
05-21-2012 07:21 AM
But it is not 1 client; I have tons of them, and about 90% of them are Apple products. Any suggestions? I cannot go around campus and check settings on each Apple client.
Do you have Apple clients in your WLAN environment? Any issues?
05-21-2012 07:48 AM
Unfortunately, no.
It is worth checking at your end, isn't it?
05-21-2012 10:59 PM
I have apples on my network and not having any problems.
How is your WLAN configured WPA/TKIP or WPA2/AES?
Are you using CCKM on your WLAN at all?
05-22-2012 06:10 AM
How big is your network? I have about 10,000 clients.
I have WPA2+AES, then a PEAP+MSCHAPv2 tunnel back to ACS 5.3.
No, I'm using 802.1X
05-22-2012 06:04 AM
enable broadcast forwarding
++ increase the ARP timeout
+++ disable short preamble
++ increase DTIM
05-22-2012 06:18 AM
Why do I have to enable broadcast forwarding?
I already have the ARP timeout set to 500, short preamble is disabled, and the DTIM is set to 5, but the problem is still here.
05-22-2012 07:41 AM
broadcast forwarding for initial device discovery
05-22-2012 06:43 AM
PEAP is only used for authentication. What are you using for encryption: WPA, WPA2, AES, TKIP?
Sent from Cisco Technical Support iPhone App
05-22-2012 06:49 AM
I already said that above: I use WPA2+AES.
02-22-2018 07:14 AM
This issue occurred a couple of months ago and it was resolved by replacing the DSL modem on the remote site.
The same problem (EAP identity request not received by the client on the remote site) has occurred again, this time also on a remote site which connects using a DSL modem. Obviously I will ask the provider to replace this modem as well, but does anyone have an explanation for why a DSL modem wouldn't forward these packets as expected?
Everything but 802.1x identity request is/was working perfectly fine on both these branches.
BR
David