Beginner

Cisco AP - EAP failing

Hi.  Our office has installed a couple of new Cisco 2700 Autonomous Access Points and we are trying to set up EAP 802.1x authentication to our laptops, so we can have a Wireless LAN.

The access points back the authentication off to Cisco ISE (version 2.2), which does a machine and user authentication against Active Directory.  Cisco ISE shows that authentication succeeds and a RADIUS Access-Accept message is returned back to the AP.  The AP logs show that the RADIUS Access-Accept message is received:
"RADIUS: Received from id 1645/238 X.X.X.X:1645, Access-Accept"

 

ISE:

Event 5200 Authentication succeeded
Username XXX\XXXXXXX
Returned RADIUS Access-Accept

Event 5200 Authentication succeeded
Username host/XXXXXXX
Returned RADIUS Access-Accept

When trying to connect to the Wireless on our laptops we enter our username/password and we get an "Unable to connect to network" message.

Note, we can connect normally using a different SSID that is WPA2.  Our drivers are up to date.

Windows Event Logs show this sequence:

WLAN AutoConfig service started a connection to a wireless network.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Connection Mode: Connection to a secure network without a profile
Profile Name: XXX
SSID: XXX
BSS Type: Infrastructure

Wireless network association started.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Authentication: Open
Encryption: WEP
802.1X Enabled: Yes

Wireless network association succeeded.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Management Frame Protection Enabled: 0x7600000000

Wireless security started.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Authentication: Open
Encryption: WEP
FIPS Mode: Disabled
802.1x Enabled: Yes

Wireless 802.1x authentication started.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Eap Information: Type 0, Vendor ID 0, Vendor Type 0, Author ID 0

Wireless 802.1x authentication succeeded.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Identity: XXXXXXXXXXXX
User:
Domain:

Wireless security failed.
Network Adapter: Intel(R) Dual Band Wireless-AC 8265
Interface GUID: XXX
Local MAC Address: XXX
Network SSID: XXX
BSS Type: Infrastructure
Peer MAC Address: XXX
Reason: Dynamic key exchange did not succeed within configured time
Error: 0x0

I cannot find anything to suggest why this might be the case, and there is not a lot online when I have a look about "Dynamic key exchange did not succeed within configured time".  I am using the default Windows wireless settings, and WPA2 is fine.

Any help would be appreciated.

VIP Engager

Re: Cisco AP - EAP failing

EVIL: Encryption: WEP
Do you use a WLC or are all the APs on autonomous?
If autonomous, can you post the configuration (minus passwords)?

If WLC check the manual here: https://www.networkstraining.com/configuration-of-cisco-wpa2-enterprise-and-personal/ the chapter "Configuring WPA2 Enterprise on Cisco 5508 Wireless LAN Controller:"
Beginner

Re: Cisco AP - EAP failing

Hi.  Thanks for your response.  The APs are autonomous.

Config:

Building configuration...

Current configuration : 9165 bytes
!

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
server name XXX
server name XXX
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server name XXX
server name XXX
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius XXX
!
aaa authentication login default local group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_XXX group XXX
aaa authorization exec default local group rad_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webpass consent
ip domain name XXX
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name DATA vlan 200
dot11 vlan-name GUEST_WIFI vlan 20
!
dot11 ssid XXX
vlan 200
band-select
authentication open eap eap_methods
authentication network-eap eap_methods
mbssid guest-mode
no ids mfp client
11w-pmf client optional
!
dot11 ssid XXX
vlan 20
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXX
11w-pmf client optional
!
dot11 band-select parameters
cycle-count 3
cycle-threshold 200
expire-supression 20
expire-dual-band 60
client-rssi 80
!
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-XXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXX
revocation-check none
rsakeypair TP-self-signed-XXX
!
!
crypto pki certificate chain TP-self-signed-XXX
certificate self-signed 01
XXX


quit
username XX privilege 15 password 7 XXX
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 200 mode ciphers aes-ccm
!
ssid XXX
!
ssid XXX
!
antenna gain 0
traffic-stream priority 5 sta-rates nom-5.5 nom-11.0 nom-6.0 nom-12.0 nom-24.0
traffic-stream priority 6 sta-rates nom-5.5 nom-11.0 nom-6.0 nom-12.0 nom-24.0
stbc
mbssid
packet max-retries 3 0 fail-threshold 100 500 priority 5 drop-packet
packet max-retries 3 0 fail-threshold 100 500 priority 6 drop-packet
packet speed 5.5 11.0 6.0 12.0 24.0 priority 6
station-role root
no cdp enable
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 port-protected
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 200 mode ciphers aes-ccm
!
ssid XXX
!
ssid XXX
!
antenna gain 0
peakdetect
no dfs band block
traffic-stream priority 5 sta-rates nom-6.0 nom-12.0 nom-24.0
traffic-stream priority 6 sta-rates nom-6.0 nom-12.0 nom-24.0
stbc
mbssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23. a1ss9 a2ss9 a3ss9
packet max-retries 3 0 fail-threshold 100 500 priority 5 drop-packet
packet max-retries 3 0 fail-threshold 100 500 priority 6 drop-packet
channel dfs
station-role root
no cdp enable
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 port-protected
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.200
encapsulation dot1Q 200 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.200
encapsulation dot1Q 200 native
no cdp enable
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address XXX
ip address XXX
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
logging trap debugging
logging host XXX
logging host XXX
!
snmp-server group XXX v3 priv read MGMTview
snmp-server view MGMTview internet included
snmp-server view MGMTview mib-2 included
snmp-server view MGMTview system included
snmp-server view MGMTview interfaces included
snmp-server view MGMTview ip included
snmp-server view MGMTview local included
snmp-server view MGMTview temporary included
snmp-server view MGMTview chassis included
snmp-server view MGMTview ciscoMemoryPoolMIB included
snmp-server view MGMTview transmission.127.1.1.4 included
snmp-server view MGMTview entAliasMappingEntry.2 included
snmp-server view MGMTview cdpGlobal.1 included
snmp-server view MGMTview cdpCacheEntry included
snmp-server location XXX
snmp-server contact XXX
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server timeout 30
!
radius server XXX
address ipv4 XXX auth-port 1645 acct-port 1646
key 7 XXX
!
radius server XXX
address ipv4 XXX auth-port 1645 acct-port 1646
key 7 XXX
!
access-list 16 permit XXXXXXXXX
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
!
!
wlccp authentication-server infrastructure method_XXX
!
line con 0
access-class 16 in
password 7 XXX
logging synchronous
line vty 0 4
access-class 16 in
length 0
transport input ssh
transport output ssh
!
sntp server XXX
sntp broadcast client
end

Beginner

Re: Cisco AP - EAP failing

Not sure if this is relevant, but I did a RADIUS debug on the AP and tried to access the AP, and it seems it sends multiple RADIUS requests. Is this normal?

Line 10: *Mar 1 03:49:59.259: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/209, len 273
Line 58: *Mar 1 03:49:59.271: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/210, len 351
Line 112: *Mar 1 03:49:59.283: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/211, len 560
Line 200: *Mar 1 03:49:59.335: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/212, len 350
Line 300: *Mar 1 03:49:59.343: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/213, len 350
Line 381: *Mar 1 03:49:59.355: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/214, len 350
Line 413: *Mar 1 03:49:59.415: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/218, len 480
Line 471: *Mar 1 03:50:00.639: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/219, len 350
Line 525: *Mar 1 03:50:00.651: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/220, len 415
Line 581: *Mar 1 03:50:00.663: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/221, len 469
Line 638: *Mar 1 03:50:00.691: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/222, len 381
Line 692: *Mar 1 03:50:00.699: RADIUS(0000067A): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/223, len 390
Line 758: *Mar 1 03:50:08.643: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/224, len 241
Line 805: *Mar 1 03:50:08.655: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/225, len 335
Line 859: *Mar 1 03:50:08.667: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/226, len 544
Line 947: *Mar 1 03:50:08.715: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/227, len 334
Line 1047: *Mar 1 03:50:08.727: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/228, len 334
Line 1091: *Mar 1 03:50:10.159: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/234, len 334
Line 1145: *Mar 1 03:50:10.167: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/235, len 383
Line 1201: *Mar 1 03:50:10.179: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/236, len 437
Line 1258: *Mar 1 03:50:10.199: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/237, len 365
Line 1313: *Mar 1 03:50:10.207: RADIUS(0000067B): Send Access-Request to XXX.XXX.XXX.XXX:1645 id 1645/238, len 374

VIP Engager

Re: Cisco AP - EAP failing

Ok, only small details that I see, can you change this:
encryption vlan 200 mode ciphers aes-ccm
to this:
encryption vlan 200 mode ciphers aes-ccmp #if this is available

Does the client trust the certificate from the RADIUS server? This is required, or the authentication silently fails on the client.

From my link before, can you compare the configuration to the chapter "Configuring WPA2 Enterprise on Autonomous Access Point:"?
Beginner

Re: Cisco AP - EAP failing

Hi.  CCMP isn't an option unfortunately, only CCM.

I am following your guide, but we are using Cisco ISE servers to authenticate the user and machine.  That has been working fine, so do I ignore your steps at the end to configure a local radius server?

Beginner

Re: Cisco AP - EAP failing

I noticed that on my existing config I had not selected mandatory or WPA2; I think that is why the key part was failing but the authentication was OK.  The office is remote, so I will ask a user down there to test, probably on Monday.  I will let you know the outcome. I really appreciate your help; your guide did point my change out to me as well.

VIP Engager

Re: Cisco AP - EAP failing

Yes, those steps you can ignore.

So you say it was working, did you change anything? Did maybe the Radius certificate change?


Beginner

Re: Cisco AP - EAP failing

I won't know until Monday if it worked or not.
But I had no WPA key configured, only the EAP.

I had not ticked the mandatory box or the WPA box, or selected WPA2.

I am hopeful this will work because it explains why 802.1x authentication passed (on the external radius server), but failed the dynamic key exchange (WPA2 keys not configured).

I will let you know, thanks again :)
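The diagnosis in this thread (802.1X succeeds on ISE, but the client times out on the dynamic key exchange because the EAP SSID has no WPA key management configured) can be caught by reading the autonomous AP config before anyone tests on site. The check below is an added example, not code from the thread or from Cisco; the SSID names and the redacted PSK in the sample config are constructed placeholders modelled on the SSID blocks posted above.

```python
import re

# Constructed excerpt modelled on the SSID blocks posted in the thread; names are placeholders.
EAP_SSID_BROKEN = """\
dot11 ssid CORP_EAP
 vlan 200
 authentication open eap eap_methods
 authentication network-eap eap_methods
!
dot11 ssid GUEST_PSK
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 PLACEHOLDER
!
"""

# Same config with the line the thread identifies as missing added to the EAP SSID.
EAP_SSID_FIXED = EAP_SSID_BROKEN.replace(
    " authentication network-eap eap_methods\n",
    " authentication network-eap eap_methods\n authentication key-management wpa version 2\n",
)

def parse_ssids(config):
    """Return {ssid_name: [lines]} for every 'dot11 ssid' block; a bare '!' closes a block."""
    ssids, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"dot11 ssid (\S+)$", line)
        if match:
            current = match.group(1)
            ssids[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            ssids[current].append(line)
    return ssids

def audit_ssids(config):
    """Flag SSIDs that authenticate with EAP but never enable WPA key management.
    Without 'authentication key-management wpa' the AP still completes 802.1X (ISE logs a
    success) but never starts the WPA2 4-way handshake, so the supplicant times out waiting
    for the dynamic key exchange, matching the Windows event in the first post."""
    findings = []
    for name, lines in parse_ssids(config).items():
        uses_eap = any(ln.startswith(("authentication open eap", "authentication network-eap")) for ln in lines)
        has_wpa_km = any(ln.startswith("authentication key-management wpa") for ln in lines)
        if uses_eap and not has_wpa_km:
            findings.append((name, "add: authentication key-management wpa version 2"))
    return findings
```

Run `audit_ssids` over the output of `show running-config`; an SSID that is reported here will show up on a Windows client as "Authentication: Open / Encryption: WEP / 802.1X Enabled: Yes", exactly the pattern the first reply flagged.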
