Unable to authenticate using LDAP server

Hi everyone,

I'm trying to configure WPA2 authentication using LEAP and the office's LDAP server. I collected the following logs from the 5508 controller but I'm unable to find out what the problem is. Does anyone have a clue what's happening?

Thanks

*Nov 08 10:35:44.851: 00:21:6a:61:61:ba Entering Backend Auth Response state for mobile 00:21:6a:61:61:ba
*Nov 08 10:35:44.851: LOCAL_AUTH: EAP: Received an auth request
*Nov 08 10:35:44.851: LOCAL_AUTH: Creating new context
*Nov 08 10:35:44.851: EAP-EVENT: Received context create from lower layer (0x00000035)
*Nov 08 10:35:44.851: id_manager.c-AUTH-SM: Got new ID 1a000036 - id_get
*Nov 08 10:35:44.851: EAP-EVENT: Received credential profile name: "(null)" from LL
*Nov 08 10:35:44.851: EAP-EVENT: Allocated new EAP context (handle = 0x1A000036)
*Nov 08 10:35:44.851: LOCAL_AUTH: Created new context eap session handle 1a000036
*Nov 08 10:35:44.851: LOCAL_AUTH: (EAP:53) Sending the Rxd EAP packet (id 2) to EAP subsys
*Nov 08 10:35:44.851: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x1A000036
*Nov 08 10:35:44.851: EAP-AUTH-RX-PAK:
*Nov 08 10:35:44.851: eap_core.c:1484: Code:RESPONSE  ID:0x 2  Length:0x000f  Type:IDENTITY
*Nov 08 10:35:44.851: eap_core.c:1422:     Payload:  616F5C78333332313238
*Nov 08 10:35:44.851: EAP-AUTH-EVENT: EAP Response received by context 0x1A000036
*Nov 08 10:35:44.851: EAP-AUTH-EVENT: EAP Response type = Identity
*Nov 08 10:35:44.851: EAP-AUTH-EVENT: Received peer identity: ao\x332128
*Nov 08 10:35:44.852: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_USERNAME' on handle 0x1A000036
*Nov 08 10:35:44.852: LOCAL_AUTH: Found matching context for id - 53
*Nov 08 10:35:44.852: LOCAL_AUTH: (EAP) Sending user credential request username 'ao\x332128' to LDAP
*Nov 08 10:35:44.852: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
*Nov 08 10:35:44.852: AuthenticationRequest: 0x1afd445c
*Nov 08 10:35:44.852:   Callback.....................................0x1078ccf0
*Nov 08 10:35:44.852:   protocolType.................................0x00100002
*Nov 08 10:35:44.852:   proxyState...................................00:21:6A:61:61:BA-00:00
*Nov 08 10:35:44.852:   Packet contains 2 AVPs (not shown)
*Nov 08 10:35:44.852: ldapTask [1] received msg 'REQUEST' (2) in state 'CONNECTED' (3)
*Nov 08 10:35:44.852: disabled LDAP_OPT_REFERRALS
*Nov 08 10:35:44.852: LDAP_CLIENT: UID Search (base=ou=XNUC,ou=Organization Users,dc=ao,dc=bcpcorp,dc=net, pattern=(&(objectclass=XNUC)(sAMAccountName=ao\5cx332128)))
*Nov 08 10:35:44.853: LDAP_CLIENT: ldap_search_ext_s returns 0 85
*Nov 08 10:35:44.853: LDAP_CLIENT: Returned 1 msgs including 0 references
*Nov 08 10:35:44.853: LDAP_CLIENT: Returned msg 1 type 0x65
*Nov 08 10:35:44.853: LDAP_CLIENT : No matched DN
*Nov 08 10:35:44.853: LDAP_CLIENT : Check result error 0 rc 1013
*Nov 08 10:35:44.853: LDAP_CLIENT: Received no referrals in search result msg
*Nov 08 10:35:44.853: LDAP_CLIENT: Received 1 attributes in search result msg
*Nov 08 10:35:44.853: ldapAuthRequest [1] called lcapi_query base="ou=XNUC,ou=Organization Users,dc=ao,dc=bcpcorp,dc=net" type="XNUC" attr="sAMAccountName" user="ao\5cx332128" (rc = 0 - Success)
*Nov 08 10:35:44.853: Handling LDAP response Authentication Failed
*Nov 08 10:35:44.853: 00:21:6a:61:61:ba [Response] Client requested no retries for mobile 00:21:6A:61:61:BA
*Nov 08 10:35:44.854: 00:21:6a:61:61:ba Returning AAA Error 'Authentication Failed' (-4) for mobile 00:21:6a:61:61:ba
*Nov 08 10:35:44.854: AuthorizationResponse: 0x1b1be0fc
*Nov 08 10:35:44.854:   structureSize................................32
*Nov 08 10:35:44.854:   resultCode...................................-4
*Nov 08 10:35:44.854:   protocolUsed.................................0x00000002
*Nov 08 10:35:44.854:   proxyState...................................00:21:6A:61:61:BA-00:00
*Nov 08 10:35:44.854:   Packet contains 0 AVPs:
*Nov 08 10:35:44.854: LOCAL_AUTH: Found context matching MAC address - 53
*Nov 08 10:35:44.854: LOCAL_AUTH: (EAP:53) User credential callback invoked
*Nov 08 10:35:44.854: LOCAL_AUTH: EAP Unable to find username in credentials. Returning dummy profile 'ao\x332128'
*Nov 08 10:35:44.854: LOCAL_AUTH: EAP Unable to find password in credentials. Skipped
*Nov 08 10:35:44.854: LOCAL_AUTH: EAP Unable to find wlan in credentials. Skipped
*Nov 08 10:35:44.854: EAP-EVENT: Received event 'EAP_LL_REPLY' on handle 0x1A000036
*Nov 08 10:35:44.854: EAP-AUTH-EVENT: Using credential profile name: ao\x332128 (0x1A000036)
*Nov 08 10:35:44.854: EAP-AUTH-EVENT: Maximum EAP packet size: 1000
*Nov 08 10:35:44.854: EAP-AUTH-EVENT: Sending method new context directive for EAP context 0x1A000036
*Nov 08 10:35:44.854: EAP-EVENT: Sending method directive 'New Context' on handle 0x1A000036
*Nov 08 10:35:44.854: eap_leap.c-EVENT: New context (EAP handle = 0x1A000036)
*Nov 08 10:35:44.854: id_manager.c-AUTH-SM: Got new ID 5d00000d - id_get
*Nov 08 10:35:44.854: eap_leap.c-EVENT: Allocated new EAP-LEAP context (handle = 0x5D00000D)
*Nov 08 10:35:44.854: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_PROFILE_NAME' on handle 0x1A000036
*Nov 08 10:35:44.854: LOCAL_AUTH: Found matching context for id - 53
*Nov 08 10:35:44.854: LOCAL_AUTH: (EAP:53) Returning profile 'ao\x332128' (username '<EMPTY>')
*Nov 08 10:35:44.854: EAP-ERROR NULL password for profile: ao\x332128
*Nov 08 10:35:44.854: eap_leap.c-ERROR: Unable to get user password
*Nov 08 10:35:44.854: eap_leap.c-ERROR: Unable to allocate EAP-LEAP context
*Nov 08 10:35:44.854: eap_leap.c-EVENT: Free context (EAP handle = 0x1A000036)
*Nov 08 10:35:44.854: id_manager.c-AUTH-SM: Entry deleted fine id 5d00000d - id_delete
*Nov 08 10:35:44.854: EAP-AUTH-ERROR: Method initialisation failed
*Nov 08 10:35:44.854: EAP-EVENT: Received get canned status from lower layer (0x1A000036)
*Nov 08 10:35:44.854: EAP-EVENT: Sending lower layer event 'EAP_FAIL' on handle 0x1A000036
*Nov 08 10:35:44.854: LOCAL_AUTH: Found matching context for id - 53
*Nov 08 10:35:44.854: LOCAL_AUTH: (EAP:53) Received eap fail event
*Nov 08 10:35:44.854: 00:21:6a:61:61:ba Processing Access-Reject for mobile 00:21:6a:61:61:ba
*Nov 08 10:35:44.854: 00:21:6a:61:61:ba Sending EAP-Failure to mobile 00:21:6a:61:61:ba (EAP Id -1)
*Nov 08 10:35:44.855: 00:21:6a:61:61:ba Entering Backend Auth Failure state (id=-1) for mobile 00:21:6a:61:61:ba
*Nov 08 10:35:44.855: 00:21:6a:61:61:ba Setting quiet timer for 5 seconds for mobile 00:21:6a:61:61:ba
*Nov 08 10:35:44.855: 00:21:6a:61:61:ba dot1x - moving mobile 00:21:6a:61:61:ba into Unknown state
*Nov 08 10:35:44.855: EAP-EVENT: Received free context (0x1A000036) from lower layer
*Nov 08 10:35:44.855: EAP-EVENT: Received event 'EAP_DELETE' on handle 0x1A000036
*Nov 08 10:35:44.855: id_manager.c-AUTH-SM: Entry deleted fine id 1a000036 - id_delete
*Nov 08 10:35:44.855: EAP-AUTH-EVENT: Freed EAP auth context
*Nov 08 10:35:44.855: EAP-EVENT: Freed EAP context

Accepted Solution

Nicolas Darchis
Cisco Employee

From the config guide:

The LDAP backend database supports these local EAP methods: EAP-TLS, EAP-FAST/GTC, and PEAPv1/GTC. LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are also supported but only if the LDAP server is set up to return a clear-text password. For example, Microsoft Active Directory is not supported because it does not return a clear-text password. If the LDAP server cannot be configured to return a clear-text password, LEAP, EAP-FAST/MSCHAPv2, and PEAPv0/MSCHAPv2 are not supported.

It all depends on whether your backend LDAP supports LEAP or not. Actually, it's whether the LDAP DB supports returning a clear-text password or not.

Nicolas

===

Don't forget to rate answers that you find useful.
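Added example, not from this thread or from Cisco: a small Python triage script that pulls the decisive lines out of the controller debug in the question, undoes the RFC 4515 `\5c` escaping in the LDAP search filter, and reports the failure in the terms of the config-guide quote above (LEAP is one of the methods that needs a clear-text password from LDAP). `SAMPLE_LOG` is a constructed excerpt of the log in the question; the function names and reason codes are my own.

```python
import re

# Constructed excerpt of the controller debug lines quoted in the question
# (raw string so the backslash in ao\x332128 survives as typed).
SAMPLE_LOG = r"""
*Nov 08 10:35:44.851: EAP-AUTH-EVENT: Received peer identity: ao\x332128
*Nov 08 10:35:44.852: LDAP_CLIENT: UID Search (base=ou=XNUC,ou=Organization Users,dc=ao,dc=bcpcorp,dc=net, pattern=(&(objectclass=XNUC)(sAMAccountName=ao\5cx332128)))
*Nov 08 10:35:44.853: LDAP_CLIENT : No matched DN
*Nov 08 10:35:44.853: LDAP_CLIENT : Check result error 0 rc 1013
*Nov 08 10:35:44.854: LOCAL_AUTH: (EAP:53) Returning profile 'ao\x332128' (username '<EMPTY>')
*Nov 08 10:35:44.854: EAP-ERROR NULL password for profile: ao\x332128
*Nov 08 10:35:44.854: eap_leap.c-ERROR: Unable to get user password
*Nov 08 10:35:44.854: 00:21:6a:61:61:ba Sending EAP-Failure to mobile 00:21:6a:61:61:ba (EAP Id -1)
"""

# Local EAP methods the config guide says need a clear-text password from LDAP.
NEEDS_CLEARTEXT = {"LEAP", "MSCHAPV2"}

def unescape_ldap_value(value):
    """Undo RFC 4515 hex escaping in a filter value, e.g. '\\5c' -> '\\'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def triage(log_text):
    """Collect the few fields that explain a local-EAP over LDAP failure."""
    f = {"identity": None, "filter_user": None, "no_dn": False,
         "null_password": False, "method": None, "eap_failure": False}
    for line in log_text.strip().splitlines():
        if m := re.search(r"Received peer identity: (\S+)", line):
            f["identity"] = m.group(1)
        if m := re.search(r"sAMAccountName=([^)]+)\)", line):
            f["filter_user"] = unescape_ldap_value(m.group(1))   # what LDAP was actually asked for
        if m := re.search(r"eap_(\w+)\.c-ERROR", line):
            f["method"] = m.group(1).upper()                     # EAP method that raised the error
        f["no_dn"] |= "No matched DN" in line
        f["null_password"] |= "NULL password for profile" in line
        f["eap_failure"] |= "Sending EAP-Failure" in line
    return f

def diagnose(f):
    """Return reason codes in the order the log reveals them (hypothetical codes)."""
    reasons = []
    if f["no_dn"]:
        reasons.append("LDAP_NO_DN")                # the user search returned no entry
    if f["filter_user"] and f["filter_user"] == f["identity"] and "\\" in f["identity"]:
        reasons.append("PREFIXED_IDENTITY")         # the full 'domain\user' string was searched as sAMAccountName
    if f["null_password"] and f["method"] in NEEDS_CLEARTEXT:
        reasons.append("NO_CLEARTEXT_PASSWORD")     # LEAP/MSCHAPv2 cannot proceed without one
    return reasons
```

Running `diagnose(triage(SAMPLE_LOG))` on the excerpt returns all three codes; on a log where a GTC method is in use, the clear-text requirement does not apply and only the LDAP findings are reported.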


2 Replies
Ahmed Alani
Level 1

I have the same issue. What was the fix? Did you get it to work?