04-27-2011 07:40 AM - edited 07-03-2021 08:07 PM
We have an AP 1130 with local RADIUS service. It has two associated clients, 7921 IP phones. All works fine. But when I try to connect a new phone, I get an authentication error. The phone settings are the same.
I tried the following debug:
dot11/wlccp authenticator:
state machine debugging is on
process debugging is on
radius local:
Radius server error debugging is on
Radius server client failures debugging is on
Radius protocol debugging is on
Radius packet protocol (authentication) debugging is on
Apr 27 12:47:38.378: RADIUS(00001F10): Received from id 1645/93
Apr 27 12:47:38.378: RADIUS/DECODE: EAP-Message fragments, 26, total 26 bytes
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found session timeout 120 sec
Apr 27 12:47:38.378: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 120 seconds
Apr 27 12:47:42.978: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 8843.e133.51db
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Client 8843.e133.51db timer started for 30 seconds
Apr 27 12:47:43.022: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Sending client 8843.e133.51db data to server
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Apr 27 12:47:43.023: RADIUS/ENCODE(00001F12):Orig. component type = DOT11_AUTH
Apr 27 12:47:43.023: RADIUS: AAA Unsupported Attr: ssid [263] 9
Apr 27 12:47:43.023: RADIUS: 4B 4D 52 55 53 57 49 [1234567]
Apr 27 12:47:43.023: RADIUS: AAA Unsupported Attr: interface [156] 4
Apr 27 12:47:43.024: RADIUS: 35 34 [54]
Apr 27 12:47:43.024: RADIUS(00001F12): Storing nasport 5405 in rad_db
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS/ENCODE(00001F12): acct_session_id: 7954
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS(00001F12): sending
Apr 27 12:47:43.024: RADIUS(00001F12): Send Access-Request to 10.122.156.138:1812 id 1645/94, len 137
Apr 27 12:47:43.025: RADIUS: authenticator 82 3E 35 09 1C 77 95 0D - 13 6A DA 01 E5 B2 A5 21
Apr 27 12:47:43.025: RADIUS: User-Name [1] 11 "anonymous"
Apr 27 12:47:43.025: RADIUS: Framed-MTU [12] 6 1400
Apr 27 12:47:43.025: RADIUS: Called-Station-Id [30] 16 "001b.2a6d.2d68"
Apr 27 12:47:43.025: RADIUS: Calling-Station-Id [31] 16 "8843.e133.51db"
Apr 27 12:47:43.025: RADIUS: Service-Type [6] 6 Login [1]
Apr 27 12:47:43.025: RADIUS: Message-Authenticato[80] 18 *
Apr 27 12:47:43.025: RADIUS: EAP-Message [79] 16
Apr 27 12:47:43.026: RADIUS: 02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73 [?????anonymous]
Apr 27 12:47:43.026: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Apr 27 12:47:43.026: RADIUS: NAS-Port [5] 6 5405
Apr 27 12:47:43.026: RADIUS: NAS-IP-Address [4] 6 10.122.156.138
Apr 27 12:47:43.026: RADIUS: Nas-Identifier [32] 10 "KM-AP-02"
Apr 27 12:47:43.027: RADSRV: Unable to add TEAP client: max client limit reached, 10
Apr 27 12:47:48.010: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:48.010: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 8843.e133.51db
Apr 27 12:47:48.011: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Apr 27 12:47:48.582: RADIUS: no sg in radius-timers: ctx 0xBAE51C sg 0x0000
8843.e133.51db is the MAC address of the problem phone. In addition, strings like this occur in the debugging output:
%DOT11-4-MAXRETRIES: Packet to client 8843.e133.51db reached max retries, removing the client
But the radio environment is good.
Here is part of the AP configuration:
ip ssh source-interface BVI1
ip ssh version 2
aaa new-model
!
!
aaa group server radius RADIUS-LOCAL
server 10.122.156.138 auth-port 1812 acct-port 1813
deadtime 0
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login method_infrastructure group RADIUS-LOCAL
aaa authentication login method_client group RADIUS-LOCAL
aaa authentication login method_eap group RADIUS-LOCAL
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 ssid 123456789
vlan 51
authentication open eap method_eap
authentication network-eap method_eap
authentication key-management wpa cckm
!
dot11 network-map
dot11 phone dot11e
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 51 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm tkip
!
ssid 123456789!
countermeasure tkip hold-time 90
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 14
power local cck -1
power local ofdm -1
channel 2462
station-role root
dot11 extension power native
interface BVI1
ip address 10.122.156.138 255.255.255.192
no ip route-cache
!
ip radius source-interface BVI1
!
radius-server local
no authentication mac
nas 10.122.156.138 key 7 107B3E125C153302161E0C2037
nas 10.122.156.137 key 7 08147B45501B241E08112A0F39
group IP-phones
vlan 51
ssid 123456789
!
user AP-02 nthash 7 143334522E20787B7D71636301475240572001097C037656533A457B0E7103770D
user AP-01 nthash 7 1321314B2928567A727D786516764651422256067D08710C5E214B340F7E07760A
user SEP0021A0249690 nthash 7 101F5B48524F475D5556080D070D176D71372642275072007C750D2B2639467A7D group IP-phones
user SEP0021A0248A2F nthash 7 091D1C584E5D4244525E260C08010C6B660632533252250F7D7E0A712B2248357C group IP-phones
user AP-03 nthash 7 075A02141E593F544433582F21727D010C6160764323325724010A0B027157224A
user AP-04 nthash 7 115C3A5D47422D5D570B78070D6B63073755435751727D0C76035D504933007905
user SEP8843E13351DB nthash 7 091C1E59495547425B5C547A7B7478636572435746535106090803045E53484609 group IP-phones
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.156.138 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server host 10.122.156.137 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server vsa send accounting
If anybody has some experience, please help me find a solution to this problem.
Thanks
04-27-2011 08:29 AM
The only thing that comes to my mind is:
What is the part name of this phone? Does it end with -W or just -A?
Why are you using anonymous users?
User-Name [1] 11 "anonymous" ?
Did you try using only TKIP alone as encryption?
Check the local radius statistics...
Can you test with a simple username like test and password test?
04-28-2011 04:22 AM
You're absolutely right! The username wasn't set properly.
Thanks a lot!
04-28-2011 11:38 AM
You are welcome... don't forget to rate the posts and to set this question as answered.
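The check suggested in the reply above (why is the User-Name "anonymous"?) can be done mechanically from the debug output. This is an added example, not part of the original posts: it decodes the EAP-Message bytes from the Access-Request and compares the identity with the `user` entries under `radius-server local`. The function names are hypothetical, the hashes are replaced by a placeholder, and the SEP<MAC> lookup assumes the naming convention visible in the posted config.

```python
import re

# Lines copied from the thread's debug output (timestamps trimmed).
DEBUG = """\
RADIUS: Calling-Station-Id [31] 16 "8843.e133.51db"
RADIUS: EAP-Message [79] 16
RADIUS: 02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73 [?????anonymous]
"""
# User names from the thread's config; hashes replaced by a placeholder.
CONFIG = """\
radius-server local
 user AP-02 nthash 7 <redacted>
 user SEP0021A0249690 nthash 7 <redacted> group IP-phones
 user SEP8843E13351DB nthash 7 <redacted> group IP-phones
"""
EAP_CODES = {1: "Request", 2: "Response"}
EAP_TYPE_IDENTITY = 1

def decode_eap(hex_dump):
    """Parse an EAP Request/Response (RFC 3748): code, id, length, type, data."""
    pkt = bytes.fromhex(hex_dump)
    if len(pkt) < 5 or pkt[0] not in EAP_CODES:
        raise ValueError("not an EAP Request/Response")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes dumped")
    return {"code": EAP_CODES[pkt[0]], "id": pkt[1], "type": pkt[4], "data": pkt[5:]}

def eap_identity(debug):
    """Identity carried in the hex line that follows an EAP-Message attribute."""
    lines = debug.splitlines()
    for attr, dump in zip(lines, lines[1:]):
        m = re.search(r"RADIUS:\s+((?:[0-9A-Fa-f]{2}\s)+)", dump)
        if "EAP-Message" in attr and m:
            eap = decode_eap(m.group(1))
            if eap["type"] == EAP_TYPE_IDENTITY:
                return eap["data"].decode("ascii", "replace")
    return None

def check_identity(debug, config):
    """Compare the EAP identity with the local RADIUS user list."""
    users = re.findall(r"^\s*user\s+(\S+)\s+nthash", config, re.M)
    identity = eap_identity(debug)
    mac = re.search(r'Calling-Station-Id .*"([0-9a-f.]+)"', debug)
    # Assumption: phones follow the SEP<MAC> naming seen in the config.
    by_mac = "SEP" + mac.group(1).replace(".", "").upper() if mac else None
    return {"identity": identity, "is_local_user": identity in users,
            "local_user_for_mac": by_mac if by_mac in users else None}

if __name__ == "__main__":
    print(check_identity(DEBUG, CONFIG))
```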