7921 phone. authentication problem with local radius Cisco Aironet 1130

Ruslan Kravets (Level 1)

We have an AP 1130 with the local RADIUS service. It has two associated clients, 7921 IP phones. All works fine. But when I try to connect a new phone I get an authentication error. The phone settings are the same.

I tried the following debug:

dot11/wlccp authenticator:
  state machine debugging is on
  process debugging is on

radius local:
  Radius server error debugging is on
  Radius server client failures debugging is on
Radius protocol debugging is on
Radius packet protocol (authentication) debugging is on

Apr 27 12:47:38.378: RADIUS(00001F10): Received from id 1645/93
Apr 27 12:47:38.378: RADIUS/DECODE: EAP-Message fragments, 26, total 26 bytes
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Apr 27 12:47:38.378: dot11_auth_dot1x_parse_aaa_resp: found session timeout 120 sec
Apr 27 12:47:38.378: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 8843.e133.51db
Apr 27 12:47:38.379: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 120 seconds
Apr 27 12:47:42.978: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 8843.e133.51db
Apr 27 12:47:42.978: dot11_auth_dot1x_send_id_req_to_client: Client 8843.e133.51db timer started for 30 seconds
Apr 27 12:47:43.022: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 8843.e133.51db
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Sending client 8843.e133.51db data to server
Apr 27 12:47:43.022: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Apr 27 12:47:43.023: RADIUS/ENCODE(00001F12):Orig. component type = DOT11_AUTH
Apr 27 12:47:43.023: RADIUS:  AAA Unsupported Attr: ssid              [263] 9  
Apr 27 12:47:43.023: RADIUS:   4B 4D 52 55 53 57 49                             [1234567]

Apr 27 12:47:43.023: RADIUS:  AAA Unsupported Attr: interface         [156] 4  
Apr 27 12:47:43.024: RADIUS:   35 34                                            [54]
Apr 27 12:47:43.024: RADIUS(00001F12): Storing nasport 5405 in rad_db
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS/ENCODE(00001F12): acct_session_id: 7954
Apr 27 12:47:43.024: RADIUS(00001F12): Config NAS IP: 10.122.156.138
Apr 27 12:47:43.024: RADIUS(00001F12): sending
Apr 27 12:47:43.024: RADIUS(00001F12): Send Access-Request to 10.122.156.138:1812 id 1645/94, len 137
Apr 27 12:47:43.025: RADIUS:  authenticator 82 3E 35 09 1C 77 95 0D - 13 6A DA 01 E5 B2 A5 21
Apr 27 12:47:43.025: RADIUS:  User-Name           [1]   11  "anonymous"
Apr 27 12:47:43.025: RADIUS:  Framed-MTU          [12]  6   1400                     
Apr 27 12:47:43.025: RADIUS:  Called-Station-Id   [30]  16  "001b.2a6d.2d68"
Apr 27 12:47:43.025: RADIUS:  Calling-Station-Id  [31]  16  "8843.e133.51db"
Apr 27 12:47:43.025: RADIUS:  Service-Type        [6]   6   Login                     [1]
Apr 27 12:47:43.025: RADIUS:  Message-Authenticato[80]  18  *
Apr 27 12:47:43.025: RADIUS:  EAP-Message         [79]  16 
Apr 27 12:47:43.026: RADIUS:   02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73        [?????anonymous]
Apr 27 12:47:43.026: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
Apr 27 12:47:43.026: RADIUS:  NAS-Port            [5]   6   5405                     
Apr 27 12:47:43.026: RADIUS:  NAS-IP-Address      [4]   6   10.122.156.138           
Apr 27 12:47:43.026: RADIUS:  Nas-Identifier      [32]  10  "KM-AP-02"
Apr 27 12:47:43.027: RADSRV: Unable to add TEAP client: max client limit reached, 10
Apr 27 12:47:48.010: dot11_auth_parse_client_pak: Received EAPOL packet from 8843.e133.51db
Apr 27 12:47:48.010: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for 8843.e133.51db
Apr 27 12:47:48.011: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
Apr 27 12:47:48.582: RADIUS: no sg in radius-timers: ctx 0xBAE51C sg 0x0000

8843.e133.51db is the MAC address of the problem phone. In addition, strings such as the following occur in the debug output:

%DOT11-4-MAXRETRIES: Packet to client 8843.e133.51db reached max retries, removing the client

But the radio environment is good.

Here is part of the AP configuration:

ip ssh source-interface BVI1
ip ssh version 2
aaa new-model
!
!
aaa group server radius RADIUS-LOCAL
server 10.122.156.138 auth-port 1812 acct-port 1813
deadtime 0
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login method_infrastructure group RADIUS-LOCAL
aaa authentication login method_client group RADIUS-LOCAL
aaa authentication login method_eap group RADIUS-LOCAL
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common

dot11 ssid 123456789

   vlan 51
   authentication open eap method_eap
   authentication network-eap method_eap
   authentication key-management wpa cckm
!
dot11 network-map
dot11 phone dot11e

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 51 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm tkip
!
ssid 123456789
!
countermeasure tkip hold-time 90
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 14
power local cck -1
power local ofdm -1
channel 2462
station-role root
dot11 extension power native

interface BVI1
ip address 10.122.156.138 255.255.255.192
no ip route-cache
!
ip radius source-interface BVI1
!
radius-server local
  no authentication mac
  nas 10.122.156.138 key 7 107B3E125C153302161E0C2037
  nas 10.122.156.137 key 7 08147B45501B241E08112A0F39
  group IP-phones
    vlan 51
    ssid 123456789
  !
  user AP-02 nthash 7 143334522E20787B7D71636301475240572001097C037656533A457B0E7103770D
  user AP-01 nthash 7 1321314B2928567A727D786516764651422256067D08710C5E214B340F7E07760A
  user SEP0021A0249690 nthash 7 101F5B48524F475D5556080D070D176D71372642275072007C750D2B2639467A7D group IP-phones
  user SEP0021A0248A2F nthash 7 091D1C584E5D4244525E260C08010C6B660632533252250F7D7E0A712B2248357C group IP-phones
  user AP-03 nthash 7 075A02141E593F544433582F21727D010C6160764323325724010A0B027157224A
  user AP-04 nthash 7 115C3A5D47422D5D570B78070D6B63073755435751727D0C76035D504933007905
  user SEP8843E13351DB nthash 7 091C1E59495547425B5C547A7B7478636572435746535106090803045E53484609 group IP-phones
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.122.156.138 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server host 10.122.156.137 auth-port 1812 acct-port 1813 key 7 113C2E0E4E102A051E300D2F3B
radius-server vsa send accounting

If anybody has some experience, please help me find a solution to this problem.

Thanks
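As an added example (not code from the original post or from Cisco), the following Python script parses the Access-Request attribute dump and the RADSRV line quoted in the question, decodes the EAP-Message fragment (an EAP Response/Identity packet), and compares the identity the phone sent with the username the local RADIUS config would expect for its MAC, following the SEP<MAC> naming used in the radius-server local block above. The debug lines embedded in the script are copied from the question; the SEP-prefix derivation and the user list are assumptions taken from that config.

```python
import re

# Constructed excerpt: these lines are copied from the question's debug output.
DEBUG_LINES = """\
Apr 27 12:47:43.025: RADIUS:  User-Name           [1]   11  "anonymous"
Apr 27 12:47:43.025: RADIUS:  Called-Station-Id   [30]  16  "001b.2a6d.2d68"
Apr 27 12:47:43.025: RADIUS:  Calling-Station-Id  [31]  16  "8843.e133.51db"
Apr 27 12:47:43.025: RADIUS:  EAP-Message         [79]  16
Apr 27 12:47:43.026: RADIUS:   02 01 00 0E 01 61 6E 6F 6E 79 6D 6F 75 73        [?????anonymous]
Apr 27 12:47:43.026: RADIUS:  NAS-Port            [5]   6   5405
Apr 27 12:47:43.027: RADSRV: Unable to add TEAP client: max client limit reached, 10
""".splitlines()

# Assumption: usernames taken from the "radius-server local" block in the question's config.
LOCAL_USERS = {"AP-01", "AP-02", "AP-03", "AP-04",
               "SEP0021A0249690", "SEP0021A0248A2F", "SEP8843E13351DB"}

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 43: "EAP-FAST"}

# Attribute line: "RADIUS:  Name [num] len value"; the name may run into the bracket.
ATTR_RE = re.compile(r"RADIUS:\s+(.+?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$")
# Continuation line carrying a hex dump of the previous attribute's value.
HEX_RE = re.compile(r"RADIUS:\s{3}((?:[0-9A-F]{2} )+[0-9A-F]{2})")


def parse_eap(data: bytes) -> dict:
    """Decode the RFC 3748 EAP header and, for Identity packets, the identity string."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length > len(data):
        raise ValueError("EAP length field exceeds the fragment")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type byte
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: the rest is the identity
            pkt["identity"] = data[5:length].decode("utf-8", "replace")
    return pkt


def parse_access_request(lines) -> dict:
    """Collect attributes (strings, or bytes for hex-dumped values) and RADSRV errors."""
    req = {"attributes": {}, "errors": []}
    pending = None                               # attribute whose value follows as hex
    for line in lines:
        m = HEX_RE.search(line)
        if m and pending:
            req["attributes"][pending] = bytes.fromhex(m.group(1).replace(" ", ""))
            pending = None
            continue
        m = ATTR_RE.search(line)
        if m:
            name, _num, _len, value = m.groups()
            value = value.strip()
            if value.startswith('"'):
                req["attributes"][name] = value.strip('"')
            elif value:
                req["attributes"][name] = value
            else:
                pending = name                   # value is on the next hex line
            continue
        if "RADSRV:" in line:
            req["errors"].append(line.split("RADSRV: ", 1)[1])
    return req


def expected_phone_user(calling_station_id: str) -> str:
    """Assumed convention from the config: SEP + MAC without separators, upper case."""
    return "SEP" + calling_station_id.replace(".", "").replace(":", "").upper()


def triage(lines, local_users) -> dict:
    """Compare the EAP identity the client sent with the local RADIUS user for its MAC."""
    req = parse_access_request(lines)
    attrs = req["attributes"]
    eap = parse_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
    identity = eap.get("identity") if eap else None
    mac = attrs.get("Calling-Station-Id", "")
    expected = expected_phone_user(mac) if mac else None
    findings = []
    if identity is not None and identity != expected:
        findings.append(f"EAP identity {identity!r} differs from expected local user {expected!r}")
    if identity is not None and identity not in local_users:
        findings.append(f"EAP identity {identity!r} is not defined under radius-server local")
    for err in req["errors"]:
        findings.append(f"local RADIUS server error: {err}")
    return {"identity": identity, "expected_user": expected, "findings": findings}


if __name__ == "__main__":
    for finding in triage(DEBUG_LINES, LOCAL_USERS)["findings"]:
        print(finding)
```

An anonymous outer identity is legitimate for tunnelled EAP methods, so a mismatch is a lead to verify the phone's configured username rather than proof of the fault; the script also surfaces the local server's "max client limit reached" message so that both leads are visible in one place.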

1 Accepted Solution

3 Replies

dmantill (Level 4)

The only thing that comes to my mind is:

What is the part name of this phone? Does it end with -W or just -A?

Why use anonymous users?

User-Name           [1]   11  "anonymous" ?

Did you try using only TKIP alone as encryption?

Check the local radius statistics...

Can you test with a simple username like test and password test?

You're absolutely right! The username wasn't set properly.

Thanks a lot!

You are welcome... don't forget to rate the posts and to set this question as answered.
