Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19751
Views
41
Helpful
12
Replies

Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM

KAIABOSS
Level 1
Level 1

‎06-26-2020 06:31 AM - edited ‎07-05-2021 12:13 PM

Hi All,

 

I have 2 SSID and it works with pre share key and now i want to create 2 SSID to replace the olds for more security.

 

One SSID will be with authentification  certificate and the other one will be with MAC address for the smartphone. 

 

On the first I created a simple authentication without certificat. The users who are in the AD groups "G_CorporateWifi_BlachereGroupe" will access to the network so the authentification will be with their login and password (PEAP) by RADIUS.

 

I don't see anything on the RADIUS and there is no communicate between WLC and RADIUS. So I checked the controller's logs.

 

here are the logs from the controller:

 

*Dot1x_NW_MsgTask_6: Jun 26 15:08:21.380: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:08:05.359: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:08:05.299: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:07:40.082: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:07:31.806: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM
*Dot1x_NW_MsgTask_6: Jun 26 15:07:01.104: %DOT1X-3-AAA_AUTH_SEND_FAIL: 1x_aaa.c:848 Unable to send AAA message for client 18:1d:ea:64:0f:6e
*Dot1x_NW_MsgTask_6: Jun 26 15:07:01.063: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:487 Authentication Aborted for client 18:1d:ea:64:0f:6e Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM

 

informations about the controller: Cisco 2500 Series Model 2504

Software Version8.5.135.0
Field Recovery Image Version

 

thanks,

Regards

3 people had this problem
Labels:
12 Replies 12

KAIABOSS
Level 1
Level 1

‎06-26-2020 06:36 AM

WLANs Configuration: see attached file

 

Preview file
17 KB
Preview file
20 KB
Preview file
23 KB
0 Helpful

KAIABOSS
Level 1
Level 1
In response to KAIABOSS

‎06-26-2020 06:48 AM

Radius authentification configurations: see attached file

 

shared key "kaiaboss"

 

Radius NPS server configuration: see attached file

Preview file
18 KB
Preview file
174 KB
Preview file
282 KB
Preview file
148 KB
Preview file
412 KB
Preview file
226 KB
Preview file
35 KB
Preview file
293 KB
Preview file
268 KB
0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to KAIABOSS

‎06-26-2020 07:19 AM

More info about NPS config:

 

http://uat.aventistech.com/cisco-wlc-peap-with-windows-nps-server/

 

Regards

Dont forget to rate helpful posts

KAIABOSS
Level 1
Level 1
In response to Sandeep Choudhary

‎06-26-2020 07:41 AM

I also did this configuration but it is not working. There is no communicate between controller and NPS (see attached file)

Preview file
31 KB

Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to KAIABOSS

‎06-26-2020 07:18 AM

You checked the box "Radius server overwrite interface"--> Do you need this or not ? if not then uncheck the box.

 

and try again.

KAIABOSS
Level 1
Level 1
In response to Sandeep Choudhary

‎06-26-2020 07:36 AM

I unchecked this box but it doesn't work . I have always the same errors in the controller's logs. (see attached file)

 

RADIUS Servers
RADIUS Server Overwrite interfaceEnabled
Preview file
38 KB

KAIABOSS
Level 1
Level 1
In response to Sandeep Choudhary

‎06-26-2020 07:44 AM

see attached file

Preview file
23 KB

KAIABOSS
Level 1
Level 1
In response to Sandeep Choudhary

‎06-29-2020 12:35 AM

Hi,

 

I have always the same problem. 

see attached file for the controller's logs

Preview file
10 KB
0 Helpful

Rich R
VIP
VIP
In response to KAIABOSS

‎06-29-2020 02:15 AM

Does the WLC have a route to the radius server?
Do you have any CPU ACLs which could be blocking the radius?
------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

KAIABOSS
Level 1
Level 1
In response to Rich R

‎06-30-2020 06:20 AM

WLC has a route to the radius and the ping is ok.

 

I will try to desactivate the windows FW and try again. may be windows defender block

0 Helpful

KAIABOSS
Level 1
Level 1

‎07-06-2020 06:57 AM

Hi All,

 

All is working well now. I migrated the server on the new network. We were using an old network (192.168.0.0/22) with HP Core but it was a black box for us. The configuration was so bad and we decided to migrate on the new network 10.0.x.0/24) with cisco meraki and FW PaloAlto. So I could see the packet into FW and I opened the necessary rules and then I could see the message on the NPS 's evenments. 

So the WLC's configuration was correct, NPS's configurations were correct. I not realy want to waste my time to investigate the old network. 

 

Thanks all and thanks you very much @Sandeep Choudhary 

 

Best Regards

0 Helpful

Emre Ozel
Level 1
Level 1

‎02-26-2021 01:46 AM

Hi,


I have encountered the same problems and errors.

I noticed that I typed the wrong character in the shared secret area.
The problem was resolved when I entered the same shared key on the Cisco ISE and WLC side.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card