
Authentication rejected because of challenge failure ReasonCode: 15

gyip
Level 1

I have configured a guest network that authenticates using the local database in my 2500 series wireless controller. When I log in, using the username/password I create, I see a success screen and I get an IP address but am not connected to the internet. (Not able to ping 8.8.8.8). When I look at the recent traps, I see the following corresponding entries:

 

1080 Fri Jan 26 18:18:43 2018 Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1 TxPkts: 0l TxBytes: 0l RxPkts: 0l RxBytes: 0l
1081 Fri Jan 26 18:18:43 2018 Client Deauthenticated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1
1082 Fri Jan 26 18:18:43 2018 Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1 TxPkts: 0l TxBytes: 0l RxPkts: 0l RxBytes: 0l
1083 Fri Jan 26 18:18:43 2018 Client Disassociated: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name: test, Ip Address: 10.20.44.106 Reason:Unspecified ReasonCode: 1
1084 Fri Jan 26 18:18:42 2018 Client Association Failure: MACAddress:45:85:00:b1:14:e4 Base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name:test IP Addr: 10.20.44.106 Reason:Authentication rejected because of challenge failure ReasonCode: 15
1092 Fri Jan 26 18:18:09 2018 User test logged in. Client MAC:45:85:00:b1:14:e4, Client IP:10.20.44.106, AP MAC:48:90:a5:cb:9c:80, AP Name:AP4810.7A70.464A
1093 Fri Jan 26 18:18:09 2018 Client Authenticated: MAC Address:45:85:00:b1:14:e4 base Radio MAC:48:90:a5:cb:9c:80 Slot: 1 User Name:test IP Addr:10.20.44.106 SSID:Guest

 

I can't seem to find any information on what "Authentication rejected because of challenge failure ReasonCode: 15" corresponds to.

 

Thanks for your help.

8 Replies

Leo Laohoo
Hall of Fame

@gyip wrote:

Reason:Authentication rejected because of challenge failure ReasonCode: 15


4-way handshake timeout.

This means that during the initial phase of authentication the wireless client didn't respond or didn't respond within the time frame.

This happens on my mobile device, laptop and other laptops. Because of that I am thinking it has to be a setting on the controller.

It's not just a setting in the controller or WLAN but also the authentication server.

The authentication server is the wireless controller itself. I created a user by hand in the Local Net Users section. As you can also see by the trap that I am authenticated.

The client isn't authenticated. I can see logs showing the clients associating and then attempting to authenticate before getting rejected due to timeout.

What link are you using when you configured 802.1x on the controller? Seems to me that your configuration is most likely not correct.
-Scott
*** Please rate helpful posts ***

I'm not really sure what link you are referring to.
I have Layer 3 configured on the WLAN to be a Web Policy and using Authentication. Then on the AAA Servers tab I only have LOCAL specified in the Authentication priority order for web-auth user.
To me it seems like authentication is working because in trap #1093 and #192 you will see "Client Authenticated" and also "User test logged in." On my computer after I enter the creds, the Success page is displayed and says I am logged in also. I have an IP address but when I ping 8.8.8.8 there is no response.

I've resolved my issue and just wanted to give everyone my resolution.

 

As I mentioned above, the authentication traps are indeed correct and show that the client was authenticated. The signs that point me to this conclusion were the fact that the traps show client authenticated (which are identical traps to when you authenticate with RADIUS and any other method successfully) in addition to the web auth success page.

 

I have a post-auth ACL to restrict access of my guest wireless network to internal resources by blocking all private IP address spaces. Because I have DHCP coming from a server (rather than the wireless controller as the DHCP server), I needed to include the guest wireless network subnet as a permitted address space in the ACL. It seems that the IP address range of the client wasn't implied and I had to explicitly grant access to it. Once I added it, everything works now.
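The resolution above can be checked offline with a small first-match ACL model. This is an added example, not part of the original thread and not the poster's actual ACL. It assumes the ACL is evaluated top-down and applied to traffic in both directions, that the guest subnet is 10.20.44.0/24 (only the client IP 10.20.44.106 appears in the traps), and that the other addresses are constructed test values.

```python
import ipaddress

# Assumed for illustration: the /24 mask and every test address except the
# client IP 10.20.44.106, which is taken from the traps in the thread.
GUEST = "10.20.44.0/24"
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
ANY = "0.0.0.0/0"

def rule(action, src, dst):
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

# "Before": deny every private destination, permit everything else.
ACL_BEFORE = [rule("deny", ANY, n) for n in RFC1918] + [rule("permit", ANY, ANY)]
# "After": the guest subnet is explicitly permitted as a destination first.
ACL_AFTER = [rule("permit", ANY, GUEST)] + ACL_BEFORE

def evaluate(acl, src, dst):
    """Return the action of the first matching rule; no match is a deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed flows: (source, destination)
FLOWS = {
    "client -> internet": ("10.20.44.106", "8.8.8.8"),
    "internet reply -> client": ("8.8.8.8", "10.20.44.106"),
    "client -> internal host": ("10.20.44.106", "10.1.1.10"),
    "client -> other private range": ("10.20.44.106", "192.168.5.5"),
}

def audit(acl):
    """Map each named test flow to the ACL's verdict."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label)
        for name, verdict in audit(acl).items():
            print(f"  {name:32} {verdict}")
```

In this model the guest subnet is permitted only as a destination, so internal private ranges stay blocked. Permitting it as a source ahead of the deny rules would match guest-to-internal traffic first and undo the restriction.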
