Client excluded 802.1x authentication failed

Jeremy Grycza
Level 1

We had a wireless controller fail at one of our locations, and thus our access points failed over to the controller at our other location. So far so good, as my laptop continued to work fine. Once we replaced the failed controller at my location, my laptop will not connect to the access points. I see the following error for my laptop:

Client Excluded: MACAddress:xx:xx:xx:xx:xx:bd Base Radio MAC :yy:yy:yy:yy:yy:yy  Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication  failed 3 times. ReasonCode: 4

Just this past Friday I went to our other location and was able to successfully connect to the wireless network there (which has the same name as the wireless network at my location). So here I thought everything was fine, but when I came back to my primary location I was still getting the same error and I'm unable to connect.

I've run these commands to remove the wifi profile from my laptop:

netsh wlan show profiles

netsh wlan delete profile name="profile name"

I've looked at the setting in the controller and from what I can tell they are the same at both locations.

Any ideas as to what could be causing this??  It is very annoying.  No one else has an issue and my Android phone can connect just fine to this wifi network.

4 Replies

Florin Barhala
Level 6

Hi guys,

Any suggestions for a similar issue?

Here are the logs for my laptop when attempting to authenticate:

essSsidIE  ssid_done_flag is 0 finish_flag is 0

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 suppRates  statusCode is 0 and gotSuppRatesElement is 1

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Processing RSN IE type 48, length 20 for mobile 70:18:8b:c6:8a:b8

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Received RSN IE with 0 PMKIDs from mobile 70:18:8b:c6:8a:b8

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Setting active key cache index 8 ---> 8

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 unsetting PmkIdValidatedByAp

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 0.0.0.0 8021X_REQD (3) Initializing policy

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

 

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

 

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 0.0.0.0 8021X_REQD (3) DHCP required on AP 2c:3e:cf:73:a5:90 vapId 1 apVapId 1for this client

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Not Using WMM Compliance code qosCap 00

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 2c:3e:cf:73:a5:90 vapId 1 apVapId 1 flex-acl-name:

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 70:18:8b:c6:8a:b8 on AP 2c:3e:cf:73:a5:90 from Associated to Associated

 

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 apfPemAddUser2:session timeout forstation 70:18:8b:c6:8a:b8 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

 

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 Sending Assoc Response to station on BSSID 2c:3e:cf:73:a5:90 (status 0) ApVapId 1 Slot 0

*apfMsConnTask_3: Apr 28 12:47:56.397: 70:18:8b:c6:8a:b8 apfProcessAssocReq (apf_80211.c:7957) Changing state for mobile 70:18:8b:c6:8a:b8 on AP 2c:3e:cf:73:a5:90 from Associated to Associated

 

*dot1xMsgTask: Apr 28 12:47:56.399: 70:18:8b:c6:8a:b8 dot1x - moving mobile 70:18:8b:c6:8a:b8 into Connecting state

*dot1xMsgTask: Apr 28 12:47:56.399: 70:18:8b:c6:8a:b8 Sending EAP-Request/Identity to mobile 70:18:8b:c6:8a:b8 (EAP Id 1)

*Dot1x_NW_MsgTask_0: Apr 28 12:47:56.437: 70:18:8b:c6:8a:b8 Received EAPOL START from mobile 70:18:8b:c6:8a:b8

*Dot1x_NW_MsgTask_0: Apr 28 12:47:56.437: 70:18:8b:c6:8a:b8 dot1x - moving mobile 70:18:8b:c6:8a:b8 into Connecting state

*Dot1x_NW_MsgTask_0: Apr 28 12:47:56.437: 70:18:8b:c6:8a:b8 Sending EAP-Request/Iden

 

Here is the SSID config:

 

show wlan 1

 

 

WLAN Identifier.................................. 1

Profile Name..................................... Ste-Internal

Network Name (SSID).............................. Ste

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Client Profiling Status

    Radius Profiling ............................ Disabled

     DHCP ....................................... Disabled

     HTTP ....................................... Disabled

    Local Profiling ............................. Disabled

     DHCP ....................................... Disabled

     HTTP ....................................... Disabled

 Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

 

--More-- or (q)uit

Number of Active Clients......................... 5

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ Disabled

Sleep Client..................................... disable

Sleep Client Timeout............................. 12 hours

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... Cisco vWLC

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

WLAN Layer2 ACL.................................. unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

 

--More-- or (q)uit

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

 

--More-- or (q)uit

Radius Servers

   Authentication................................ Global Servers

   Accounting.................................... Global Servers

      Interim Update............................. Disabled

      Framed IPv6 Acct AVP ...................... Prefix

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

Security

 

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

      Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

         CCKM.................................... Disabled

 

--More-- or (q)uit

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Disabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Enabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   flexconnect PPPoE pass-through................ Disabled

 

--More-- or (q)uit

   flexconnect local-switching IP-source-guar.... Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Split Tunnel (Printers).......................... Disabled

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

 

--More-- or (q)uit

Multicast Buffer................................. Disabled

 

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

 

802.11u........................................ Disabled

 

MSAP Services.................................. Disabled

 

 

Here is some Radius info:

 

(Cisco Controller) >show radius summary

 

Vendor Id Backward Compatibility................. Disabled

Call Station Id Case............................. lower

Call Station Id Type............................. Mac Address

Auth Call Station Id Type........................ AP's Mac Address:SSID

Aggressive Failover.............................. Enabled

Keywrap.......................................... Disabled

Fallback Test:

    Test Mode.................................... Off

    Probe User Name.............................. cisco-probe

    Interval (in seconds)........................ 300

MAC Delimiter for Authentication Messages........ colon

MAC Delimiter for Accounting Messages............ hyphen

 

Authentication Servers

 

Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

---  ----  ----------------------   ------  --------  ----  --------  -------  ------------------------------------------------

1    NM    172.17.32.71             1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none

2    N     172.17.120.71            1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none

 

Accounting Servers

 

--More-- or (q)uit

 

Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

---  ----  ----------------------   ------  --------  ----  --------  -------  ------------------------------------------------

1      N     172.17.32.71             1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

2      N     172.17.120.71            1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

 

              

(Cisco Controller) >show radius auth statistics

Authentication Servers:

 

Server Index..................................... 1

Server Address................................... 172.17.32.71

Msg Round Trip Time.............................. 82 (msec)

First Requests................................... 136

Retry Requests................................... 0

Accept Responses................................. 11

Reject Responses................................. 117

Challenge Responses.............................. 8

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

 

 

Server Index..................................... 2

Server Address................................... 172.17.120.71

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 0

 

--More-- or (q)uit

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Pending Requests................................. 0

Timeout Requests................................. 0

Unknowntype Msgs................................. 0

Other Drops...................................... 0

 

Authentication Total:

 

First Requests................................... 36926

Retry Requests................................... 232

Accept Responses................................. 2488

Reject Responses................................. 23560

Challenge Responses.............................. 10862

 

Some WLC info:

 

(Cisco Controller) >show sysinfo

 

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.5.102.0

RTOS Version..................................... 7.5.102.0

Bootloader Version............................... 7.5.102.0

Emergency Image Version.......................... 7.5.102.0

 

Build Type....................................... DATA + WPS

 

System Name...................................... Cisco vWLC

System Location.................................. Bucharest

System Contact................................... florinb@Ste.com

System ObjectID.................................. 1.3.6.1.4.1.9.1.1631

IP Address....................................... 172.17.32.52

System Up Time................................... 10 days 5 hrs 29 mins 44 secs

System Timezone Location......................... (GMT +2:00) Jerusalem

System Stats Realtime Interval................... 5

System Stats Normal Interval..................... 180

 

Configured Country............................... Multiple Countries:BE,PL,RO

 

 

--More-- or (q)uit

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 3

Number of Active Clients......................... 37

 

Burned-in MAC Address............................ 00:50:56:81:62:34

Maximum number of APs supported.................. 15

 

What does your RADIUS server tell you in the logs?

Your WLC config seems to be fine.

 

Regards,

Erik
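
Added example, not part of any post in this thread: a Python triage of the `show radius auth statistics` counters quoted above, separating a server that answers with rejects from one that never answers or is never used. The function names and the 0.5 reject-ratio threshold are assumptions of the example; the sample text is a trimmed copy of the thread's output.

```python
import re

# Trimmed copy of the counters quoted in this thread, pager prompt included.
SAMPLE = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 172.17.32.71
First Requests................................... 136
Accept Responses................................. 11
Reject Responses................................. 117
Timeout Requests................................. 0
--More-- or (q)uit
Server Index..................................... 2
Server Address................................... 172.17.120.71
First Requests................................... 0
Timeout Requests................................. 0
Authentication Total:
First Requests................................... 36926
"""

# "Key....... value": key text, a run of dot leaders, then the first token.
LINE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*\.{2,}\s*(\S+)")

def parse_servers(text):
    """Return one dict of counters per 'Server Index' block."""
    servers, cur = [], None
    for raw in text.splitlines():
        if raw.strip().endswith(":"):
            cur = None  # section heading, e.g. 'Authentication Total:'
            continue
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and '--More--' pager prompts
        key, val = m.group(1), m.group(2)
        if key == "Server Index":
            cur = {}
            servers.append(cur)
        if cur is not None:
            cur[key] = int(val) if val.isdigit() else val
    return servers

def triage(s, reject_ratio=0.5):
    """Classify one server; the 0.5 threshold is an assumption of this example."""
    accepts = s.get("Accept Responses", 0)
    rejects = s.get("Reject Responses", 0)
    if s.get("First Requests", 0) == 0:
        return "unused"       # the controller never sent it a request
    if s.get("Timeout Requests", 0) and not (accepts or rejects):
        return "unreachable"  # no answers: check path and RADIUS client entry
    if rejects and rejects / (accepts + rejects) >= reject_ratio:
        return "rejecting"    # server answers Access-Reject: read its own logs
    return "ok"

def report(text):
    return {s["Server Address"]: triage(s) for s in parse_servers(text)}

if __name__ == "__main__":
    for addr, verdict in report(SAMPLE).items():
        print(addr, verdict)
```

A "rejecting" verdict with zero timeouts means the controller-to-server path works and the decision is being made on the RADIUS server, so the reason for each failure is in that server's authentication log rather than on the WLC.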

As usual, the Windows Server runs on 2008 R2, and they told me there are no logs for yesterday's outage.

 

I have also opened a TAC ticket and I will return with their answer. If you guys have any suggestions in the meantime....

Hi All,

Is this case solved?

Florin, can you inform us about your case?

I have the same problem:

*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 Association received from mobile on AP 00:08:30:4a:16:70
*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 Applying site-specific IPv6 override for station 0c:37:dc:ed:65:92 - vapId 5, site 'ACS5_APGroup', interface 'ses'
*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 Applying IPv6 Interface Policy for station 0c:37:dc:ed:65:92 - vlan 20, interface id 12, interface 'ses'
*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 Applying site-specific override for station 0c:37:dc:ed:65:92 - vapId 5, site 'ACS5_APGroup', interface 'ses'
*apfMsConnTask_4: Dec 29 10:31:38.962: 0c:37:dc:ed:65:92 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_4: Dec 29 10:31:38.963: 0c:37:dc:ed:65:92 STA - rates (8): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_4: Dec 29 10:31:38.963: 0c:37:dc:ed:65:92 STA - rates (12): 130 132 139 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_4: Dec 29 10:31:38.963: 0c:37:dc:ed:65:92 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 0c:37:dc:ed:65:92 on AP 00:08:30:4a:16:70 from Authenticated to AAA Pending

*apfMsConnTask_4: Dec 29 10:31:38.963: 0c:37:dc:ed:65:92 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfReceiveTask: Dec 29 10:31:38.970: 0c:37:dc:ed:65:92 Sending Assoc Response to station on BSSID 00:08:30:4a:16:70 (status 1) ApVapId 1 Slot 0
*apfReceiveTask: Dec 29 10:31:38.970: 0c:37:dc:ed:65:92 apfProcessRadiusAssocResp (apf_80211.c:2271) Changing state for mobile 0c:37:dc:ed:65:92 on AP 00:08:30:4a:16:70 from AAA Pending to Authenticated
