Client failed EAP authentication with following reason: Cred failed - Page 2

thuy.hoang · ‎06-07-2023

Hello Friends,

I have a WLC C9800 with the Local EAP configuration, but when the client with the local account, it shows Unable to connect.

I did some troubleshooting and found this logging:

2023/06/07 14:17:33.484807549 {wncd_x_R0-0}{1}: [errmsg] [15175]: (note): %DOT1X-5-FAIL: R0/0: wncd: Authentication failed for client (f8e9.4eae.ac0f) with reason (Cred Fail) on Interface capwap_90000005 AuditSessionID 03FA5D0A0000006C96384712 Username: user1
2023/06/07 14:17:33.484816399 {wncd_x_R0-0}{1}: [auth-mgr] [15175]: (info): [f8e9.4eae.ac0f:capwap_90000005] Authc failure from Dot1X, Auth event fail
2023/06/07 14:17:33.484824401 {wncd_x_R0-0}{1}: [auth-mgr] [15175]: (info): [f8e9.4eae.ac0f:capwap_90000005] Method dot1x changing state from 'Running' to 'Authc Failed'

I already see a post with the same issue as link below but not resolved

https://community.cisco.com/t5/wireless/wlc-9800-local-eap-authentication-failed-for-client/td-p/4420304

Is there anyone have a experience on that?

Thanks much.

zachhoiberg · ‎07-19-2023

That is the driver that is installed when I run that executable.

Leo Laohoo · ‎07-19-2023

@zachhoiberg wrote:
Radio types supported : 802.11b 802.11g 802.11n

Please check the controller to determine which radio (2.4 Ghz or 5.0 Ghz) the laptop has joined.

@zachhoiberg wrote:
Just doesn't work with laptops from HP, Notebook HP 240 G7.

Wait, that just not make any sense! Works for anything-n-everything except one particular model of laptop with an ancient wireless NIC?

Try creating a SSID with OPEN authentication and see if the laptops (plural) works or not. IF it works, then crank up to PSK. IF that works, then keep cranking until it breaks.

If OPEN SSID does not work, then something horribly is happening at the SOE level.

zachhoiberg · ‎08-15-2023

Open works, PSK works, PSK with local MAB works. DOT1X results in the following:

Aug 15 13:41:04.094: %DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (e8b1.fcdc.827d) with reason (Cred Fail) on Interface capwap_90000098 AuditSessionID 8201C10A003A898CF96DAD1F Username: user@domain.local
Aug 15 13:41:04.094: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (e8b1.fcdc.827d) on Interface capwap_90000098 AuditSessionID 8201C10A003A898CF96DAD1F. Failure reason: Authc fail. Authc failure reason: Cred Fail.

Certificate based authentication, both with a cert requested from the same CA via the AD enrollment policy.

When connected via PSK with MAB,

"Capabilities

802.11ac Spatial Stream: 2"

This is from the AC 7260:

Interface name: Wi-Fi

Driver : Intel(R) Dual Band Wireless-AC 7260
Vendor : Intel Corporation
Provider : Intel
Date : 4/29/2019
Version : 18.33.17.1
INF file : oem13.inf
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n 802.11a 802.11ac

Leo Laohoo · ‎08-15-2023

(Hot dang! This is probably the best response(s) I've seen from anyone!)

If open, PSK and MAB works but it fails on Dot1X then we start troubleshooting the authentication server.

Let's start with the most basic: Is there an expired certificate involved?

zachhoiberg · ‎08-16-2023

It's definitely not a certificate issue, nor an issue with the authentication server.

When we disable Central Authentication on that WLAN and keep all other settings the same, the specific devices that are having issues connect just fine. Same certificate, same Radius servers, same NPS policies. I've collected some packet captures and radioactive traces and I'm now working with TAC on this bizarre issue.

On these specific devices, no packets are sent by the WLC to the authentication server, and within a tenth of a second, it marks the device as failing authentication.

We've actually had two different model laptops, both with extremely similar NIC drivers, fail and succeed on Central Auth, while both work when the APs themselves are the ones doing the DOT1X requests.
Non workng:

Driver : Intel(R) Wi-Fi 6 AX201 160MHz

Vendor : Intel Corporation

Provider : Intel

Date : 11/23/2022

Version : 22.190.0.4

INF file : oem12.inf

Type : Native Wi-Fi Driver

Radio types supported : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax

FIPS 140-2 mode supported : Yes

802.11w Management Frame Protection supported : Yes

Hosted network supported : No

Authentication and cipher supported in infrastructure mode:

Open None

Open WEP-40bit

Open WEP-104bit

Open WEP

WPA-Enterprise TKIP

WPA-Enterprise CCMP

WPA-Personal TKIP

WPA-Personal CCMP

WPA2-Enterprise TKIP

WPA2-Enterprise CCMP

WPA2-Personal TKIP

WPA2-Personal CCMP

Open Vendor defined

WPA3-Personal CCMP

Vendor defined Vendor defined

WPA3-Enterprise GCMP-256

OWE CCMP

IHV service present : Yes

IHV adapter OUI : [00 00 00], type: [00]

IHV extensibility DLL path: C:\WINDOWS\system32\IntelIHVRouter10.dll

IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}

IHV diagnostics CLSID : {00000000-0000-0000-0000-000000000000}

Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)

Working:
Driver : Intel(R) Wi-Fi 6 AX201 160MHz
Vendor : Intel Corporation
Provider : Intel
Date : 11/23/2022
Version : 22.190.0.4
INF file : oem84.inf
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax
FIPS 140-2 mode supported : Yes
802.11w Management Frame Protection supported : Yes
Hosted network supported : No
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP-40bit
Open WEP-104bit
Open WEP
WPA-Enterprise TKIP
WPA-Enterprise CCMP
WPA-Personal TKIP
WPA-Personal CCMP
WPA2-Enterprise TKIP
WPA2-Enterprise CCMP
WPA2-Personal TKIP
WPA2-Personal CCMP
Open Vendor defined
WPA3-Personal CCMP
Vendor defined Vendor defined
WPA3-Enterprise 192 Bits GCMP-256
OWE CCMP
Number of supported bands : 2
2.4 GHz [ 0 MHz - 0 MHz]
5 GHz [ 0 MHz - 0 MHz]
IHV service present : Yes
IHV adapter OUI : [00 00 00], type: [00]
IHV extensibility DLL path: C:\Windows\system32\IntelIHVRouter10.dll
IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}
IHV diagnostics CLSID : {00000000-0000-0000-0000-000000000000}
Wireless Display Supported: Yes (Graphics Driver: Yes, Wi-Fi Driver: Yes)

The only difference I see between the two "netsh wlan show drivers" outputs is the WPA-3 Enterprise bits for GCMP, the driver INF file, and then supported bands.

We are only using WPA/WPA-2, however.

Rich R · ‎08-16-2023

Well you just should NOT be using that driver (22.190.0.4) - Intel has withdrawn it because it's unsupportable!
https://quickview.cloudapps.cisco.com/quickview/bug/CSCwe50033
And even Microsoft has updated their platforms to the new drivers - for example:
https://support.microsoft.com/en-us/surface/surface-laptop-4-update-history-607537fa-c595-4797-9a2e-ee77015472f6
August 2023 updates - August 1 release
The following update is available for Surface Laptop 4 devices with Intel Processor running Windows 10 October 2020 Update, Version 20H2 or greater. This update improves wireless stability.
Windows Update Name Device Manager
Intel - Net - 22.230.0.8 Intel(R) Wi-Fi 6 AX201 160MHz - Network adapters

Latest driver: https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Leo Laohoo · ‎08-16-2023

@zachhoiberg wrote:
Version : 22.190.0.4

Have a look at CSCwe50033, particularly, the information about the Intel wireless NIC versions that fixed the issue (of the bug).

In addition to what @Rich R said, I would recommend updating the wireless NIC firmware. I would also like to add/recommend the following Intel-based setting changes:

802.11n/ac/ax Wireless Mode: 3. 802.11ac
Preferred Band: 3. Prefer 5Ghz band
Roaming Aggressiveness: 4. Medium-High
Throughput Booster: Disabled
U-APSD support: Disabled

thuy.hoang · ‎07-30-2023

Hello Friends,

Just shared that I have resolved the issue.

I changed the EAP certificate to self signed certs and local user should be created without password encrypted.

Thanks.

JPavonM · ‎07-19-2023

Have you checked thsi laptop has the correct certificate and the correct options in the WLAN profile? (cert server validation, user/machine creds,...)