Clients cannot connect to a wireless network ("Received EAPOL-key M2 with invalid MIC from mobile")

sergeydrako
Level 1

Hello Experts!

I'm trying to connect a laptop with Windows 10 to an AIR-AP2802I using the native supplicant.
Security Policy - WPA2 Enterprise. Radius Server - External.

In all cases, after authentication on the Radius server, I receive the same error:

"Received EAPOL-key M2 with invalid MIC from mobile"

The same picture with an attempt to connect with Android.

If you put Cisco NAM on the laptop (in addition to the Cisco AnyConnect Secure Mobility Client),
then with the Cisco supplicant the connection occurs without problems.

But with a built-in supplicant, there is always a problem

This may be due to a different version of EAPOL on the AP and client, or an incorrect basic configuration of the AP and controller.

This is my first mobility express device and I may have made some errors in the basic controller and AP configuration.
See the MEC settings screens and client connection logs, please!
Maybe someone will tell me how to solve the problem of connecting Windows 10 and smartphones.


---------------------------------------------------------
Some Cisco Community recommendations for similar issues have already been applied:
- the latest NIC drivers are installed on the laptop
- in the AP settings PMF - Disabled (default)
- different eapol-key-timeout values tried
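The error in the title means the authenticator recomputed the MIC over M2 with its own KCK and got a value different from the one the client sent. To show concretely what is being compared, here is an added Python example (not code from this thread or from Cisco): it derives the WPA2 PTK with the 802.11 PRF, builds a synthetic EAPOL-Key M2, and runs the authenticator-side check. The client MAC, nonces, RSN IE and PMK values are constructed for the example; only the BSSID is taken from the posted log. What it demonstrates: with the same PMK on both sides the MIC verifies; when the supplicant's PMK differs from the one the WLC received from RADIUS, or the two sides disagree on the key descriptor version, the frame still arrives but is rejected, which is exactly the "M2 with invalid MIC" condition.

```python
import hmac
import hashlib
import os

# EAPOL-Key frame layout (IEEE 802.11-2016, 12.7.2): 4-byte EAPOL header,
# then descriptor type(1), key info(2), key length(2), replay counter(8),
# nonce(32), IV(16), RSC(8), reserved(8), MIC(16), key data length(2), key data.
NONCE_OFFSET = 17
MIC_OFFSET = 81
MIC_LEN = 16

# Constructed values for the example; AA is the BSSID from the posted log,
# everything else is invented so the script runs offline and reproducibly.
AA = bytes.fromhex("ac4a67d2d8cf")          # authenticator (AP) address
SPA = bytes.fromhex("020000000001")         # supplicant address (locally administered)
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")  # CCMP, 802.1X AKM


def prf_x(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-X on HMAC-SHA1 (WPA2 AKM 00-0F-AC:1): concatenates
    HMAC(key, label || 0x00 || data || i) for i = 0, 1, ... and truncates."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Bytes 0..15 are the KCK that keys the EAPOL-Key MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_x(pmk, b"Pairwise key expansion", data, 384)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed. The hash is
    selected by the descriptor-version bits of Key Information (1 = HMAC-MD5,
    2 = HMAC-SHA1-128); version 3 (AES-128-CMAC) is out of scope here."""
    version = int.from_bytes(frame[5:7], "big") & 0x7
    digest = {1: hashlib.md5, 2: hashlib.sha1}.get(version)
    if digest is None:
        raise ValueError(f"unsupported key descriptor version {version}")
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_m2(kck: bytes, snonce: bytes, replay_counter: int, rsn_ie: bytes, version: int = 2) -> bytes:
    """Supplicant side: assemble M2 (SNonce + RSN IE, pairwise and MIC bits set) and sign it."""
    key_info = (version | 0x0008 | 0x0100).to_bytes(2, "big")
    body = (b"\x02" + key_info + (0).to_bytes(2, "big") + replay_counter.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * MIC_LEN
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = Key
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


def authenticator_accepts_m2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
                             frame: bytes, expected_version: int = 2) -> bool:
    """AP/WLC side: reject a descriptor-version mismatch, derive its own PTK from
    its PMK plus the SNonce in the frame, recompute the MIC and compare in constant time."""
    if int.from_bytes(frame[5:7], "big") & 0x7 != expected_version:
        return False
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def simulate(authenticator_pmk: bytes, supplicant_pmk: bytes, version: int = 2) -> bool:
    """One M2 exchange where each side derives keys from its own PMK."""
    supp_kck = derive_ptk(supplicant_pmk, AA, SPA, ANONCE, SNONCE)[:16]
    m2 = build_m2(supp_kck, SNONCE, 1, RSN_IE, version)
    return authenticator_accepts_m2(authenticator_pmk, AA, SPA, ANONCE, m2)


if __name__ == "__main__":
    pmk = os.urandom(32)
    print("same PMK on both sides        :", simulate(pmk, pmk))
    print("different PMK (MSK mismatch)  :", simulate(pmk, os.urandom(32)))
    print("descriptor version mismatch   :", simulate(pmk, pmk, version=1))
```

A MIC failure at this step never means "wrong password" in the usual sense: the RADIUS Access-Accept already happened, so what the check exposes is that the PMK the WLC took from the MS-MPPE keys in that Accept and the PMK the supplicant took from its own EAP run are not the same bytes, or that the frame is signed under a different descriptor version than the one the WLC negotiated. Since the frame cannot be trusted, the authenticator discards it, which is why the posted analyzer output shows "Received M2" immediately followed by the M1 timer expiring and M1 being retransmitted.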

8 Replies

Scott Fella
Hall of Fame
I’m willing to bet it’s your radius policy. Create a new policy with basic rules for EAP-PEAP or EAP-TLS, whichever you plan on using and make sure the policy is getting hit. Then review the logs. On the wireless, it’s pretty basic, you define your 802.1x and then point to your radius.
-Scott
*** Please rate helpful posts ***

 

 - Interesting remark; the RADIUS part of the debug logs is shown below. I do not know whether this contradicts your assertion or not; is the subsequent/multiple contacting of the RADIUS server suspicious in that context?

 

Nov 29 20:19:04.241 *aaaQueueReader Radius request with ID 63 sent to 172.16.55.215.
Nov 29 20:19:04.339 *aaaQueueReader Radius request with ID 64 sent to 172.16.55.215.
Nov 29 20:19:04.436 *aaaQueueReader Radius request with ID 65 sent to 172.16.55.215.
Nov 29 20:19:04.537 *aaaQueueReader Radius request with ID 66 sent to 172.16.55.215.
Nov 29 20:19:04.649 *aaaQueueReader Radius request with ID 67 sent to 172.16.55.215.
Nov 29 20:19:04.745 *aaaQueueReader Radius request with ID 68 sent to 172.16.55.215.
Nov 29 20:19:04.846 *aaaQueueReader Radius request with ID 69 sent to 172.16.55.215.
Nov 29 20:19:04.956 *aaaQueueReader Radius request with ID 70 sent to 172.16.55.215.
Nov 29 20:19:05.053 *aaaQueueReader Radius request with ID 71 sent to 172.16.55.215.
Nov 29 20:19:05.154 *Dot1x_NW_MsgTask_0 RADIUS Server permitted access


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks for the answer! That's probably the reason. But I created authentication and authorization policies; judging by the log they pass successfully and access is allowed by the RADIUS server with Authorization Result - PermitAccess

This is the radius server (ISE 2.0) log:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Called-Station-ID
15004 Matched rule - WiFi Ondskaya GES
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - ie.corp
24430 Authenticating user against Active Directory - ie.corp
24325 Resolving identity - ie\DrakoSN
24313 Search for matching accounts at join point - ie.corp
24315 Single matching account found in domain - ie.corp
24367 Skipping unusable domain - RESOURCE.LOCAL,Domain trust is one-way
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - DrakoSN@ie.corp
24402 User authentication against Active Directory succeeded - ie.corp
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP - Radius.Called-Station-ID
15004 Matched rule - WiFi Ondskaya GES test
15016 Selected Authorization Profile - PermitAccess
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11002 Returned RADIUS Access-Accept

Thank you to everyone who responded for helping! Problem solved. After installing another version of the RADIUS server (a more recent one was delivered), everything worked. The ME Controller settings were not changed.

marce1000
VIP

 

 - Try to disable 802.11r - fast roaming (too). Below you will find the output from https://cway.cisco.com/wireless-debug-analyzer/ following the input of Debug_client.txt. You may need to re-run that yourself, as the forum may wrap this output. Toggling the flags at the header of the output may also be useful:

 

Time | Task | Translated
Nov 29 20:18:51.438 *apfMsConnTask_0 Client made new Association to AP/BSSID BSSID ac:4a:67:d2:d8:cf AP AP2802i_01
Nov 29 20:18:51.439 *apfMsConnTask_0 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Nov 29 20:18:51.439 *apfMsConnTask_0 The Reassociation Request from the client comes with 0 PMKID
Nov 29 20:18:51.439 *apfMsConnTask_0 Client is entering the 802.1x or PSK Authentication state
Nov 29 20:18:51.439 *apfMsConnTask_0 Client has successfully cleared AP association phase
Nov 29 20:18:51.440 *apfMsConnTask_0 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
Nov 29 20:18:51.445 *Dot1x_NW_MsgTask_0 Client will be required to Reauthenticate in 1800 seconds
Nov 29 20:18:51.445 *Dot1x_NW_MsgTask_0 WLC/AP is sending EAP-Identity-Request to the client
Nov 29 20:19:04.240 *Dot1x_NW_MsgTask_0 Client sent EAP-Identity-Response to WLC/AP
Nov 29 20:19:04.241 *aaaQueueReader Radius request with ID 63 sent to 172.16.55.215.
Nov 29 20:19:04.339 *aaaQueueReader Radius request with ID 64 sent to 172.16.55.215.
Nov 29 20:19:04.436 *aaaQueueReader Radius request with ID 65 sent to 172.16.55.215.
Nov 29 20:19:04.537 *aaaQueueReader Radius request with ID 66 sent to 172.16.55.215.
Nov 29 20:19:04.649 *aaaQueueReader Radius request with ID 67 sent to 172.16.55.215.
Nov 29 20:19:04.745 *aaaQueueReader Radius request with ID 68 sent to 172.16.55.215.
Nov 29 20:19:04.846 *aaaQueueReader Radius request with ID 69 sent to 172.16.55.215.
Nov 29 20:19:04.956 *aaaQueueReader Radius request with ID 70 sent to 172.16.55.215.
Nov 29 20:19:05.053 *aaaQueueReader Radius request with ID 71 sent to 172.16.55.215.
Nov 29 20:19:05.154 *Dot1x_NW_MsgTask_0 RADIUS Server permitted access
Nov 29 20:19:05.155 *Dot1x_NW_MsgTask_0 Client will be required to Reauthenticate in 1800 seconds
Nov 29 20:19:05.156 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M1
Nov 29 20:19:05.167 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.409 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.409 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Retransmitting M1 retry #1
Nov 29 20:19:05.411 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.607 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.607 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Retransmitting M1 retry #2
Nov 29 20:19:05.609 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.806 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.806 *Dot1x_NW_MsgTask_0 Client has been deauthenticated
Nov 29 20:19:05.806 *Dot1x_NW_MsgTask_0 Client expiration timer code set for 10 seconds. The reason: Roaming failed due to WLAN security policy mismatch between controllers (configuration error). It can also be used to report EAPoL retry errors, and GTK rotation failure (in 8.5)


-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
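For reading debug-client output like the analyzer table above at scale, here is an added Python helper (not part of the thread, of Cisco's analyzer, or of the ME software) that parses the "timestamp *task message" lines, counts M1 transmissions, M2 arrivals and timer expiries, measures the effective EAPOL-key timeout from the gap between each M1 and the timer that gives up on it, and classifies the outcome. Both log samples are constructed: the failing one reproduces the handshake lines posted above, and the healthy one assumes the analyzer words a successful exchange as "Sending M3" / "Received M4".

```python
import re
from datetime import datetime, timedelta

# Constructed sample 1: the handshake portion of the analyzer output posted above.
FAILING = """\
Nov 29 20:19:05.154 *Dot1x_NW_MsgTask_0 RADIUS Server permitted access
Nov 29 20:19:05.156 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M1
Nov 29 20:19:05.167 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.409 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.409 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Retransmitting M1 retry #1
Nov 29 20:19:05.411 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.607 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.607 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Retransmitting M1 retry #2
Nov 29 20:19:05.609 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.806 *osapiBsnTimer 4-Way PTK Handshake, Client did not respond with M2
Nov 29 20:19:05.806 *Dot1x_NW_MsgTask_0 Client has been deauthenticated
"""

# Constructed sample 2: what a completed handshake is assumed to look like.
HEALTHY = """\
Nov 29 20:19:05.156 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M1
Nov 29 20:19:05.167 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M2
Nov 29 20:19:05.168 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Sending M3
Nov 29 20:19:05.172 *Dot1x_NW_MsgTask_0 4-Way PTK Handshake, Received M4
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d\.\d{3}) \*(?P<task>\S+) (?P<msg>.*)$")

VERDICT_HINT = {
    "ok": "4-way handshake completed",
    "no_m2": "client never answered M1: RF, driver or client-side problem",
    "m2_rejected": "M2 arrived but was never accepted (no M3 sent): MIC failure, "
                   "i.e. PMK/PTK or key-descriptor mismatch between supplicant and WLC",
    "incomplete": "handshake started but the log ends before M4",
}


def parse(text: str):
    """Yield (timestamp, task, message) for every line in the analyzer format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"), m["task"], m["msg"]


def analyse_handshake(text: str) -> dict:
    """Count handshake events, derive the EAPOL-key timeout actually in force,
    and return a verdict keyed to VERDICT_HINT."""
    r = {"m1_sent": 0, "m2_received": 0, "m2_timeouts": 0, "m3_sent": 0,
         "m4_received": 0, "deauth": False, "eapol_key_timeout_ms": []}
    last_m1 = None
    for ts, _task, msg in parse(text):
        if "Sending M1" in msg or "Retransmitting M1" in msg:
            r["m1_sent"] += 1
            last_m1 = ts
        elif "Received M2" in msg:
            r["m2_received"] += 1
        elif "did not respond with M2" in msg:
            r["m2_timeouts"] += 1
            if last_m1 is not None:   # gap M1 -> timer expiry == configured timeout
                r["eapol_key_timeout_ms"].append((ts - last_m1) // timedelta(milliseconds=1))
        elif "Sending M3" in msg:
            r["m3_sent"] += 1
        elif "Received M4" in msg:
            r["m4_received"] += 1
        elif "deauthenticated" in msg:
            r["deauth"] = True

    if r["m3_sent"] and r["m4_received"]:
        r["verdict"] = "ok"
    elif r["m2_received"] == 0:
        r["verdict"] = "no_m2"
    elif r["m3_sent"] == 0:
        r["verdict"] = "m2_rejected"
    else:
        r["verdict"] = "incomplete"
    r["hint"] = VERDICT_HINT[r["verdict"]]
    return r


if __name__ == "__main__":
    for name, sample in (("failing", FAILING), ("healthy", HEALTHY)):
        res = analyse_handshake(sample)
        print(f"{name}: {res['verdict']} ({res['hint']}); "
              f"M1 sent {res['m1_sent']}, M2 received {res['m2_received']}, "
              f"timeouts {res['m2_timeouts']}, timeout ms {res['eapol_key_timeout_ms']}")
```

The distinction the verdict draws is the one that matters for triage: "no_m2" points at the client or the air (the fix is on the laptop or the RF side), whereas "m2_rejected" means the frames are getting through and are being thrown away by the WLC's MIC check, so raising eapol-key-timeout or updating NIC drivers cannot help; the mismatch is in the key material, which on a WPA2 Enterprise WLAN comes from the RADIUS server. The measured gaps (about 200-250 ms here) also show which timeout value was actually active when the log was taken.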

Thanks for the answer, but 802.11r is disabled in the MEC settings.

It is confusing that when using a Cisco (Network Access Manager) supplicant, the connection occurs without problems.

 

Can we see the steps you take in the wireless client to connect to the AP,

and also the NAM config,
if you can.

What version of software is running on the ME? If you haven't tried a different (latest) image, I would try that, as it could be a bug.

 

HTH

Rasika
