
%DOT11-7-AUTH_FAILED

Hello,

I have a problem with wireless authentication.

I have tried the following operating systems on clients: Windows XP, Windows Vista and Windows 7.

Radius Server is working normally.

Below are the debug output, version and configuration. Can somebody see something wrong? I have no idea.

Please help me to solve this problem.

Thanks,

Christian Overrein

Debug report.

000272: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000273: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000274: *Jan 14 21:18:10.331 UTC: EAPOL pak dump tx
000275: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1  type: 0x0  length: 0x0032
000276: *Jan 14 21:18:10.331 UTC: EAP code: 0x1  id: 0x2  length: 0x0032 type: 0x1
07403990:                   01000032 01020032          ...2...2
074039A0: 01006E65 74776F72 6B69643D 56656C66  ..networkid=Velf
074039B0: 65726465 6E2C6E61 7369643D 56454C57  erden,nasid=VELW
074039C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
000277: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg:  sending data to requestor status 1
000278: *Jan 14 21:18:10.331 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000279: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds
000280: *Jan 14 21:18:10.331 UTC: dot11_auth_parse_client_pak: Received EAPOL packet from 0017.3f78.977b
000281: *Jan 14 21:18:10.331 UTC: EAPOL pak dump rx
000282: *Jan 14 21:18:10.331 UTC: EAPOL Version: 0x1  type: 0x1  length: 0x0000
074030D0:                   01010000                   ....
000283: *Jan 14 21:18:10.331 UTC: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 0017.3f78.977b
000284: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0017.3f78.977b
000285: *Jan 14 21:18:10.335 UTC: EAPOL pak dump tx
000286: *Jan 14 21:18:10.335 UTC: EAPOL Version: 0x1  type: 0x0  length: 0x0032
000287: *Jan 14 21:18:10.335 UTC: EAP code: 0x1  id: 0x3  length: 0x0032 type: 0x1

07404390:                   01000032 01030032          ...2...2
074043A0: 01006E65 74776F72 6B69643D 56656C66  ..networkid=Velf
074043B0: 65726465 6E2C6E61 7369643D 56454C57  erden,nasid=VELW
074043C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
000288: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg:  sending data to requestor status 1
VELWR0001#
000289: *Jan 14 21:18:10.335 UTC: dot11_auth_send_msg: Sending EAPOL to requestor
000290: *Jan 14 21:18:10.335 UTC: dot11_auth_dot1x_send_id_req_to_client: Client 0017.3f78.977b timer started for 30 seconds

000328: *Jan 14 21:23:47.627 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000329: *Jan 14 21:24:21.727 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000330: *Jan 14 21:24:55.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed
--More--
000331: *Jan 14 21:25:29.823 UTC: %DOT11-7-AUTH_FAILED: Station 0017.3f78.977b Authentication failed

Show Version.


System returned to ROM by reload at 20:58:46 UTC Fri Jan 14 2011
System image file is "flash:/c181x-adventerprisek9-mz.151-3.T.bin"
Last reload type: Normal Reload


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1812W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ120995G1, with hardware revision 0000

10 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
2 802.11 Radios
31360K bytes of ATA CompactFlash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1812W-AG-E/K9    FCZ120995G1

Show running-config


version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VELWR0001
!
boot-start-marker
boot system flash:/c181x-adventerprisek9-mz.151-3.T.bin
boot-end-marker
!
!
logging userinfo
logging buffered 20000
enable secret 5 $1$TGe/$Bnajd6kvDh/E8pMtAAND00
enable password 7 104D000A0618
!
aaa new-model
!
!
aaa group server radius rad_acct
server 10.0.1.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
server 10.0.1.10 auth-port 1645 acct-port 1646
!
aaa group server radius Velferden_group
server-private 10.0.1.10 auth-port 1645 acct-port 1646 key 7 047602101C705C460D
!
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login Velferden_list group Velferden_group
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
!
!
!
aaa session-id common
!

dot11 syslog
dot11 activity-timeout unknown default 1800
dot11 activity-timeout client default 1800
dot11 activity-timeout repeater default 1800
dot11 activity-timeout workgroup-bridge default 1800
dot11 activity-timeout bridge default 1800
!
dot11 ssid Velferden
vlan 102
authentication open eap Velferden_list
authentication key-management wpa
accounting acct_methods
mbssid guest-mode
!
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name velferden.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
username backup privilege 15 secret 5 $1$1/JH$cqnXDVsAd/hjPE6lyLOVe.
!
!
ip tcp synwait-time 10
!
!
!
bridge irb
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
encryption vlan 102 mode ciphers aes-ccm
!
broadcast-key vlan 102 change 30
!
!
ssid Velferden
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
encryption vlan 102 mode ciphers aes-ccm
!
broadcast-key vlan 102 change 30
!
!
ssid Velferden
!
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.102
encapsulation dot1Q 102
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description VELAR0001
switchport access vlan 100
!
interface FastEthernet3
description VELDC0001
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet4
description BORDSWITCH
switchport access vlan 100
!
interface FastEthernet5
description KLIENTER
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet6
description VELSK0001
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet7
description KLIENTER
switchport access vlan 100
spanning-tree portfast
!
interface FastEthernet8
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
!
interface FastEthernet9
description SPERRET
switchport access vlan 100
shutdown
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description User
ip address 10.0.1.9 255.255.255.128
ip helper-address 10.0.1.10
!
interface Vlan102
no ip address
bridge-group 1
!
interface Group-Async9
physical-layer async
no ip address
encapsulation slip
!
interface BVI1
ip address 10.0.1.129 255.255.255.128
ip helper-address 10.0.1.10
!
ip default-gateway 10.0.1.8
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
!
ip radius source-interface Vlan100
logging esm config
logging trap debugging
logging source-interface Vlan100
logging 10.0.1.10
!
!
!
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 7 153427232D011F
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
logging synchronous
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler interval 500
end

4 Replies

Hi Christian

Which RADIUS do you use? Windows?

Maybe you can see more details there about why the client is not authenticated. If you see no requests there, maybe the way to the RADIUS is the problem.

regards,

Sebastian

Hi Sebastian!

OS: I am using Windows 2003 SP2

Radius: IAS (Internet Authentication Service)

I cannot see any errors in the IAS log. The reason is that the router doesn't send requests to the service for authentication because it has not been redirected.

Connectivity is checked. I am using radius as login authentication, that works. It is wireless that is the problem.

In my latest post I have posted the configuration.

I hope you can help me solve the problem.

regards,

Christian
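
The EAPOL dumps in the debug output from the first post can be decoded frame by frame. The following is an added example, not part of the original thread; it parses the posted hex dumps and shows that the only frame received from the client in that excerpt is an EAPOL-Start, with no EAP-Response/Identity that the access point could relay to the RADIUS server. Function names are illustrative.

```python
import re

# Debug excerpt copied from the first post (sequence numbers and timestamps trimmed).
DEBUG = """\
EAPOL pak dump tx
07403990:                   01000032 01020032          ...2...2
074039A0: 01006E65 74776F72 6B69643D 56656C66  ..networkid=Velf
074039B0: 65726465 6E2C6E61 7369643D 56454C57  erden,nasid=VELW
074039C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
EAPOL pak dump rx
074030D0:                   01010000                   ....
EAPOL pak dump tx
07404390:                   01000032 01030032          ...2...2
074043A0: 01006E65 74776F72 6B69643D 56656C66  ..networkid=Velf
074043B0: 65726465 6E2C6E61 7369643D 56454C57  erden,nasid=VELW
074043C0: 52303030 312C706F 72746964 3D30      R0001,portid=0
"""

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def frames(debug):
    """Return [direction, frame bytes] for each dumped EAPOL frame."""
    out = []
    for line in debug.splitlines():
        m = re.search(r"EAPOL pak dump (tx|rx)", line)
        if m:
            out.append([m.group(1), b""])
        elif out and re.match(r"[0-9A-F]{8}:", line):
            # Hex words come first; the ASCII column follows after 2+ spaces.
            words = re.split(r"\s{2,}", line.split(":", 1)[1].strip())[0]
            out[-1][1] += bytes.fromhex(words.replace(" ", ""))
    return out

def describe(direction, b):
    """Decode the 4-byte EAPOL header and, for EAP packets, the EAP header."""
    kind = EAPOL_TYPES.get(b[1], "unknown")
    if b[1] != 0:
        return f"{direction} {kind}"
    code, ident, length = b[4], b[5], int.from_bytes(b[6:8], "big")
    text = f"{direction} EAP-{EAP_CODES.get(code, '?')} id={ident}"
    if code in (1, 2) and b[8] == 1:  # EAP type 1 = Identity
        text += " Identity " + b[9:4 + length].lstrip(b"\0").decode("ascii", "replace")
    return text

def client_answered_identity(debug):
    """True if any received frame is an EAP-Response (EAP code 2)."""
    return any(d == "rx" and b[1] == 0 and b[4] == 2 for d, b in frames(debug))
```

The parser skips lines it does not recognise, so the untrimmed debug lines with their sequence numbers and timestamps can be fed to `frames()` as well.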

Hi Christian.

Which authentication method are you using?

In the configuration, the only difference I see is the RADIUS set for the Velferden_list, which also has a key; if this key is not correct, that could be the problem.

Regarding the EAP method used, it could be the cause of the authentication failed message; remember that IAS only permits PEAP or EAP-TLS, which needs a PKI infrastructure.

Best Regards.
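
The key comparison suggested in the reply above can be done without decoding anything. The following is an added example, not part of the original thread; it traces the SSID's EAP method list to its RADIUS server group in an excerpt of the posted configuration and compares the two type 7 key strings configured for the same server by the length of the secret they encode. Function names are illustrative, and the sub-command indentation is restored as an assumption about the original layout.

```python
import re

# Excerpt of the running-config from the first post; the one-space indentation
# of sub-commands is restored here so that blocks can be told apart.
CONFIG = """\
aaa group server radius rad_eap
 server 10.0.1.10 auth-port 1645 acct-port 1646
aaa group server radius Velferden_group
 server-private 10.0.1.10 auth-port 1645 acct-port 1646 key 7 047602101C705C460D
aaa authentication login eap_methods group rad_eap
aaa authentication login Velferden_list group Velferden_group
dot11 ssid Velferden
 authentication open eap Velferden_list
radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 7 153427232D011F
"""

def block(config, header):
    """Indented sub-commands that follow a top-level config line."""
    lines = config.splitlines()
    body = []
    for line in lines[lines.index(header) + 1:]:
        if not line.startswith(" "):
            break
        body.append(line.strip())
    return body

def servers(lines):
    """Map server IP -> type 7 key string (or None) for RADIUS server lines."""
    pat = r"(?:server(?:-private)?|radius-server host) (\S+)(?:.* key 7 (\S+))?"
    return {m.group(1): m.group(2) for m in (re.match(pat, l) for l in lines) if m}

def secret_length(key7):
    # Type 7 format: 2-digit offset, then two hex digits per secret character.
    # Different lengths prove different secrets; equal lengths prove nothing.
    return (len(key7) - 2) // 2

def trace_ssid(config, ssid):
    """Follow SSID -> EAP method list -> server group and compare key strings."""
    eap = next(l for l in block(config, f"dot11 ssid {ssid}") if "open eap" in l)
    method_list = eap.split()[-1]
    group = re.search(rf"^aaa authentication login {re.escape(method_list)} group (\S+)",
                      config, re.M).group(1)
    in_group = servers(block(config, f"aaa group server radius {group}"))
    in_global = servers(l for l in config.splitlines() if l.startswith("radius-server host"))
    mismatched = [ip for ip, key in in_group.items()
                  if key and in_global.get(ip)
                  and secret_length(key) != secret_length(in_global[ip])]
    return method_list, group, mismatched
```

Which of the two strings matches the client secret configured on the IAS side still has to be checked on the server.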

Hi,

Maybe stupid, but just an idea.

You said that authentication for administration and so on is working.

Maybe the wireless uses the BVI address, which is not in the same subnet as the other interfaces, and the BVI IP is not able to reach the RADIUS?

Like I said, just a stupid idea, but I didn't want to keep it to myself.

Sebastian
