
EAP ID mismatch

enghassanf9009
Community Member

Hi, I am facing connection problems with laptops when they try to connect to the WiFi. I am not facing the same issue with mobiles.

When a laptop tries to connect to the WiFi, it often fails, and after trying many times it succeeds.

I did a debug and figured out that the problem is that the laptops are replying too late: the server increments the EAP ID before they send the response with the older EAP ID, causing an ID mismatch.

Is there a way to maybe disable this check, or any other workaround?

Or if my conclusion is wrong, please advise me.

Below is the debugging output:

*apfOpenDtlSocket: Nov 10 11:44:10.906: 18:cf:5e:11:38:d7 Recevied management frame ASSOCIATION REQUEST on BSSID 08:ec:f5:cb:e4:c0 destination addr 08:ec:f5:cb:e4:c0
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Received ADD_MOBILE ack - Initiating 1x to STA 18:cf:5e:11:38:d7 (idx 90)
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 APF Initiating 1x to STA 18:cf:5e:11:38:d7
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sent dot1x auth initiate message for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1xProcessInitiate1XtoMobile to mobile station 18:cf:5e:11:38:d7 (mscb 2, msg 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 reauth_sm state transition 1 ---> 0 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 1)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile in dot1x state = 2
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 reauth_sm state transition 0 ---> 1 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received Identity Response (count=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Resetting reauth count 1 to 0 for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 EAP State update from Connecting to Authenticating for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Authenticating state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 Entering Backend Auth Response state for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Processing AAA Error 'Timeout' (-5) for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 PMK: Sending Flexconnect group cache delete message to spam task
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Removing PMK cache entry for station 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Succesfully freed AID 15, slot 0 on AP 08:ec:f5:cb:e4:c0, #client on this slot 4
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Sent Deauthenticate to mobile on BSSID 08:ec:f5:cb:e4:c0 slot 0(caller 1x_auth_pae.c:1888)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*osapiBsnTimer: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireCallback (apf_ms.c:645) Expiring Mobile!
*apfReceiveTask: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireMobileStation (apf_ms.c:7869) Changing state for mobile 18:cf:5e:11:38:d7 on AP 08:ec:f5:cb:e4:c0 from Associated to Disassociated

 

7 Replies

Mark Elsen
Hall of Fame

 

 - Below is the output from your debugging session when analyzed with https://cway.cisco.com/wireless-debug-analyzer/ (Show all flag was checked):

Time | Task | Translated
Nov 10 11:44:10.910 | *Dot1x_NW_MsgTask_7 | WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.277 | *Dot1x_NW_MsgTask_7 | WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.422 | *Dot1x_NW_MsgTask_7 | Client sent EAP-Identity-Response to WLC/AP
Nov 10 11:44:42.523 | *Dot1x_NW_MsgTask_7 | Client has been deauthenticated
Nov 10 11:44:42.523 | *Dot1x_NW_MsgTask_7 | Client expiration timer code set for 10 seconds. The reason: AAA error during dot1x auth (server timeout, no server found, etc), triggering client delete
Nov 10 11:44:52.358 | *apfReceiveTask | Client session has timed out


-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
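
An added example, not part of any post in this thread and not Cisco tooling: a small Python parser over lines copied from the debug output above that separates the discarded stale response from the event that actually ended the attempt. The event names and the `parse`/`diagnose` functions are hypothetical, and the patterns match only the message strings visible in this thread.

```python
import re

# Lines copied from the debug output posted in this thread (one client, one attempt).
SAMPLE = """\
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 1)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received Identity Response (count=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Processing AAA Error 'Timeout' (-5) for mobile 18:cf:5e:11:38:d7
"""
LINE = re.compile(r"^\*\w+: \w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3}): "
                  r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2} (.*)$")
EVENTS = {  # hypothetical event names -> pattern searched in the message text
    "request": re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)"),
    "mismatch": re.compile(r"mismatching id \(currentid=(\d+), eapid=(\d+)\)"),
    "identity": re.compile(r"Received Identity Response"),
    "aaa_timeout": re.compile(r"Processing AAA Error 'Timeout'"),
}

def parse(text):
    """Yield (ms_since_midnight, event, ints) for each recognised debug line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, ms = (int(g) for g in m.groups()[:4])
        for name, rx in EVENTS.items():
            hit = rx.search(m.group(5))
            if hit:
                yield ((h * 60 + mi) * 60 + s) * 1000 + ms, name, tuple(map(int, hit.groups()))
                break

def diagnose(text):
    """Separate discarded stale responses from the event that ended the attempt."""
    r = {"requests": [], "stale": [], "recovered_after_ms": None,
         "aaa_wait_ms": None, "cause": "unknown"}
    stale_at = accepted_at = None
    for t, name, nums in parse(text):
        if name == "request":
            r["requests"].append(nums[0])
        elif name == "mismatch":  # response answered an Id the WLC had already replaced
            r["stale"].append({"expected": nums[0], "got": nums[1]})
            stale_at = t
        elif name == "identity":  # the WLC logged an Identity Response it processed
            accepted_at = t
            r["recovered_after_ms"] = None if stale_at is None else t - stale_at
        elif name == "aaa_timeout" and accepted_at is not None:
            r["aaa_wait_ms"], r["cause"] = t - accepted_at, "aaa_timeout"
    return r
```

On the posted lines this reports one stale response (expected Id 2, got Id 1), an Identity Response 145 ms later, and an AAA timeout 31.101 s after that, which is the event that ended the attempt.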

Hi Sir, thanks a lot for your reply.

Does this mean that the problem is that the authentication server is not available?

If yes, why don't I face this issue with mobiles?

Does the problem have nothing to do with the EAP ID mismatch?

Pardon my questions, but I am trying to understand.

 

> ...This means that the problem is the authentication server is not available?

 - It depends. Look up the MAC address of the laptop in the authentication logs of the authorization server and see how the authentication for the particular MAC is processed. If it cannot be found, then the laptop may not be able to reach the authentication server. As the other user said, make sure the wireless drivers are up to date.

 M.

JPavonM
VIP Alumni

Have you tried to upgrade the wNIC drivers to the latest ones?

enghassanf9009
Community Member

Is there a command to make it ignore the ID mismatch?

Rich R
VIP

> Is there a command to make it ignore the ID mismatch?
No - that would break the security of the protocol!

What model of controller?
What version of software?
What model of AP?
What make and model of network adapter on laptop?
What version is the network adapter driver?


JPavonM
VIP Alumni

If you are only selecting the SSID on the operating system to connect to, try to manually set the WLAN profile in the OS with the correct configuration. Sometimes automatic connections use an improper EAP ID and you need to create the profile manually. This happened to me using Android with public signed certificates, and some legacy Windows ones.
