cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1719
Views
20
Helpful
7
Replies

EAP ID mismatch

enghassanf9009
Level 1
Level 1

Hi ,, I am facing connection problems with laptops when try to conect to the WiFi , I am not facing same issue with Mobiles.

when a laptop tries to connect to the WiFi it is often failed and after trying for many times it succeed.

I did debug and I figured out that the problem is the laptops are replaying too late that the server increment EAP ID  before they send the response  with older EAP ID causing ID mismatch.

Is there a way to maybe disable this check or any other work around.

or if my conclusion is wrong , please advise me .

below is the debugging output :

*apfOpenDtlSocket: Nov 10 11:44:10.906: 18:cf:5e:11:38:d7 Recevied management frame ASSOCIATION REQUEST on BSSID 08:ec:f5:cb:e4:c0 destination addr 08:ec:f5:cb:e4:c0
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Received ADD_MOBILE ack - Initiating 1x to STA 18:cf:5e:11:38:d7 (idx 90)
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 APF Initiating 1x to STA 18:cf:5e:11:38:d7
*spamApTask2: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sent dot1x auth initiate message for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1xProcessInitiate1XtoMobile to mobile station 18:cf:5e:11:38:d7 (mscb 2, msg 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 reauth_sm state transition 1 ---> 0 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 EAP-PARAM Debug - eap-params for Wlan-Id :2 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:10.910: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 1)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile in dot1x state = 2
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 reauth_sm state transition 0 ---> 1 for mobile 18:cf:5e:11:38:d7 at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL START from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Connecting state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Sending EAP-Request/Identity to mobile 18:cf:5e:11:38:d7 (EAP Id 2)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.277: 18:cf:5e:11:38:d7 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received EAPOL EAPPKT from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Received Identity Response (count=1) from mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.422: 18:cf:5e:11:38:d7 Resetting reauth count 1 to 0 for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 EAP State update from Connecting to Authenticating for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 dot1x - moving mobile 18:cf:5e:11:38:d7 into Authenticating state
*Dot1x_NW_MsgTask_7: Nov 10 11:44:11.423: 18:cf:5e:11:38:d7 Entering Backend Auth Response state for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Processing AAA Error 'Timeout' (-5) for mobile 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 PMK: Sending Flexconnect group cache delete message to spam task
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Removing PMK cache entry for station 18:cf:5e:11:38:d7
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Succesfully freed AID 15, slot 0 on AP 08:ec:f5:cb:e4:c0, #client on this slot 4
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Sent Deauthenticate to mobile on BSSID 08:ec:f5:cb:e4:c0 slot 0(caller 1x_auth_pae.c:1888)
*Dot1x_NW_MsgTask_7: Nov 10 11:44:42.523: 18:cf:5e:11:38:d7 Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*osapiBsnTimer: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireCallback (apf_ms.c:645) Expiring Mobile!
*apfReceiveTask: Nov 10 11:44:52.358: 18:cf:5e:11:38:d7 apfMsExpireMobileStation (apf_ms.c:7869) Changing state for mobile 18:cf:5e:11:38:d7 on AP 08:ec:f5:cb:e4:c0 from Associated to Disassociated

 

7 Replies 7

marce1000
VIP
VIP

 

 - Below is the output from your debugging session when analyzed with : https://cway.cisco.com/wireless-debug-analyzer/ (Show all flag was checked) :

 TimeTaskTranslated

Nov 10 11:44:10.910 *Dot1x_NW_MsgTask_7 WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.277 *Dot1x_NW_MsgTask_7 WLC/AP is sending EAP-Identity-Request to the client
Nov 10 11:44:11.422 *Dot1x_NW_MsgTask_7 Client sent EAP-Identity-Response to WLC/AP
Nov 10 11:44:42.523 *Dot1x_NW_MsgTask_7 Client has been deauthenticated
Nov 10 11:44:42.523 *Dot1x_NW_MsgTask_7 Client expiration timer code set for 10 seconds. The reason: AAA error during dot1x auth (server timeout, no server found, etc), triggering client delete
Nov 10 11:44:52.358 *apfReceiveTask Client session has timed out


-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi Sir , thanks a lot for your replay .

This means that the problem is the authentication server is not available ?

if Yes why I dont face this issue with mobiles ?

the problem has nothing to do with EAP ID mismatch ?

Pardon my questions but I am trying to understand .

 

                  >...This means that the problem is the authentication server is not available ?

 - It depends  , lookup the mac address of  the laptop  in the authenticating  logs of the authorization server and see how the authentication for the particular mac is processed. If it can not be found then the laptop may not be able to reach the authentication server, as other user said make sure wireless drivers are  up to date.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

JPavonM
VIP
VIP

Have you tried to upgrade wNIC drivers to latest ones?

enghassanf9009
Level 1
Level 1

Is there a command to make it  ignore  the ID mismatch ? 

Rich R
VIP
VIP

Is there a command to make it  ignore  the ID mismatch ?
No - that would break the security of the protocol!

What model of controller?
What version of software?
What model of AP?
What make and model of network adapter on laptop?
What version is the network adapter driver?

JPavonM
VIP
VIP

If you are only selecting the SSID on the operating system to connect to, try to manually set the WLAN profile in the OS with the correct configuration. Sometimes automatic connections use improper EAP ID and you need to create the profile manually. This happen to me using Android with public signed certificates, and some legacy Windows ones.

Review Cisco Networking for a $25 gift card