EAP-PEAP Password requested for iPhone / iOS devices

simonwynn
Level 1

Hi,

I'm using a WLC 2106 running 7.0.116 with EAP-PEAP / Microsoft IAS - the system worked fine with autonomous access points (i.e., RF environment / RADIUS etc.), however with the WLC I get requests for usernames and passwords periodically on iOS devices.

The log shows:

MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client xxxxx

Is this just an RF issue, or can I tweak something???

Simon


George Stefanick
VIP Alumni

Here are the details from your alert:

Explanation: Client authentication failed because the client did not respond to an EAPOL-key message.

Recommended Action: Ensure that user credentials are correct on the client and on the AAA server.

In short, the client isn't responding. Are you having wireless client issues? Have you tracked down one of the clients?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Maybe I wasn't clear - the username/password box pops up occasionally on iPhones - otherwise everything is working fine. This didn't use to happen with our non-WLC environment.

Simon

Sorry, I misread your post ... my bad...

What security are you using on the device?

What is your session timeout set to? Under your WLAN, under the Advanced tab.

What is your user idle timeout set to? Under the Controller tab, at the bottom.

___________________________________________________________

EAP-PEAP with Microsoft IAS (Server 2003)

Session timeout is 1800 seconds.

User idle timeout is 300.

Also, I've been playing with the EAP settings under "Local EAP" (based on Cisco recommendations) - do these still affect things even though I'm using external RADIUS?

Simon

No, local EAP is just that -- EAP local to the WLC, no external RADIUS.

Apple devices like iPhones and iPads are very clean and don't "chatter". If your device doesn't talk to the network in 5 minutes (user idle timeout) the WLC will drop the client. This may cause your screen pop.

Also, every 30 minutes the WLC will send a deauth to the client telling it to reauth, with the session timeout set to 1800 seconds. This again could be an item to look at.

Have you seen any rhyme or reason to the pop up?

For testing I would disable the session timeout first by unchecking the box and see if that helps. If it doesn't, then make the idle timeout larger, to like 20 minutes or so.

___________________________________________________________

OK, this all has nothing to do with RADIUS.

The issue appears to be that when iPhones are busy playing video etc. they cannot process EAPOL key exchanges in the 100ms defined by the controller.

Using the command line:

config advanced eap eapol-key-timeout 1000

appears to fix this.

Simon

Good find. But again, the only reason why they are processing the EAPOL frame is because the RADIUS server is authenticating them again. Either they have roamed or perhaps the session timeout kicked in and expired.

Timeout 1000 will give the client more than enough time to send the next exchange and the controller will wait for it.

Good deal.

___________________________________________________________

Turns out rolling back to 6.x WLC software appears to fix the issue with iOS devices...

I thought you mentioned the fix was the EAP timer?

___________________________________________________________

As with all these things, getting a reproducible case was a chore - eventually I set re-auth timeouts to 300 seconds and streamed video - at every re-auth I got a password dialog regardless of EAPOL timeouts. Moving to 6.x has fixed this issue completely.

Simon
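The thread's diagnosis hinges on whether the M3 failures line up with the WLC's forced re-authentication (session timeout) or arrive at random (roaming, RF). The script below is an added example, not code from the thread or from Cisco: it parses WLC syslog lines carrying the message quoted above, groups them per client MAC, and labels each client's pattern. The timestamp layout, the client MACs and the sample lines are constructed for this example; the message text is the one from the original post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (example data, not from the thread). The
# message text is the one quoted above; timestamps and MACs are assumptions.
SAMPLE_LOG = """\
Jan 10 10:00:05 MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client 00:11:22:33:44:55
Jan 10 10:30:07 MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client 00:11:22:33:44:55
Jan 10 11:00:04 MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client 00:11:22:33:44:55
Jan 10 10:12:40 MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M3 retransmissions exceeded for client aa:bb:cc:dd:ee:ff
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*MAX_EAPOL_KEY_RETRANS: .*"
    r"Max EAPOL-key M3 retransmissions exceeded for client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_events(log_text, year=2011):
    """Return {mac: sorted [datetime, ...]} of M3 handshake failures."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["mac"].lower()].append(ts)
    return {mac: sorted(ts) for mac, ts in events.items()}


def classify_client(timestamps, session_timeout=1800, tolerance=60):
    """'reauth-aligned' when every gap between failures is a whole multiple
    of the WLAN session timeout (the thread's 1800 s), i.e. the handshake
    fails exactly when the WLC forces re-auth: a slow client. 'irregular'
    gaps point at roaming or RF, which the EAPOL timer will not fix."""
    if len(timestamps) < 2:
        return "single"
    for a, b in zip(timestamps, timestamps[1:]):
        gap = (b - a).total_seconds()
        n = max(1, round(gap / session_timeout))
        if abs(gap - n * session_timeout) > tolerance:
            return "irregular"
    return "reauth-aligned"


def report(log_text, **kw):
    """{mac: (failure count, pattern label)} for every client in the log."""
    return {mac: (len(ts), classify_client(ts, **kw))
            for mac, ts in parse_events(log_text).items()}
```

Run it against a `show msglog` or syslog export; a handful of clients tagged reauth-aligned matches the slow-client case in this thread, while many clients tagged irregular points back at RF.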
