Excessive Client Authentication/Association Failures. What is going on!?
01-29-2013 11:50 AM - edited 07-03-2021 11:26 PM
Hello Community,
Once again I am reaching out to you for help. I am hoping someone can help me. I have been noticing in my trap logs that there is an excessive amount of Client Association/Authentication Failures. I cannot figure out why. I have a Cisco 5508 WLC with 81 APs (1131ag, 1142abgn, 1262N models). The wireless devices are on a Windows Domain and use 802.1x EAP authentication, authenticating the user and computer info with a RADIUS Server. I look at the logs and all it can tell me is Reason:Unspecified ReasonCode:1. I read that the Reason Code is due to "Client associated but no longer authorized" but to be honest I am not sure what that means. It could mean many things; unfortunately it is too ambiguous to make heads or tails of. Can someone point me in the right direction? Things I can check? I posted below some of the Trap Logs, they go on and on like that. Thank you for any help you can provide.
1 | Tue Jan 29 11:42:51 2013 | Client Association Failure: MACAddress:e4:8b:7f:9d:e9:5c Base Radio MAC:10:bd:18:a7:41:e0 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
2 | Tue Jan 29 11:40:40 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
3 | Tue Jan 29 11:40:40 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
4 | Tue Jan 29 11:40:39 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
5 | Tue Jan 29 11:40:39 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
6 | Tue Jan 29 11:40:39 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
7 | Tue Jan 29 11:40:38 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
8 | Tue Jan 29 11:40:38 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1 |
9 | Tue Jan 29 11:40:38 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
10 | Tue Jan 29 11:40:38 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1 |
11 | Tue Jan 29 11:40:38 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
12 | Tue Jan 29 11:40:37 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1 |
13 | Tue Jan 29 11:40:37 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
14 | Tue Jan 29 11:40:37 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1 |
15 | Tue Jan 29 11:40:37 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
16 | Tue Jan 29 11:40:36 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:a8:b1:d4:c4:7c:80 Slot: 1 User |
02-06-2013 09:11 AM
Can you take a client debug on one of the problem clients?
1. >config sessions timeout 0
2. >debug client
3. Connect the client and keep the debug running until the device is deauthenticated and post/attach your collected debug output.
Is this happening on a particular SSID? Can you provide the
>show wlan
so we can see the existing WLAN configuration.
What flavor of RADIUS are you using? Can you provide some example of any attributes/results you are setting for this particular profile?
Also, what type of clients are these? What OS, and WiFi adapter make/model/driver? What are you using as your supplicant? Windows WZC, Intel ProSet, other?
02-07-2013 04:38 PM
David,
I would love to run a debug on a problem client but the problem is that I have no way to tell where the client is or who the device belongs to. I can see what AP is refusing the connection by plugging in the base radio MAC, but also no way of telling what SSID they are trying to connect to either. I am assuming these clients are attempting to connect to the network but are failing, but do not know why. As far as the clients go, again no way to tell. We run laptops as well as iPads (I work at a private K-12 College Prep school) and any other wireless device they may be trying to connect to the network. The laptops run Windows 7 Pro and the WZC supplicant handles the WLAN adapter.
My concern is the inordinate amount of failures to connect. Is someone trying to hack my network? Here is the output of the wlan (smesw) that I suspect it may be happening on as this is the only wlan that uses 802.1x authentication. All others require a password and are MAC filtered.
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
------- ------------------------------------- -------- -------------------- ---------------
3 SMES Wireless / smesw Enabled smesw none
4 US Wireless / USWireless Enabled us-wireless none
5 MS Wireless / MSWireless Enabled ms-wireless none
6 LS Wireless / LSWireless Enabled ls-wireless none
7 Guest / Guest Enabled guest none
10 Apple TV / ATV Enabled atvmcast none
(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... SMES Wireless
Network Name (SSID).............................. smesw
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 196
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Cisco_93:f1:84
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ smesw
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... 10.10.0.6
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.10.0.6 1812
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
LDAP Servers
Server 1...................................... 10.10.1.5 389
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Disabled
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Enabled
Load Balancing................................... Client-Count Based
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
02-07-2013 04:52 PM
David,
I went ahead and set up client exclusion on my wlans as well without an infinite timeout value. This may also help me to identify who/where the problem is.
02-07-2013 07:12 PM
This can cause an issue:
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Enabled
AES Cipher.............................. Enabled
WPA2 uses AES and not TKIP.... disable TKIP.
Also maybe disable this:
DHCP Address Assignment Required................. Enabled
DISABLE THIS!!!!!!
Load Balancing................................... Client-Count Based
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
*** Please rate helpful posts ***
02-08-2013 10:06 AM
Scott,
Thank you for the reply. So the Client Load balancing is not a good option to enable? May I ask why? I went ahead and disabled the other options you recommended. Thanks for all your input.
Chris.
02-08-2013 10:20 AM
Bottom line is that many clients don't support it and it causes clients to hang.
Make the changes and let me know if it fixes your issue or not.
I would do this for all your ssids also.
02-08-2013 10:37 AM
Scott,
Thank you. I made the changes and will monitor. I will be sure to get back to you and rate the postings.
02-08-2013 10:42 AM
Sounds good!
Thanks,
Scott
03-22-2013 03:13 PM
Scott and David,
I am sorry I have not gotten back to this post in some time...been very busy. I have found the culprit to these pesky logon failures. Come to find out, they were miscellaneous devices such as smartphones attempting to connect to WLANs that had MAC filtering on them. Since the controller did not have a profile for them they were being refused the connection. I was able to figure this out by enabling Client Exclusion and cross referencing the excluded clients in the list as they populated with the MAC addresses of the offending devices in the Trap Logs. Come to find out all these devices that were being excluded were trying to connect to WLANs that they had no authentication to. Not the biggest of deals other than those devices transmitting and hogging up airtime, but at least my security measures are doing their job and blocking these devices from authenticating/associating.
As always, I truly value your input and help. The Cisco Support community is a tremendous asset to me and I do not know where I would be without it. Thanks again guys!
Chris.
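The cross-referencing described in the last post, as an added example that is not part of the original thread: it parses trap-log rows in the format posted above, counts failures and retry bursts per client MAC, and intersects the noisy clients with an exclusion list. The sample rows are copied from the first post; the `EXCLUDED` values, the 5-second window and the burst threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rows copied from the trap log in the first post; row 16 is cut off as posted.
SAMPLE_TRAPS = """\
1 | Tue Jan 29 11:42:51 2013 | Client Association Failure: MACAddress:e4:8b:7f:9d:e9:5c Base Radio MAC:10:bd:18:a7:41:e0 Slot: 1 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
2 | Tue Jan 29 11:40:40 2013 | Client Association Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1 |
8 | Tue Jan 29 11:40:38 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:00:17:0f:e5:ee:50 Slot: 1 User Name: unknown Ip Address: unknown Reason:Unspecified ReasonCode: 1 |
16 | Tue Jan 29 11:40:36 2013 | Client Authentication Failure: MACAddress:64:20:0c:b9:59:0f Base Radio MAC:a8:b1:d4:c4:7c:80 Slot: 1 User |
"""
# Constructed stand-in for MACs read off the controller's excluded-client list.
EXCLUDED = {"64:20:0C:B9:59:0F", "aa:bb:cc:00:00:01"}
ROW = re.compile(
    r"\|\s*(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4})\s*\|\s*"
    r"Client (?P<kind>Association|Authentication) Failure: "
    r"MACAddress:(?P<client>[0-9A-Fa-f:]{17}) Base Radio MAC:(?P<ap>[0-9A-Fa-f:]{17})")

def parse_traps(text):
    """Return (time, kind, client MAC, AP radio MAC) per failure row."""
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["kind"],
             m["client"].lower(), m["ap"].lower()) for m in ROW.finditer(text)]

def summarize(events, window=timedelta(seconds=5)):
    """Per client: failure count, AP radios seen, largest burst inside `window`."""
    by_client = defaultdict(list)
    for ts, _kind, client, ap in events:
        by_client[client].append((ts, ap))
    report = {}
    for client, rows in by_client.items():
        times = sorted(ts for ts, _ in rows)
        burst = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            burst = max(burst, end - start + 1)
        report[client] = {"failures": len(rows), "max_burst": burst,
                          "aps": sorted({ap for _, ap in rows})}
    return report

def cross_reference(report, excluded, min_burst=3):
    """Clients that retry in bursts and also appear on the exclusion list."""
    excluded = {mac.lower() for mac in excluded}
    return sorted(c for c, r in report.items()
                  if c in excluded and r["max_burst"] >= min_burst)

if __name__ == "__main__":
    report = summarize(parse_traps(SAMPLE_TRAPS))
    print({mac: report[mac] for mac in cross_reference(report, EXCLUDED)})
```

A client that shows up against several base radio MACs in a short burst is roaming or retrying across APs, which narrows where to look for it physically.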
