03-06-2008 07:01 AM - edited 07-03-2021 03:29 PM
Hi
I have set up my mobile devices to authenticate by MAC address to ACS. I'm using CISCO 1200 APs all over the building.
I've followed ALL the guide docs and set everything up including creating the MAC usernames in ACS and placing them in a group in ACS etc. and also defined the VLANs on the core and referencing them in ACS.
It seems, though, that once the device authenticates in ACS it stops there and does not return the packet and allow the device to get an IP. I've attached the debug error log. I keep getting the following errors, which I am not sure about:
Mar 6 14:37:16.936: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 2 from 0009.2dff.0510
Mar 6 14:37:16.936: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Mar 6 14:37:16.936: dot11_dot1x_verify_ptk_handshake:
Mar 6 14:37:16.936: dot11_dot1x_ssn_generate_ptk failed
Mar 6 14:37:16.936: dot11_mgr_sm_recv_ptk_msg2:
Mar 6 14:37:16.936: dot11_mgr_sm_recv_ptk_msg2: dot11_dot1x_verify_ptk_handshake failed
ar 6 14:37:16.063: dot11_mgr_sm_handshake_fail: Handshake failure for 0009.2dff.0510
Mar 6 14:37:16.063: %DOT11-7-AUTH_FAILED: Station 0009.2dff.0510 Authentication failed
regards
03-07-2008 10:17 AM
What do the ACS activity logs show? Did they show up as authenticated? Also, you did not mention if you are using encryption. I set up MAC authentication recently. It works OK, but you have to make sure the passwords are the MAC address and they are lower case. Also you have to make sure the format is unformatted (no spaces). That configuration screen on the AP is on the global tab in the server manager. It kind of looks like a mismatch between the EAP client and the AP. Are you using EAP+MAC? Need more info to help. Hopefully you got it fixed by now. The first ones are frequently a pain to get working.
Randy
03-10-2008 12:50 AM
Thanks for the response, still don't have it fixed yet.
Yes, we are using TKIP encryption.
In the ACS logs the MAC address shows up as authenticated fine. I've double checked the passwords. Also the format is unformatted in Global Properties.
For client authentication I'm using Open Authentication + MAC with WPA-PSK.
It seems like it's something in the response handshake from ACS back to the AP... not sure though.
Mar 10 07:33:04.787: dot11_mgr_disp_client_send_eapol: sending eapol to client 0009.2dff.0510 on BSSID 0013.19f2.7310
Mar 10 07:33:04.787: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0009.2dff.0510, no timer set
Mar 10 07:33:04.787: dot11_mgr_sm_hs_callback: [3] Handshake msg to 0009.2dff.0510, timer set: timeout 100 ms
Mar 10 07:33:04.886: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0009.2dff.0510
Mar 10 07:33:04.886: dot11_mgr_sm_handshake_fail: Handshake failure for 0009.2dff.0510
Mar 10 07:33:04.886: %DOT11-7-AUTH_FAILED: Station 0009.2dff.0510 Authentication failed
Regards
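A small triage script for the AP debug output quoted in this thread, added here as an example (it is not from the original posts or from Cisco): it groups the dot11 debug lines by station MAC and counts PTK msg 1 sends, msg 2 timeouts, EAPOL key-length warnings and handshake failures, so the two failure modes seen above (a msg 2 rejected for zero key length, and a msg 2 that never arrives before the 100 ms timer) can be told apart per client. The sample log is constructed from the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the dot11 debug lines quoted in this thread.
SAMPLE_LOG = """\
Mar 6 14:37:16.936: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 2 from 0009.2dff.0510
Mar 6 14:37:16.936: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Mar 6 14:37:16.936: dot11_dot1x_ssn_generate_ptk failed
Mar 6 14:37:16.936: dot11_mgr_sm_recv_ptk_msg2: dot11_dot1x_verify_ptk_handshake failed
Mar 6 14:37:16.063: dot11_mgr_sm_handshake_fail: Handshake failure for 0009.2dff.0510
Mar 6 14:37:16.063: %DOT11-7-AUTH_FAILED: Station 0009.2dff.0510 Authentication failed
Mar 10 07:33:04.787: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0009.2dff.0510, no timer set
Mar 10 07:33:04.886: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0009.2dff.0510
Mar 10 07:33:04.886: dot11_mgr_sm_handshake_fail: Handshake failure for 0009.2dff.0510
Mar 10 07:33:04.886: %DOT11-7-AUTH_FAILED: Station 0009.2dff.0510 Authentication failed
"""

# Cisco dotted MAC notation (xxxx.xxxx.xxxx); the first MAC on a line is the station.
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
KEYLEN_RE = re.compile(r"Invalid key len \(exp=0x([0-9a-f]+), act=0x([0-9a-f]+)\)")


def triage(log_text):
    """Summarise 4-way handshake problems per station MAC.

    Returns {mac: {"msg1_sent", "msg2_timeouts", "bad_key_len",
                   "failures", "auth_failed"}}.
    """
    stats = defaultdict(lambda: {"msg1_sent": 0, "msg2_timeouts": 0,
                                 "bad_key_len": [], "failures": 0,
                                 "auth_failed": 0})
    last_mac = None  # the key-len warning line carries no MAC; attribute it
                     # to the station named on the preceding verify line
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        mac = m.group(1) if m else None
        if mac:
            last_mac = mac
        if mac and "Sent PTK msg 1" in line:
            stats[mac]["msg1_sent"] += 1
        elif mac and "PTK_MSG2_WAIT,TIMEOUT" in line:
            stats[mac]["msg2_timeouts"] += 1
        elif mac and "Handshake failure for" in line:
            stats[mac]["failures"] += 1
        elif mac and "Authentication failed" in line:
            stats[mac]["auth_failed"] += 1
        else:
            k = KEYLEN_RE.search(line)
            if k and last_mac:
                # (expected, actual) key data length in bytes
                stats[last_mac]["bad_key_len"].append(
                    (int(k.group(1), 16), int(k.group(2), 16)))
    return dict(stats)
```

Run it over a full `debug dot11 aaa` capture to see whether a client is failing because its msg 2 is rejected (non-empty `bad_key_len`) or because it never answers msg 1 (`msg2_timeouts`), which narrows the problem to the client side versus the key material the AP is deriving.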
03-10-2008 10:59 AM
What are the settings on your client end? i.e. OS, supplicant, and settings?
Randy
03-10-2008 12:29 PM
This wireless network is for mobile phones connecting with WPA-PSK and TKIP encryption settings. The idea is to have a MAC list so users can roam between APs.
By the way, this works fine if we disable MAC auth.