4518 Views, 5 Helpful, 13 Replies

PSK WLAN and 802.1X Auth Failure

SonusFaber
Level 1

Good morning,

I have two 1815i APs with Mobility Express at home.

They have been running for a couple of months and there is just one WLAN configured with PSK security.

About 5 days ago I started experiencing connectivity issues: mobile devices (laptops, smartphones and tablets) started being disconnected when moving from one AP to the other one.

In the ME GUI such clients were labeled as "excluded" in the client devices summary tab.

Using the CLI, there is evidence that the reason for the exclusion was "802.1X authentication failure" with some kind of "countdown".

The problem was apparently not affecting fixed devices (printers, media players, desktop PCs, etc.), but when trying to move them away from the original AP, they also started being affected.

There is only one WLAN configured and the security was set to PSK, so I cannot understand why there is this problem with 802.1X.

By using the CLI I disabled the exclusion check for 802.1X and for any other.

The behaviour then changed, but there were still connectivity issues: no more auth failures or exclusions, but clients were no longer able to roam from one AP to the other, so that when they were moving, they found the new and better AP, tried to connect, but no way.

Then I restarted the Mobility Express and all the problems were solved.

 

Any idea?

13 Replies

Scott Fella
Hall of Fame
Seems like something was hung on one of the APs. PSK encryption and decryption happens on the AP, so it could have been the issue with the master. Might also be a bug so maybe look at a different code release if it happens again.
-Scott
*** Please rate helpful posts ***

I am not in a position to open a case with the TAC, unfortunately, and also cannot download alternative ME software.

Anyway, even if after the reboot of both APs everything is working fine, I cannot understand why I see these events in the client's log:

The only security configured is PSK and 802.1X is disabled.

Thu Dec 12 2019 00:06:26 GMT+0100 (Ora standard dell’Europa centrale) Dot1x ERROR AUTH_DOT1X WLAN_REQUIRES_802_1X_AUT

If everything is working fine, then that can be a cosmetic bug or a device trying to connect that doesn’t have access and is failing. Don’t really know.
-Scott
*** Please rate helpful posts ***

I understand but... it is Cisco that is saying that the WLAN requires 802.1X even if the WLAN itself is not configured for 802.1X.

Moreover... I am checking all the clients, one by one, and this message is in the debug of every client (Windows, Android, etc.) and this is mentioned as an ERROR not just generic information.

 

Thanks

Here are some suggestions. Create a new SSID and see if that gives you error messages also. You need to rule things out to determine what the root cause is.
-Scott
*** Please rate helpful posts ***

I did it. I created a new SSID, accepting defaults and the problem is still there.

Disabled 802.11k,r,v and still there.

Moreover I downgraded the software to 8.5.140 and no improvement.

If I define the WLAN as OPEN, I do not get these errors.

Seems to just be a cosmetic bug then which would most likely get resolved in future code. Did you search the bug tool to see if that is a documented bug?
-Scott
*** Please rate helpful posts ***

I tried to search the bug, but I am not able to do that.

The bug search tool asks me for the BUG ID (CSCxxxxxxx) and I do not have that.

There is a keyword search. You don’t need to enter a bug ID. You can just enter a few details or even select the product and a keyword.

https://bst.cloudapps.cisco.com/bugsearch/?referring_site=shp
-Scott
*** Please rate helpful posts ***

All Layer 2 Authentication method errors are showing as 802.1x. Not sure why, but this is how it is set up even when using PSK.

One thing that might be an issue, as you say, is if the mobility APs lost sync between each other, so that they cannot perform the handoff when the user was moving from AP to AP. That way the device had to authenticate, but failed because of the interference between the unsynced APs and got in the excluded list.


Glad to hear that the reboot fixed things for ya. 
I might disable the client exclusion in future as if the devices fail to re-associate to next AP for three attempts, they get excluded.

There are no sync problems between APs. Moreover it happens even with just one AP only.

Disabling the exclusion list of course prevents clients from being excluded, but in any case the error is still there.

 

Look at the Cisco client's log when a client associates with an AP

 

Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) Dot11 ERROR AUTH_RES NOT_FROM_RELAY slot 0 (claller apf_ms.c:8214)
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) Dot11 INFO ASSOC_REQ MESSAGE_RECEIVED None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) Dot11 INFO ASSOC_REQ INVALID_RSN_IE None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) PEM INFO PEM_EVENT_MSG IP_ACQUIRED_AND_AUTH_NOT_REQ_OR_STATIC_DYNAMIC_WEP_SUPPORTED None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) Dot11 INFO ASSOC_REQ CLIENT_MOVED_TO_ASSOCIATED_STATE None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) Dot1x ERROR AUTH_DOT1X WLAN_REQUIRES_802_1X_AUTH None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) PEM INFO PEM_EVENT_MSG WEB_AUTH_MAX_RETRY_EXCEEDED None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) PEM INFO PEM_EVENT_MSG ADDING_WGB_CLIENT None
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) PEM INFO PEM_EVENT_MSG CALL_TERMINATED from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 192.168.1.4
Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) PEM INFO PEM_EVENT_MSG CALL_DURATION State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
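
The client log quoted above can be triaged with a short script. This is an added example, not part of the original thread and not Cisco tooling: it counts ERROR events and checks whether the client still reached an associated state after the last one. The column layout and the two "associated" markers are assumptions inferred from the quoted lines.

```python
import re
from collections import Counter

# Column layout inferred from the log lines quoted in this thread (an assumption):
# <date time> GMT<offset> (<zone name>) <module> <level> <event> <message> <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT(?P<offset>[+-]\d{4}) "
    r"\((?P<zone>[^)]*)\)\s+(?P<module>\w+)\s+(?P<level>[A-Z]+)\s+"
    r"(?P<event>\w+)\s+(?P<message>\w+)\s*(?P<detail>.*)$"
)

# Markers of a completed association, taken from the quoted log.
ASSOCIATED_MARKERS = ("CLIENT_MOVED_TO_ASSOCIATED_STATE", "APF_MS_STATE_ASSOCIATED")

def parse_line(line):
    """Return the fields of one client-log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Count ERROR events and report whether the client still ended up associated."""
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # e.g. a line whose columns were fused when pasted
        else:
            events.append(rec)
    errors = Counter((e["module"], e["message"]) for e in events if e["level"] == "ERROR")
    last_error = max((i for i, e in enumerate(events) if e["level"] == "ERROR"), default=-1)
    associated_after = any(
        marker in (e["message"] + " " + e["detail"])
        for e in events[last_error + 1:] for marker in ASSOCIATED_MARKERS
    )
    return {"errors": errors, "unparsed": unparsed,
            "associated_after_last_error": last_error >= 0 and associated_after}

# Sample input: four lines copied from the client log quoted in the post above.
PREFIX = "Thu Dec 12 2019 14:46:56 GMT+0100 (W. Europe Standard Time) "
SAMPLE = [
    PREFIX + "Dot11 ERROR AUTH_RES NOT_FROM_RELAY slot 0 (claller apf_ms.c:8214)",
    PREFIX + "Dot11 INFO ASSOC_REQ CLIENT_MOVED_TO_ASSOCIATED_STATE None",
    PREFIX + "Dot1x ERROR AUTH_DOT1X WLAN_REQUIRES_802_1X_AUTH None",
    PREFIX + "PEM INFO PEM_EVENT_MSG CALL_DURATION State Update from Mobility-Incomplete "
             "to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over a full per-client log, a Dot1x ERROR that is followed by an associated state points to a logged but non-blocking event, while one with no later association is the case worth correlating with the exclusion list.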

I think that is only cosmetic, nothing to worry about.


Would you mind sharing the WLAN configuration and the software version that you are running?

Tested both 8.5.140 (the one preinstalled out of the box) and 8.10.105.

The WLAN config is the very basic one: just configured the SSID and WPA2-PSK password. Nothing more.
