Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
1
Replies

Rejection message from AP1100

kianghong.teo
Level 1
Level 1

‎09-24-2004 07:26 PM - edited ‎07-04-2021 10:01 AM

While doing some 802.1x testings. We noticed that when there is a failure in the authentication process (example server certificate expired), the AP1100 doesn't seem to provide the correct rejection information to the client supplicant, causing the supplicant to go into a continuous loop of authentication attempt and failure.

If we use AP340/350 (VxWork 12.04), the supplicant will halt the authentication process and display the failure reason.

Just wondering if anyone ever encounter something similar? Any solution to this?

We're doing EAP-TTLS with AP1120B [IOS 12.2(15)XR] and Funk Odyssey v3.03 supplicant. The client card is Orinoco

Labels:
0 Helpful
1 Reply 1

dixho
Level 6
Level 6

‎09-25-2004 10:41 AM

Can you be more specific on "AP1100 doesn't seem to provide the correct rejection information to the client supplicant"? What information are you looking for?

AP1100 is an authenticator in 802.1x. It is no different than a message relay agent. It does not provide any reject information at all. All reject information has to come from radius server (or authentication server in 802.1x terminlogy).

The only revelant command is "dot11 holdoff-time"

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215cr/cr15main.htm#wp2442787

The AP just drop any EAP request from the client supplicant for a time defined by you if the client fails authentication 3 times.

Please run the following debugs:

1. debug radius authentication

2. debug dot11 aaa authenticator process

3. debug dot11 aaa authenticator state

4. debug dot11 aaa authenticator rxdata

5. debug dot11 aaa authenticator txdata

From debug radius authenticator, debug dot11 aaa authenticator rxdata, and debug aaa authenticator txdata, you will find out that the AP just take EAP message attribute (type 79) from radius packet from the authentication server and put it into EAPOL packet. For details about the debugs, please go to the following URL:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card