cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4311
Views
20
Helpful
13
Replies

Slow 802.1x authentication

JlassiAhmed0345
Level 1
Level 1

 

I have two WLC 5520 on HA SOO  with flexconnect APs 702i, and I have configured SSID corporate flexconnect local switching with 802.1x authentication using ISE server 2.3 as AAA server. so when we tested the network, we have faced a problem of connectivity in corporate SSID, for example when the endpoint  (phone or desktop ) attempted to access the SSID and authenticate the network with the appropriate credentials, it takes a long time before letting it access and the most of times the devices fail to access to the network.

I tried to troubleshoot this issue and changed the EAP timers from the default to :

 

Identity Request timeout 30

Identity Request max retires 2

 

another problem for the devices that succeed the authentication, I remarked through the cmd that there is a loss of packets each 15-20 packets.

 

any idea related to this issue dear Cisco community.

Thanks

 

 

 

 

 

13 Replies 13

In dot1X, most time-consuming part is EAP exchanges. From ISE log or WLC debug, can you check how long it takes from "EAP-Identy Request" message to the "EAP-Success" message? Depend on where is your ISE server and where is your client, this can take a longer time and that could be the primary reason for Authentication delay.

 

HTH

Rasika

 

Thanks, sir for your quick reply, the client and the ISE server are located in the same building, but this phenome is happening randomly same time you can access the network without any problem and same time when you want to re-enter the network with the same devices and the same credentials you will face an issue of the authentication.

i get a debug client from my wireless controller for a client that faced this problem, you can check it.

Here is the output parsed by debug Analyzer tool (you can do it yourself in the future when analyzing debug output)

https://cway.cisco.com/wireless-debug-analyzer/ 

 

I can see multiple time client trying to connect, but he did not complete the process. In attempt #2, client failing in 4 way handshake, due to not respond to M3 message.

 

Can you test with different client devices and see all have the same problem (eg iphone, android phone, tablet, windows laptop & apple laptop)

 

Connection Attempt #1 
55:08.9 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:e2:c0 AP AP0038.df0a.1566
"
55:08.9 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
55:08.9 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
55:08.9 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
55:08.9 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association

Connection Attempt #2
55:09.6 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:e2:c0 AP AP0038.df0a.1566
"
55:09.6 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
55:09.6 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
55:09.6 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
55:09.6 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
55:10.0 *Dot1x_NW_MsgTask_5 "Client will be required to Reauthenticate in 1800
seconds"
55:11.8 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
55:11.8 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
55:12.1 *Dot1x_NW_MsgTask_5 Client sent EAP-Identity-Response to WLC/AP
55:26.2 *Dot1x_NW_MsgTask_5 RADIUS Server permitted access
55:26.2 *Dot1x_NW_MsgTask_5 "Client will be required to Reauthenticate in 1800
seconds"
55:26.2 *Dot1x_NW_MsgTask_5 WLC creates a PMK cache entry for this client, which is used for FT with AKM:802.1xin this case, so the PMKID is computed with the AP MAC address
55:26.2 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M1
55:26.6 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Received M2
55:26.6 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Sending M3
55:27.6 *osapiBsnTimer "4-Way PTK Handshake, Client did not respond with M3
"
55:27.6 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M3 retry #1
55:28.7 *osapiBsnTimer "4-Way PTK Handshake, Client did not respond with M3
"
55:28.7 *Dot1x_NW_MsgTask_5 4-Way PTK Handshake, Retransmitting M3 retry #2
55:29.7 *osapiBsnTimer "4-Way PTK Handshake, Client did not respond with M3
"
55:29.7 *Dot1x_NW_MsgTask_5 Client disassociation due to Authentication timeout. Auth or Key Exchange max-retransmissions reached. Check/update client driver, security config, certificates etc.
55:29.7 *Dot1x_NW_MsgTask_5 Client has been deauthenticated
55:29.7 *Dot1x_NW_MsgTask_5 "Client expiration timer code set for 10 seconds. The reason: Roaming failed due to WLAN security policy mismatch between controllers (configuration error). It can also be used to report EAPoL retry errors, and GTK rotation failure (in 8.5)
"
55:38.5 *Dot1x_NW_MsgTask_5 "Client will be required to Reauthenticate in 1800
seconds"
55:38.5 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
55:40.1 *apfReceiveTask Client session has timed out
55:40.1 *apfReceiveTask "Client expiration timer code set for 10 seconds. The reason: Client was marked for deletion, and it was on associated, power save or blacklist state. Other message would provide reason for delete
"
Connection Attempt #3
55:45.3 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:fa:40 AP AP0038.df0a.16de
"
55:45.3 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
55:45.3 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
55:45.3 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
55:45.3 *apfMsConnTask_4 Client has successfully cleared AP association phase
55:45.3 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
55:45.3 *Dot1x_NW_MsgTask_5 "Client will be required to Reauthenticate in 1800
seconds"
55:45.3 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client

Connection Attempt #4
55:45.6 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:e2:c0 AP AP0038.df0a.1566
"
55:45.6 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
55:45.6 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
55:45.6 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
55:45.6 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
55:48.6 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
55:50.3 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
55:55.5 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
56:00.6 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
56:05.8 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
56:11.0 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client

Connection Attempt #5
56:11.7 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:e2:c0 AP AP0038.df0a.1566
"
56:11.7 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
56:11.7 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
56:11.7 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
56:11.7 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
56:11.8 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client

Connection Attempt #6
56:12.2 *apfMsConnTask_4 "Client made new Association to AP/BSSID BSSID 28:52:61:5d:e2:c0 AP AP0038.df0a.1566
"
56:12.2 *apfMsConnTask_4 WLC recognizes that the client is 802.11r-capable
56:12.2 *apfMsConnTask_4 The WLC/AP has found from client association request Information Element that claims PMKID Caching support
56:12.2 *apfMsConnTask_4 Client is entering the 802.1x or PSK Authentication state
56:12.2 *apfMsConnTask_4 WLC/AP is sending an Association Response to the client with status code 0 = Successful association
56:12.4 *Dot1x_NW_MsgTask_5 Client sent EAP-Identity-Response to WLC/AP
56:15.2 *Dot1x_NW_MsgTask_5 WLC/AP is sending EAP-Identity-Request to the client
56:15.6 *Dot1x_NW_MsgTask_5 Client sent EAP-Identity-Response to WLC/AP
56:18.7 *osapiBsnTimer "4-Way PTK Handshake, Client did not respond with M0
"

 

What was the reason behind FlexConnect deployment if everything on the same site (ISE, WLC, AP)?

 

H TH

Rasika

*** Pls rate all useful devices***

I tested with different devices ( laptops Lenovo windows 10, iPhone, Android, Dell, Xiaomi redmi 9 pro ... ) and I have faced the same issue, sometimes the authentication takes a long time, sometimes the devices cannot even associate with the SSID, and sometimes the authentication passe seamless.

Remark new devices that want to join the network, fails many times before they succeed to access.

 

is there any recommendation to fix this issue,  or may be  I faced a bug in my wireless controller v 8.3.150 

 

 

Did you ever get this to work ? What if anything fixed it ? Seeing similar issue with painfully slow auths or failed auths on Windows 10 clients on code version 8.10.130.0. Sometimes they will connect other times not. Random.  

@Reginald Pugh you should open a new thread to include your equipment and details on what you are seeing and how you are replicating the issue.

-Scott
*** Please rate helpful posts ***

What was the reason behind FlexConnect deployment if everything on the same site (ISE, WLC, AP)?

 

it's a choice to deploy flexconnect because we will add another APs that are located in the Branch site.

Just for a simple test, see if you can put one AP into local mode and see the difference. At least in that way we can narrow down it is an issue only with FlexConnect mode

 

HTH

Rasika 

 

can I know the type of the auth?

 is there roaming from one AP to other ? or you test under same AP?

Hi, the type of authentication is 802.1x with ISE 2.3 .

there is no roaming, we test under the many APs.

pure-edit.png

do two SSID 
one with FT 802.1x enable and other without enable it, 

I think the client support this feature face some issue.

Fast transition is not enabled, i still face the same issue 

https://www.wiresandwi.fi/blog/configuring-fast-transition-ft-80211r-on-a-cisco-wlc

 

some client is FT and other is Not, so if I am right you need mix mode.

from the debug you share there is indicate that WLC is detect that client support 802.11r and this 802.11r have different key management.

so check the link above and see if it solve your issue or not. 

Review Cisco Networking for a $25 gift card