12-16-2011 08:04 AM - edited 07-03-2021 09:15 PM
With Stephen's help I was able to get most of my Wireless 802.1x setup configured properly. I'm not having a problem with the client authenticating using user/pass credentials. I have a Wireless XP Client (testing with), which connects to a LWAP, which connects to a WLC 5508, and then Cisco ACS for authentication. I put in my user credentials of tylerp (test account) with the correct password but nothing happens, it just keeps asking me to enter in credentials after a few seconds. I started Wireshark on my laptop and I can see the following.
Source: Cisco_1e:3a:8f
Destination: IntelCor_85:9e:46
Protocol: EAP
Information: Request, Identity [RFC3748]
It looks like it's asking the client for credentials but when I submit my credentials I don't see any response via Wireshark. I'm not sure why that is.
I have included several photos from my WLC/ACS configuration. Any help would be great!
12-21-2011 07:12 AM
You need to use the rule based selection and not use NDG but the IP address of the AAA client. Since the NDG doesn't really work the way you think it would, it will always hit your first policy. I have had the same issue and specifying the IP address is the fix.
12-16-2011 08:13 AM
I'm also getting this error message on my WLC.
AAA Authentication Failure for UserName:tylerp User Type: WLAN USER
Sorry, I meant to add that in my previous post.
12-16-2011 08:16 AM
Hi John,
Did you add the radius server to the WLC and the WLAN itself with the shared secret, and did you add the WLC to the radius server?
Also on the monitor screen of the WLC hit statistic and then radius ... post a pix of what you see there...
12-16-2011 08:27 AM
you can also run a debug client < mac address>
this will show you the interaction between the WLC and the AAA server.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
12-16-2011 08:34 AM
Yeah I added the radius server to the WLC and the WLAN. I also included the shared secret. I'll post a pic when I try to authenticate via 802.1x George, you'll just have to give me a few minutes. Stephen, would the mac address of the client by the WLC?
12-16-2011 08:35 AM
yes, the mac address of the wireless NIC you are testing with
12-16-2011 08:36 AM
Also, what EAP are you using by chance ...
12-16-2011 08:44 AM
Well on the client I'm using PEAP. I'm really not sure how to see on the WLC.
Here is a picture of the monitor.
12-16-2011 08:47 AM
(Cisco Controller) >debug client 001B77859E46
(Cisco Controller) >*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Sent Deauthenticate to mobile on BSSID b4:a4:e3:1e:3a:80 slot 1(caller 1x_auth_pae.c:2901)
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 6) in 10 seconds
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Disconnected state
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Not sending EAP-Failure for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [b4:a4:e3:1e:3a:80]
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Updated location for station old AP b4:a4:e3:1e:3a:80-1, new AP b4:a4:e3:1e:3a:80-0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Initializing policy
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 0
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Received EAPOL START from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 2)
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
There you go Stephen....
12-16-2011 08:51 AM
Looks like your supplicant isn't responding
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
12-16-2011 08:53 AM
Ok, so I keep seeing the 'Sending Identity request to mobile message'
So it looks like the pc isn't responding. So a couple of questions.
1.) the username you are using, is it the one you logged into the machine with?
2.) can you test with credentials you are able to login to the machine with?
If you are using WZC, the native Windows supplicant, it tends to send the username/password combo you used to login to the machine, even when you tell it not to. With IntelProset, you are able to set the username that the supplicant sends to the AAA.
You may also want to take a look at my doc on the EAP timers.
https://supportforums.cisco.com/docs/DOC-12110
HTH,
Steve
12-16-2011 09:26 AM
Thanks for all the help guys. I'm using the default wireless client for XP, Stephen. I noticed that in the Wireshark logs, Stephen, I sent the name of the user I logged on to, as the user/pass as credentials. It only did that though when I left the settings as default, which take the login/pass that you logged on to as credentials; when I choose to let the user provide the information, that's when I stopped seeing EAP-Response messages in my Wireshark log. I'll give it a try with the IntelProset.
12-16-2011 01:12 PM
AAA Authentication Failure for UserName:tylerp User Type: WLAN USER
I'm still getting the following error message even if I use the Intel Pro Wireless configuration utility.
Here is the updated debug from the WLC
-----------------------------------------------------------
(Cisco Controller) >*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Adding mobile on LWAPP AP 08:1f:f3:e1:bb:40(0)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 00:1b:77:85:9e:46 on AP 08:1f:f3:e1:bb:40 from Idle to Probe
*Dec 16 21:02:20.053: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.081: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.105: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.108: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.133: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.134: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [08:1f:f3:e1:bb:40]
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Updated location for station old AP 08:1f:f3:e1:bb:40-0, new AP b4:a4:e3:1e:3a:80-1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Initializing policy
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Probe to Associated
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Username entry (tylerp) created for mobile
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received Identity Response (count=1) from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 EAP State update from Connecting to Authenticating for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Authenticating state
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=69) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 WARNING: updated EAP-Identifer 1 ===> 69 for STA 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 69)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 69, EAP Type 3)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=70) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 70)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 70, EAP Type 25)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=71) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 71)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 71, EAP Type 25)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=72) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 72)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 72, EAP Type 25)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=73) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 73)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 73, EAP Type 25)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=74) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP
12-16-2011 01:26 PM
it looks like the 802.1x is at least progressing "Entering Backend Auth Req state"
What does the AAA server say in the logs?
12-16-2011 02:52 PM
Yeah, I'm assuming that means it's getting the response from the supplicant and starting to then ask the radius server which is Cisco ACS. Stephen, I have to go to work tomorrow for a little bit in the morning to take down some switches, I'm going to check out the ACS server while I'm in. Hopefully I can get you an answer tomorrow, if not monday morning for sure. Thanks again for all the help, both of you.
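The two `debug client` traces in this thread stop at different stages of the 802.1X exchange. The following is an added example, not code from any poster: a small Python summarizer run over lines excerpted from those two traces, where `summarize` and its field names are hypothetical and the EAP type numbers are the RFC 3748 / IANA assignments.

```python
import re

# Lines excerpted from the two `debug client` traces posted in this thread.
MAC = "00:1b:77:85:9e:46"
TRACE_SILENT = f"""\
*Dec 16 16:53:18.646: {MAC} Sending EAP-Request/Identity to mobile {MAC} (EAP Id 3)
*Dec 16 16:53:48.646: {MAC} Reached Max EAP-Identity Request retries (3) for STA {MAC}
*Dec 16 16:53:48.647: {MAC} dot1x - moving mobile {MAC} into Disconnected state
"""
TRACE_PEAP = f"""\
*Dec 16 21:02:20.166: {MAC} Sending EAP-Request/Identity to mobile {MAC} (EAP Id 1)
*Dec 16 21:02:22.041: {MAC} Received Identity Response (count=1) from mobile {MAC}
*Dec 16 21:02:22.043: {MAC} Processing Access-Challenge for mobile {MAC}
*Dec 16 21:02:22.044: {MAC} Received EAP Response from mobile {MAC} (EAP Id 69, EAP Type 3)
*Dec 16 21:02:22.045: {MAC} Processing Access-Challenge for mobile {MAC}
*Dec 16 21:02:22.196: {MAC} Received EAP Response from mobile {MAC} (EAP Id 70, EAP Type 25)
*Dec 16 21:02:22.198: {MAC} Processing Access-Challenge for mobile {MAC}
"""

# EAP method type numbers from RFC 3748 / the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def summarize(trace):
    """Reduce a WLC `debug client` trace to the stage where 802.1X stopped."""
    s = {"id_requests": 0, "id_responses": 0, "max_retries": False,
         "radius": [], "eap_methods": []}
    for line in trace.splitlines():
        if "Sending EAP-Request/Identity" in line:
            s["id_requests"] += 1
        elif "Received Identity Response" in line:
            s["id_responses"] += 1
        elif "Reached Max EAP-Identity Request retries" in line:
            s["max_retries"] = True
        elif m := re.search(r"Processing Access-(\w+)", line):
            s["radius"].append(m.group(1))  # only "Challenge" appears in the thread
        elif m := re.search(r"EAP Type (\d+)\)", line):
            t = int(m.group(1))
            s["eap_methods"].append(EAP_TYPES.get(t, f"type {t}"))
    if s["id_responses"] == 0:
        s["stage"] = "supplicant silent" if s["max_retries"] else "waiting for identity"
    elif not s["radius"]:
        s["stage"] = "identity received, no RADIUS reply"
    elif s["radius"][-1] == "Challenge":
        s["stage"] = "EAP exchange with RADIUS in progress, outcome not in trace"
    else:
        s["stage"] = f"RADIUS returned Access-{s['radius'][-1]}"
    return s

if __name__ == "__main__":
    for name, trace in (("first", TRACE_SILENT), ("second", TRACE_PEAP)):
        print(name, summarize(trace))
```

On the second trace the method list comes out as Nak followed by PEAP: the client declined the first method the server offered and then continued with PEAP, and the trace ends on an Access-Challenge, so the final accept or reject has to be read from the AAA server's logs.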