7920 Authentication Fail

Unanswered Question
Aug 6th, 2007

We have a Cisco 7920 that I can't seem to get configured to authenticate to our AP1242AG's. Everything seems to be set correctly on the 7920, but I don't even see an "authentication failed" message on the AP!! Am I missing something in configuring the AP for use with this device? We are using a radius server, and I'm not seeing a request from the 7920 there either. Any suggestions would be GREATLY appreciated.

migilles Mon, 08/06/2007 - 10:21

Would suggest to start simple first. Open SSID w/o encryption.

Ensure no WEP key is defined on the 7920.

Should associate fine then if SSID matches.

If not, then can sniff wirelessly to see if there are packets coming from the phone (probe request, authentication and association requests).

aherringiii Mon, 08/06/2007 - 10:51

Unfortunately that's not an option right now. I'm testing the phone for a remote client. At that remote site, they have a call manager and WCS, here at corporate we don't use wireless phones. But I should be able at the very least to obtain an IP address for the phone on our production wireless network, yet this is not the case.

Here at corporate we use a Radius server, and Cisco believes that may be the issue. I just got off the phone with TAC, and they stated that the Radius must have an EAP-FAST PAC for the phone to download in order to authenticate with the AP.

migilles Mon, 08/06/2007 - 12:29

So you are trying to use EAP-FAST w/ the 7920s. Ok, so if controller is set to 802.1x, then set the 7920 to EAP and if WPA or CCKM, then set to AKM on the 7920.

For EAP-FAST to be successful must increase the 802.1x timeout to at least 20 seconds on the controller.

See the 7920 release notes @ http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/wip7920/relnotes/rn302.htm#wp169464.

Would be better to try open first, especially if it's not working currently. Must crawl before you can run.

aherringiii Tue, 08/07/2007 - 09:34

I ran a debug and this is what I got:

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited,
    0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 3883 messages logged, xml disabled,
    filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
    filtering disabled
Buffer logging: level debugging, 3884 messages logged, xml disabled,
    filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 2035 message lines logged

Log Buffer (4096 bytes):

t_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:41:24.064: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:41:24.179: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.474: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:01.477: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.481: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.481: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:42:01.483: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.597: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.711: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.564: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:48.568: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.571: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.572: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:42:48.573: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.688: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.804: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.304: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:43:24.308: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.312: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.312: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:43:24.314: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.428: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:43:24.543: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
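
Added example, not part of the original thread: a short Python script that groups AP debug lines like the ones posted above into 802.1X attempts, so the repeated restarts and EAP ID mismatches are easy to see. The function names and dictionary keys are hypothetical, and the sample input is a subset of the lines posted above.

```python
import re

# Timestamped AP debug line: "Aug 7 16:42:01.474: <function>: <message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d\.\d+): (\w+): (.*)$")
MAC = re.compile(r"from ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
MISMATCH = re.compile(r"req-id:(\d+)\s*resp-id:(\d+)")

# Sample input: a subset of the debug lines posted above.
SAMPLE = """\
t_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.474: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:01.477: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:01.481: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Aug 7 16:42:01.711: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.564: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Aug 7 16:42:48.568: dot11_auth_parse_client_pak: Received EAPOL packet from 001b.54e0.0ae6
Aug 7 16:42:48.572: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
"""

def summarize(log_text):
    """Group debug lines into 802.1X attempts, one per dot11_auth_dot1x_start."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header text or a fragment cut off by the log buffer
        hh, mm, ss, func, msg = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)  # seconds since midnight
        if func == "dot11_auth_dot1x_start":
            attempts.append({"start": t, "eapol": 0, "clients": set(), "id_mismatch": []})
        elif attempts:  # lines before the first start belong to no attempt
            cur = attempts[-1]
            mac = MAC.search(msg)
            if mac:
                cur["eapol"] += 1
                cur["clients"].add(mac.group(1))
            bad = MISMATCH.search(msg)
            if bad:
                cur["id_mismatch"].append((int(bad.group(1)), int(bad.group(2))))
    return attempts

def restart_gaps(attempts):
    """Seconds between consecutive 802.1X restarts (same day assumed)."""
    return [round(b["start"] - a["start"], 3) for a, b in zip(attempts, attempts[1:])]

if __name__ == "__main__":
    found = summarize(SAMPLE)
    for i, a in enumerate(found, 1):
        print(i, sorted(a["clients"]), "EAPOL:", a["eapol"], "ID mismatches:", a["id_mismatch"])
    print("gaps between restarts (s):", restart_gaps(found))
```
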

aherringiii Thu, 08/09/2007 - 04:54

GOT IT!!!!! The 7920 broadcasts a default username for EAP-FAST authorization (FAST-MAC ADDRESS); this has to match the username put on the physical phone in the Network Profiles-->Custom Profile-->802.11b Config-->EAP-->username. This name must also be created in a VOIP profile on the ACS.

migilles Thu, 08/09/2007 - 14:02

Shouldn't be the case unless you are doing MAC authentication as well.

Identity response shouldn't matter with EAP-FAST. 7920 uses FAST-MAC like you stated. 7921 uses anonymous.

Of course w/ LEAP, this would be the true configured username on the client.

aherringiii Fri, 08/10/2007 - 04:25

Take a look at this debug, specifically the RADIUS Username. (FAST-and the MAC)
