
Invalid Message Authenticator in EAP Request

lmslattery
Level 1

Hi,

I am attempting to configure infrastructure authentication for WDS and WPA/PEAP client authentication using ACS 4.1(1) Build 23 from an Aironet 1210 running IOS 12.3(8)JEC.

I have a production ACS server that has both LEAP and PEAP enabled under the global configuration options.

The access point has been correctly defined as a NAS using RADIUS-Aironet on the ACS server. The Access point has ACS defined as a RADIUS server and the shared secret set the same as the NAS definition within ACS.

For both WDS infrastructure authentication (LEAP) and client authentication requests to the access point using PEAP, I receive the following message in the ACS failed log:

"Invalid message authenticator in EAP request"

A search on CCO tells me that this is normally the result of a shared secret mismatch. I have however retyped the shared secret several times, and tested with simple strings such as "cisco", and the same result is received. Both the RADIUS definition on the AP and the NAS definition on ACS have been re-created with no change in result.

As a test I ran up a clean install of ACS 4.1(1)23 in a VMware session, configured a NAS object for the AP as I had previously done on the production system, and it worked first go.

Would anyone have any clues on what could be wrong with my production ACS?

Many Thanks,

Leon

19 Replies

irisrios
Level 6

VMware would work only if the client adaptor works successfully. I could guess no reason other than a wrong key between AP and ACS that could have caused this issue. Nothing specific about the error.

jcoke
Level 3

I'm having this exact issue and have performed all the steps you have. Have you gotten anywhere with it?

I ended up performing a clean install of ACS on another server to get around it.

I still have no idea what the root cause was.

One issue could have been a bad shared secret between the WLC and the ACS.... you would get the same error message that you did.

-Scott
*** Please rate helpful posts ***

Not the issue. Like the OP I have reset it numerous times using copy/paste.

To be honest.... the cut and paste is the issue. We had to manually type out the shared secret for it to work. This was on the 4.1 code. Type it out on both the ACS and WLC.

-Scott
*** Please rate helpful posts ***
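
The error the OP quotes and the copy/paste problem Scott describes above come from the same mechanism: a RADIUS server checks the Message-Authenticator attribute (RFC 2869 section 5.14, mandatory for EAP traffic per RFC 3579) as an HMAC-MD5 over the Access-Request, keyed with the shared secret, so any difference between the secret typed on the NAS and the one stored on the server, including an invisible trailing space picked up by copy/paste, makes the check fail. The following is an added example written for this thread, not code from the original posts or from Cisco: a minimal builder and verifier for the Message-Authenticator on an Access-Request. The username, EAP payload, identifier and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed EAP Response/Identity: code 2, id 1, length 9, type 1, identity "leon"
EAP_IDENTITY_RESPONSE = b"\x02\x01\x00\x09\x01leon"


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, eap_payload, request_authenticator=None):
    """Build an Access-Request carrying EAP-Message and a valid Message-Authenticator.

    Per RFC 2869, the Message-Authenticator for an Access-Request is
    HMAC-MD5(shared secret, whole packet) computed with the 16-byte
    Message-Authenticator value zeroed and the Request Authenticator in place.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zeroed Message-Authenticator value is the last 16 bytes; overwrite it.
    return packet[:-16] + mac


def _find_message_authenticator(packet):
    """Walk the attribute list and return the offset of the 16-byte value, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            return pos + 2
        pos += attr_len
    return None


def verify_message_authenticator(secret, packet):
    """Return True if the packet's Message-Authenticator matches under this secret.

    This is the check that fails, and is logged as 'Invalid message authenticator',
    when the NAS and the server disagree on the shared secret or the packet was
    modified in transit.
    """
    offset = _find_message_authenticator(packet)
    if offset is None:
        # RFC 3579 requires the attribute whenever EAP-Message is present.
        return False
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def simulate(nas_secret, acs_secret):
    """NAS builds the request with nas_secret; server verifies with acs_secret."""
    packet = build_access_request(nas_secret, 7, "leon", EAP_IDENTITY_RESPONSE,
                                  request_authenticator=bytes(range(16)))
    return verify_message_authenticator(acs_secret, packet)


if __name__ == "__main__":
    print("matching secrets:        ", simulate(b"cisco", b"cisco"))
    print("trailing space on server:", simulate(b"cisco", b"cisco "))
    print("case difference:         ", simulate(b"cisco", b"Cisco"))
```

Run stand-alone, the first line prints True and the other two print False. When retyping a secret, the comparison above is the one the server performs, so a secret that looks identical on screen but carries a trailing blank, a different quote character or a different case will still be rejected; that is why restarting the ACS services after re-entering it is worth doing, since a cached NAS definition would keep using the old value.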

Yeah, I've manually typed "secret" in the thing as well.

Are you using symbols? try setting the shared secret as something simple like testtest on both and see if that works. If not then it has to be a configuration on the ACS.

-Scott
*** Please rate helpful posts ***

Nope, I got to the point of bargaining with the things. Using secrets like "please" and "iwillgiveyou100dollarstowork" Well, maybe not the last one. :-)

I would think that it would be a configuration on the ACS server then. Are you using autonomous or LWAP?

Here is a simple config setup that might help..

http://cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

-Scott
*** Please rate helpful posts ***

LWAP on 4402s (v4.2) and ACS 4.1 I saw that and this article.

PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml

I'm going to set up a new ACS tomorrow and see if that works. Thanks for the advice.

Bug in 4.1.1 build 23

- remove the AAA client from the device group and put it in the non-assigned group.

jcoke
Level 3

I got this resolved today and thought I would pass the workaround along. We opened a TAC case on the WLC and the engineer first suggested that we check the shared secret. Since I'd reset it so many times in so many ways my head almost exploded :-) She also mentioned this:

"We also sometimes see 'strange issues' in ACS if the device is part of a device group, so if you would remove the WLC from any device group, put it in by itself (not in a group), be sure Aironet or Airespace is chosen for the device type, & recycle the ACS services."

This turned out to be the solu^H^H^H^Hworkaround. Not sure yet if it's in the pipeline to be fixed in ACS. FYI the case number is 607634169.

That is what I mentioned earlier. Rule of thumb is to restart ACS when making major changes. Always worked for me.

-Scott
*** Please rate helpful posts ***