DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid

Unanswered Question
Jan 31st, 2008

I'm working with a customer on a 2106 controller with 1130 series APs. Everything seems fine until the client does a reauthentication. At this point the clients send a stream of authentication attempts to the RADIUS server (40 or so a second). The RADIUS server (Microsoft IAS) is passing the authentication. The controller has the error: DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 254 with the MAC address of the offending client in the log, at the same rate as the authentication storm. The clients have current drivers. We are using the Microsoft supplicant and have the Microsoft updates (SP2 and relevant wireless patches) installed.


I'm currently testing using the Intel supplicant, but have not been doing it long enough to see if it is an issue with that supplicant.

SHANNON WYATT Thu, 04/10/2008 - 01:27

Honestly this was so long ago I don't remember what I did to resolve the issue.

Scott Fella Tue, 09/16/2008 - 09:11

Is your RADIUS local to the clients or are they authenticating through the WAN?

acgri1982 Tue, 09/16/2008 - 11:19

It is local, in the same LAN. And the Cisco controller is configured with LocalEAP.

Scott Fella Tue, 09/16/2008 - 11:23

What type of encryption are you using, and also what authentication method? Do you have the same issue if users are on an SSID that is open, with no type of encryption or authentication?

acgri1982 Tue, 09/16/2008 - 11:31

In WLANs > Edit -> Security Layer 2 I'm choosing WPA+WPA2 with TKIP and PSK.


In WLANs > Edit -> AAA Servers, I mark enabled "Local EAP Authentication" with "LocalEAP" EAP profile name.


Then, in Local Net Users > Edit, I fill the fields.


Is this configuration correct?

Scott Fella Tue, 09/16/2008 - 17:25

Okay... for this WLAN SSID, you selected WPA+WPA2. Here you should define either WPA w/ TKIP or WPA2 w/ AES... or both. WPA2 performs better than WPA, but that depends on your client supporting WPA2. Since you selected PSK, you must have entered a pre-shared key. So in the AAA server tab, you don't have to enable local EAP authentication.


For local EAP, you need to choose WPA+WPA2 and 802.1X. This will also require a certificate on the WLC. I won't go into this too much because you are using PSK. Now on the client side, you would configure the SSID and either WPA TKIP or WPA2 AES and PSK... not enterprise. Enter your pre-shared key in the client and you should be good to go!
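
The log message quoted in the original question can be decoded and rate-checked per client to confirm which stations are producing the storm. This is an added example, not part of the thread or Cisco's own tooling; the line layout (ISO timestamp prefix, hostname, trailing `client <MAC>`), the threshold, and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field names per IEEE 802.1X (packet type) and 802.11i/WPA (key descriptor type).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
KEY_DESCRIPTORS = {1: "RC4 (dynamic WEP)", 2: "RSN (WPA2)", 254: "WPA"}

EVENT = re.compile(
    r"DOT1X-1-INVALID_WPA_KEY_STATE: .*?invalid state \((?P<state>\d+)\)"
    r" - version (?P<version>\d+), type (?P<type>\d+), descriptor (?P<desc>\d+)")
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")  # assumed timestamp prefix

def parse_line(line):
    """Return a dict for one INVALID_WPA_KEY_STATE line, or None for any other line."""
    event, mac, stamp = EVENT.search(line), MAC.search(line), STAMP.match(line)
    if not (event and mac and stamp):
        return None
    return {
        "second": datetime.fromisoformat(stamp.group(1)),
        "mac": mac.group(0).lower(),
        "state": int(event["state"]),
        "eapol_type": EAPOL_TYPES.get(int(event["type"]), "unknown"),
        "descriptor": KEY_DESCRIPTORS.get(int(event["desc"]), "unknown"),
    }

def find_storms(lines, per_second_threshold=10):
    """Return {mac: peak events in one second} for clients at or above the threshold."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["mac"], rec["second"])] += 1
    peaks = {}
    for (mac, _), count in buckets.items():
        peaks[mac] = max(peaks.get(mac, 0), count)
    return {mac: n for mac, n in peaks.items() if n >= per_second_threshold}

# Constructed sample: 40 events in one second from one client, 2 spread-out events, 1 other line.
MSG = ("DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid "
       "state (0) - version 1, type 3, descriptor 254")
SAMPLE = [f"2008-01-31T10:15:02 wlc1 {MSG} client 00:11:22:33:44:55"] * 40
SAMPLE += [f"2008-01-31T10:15:0{i} wlc1 {MSG} client 00:AA:BB:CC:DD:EE" for i in (2, 3)]
SAMPLE += ["2008-01-31T10:15:04 wlc1 some unrelated message (constructed)"]

if __name__ == "__main__":
    print(find_storms(SAMPLE))
    print(parse_line(SAMPLE[0]))
```

Type 3 with descriptor 254 decodes to an EAPOL-Key frame using the WPA (not RSN/WPA2) key descriptor, which is useful to compare against the Layer 2 security settings on the WLAN.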
