01-31-2008 10:28 AM - edited 07-03-2021 03:18 PM
I'm working with a customer on a 2106 controller with 1130 series APs. Everything seems fine until the client does a reauthentication. At this point the clients send a stream of authentication attempts to the RADIUS server (40 or so a second). The RADIUS (Microsoft IAS) is passing the authentication. The Controller has the error: DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 254 with the MAC address of the offending client in the log, at the same rate as the authentication storm. The clients have current drivers. We are using the Microsoft supplicant and have the Microsoft updates (SP2 and relevant wireless patches) installed.
I'm currently testing using the Intel supplicant, but have not been doing it long enough to see if it is an issue with that supplicant.
04-09-2008 08:24 PM
Hi, Any progress with this?
04-10-2008 01:27 AM
Honestly this was so long ago I don't remember what I did to resolve the issue.
06-23-2008 06:50 AM
Hi, how did you resolve the issue?
06-23-2008 07:09 AM
It was so long ago that I don't remember.
09-16-2008 05:20 AM
Did anyone solve this issue?
09-16-2008 09:11 AM
Is your radius local to the clients or are they authenticating through the WAN?
09-16-2008 11:19 AM
It is local, in the same LAN. And the Cisco Controller is configured with LocalEAP.
09-16-2008 11:23 AM
What type of encryption are you using and also what authentication method? Do you have the same issue if users are on an SSID that is open... no type of encryption or authentication?
09-16-2008 11:31 AM
In WLANs > Edit -> Security Layer 2 I'm choosing WPA+WPA2 with TKIP and PSK.
In WLANs > Edit -> AAA Servers, I mark enabled "Local EAP Authentication" with "LocalEAP" EAP profile name.
Then, in Local Net Users > Edit, I fill the fields.
Is this configuration correct?
09-16-2008 05:25 PM
Okay... for this WLAN SSID, you selected WPA+WPA2. Here you should define either WPA w/ TKIP or WPA2 w/ AES... or both. WPA2 performs better than WPA, but that depends on your client supporting WPA2. Since you selected PSK, you must have entered a pre-shared key. So in the AAA server tab, you don't have to enable local EAP authentication.
For local EAP, you need to choose WPA+WPA2 and 802.1x. This will also require a certificate on the WLC. I won't go into this too much because you are using PSK. Now on the client side, you would configure the SSID and either WPA TKIP or WPA2 AES and PSK... not enterprise. Enter your pre-shared key in the client and you should be good to go!
08-15-2023 07:45 PM
Hey Scott, I'm having similar issues I believe. I'm using PSK and WPA2+WPA3. These are messages I'm seeing from our controller:
*Dot1x_NW_MsgTask_0: Aug 15 17:01:35.938: %LOG-3-Q_IND: [SA]1x_eapkey.c:3080 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client x.x.x.x.x.x[...It occurred 2 times.!]
*Dot1x_NW_MsgTask_4: Aug 15 17:01:34.691: %DOT1X-3-INVALID_WPA_KEY_STATE: [SA]1x_eapkey.c:3080 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client x.x.x.x.x.x
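As an added example that is not part of any post in this thread: a small Python parser for the "Received EAPOL-key message while in invalid state" lines quoted above, which counts them per client per second so a storm like the one in the first post stands out. The MAC addresses in the sample lines are constructed, and the threshold of 10 per second is an assumed value to tune.

```python
import re
from collections import Counter

# Message text and timestamp layout follow the WLC log lines quoted in the thread.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d{2}:\d{2}:\d{2})\.\d+: .*?"
    r"Received EAPOL-key message while in invalid state \((?P<state>\d+)\)"
    r" - version (?P<ver>\d+), type (?P<type>\d+), descriptor (?P<desc>\d+)"
    r"(?:, client (?P<client>[0-9A-Fa-f:.x-]+))?"
)

def parse_line(line):
    """Return the message fields as a dict, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # The 2008 message in the first post carries no client field.
    fields["client"] = (fields["client"] or "unknown").lower()
    return fields

def eapol_key_storms(lines, threshold=10):
    """Map (client, second) -> count, kept only where count >= threshold.
    The default threshold is an assumption, not a vendor value."""
    per_second = Counter()
    for line in lines:
        fields = parse_line(line)
        if fields:
            per_second[(fields["client"], fields["ts"])] += 1
    return {key: n for key, n in per_second.items() if n >= threshold}

# Constructed sample input: same layout as the 2023 log line, made-up MACs.
TEMPLATE = ("*Dot1x_NW_MsgTask_4: Aug 15 17:01:34.{ms:03d}: "
            "%DOT1X-3-INVALID_WPA_KEY_STATE: [SA]1x_eapkey.c:3080 Received "
            "EAPOL-key message while in invalid state (4) - version 2, "
            "type 3, descriptor 2, client {mac}")
SAMPLE = [TEMPLATE.format(ms=i * 20, mac="00:11:22:33:44:55") for i in range(12)]
SAMPLE += [TEMPLATE.format(ms=900 + i, mac="00:11:22:33:44:66") for i in range(2)]
SAMPLE.append("*apfMsConnTask_0: Aug 15 17:01:34.950: unrelated message")

if __name__ == "__main__":
    for (client, second), n in eapol_key_storms(SAMPLE).items():
        print(f"{second} {client}: {n} invalid-state EAPOL-Key messages")
```

Lines that summarise suppressed repeats ("It occurred 2 times") are counted once each, so the reported rate is a lower bound.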