
DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid

SHANNON WYATT
Level 1

I'm working with a customer on a 2106 controller with 1130 series APs. Everything seems fine until the client does a reauthentication. At this point the clients send a stream of authentication attempts to the RADIUS server (40 or so a second). The RADIUS (Microsoft IAS) is passing the authentication. The controller has the error: DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 254 with the MAC address of the offending client in the log, at the same rate as the authentication storm. The clients have current drivers. We are using the Microsoft supplicant and have the Microsoft updates (SP2 and relevant wireless patches) installed.

I'm currently testing using the Intel supplicant, but have not been doing it long enough to see if it is an issue with that supplicant.

11 Replies

m-ketchum
Level 1

Hi, any progress with this?

Honestly this was so long ago I don't remember what I did to resolve the issue.

murtaza786
Level 1

Hi, how did you resolve the issue?

It was so long ago that I don't remember.

Did anyone solve this issue?

Is your radius local to the clients or are they authenticating through the WAN?

-Scott
*** Please rate helpful posts ***

It is local, on the same LAN. And the Cisco controller is configured with LocalEAP.

What type of encryption are you using and also what authentication method? Do you have the same issue if users are on an ssid that is open.. no type of encryption or authentication?

-Scott
*** Please rate helpful posts ***

In WLANs > Edit -> Security Layer 2 I'm choosing WPA+WPA2 with TKIP and PSK.

In WLANs > Edit -> AAA Servers, I mark enabled "Local EAP Authentication" with "LocalEAP" EAP profile name.

Then, in Local Net Users > Edit, I fill the fields.

Is this configuration correct?

Okay.... for this WLAN SSID, you selected WPA+WPA2. Here you should define either WPA w/ TKIP or WPA2 w/ AES.... or both. WPA2 performs better than WPA, but that depends on your client supporting WPA2. Since you selected PSK, you must have entered a pre-shared key. So in the AAA server tab, you don't have to enable local EAP authentication.

For local EAP, you need to choose WPA+WPA2 and 802.1X. This will also require a certificate on the WLC. I won't go into this too much because you are using PSK. Now on the client side, you would configure the SSID and either WPA TKIP or WPA2 AES and PSK... not enterprise. Enter your pre-shared key in the client and you should be good to go!

-Scott
*** Please rate helpful posts ***

Hey Scott, I'm having similar issues I believe. I'm using PSK and WPA2+WPA3. These are messages I'm seeing from our controller:

*Dot1x_NW_MsgTask_0: Aug 15 17:01:35.938: %LOG-3-Q_IND: [SA]1x_eapkey.c:3080 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client x.x.x.x.x.x[...It occurred 2 times.!]

*Dot1x_NW_MsgTask_4: Aug 15 17:01:34.691: %DOT1X-3-INVALID_WPA_KEY_STATE: [SA]1x_eapkey.c:3080 Received EAPOL-key message while in invalid state (4) - version 2, type 3, descriptor 2, client x.x.x.x.x.x
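
For triaging the storms reported in this thread, the following added example (not code from any poster or from Cisco) parses `%DOT1X-n-INVALID_WPA_KEY_STATE` lines in the format quoted above and reports each client's peak per-second rate together with the key descriptor type it sent. The sample lines and MAC addresses are constructed, the threshold of 10 per second is an assumed value, and the descriptor labels come from IEEE 802.1X/802.11 and WPA rather than from the thread.

```python
import re
from collections import Counter, defaultdict

# Key descriptor types per IEEE 802.1X / 802.11 and WPA (not stated in the thread).
DESCRIPTORS = {1: "RC4", 2: "RSN (IEEE 802.11)", 254: "WPA"}

# Matches the controller log format quoted in the thread; %LOG-3-Q_IND repeat
# summaries are deliberately not matched so an event is not counted twice.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\.\d+: %DOT1X-\d-INVALID_WPA_KEY_STATE: .*?"
    r"invalid state \((?P<state>\d+)\) - version (?P<ver>\d+), type (?P<type>\d+), "
    r"descriptor (?P<desc>\d+), client (?P<client>[0-9A-Fa-f:]{17})"
)

def parse(lines):
    """Yield one dict per INVALID_WPA_KEY_STATE line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            for key in ("state", "ver", "type", "desc"):
                ev[key] = int(ev[key])
            yield ev

def peak_rates(lines):
    """Return {client: (peak messages in any one second, descriptor label)}."""
    per_sec, label = defaultdict(Counter), {}
    for ev in parse(lines):
        per_sec[ev["client"]][ev["ts"]] += 1
        label[ev["client"]] = DESCRIPTORS.get(ev["desc"], f"unknown ({ev['desc']})")
    return {c: (max(s.values()), label[c]) for c, s in per_sec.items()}

def storms(lines, threshold=10):
    """Clients whose peak per-second rate reaches the (assumed) threshold."""
    return {c: v for c, v in peak_rates(lines).items() if v[0] >= threshold}

def _line(ms, mac, desc=2, state=4):
    # Constructed log line in the format shown in the thread.
    return (f"*Dot1x_NW_MsgTask_4: Aug 15 17:01:34.{ms:03d}: %DOT1X-3-INVALID_WPA_KEY_STATE: "
            f"[SA]1x_eapkey.c:3080 Received EAPOL-key message while in invalid state ({state}) - "
            f"version 2, type 3, descriptor {desc}, client {mac}")

# Constructed sample: one client sending 40 messages in a second, one sending a single message.
SAMPLE = [_line(i * 20, "02:00:00:00:00:01") for i in range(40)]
SAMPLE += [_line(5, "02:00:00:00:00:02", desc=254, state=0)]
SAMPLE += ["*apfMsConnTask_0: Aug 15 17:01:34.100: unrelated line"]

if __name__ == "__main__":
    for client, (rate, desc) in storms(SAMPLE).items():
        print(f"{client}: peak {rate}/s, key descriptor {desc}")
```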
