unpredictable, non-stop PEAP authentication on clients. HELP!!!

Answered Question
Feb 8th, 2008

I set up a WLC 2106 v4.2 in the lab with an upgraded LWAPP Aironet 1220b (also upgraded to G module). I have two vlans set up on it, one being the corporate using RADIUS/PEAP with MS IAS server, the other being guest using Web authentication.

The guest WLAN works great. Our current corporate WLAN is using PEAP with the fat APs and MS RADIUS server. So I configured the 2106 to use the same setup and servers. The corporate WLAN on this new network worked fine at first. Then I noticed at different times, the wireless card would go into constant reauthentication with the little yellow ball by the wifi systray icon flashing like crazy, cycling between "connected", "attempting to authenticate", and "validating identity". Although I am still on the network, this has badly degraded network speed. Occasionally it will snap out of it but most of the time I have to repair it. After a while it will start it again.

I modified all the power settings including the wlan card. It still happens.

I tried two different laptops with different wifi cards. Tried B, G only or Mixed. Both runs XP sp1. Our network is all 2000 servers with AD. Console logs on the LW AP shows numerous attack attempts from these laptops, of course:

%WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:12 Channel:11 Source MAC:001c.bf12.c8d7

%WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:12 Channel:11

On the WLC 2106, numerous Trap log entries when this happens:

Decrypt errors occurred for client 00:1c:bf:12:c8:d7 using unknown key on 802.11b/g interface of AP 00:07:0e:15:1b:10

WLC management logs:

Feb 08 10:35:14.098 spam_lrad.c:21624 LWAPP-4-SIG_INFO1: Signature information; AP 00:07:0e:15:1b:10, alarm ON, standard sig EAPOL flood, track per-Macprecedence 12, hits 30, slot 0, channel 11, most offending MAC 00:1c:bf:12:c8:d7

Feb 08 10:05:19.463 dtl_net.c:1299 DTL-1-ARP_POISON_DETECTED: STA [00:1c:bf:12:c8:d7, 0.0.0.0] ARP (op 1) received with invalid SPA 172.16.7.63/TPA 172.16.7.1

Meanwhile, MS eventlog on the IAS RADIUS server shows 15-16 successful PEAP authentications PER SECOND from the same user.

These two laptops are right next to the LW AP and controller. Signal level from production APs are very low.

I have this problem too.
0 votes
Correct Answer by rseiler about 8 years 10 months ago

The PEAP authentication loop may be a Cisco WLC bug, check the release notes for 4.2.99.0 which was released on Monday...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
rduke Fri, 02/08/2008 - 12:00

Perhaps it is a certificate issue. You can test that easy enough by going into the advanced properties and unchecking the box that says "check server certificate". If it connects that is the problem.

Randy

DANIEL WANG Fri, 02/08/2008 - 12:24

Check box for Validate Server Certificate has been off.

I suspect there may still be some sort interference from my production APs. So I dropped power by half on an production AP that at Channel 10 (the test AP runs at Chan. 11 but at much higher signal strength). That did not seem to bring the test laptop out of the authenticating loop.

So I turned the production AP power back to its previous level and left for lunch. I just came back. Now the test laptop is out of loop and normal again. But it was looping the entire morning.

I wonder if this problem will go away once I convert all prod. APs to Light Weight then WLC will manage them all for power and channel selection.

Any other ideas?

Thanks a lot!

rseiler Mon, 02/11/2008 - 16:55

First, Windows XP Service Pack 1 is essentially useless for wireless using any eap type and 802.1x. All issues are fixed on a fully patched XP Service Pack 2 system with the KB917021 update applied. I have no idea if XP SP1 will even work in your scenerio.

Second, what version of Windows Server are you running that is your IAS server? Assuming Server 2000 what service pack are you currently running? I'm not sure that MS IAS even works for wireless EAP types on Windows 2000. I would assume that 99% of your peers out there are running IAS on Windows Server 2003 SP2 or R2. Even then, there are a bunch of fixes for IAS issues related to EAP types on wired or wireless networks, make sure you research them and apply the appropriate updates to the IAS server(s).

Third, what are the radio types on the wireless clients? You say you tried 'different wifi' cards, but what types, exactly? And what driver versions, exactly?

Finally, you have provided incomplete information regarding the version of software you are running on the WLC, version 4.2.what.what? There are several bugs in software version 4.2.61.0 related to EAP, some that are still not fixed in 4.2.99.0. Most issues have workarounds, but you need to know what you are doing specific to client drivers and configuration and WLC configuration.

If you fill in these numerous blanks in your posted question then you will more likely get some specific steps to take to address your problem.

DANIEL WANG Tue, 02/12/2008 - 08:07

Oops. That was a typo. All of my laptops are running XP SP2. All of my servers (incld. IAS RADIUS server) are running 2000 SP4. I have run PEAP for five years starting on W2k clients with 802.1x supplicant. Since moving to XP SP2 the wireless connection has been quite stable.

All my production APs 1220B-IOSUPGRADE fat APs. We have three VLANs on these APs: vlan 8 (untagged)for management, vlan 7 Corporate, vlan9 guest (which is redirected straight thru our proxy server to the Internet by Policy Routing on the Core switch)

My 2106 controller version is 4.2.61.0. I configured the same Vlan assignments on it as our production, with Vlan9 guest local Web authentication and Vlan7 corporate MS-PEAP using the same production IAS RADIUS server. I converted one of APs to LWAP and set them both up in my office where I normally can't get a connection to our production WLAN (our building is a WWII-era bombshell). I also further drop the radio output of the production AP closest to my office.

My laptops are:

HP/compaq 6720s with Intel Pro Wireless 3945ABG v11.1.1.16, 6/20/2007

an old IBM Thinkpad with Cisco Aironet 350 802.11b PCMCIA card, v7.29.0.0, 7/1/2001

I didn't bother to check the client driver issues because they are so diverse in everyway.

Thank you very much for pointing me toward issues in the WLC version. Initially I suspected radio/co-channel interference and client drivers. The problem did go away when I turn off radio on nearby production AP.

I just started to learn the AP/Controller architecture. Please bear with me for not providing sufficient detailed information. Sometimes I got long in my messages with details and no one wanted to read them :))

DANIEL WANG Tue, 02/12/2008 - 08:14

Corrections. At the end of my last posting, when the intermittent PEAP authentication loop DID NOT go way when I turned of radio on nearby production APs.

Oh, BTW, I meant our office was rebuilt solidly with a bombshelter, not bombshell.

I need to check my fingers today :))

Correct Answer
rseiler Wed, 02/13/2008 - 09:56

The PEAP authentication loop may be a Cisco WLC bug, check the release notes for 4.2.99.0 which was released on Monday...

DANIEL WANG Wed, 02/13/2008 - 11:39

Yes, it turned out you were right.

Right after my last reply I upgraded my WLC from 4.2.60 to the latest. Both laptops have been running wireless for 28 hours without a single problem. I think the new IOS fixed it.

Thank you thank you thank you for the quick diagnosis. I gave you the best rating.

Daniel

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode