PEAP failure

Unanswered Question
Jul 7th, 2008

I have a 4404 controller with a Microsoft IAS server running radius. I can connect to the WLAN when I have no encryption. When I turn on WPA2 with AES and try to connect it fails. I ran the debug dot1x events enable and here is the output. There is one line that states AAA Error no Server.


Mon Jul 7 18:29:58 2008: 00:13:02:14:c7:b3 Sending EAP-Request/Identity to mobile 00:13:02:14:c7:b3 (EAP Id 1)

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received EAPOL EAPPKT from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received Identity Response (count=1) from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing AAA Error 'No Server' (-7) for mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing RSN IE type 48, length 22 for mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received RSN IE with 0 PMKIDs from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Station 00:13:02:14:c7:b3 setting dot1x reauth timeout = 0

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Stopping reauth timeout for 00:13:02:14:c7:b3


I can ping the server from the 4404, have re-entered the shared secret several times. I even deleted and re-added the radius information with no luck.


Does anyone have any ideas?


Seth
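
The debug output quoted in the post above, run through a small parser (an added example, not part of the original post and not Cisco tooling). The line format is inferred only from the lines quoted in the post, and the function names `parse` and `diagnose` are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the debug output quoted in the post above.
SAMPLE = """\
Mon Jul 7 18:29:58 2008: 00:13:02:14:c7:b3 Sending EAP-Request/Identity to mobile 00:13:02:14:c7:b3 (EAP Id 1)
Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received EAPOL EAPPKT from mobile 00:13:02:14:c7:b3
Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received Identity Response (count=1) from mobile 00:13:02:14:c7:b3
Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing AAA Error 'No Server' (-7) for mobile 00:13:02:14:c7:b3
Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing RSN IE type 48, length 22 for mobile 00:13:02:14:c7:b3
"""

# "<weekday> <month> <day> <hh:mm:ss> <year>: <client MAC> <message>" (assumed layout)
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
AAA_ERR = re.compile(r"Processing AAA Error '(?P<name>[^']*)' \((?P<code>-?\d+)\)")

def parse(text):
    """Group events by client MAC, skipping blank or unrecognised lines."""
    events = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events[m["mac"].lower()].append((m["ts"], m["msg"]))
    return events

def diagnose(text):
    """Report, per client, the last EAP stage reached before the first AAA error."""
    findings = {}
    for mac, evs in parse(text).items():
        stage, error = "none", None
        for ts, msg in evs:
            err = AAA_ERR.search(msg)
            if err:
                error = {"time": ts, "name": err["name"], "code": int(err["code"])}
                break  # later lines are teardown, not progress
            if "Sending EAP-Request/Identity" in msg:
                stage = "identity-requested"
            elif "Received Identity Response" in msg:
                stage = "identity-received"
        findings[mac] = {"stage": stage, "aaa_error": error}
    return findings

if __name__ == "__main__":
    for mac, finding in diagnose(SAMPLE).items():
        print(mac, finding)
```

For the quoted session the client reaches the identity-received stage and the error is logged directly afterwards, which in 802.1X is the point where the authenticator relays the identity to the RADIUS server.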

rseiler Mon, 07/07/2008 - 18:46

Send a 'show wlan summary' and a 'show wlan ' for the ssid that you are having this issue with.

Scott Fella Mon, 07/07/2008 - 19:24

Take a look at the event viewer in the IAS box to see if it is even receiving anything from the WLC. Also, do you have the IAS set to Radius Standard when you created the Radius Client?

srosenthal Mon, 07/14/2008 - 06:39

Here are outputs


show>wlan summary


Number of WLANs.................................. 2


WLAN ID WLAN Profile Name / SSID Status Interface Name

------- ------------------------------------- -------- --------------------

1 EOC / EOC Enabled management

2 Guest / EOCGuest Enabled guest



Here is the output from the show wlan 1 command:


(Cisco Controller) show>wlan 1



WLAN Identifier.................................. 1

Profile Name..................................... EOC

Network Name (SSID).............................. EOC

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Enabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Allowed

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

--More-- or (q)uit

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ 172.23.4.4 1812

Local EAP Authentication......................... Disabled

Security


802.11 Authentication:........................ Open System

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Disabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

Auth Key Management

802.1x.................................. Enabled

PSK..................................... Disabled

--More-- or (q)uit

CCKM.................................... Disabled

CKIP ......................................... Disabled

IP Security................................... Disabled

IP Security Passthru.......................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

Cranite Passthru.............................. Disabled

Fortress Passthru............................. Disabled

H-REAP Local Switching........................ Disabled

Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)

Client MFP.................................... Optional

Tkip MIC Countermeasure Hold-down Timer....... 60


Mobility Anchor List

WLAN ID IP Address Status

------- --------------- ------



Scott Fella Mon, 07/14/2008 - 17:48

This wlan looks like it is set up correctly for 802.1x and wpa2/AES. What errors do you see in the IAS server event viewer?

srosenthal Tue, 07/15/2008 - 12:30

Nothing is showing up in the event viewer. Can anyone direct me to a guide on setting up IAS 2003 to work with the WLC?


Thanx
