Client Intel card rejecting 802.1x auth or config issue?

Jun 18th, 2009

I'm trying to configure the controller to allow clients to connect via WPA/TKIP w/ 802.1x through Steel-Belted Radius. I created a WLAN with WPA/TKIP and 802.1x and also added my external RADIUS server on there. The RADIUS server checks with an external LDAP server to verify user names and pws. I have it set to use PEAP and MS-CHAP v2. I believe I configured my client correctly as well. When I try to authenticate on an Intel 1200 or 3945 it does not work.

I checked the logs and the radius server is passing ldap auth success to the controller. The logs from the controller state:

Jun 18 15:37:38 cont-01**** CONT-01: *Jun 18 15:37:58.545: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

I tried doing an open SSID and I can connect. I tried WPA/WPA2 PSK and I can connect. I only have issues when using 802.1x. I need to find a way to have users connect to the wireless to authenticate through RADIUS/LDAP. I went through a lot of configs and Cisco docs and can't figure out if I'm missing something. I opened a TAC case and they said it's a vendor card issue. Any help would be greatly appreciated.

jicr Fri, 06/19/2009 - 05:39

Configure a local EAP profile, map it to the WLAN, create users in the local DB, and try to authenticate clients using that. If it works fine, then there are no issues with your wireless card, as it is capable of WPA authentication, and the issue is in the configuration of your RADIUS server.

Enable "debug aaa events enable" while the client authenticates, which will give you a better idea of what is happening behind the scenes. Meanwhile, which inner method are you using for 802.1x auth (PEAP/LEAP/EAP FAST/EAP TLS)?

perez.matt Mon, 06/22/2009 - 07:24

I was able to authenticate via local EAP (PEAP) through that WLAN. I opened a case with Juniper and everything is set fine on my side, and it sends the accept response to the controller, but authentication on the controller does not happen. One thing I noticed on the RADIUS server was that once I had it authenticate through EAP only on the RADIUS server, authentication was instantly rejected by the controller. Usually it just times out. I don't know if this is an Intel issue like TAC claims or what.
