802.1x authentication on PSK key mgmt?

Unanswered Question
Aug 21st, 2009

Hello,


I'm setting up a new 5508 WLC (the first WLC I have ever set up) and I have my WLAN set up with our existing WPA/TKIP SSID for transitioning our clients from our existing autonomous system to the WLC. I have selected PSK as the key mgmt and I can get the clients to connect for a few minutes, but I keep seeing these errors:


Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4


I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?


Thanks.

Dan.

Robert.N.Barrett_2 Fri, 08/21/2009 - 07:12
User Badges: Bronze (100 points or more)

Congrats on getting your first controller set up. Since you don't have any 802.1X configured, could it be that the client in question is trying to use an incorrect PSK?

danletkeman Fri, 08/21/2009 - 08:39

I don't think so. All of the clients connect, but then get disconnected with the 802.1x error message.


Dan.

3d00000bE Wed, 04/22/2015 - 08:45

My scenario is the following:

Access: Client->AP->WLC

Authentication: Client->AP->WLC->Radius

IP assignment after the authentication: Client->DHCP

I had the same log trap "Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4". I saw the log of the RADIUS and the cause was the algorithm PEAP and the RADIUS talks in EAP. I changed the properties of my wireless network (Control Panel->Internet and Networks->Wireless Management): in the security tab, in authentication method, I chose intelligent card and other certification, and that's it.

 

danletkeman Fri, 08/21/2009 - 09:36

If I click on the client and look at the client details it shows under the policy manager state that 802.1x is required. Is there something configured wrong on the client?


Clients > Detail

Client Properties

MAC Address: 00:21:00:f9:dd:50
IP Address:
Client Type:
WGB MAC Address:
Number of Wired Client(s):
User Name:
Port Number:
Interface:
VLAN ID:
CCX Version:
E2E Version:
Mobility Role:
Mobility Peer IP Address:
Policy Manager State: 8021X_REQD
Management Frame Protection:

danletkeman Sat, 08/22/2009 - 13:41

I have come across some more information regarding my problem.


When the LAP cannot connect to the WLC, then everything works! The clients can connect just fine without problems. As soon as I take the ACL off the switch port and allow the LAP to connect back to the controller, the clients cannot connect.

danletkeman Sat, 08/22/2009 - 15:11

Just another note.


When I set the WLAN to no authentication (open system), I can connect to the AP when it is in H-REAP mode and communicating with the controller. When I have the WLAN set to WPA/AES/PSK, I cannot connect.


Is there a known bug in 6.0.182.0?


Saravanan Lakshmanan Sat, 05/25/2013 - 05:06
User Badges: Cisco Employee

Is there a specific reason to use that 6.0 code? Upgrade to the latest 7.0.240 code and try to reproduce the issue.

dan.letkeman Sat, 05/25/2013 - 06:11

Look at the date of my original post.  It is nearly 4 years ago!  I don't know why people are responding to this thread.

Scott Fella Sat, 05/25/2013 - 07:12
User Badges: Super Silver (17500 points or more); Hall of Fame; Cisco Designated VIP (2017 Wireless)

People seem to want to add onto what was posted already... I don't know why, but it's better if they did open up their own thread.


Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

kristoferheyl Tue, 08/25/2009 - 23:08

I had a similar problem a while ago, caused by WCS not setting the PSK correctly on the WLC. Cisco TAC informed me that the error message is not necessarily a dot1x error message; it can also indicate a PSK error (wrong key).


Are you using WCS to push the PSK to the WLC?

danletkeman Wed, 08/26/2009 - 09:41

No, I am not using WCS. I contacted TAC and it looks like it might be a bug in the 6.x software. Their next step was to re-create it in their lab.

Robert.N.Barrett_2 Wed, 08/26/2009 - 20:44
User Badges: Bronze (100 points or more)

If you are using WPA with AES, then I would change that setting - either use WPA with TKIP, or use WPA2 with AES (even if that does not solve your problem). Even though you are supposed to be able to mix and match WPA/WPA2 and TKIP/AES, I have seen some clients that work better using WPA/TKIP or WPA2/AES.

danletkeman Thu, 08/27/2009 - 09:41

It's not that either. I have tried every combination of WPA and WPA2...the only ones that work are WEP or Open System.


WPA and WPA2 work when the ap connection to the controller is lost. So it looks like the ap is not operating in H-Reap mode when it has a connection to the controller.



mcoverdi_2 Thu, 11/12/2009 - 22:28

Does your PSK have any numbers, special characters or is it exceptionally long? Try temporarily changing the PSK to something short with lower case characters only to see if that allows you to connect.

danletkeman Fri, 11/13/2009 - 06:01

I fixed the problem a while ago with a restart of the controller. I had never restarted it after the initial bootup.

Lukasz.Slemp Wed, 12/08/2010 - 23:44

Hey,

I have the same problem with a Cisco 2100 Series WLC on software version 7.0.98.0.


I get a lot of error messages in Log Monitor which look like these:



Thu Dec 9 09:00:28 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
Thu Dec 9 08:57:09 2010  Interference Profile Failed for Base Radio MAC: (..................) and slotNo: 0
Thu Dec 9 08:53:43 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
Thu Dec 9 07:57:15 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
Thu Dec 9 07:54:10 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
Thu Dec 9 07:50:42 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4



I'm not using 802.X authentication, it's just WPA/TKIP ...not even WPA2/AES. Each client gets disconnected a few times per day. Auth fails like you see above, but most of the time the connection just works. Not as good as I'd want it to, but it works, somehow.

I have also set up two WLANs for other devices like printers etc. - it works just fine. I mean - no errors, no disconnects, it works perfectly, but why the hell is WPA not working?!


The second, bigger problem is that every computer connected via WiFi is losing one ping packet every minute. I have WLC -> 7 x AP -> End devices.

Everything up to the APs is connected via Ethernet, then it's a WiFi connection. When I'm pinging the WLC or APs from a LAN-connected PC it works fine, but when I'm pinging WiFi-connected end devices (6 PCs) - each one is losing one packet at the exact same time - every minute.

When I'm doing the same but from the other side - a WiFi-connected PC pinging the APs, WLC, LAN PC - I lose one ping packet to each device, including AP, WLC, other end devices.

It's definitely a fault in the WLC configuration because I lose these packets on APs <-> WiFi devices. Any idea, any clue? I'm not sure which setting is responsible for that.


Thanks in advance for any hints, suggestions.


Regards,

Łukasz



Saravanan Lakshmanan Sun, 02/24/2013 - 20:44
User Badges: Cisco Employee

Use WPA AES, or try the changes below to see if that makes any difference:

disable client exclusion

disable TKIP countermeasure

George Stefanick Sat, 12/11/2010 - 19:46
User Badges: Purple (4500 points or more); Community Spotlight Award (Best Publication, October 2015)

I have a similar issue on 7.0.98.0 / 5508.


Version 7.0.98.0 / 5508- WPA/TKIP psk doesn't work

Version 7.0.98.0 / 5508- WPA2/AES psk works


downgraded to 6.0.199.0


Version 7.0.98.0 / 5508- WPA/TKIP psk works

Version 7.0.98.0 / 5508- WPA2/AES psk works


upgraded back to 7.0.98.0


Version 7.0.98.0 / 5508- WPA/TKIP psk doesn't work

Version 7.0.98.0 / 5508- WPA2/AES psk works



I called TAC and they mentioned there were no known issues, although I have not had a chance to work with them on the issue.

daniel.yuste.aroca Fri, 02/22/2013 - 03:04

Hello all.


Right now I am facing the same issue described here. My controller is running software version 7.2.103.0.


Did you manage to find a cause for this failure and/or a solution for it?


Thanks!!!

maldehne Mon, 02/25/2013 - 00:38
User Badges: Cisco Employee

Does the issue happen with all your clients or certain clients?

Did you verify the driver version of your wireless adapter? Make sure to have it updated to the latest firmware version.
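
One way to check from the controller's trap log whether the exclusions hit all clients or only certain ones is to tally them per client MAC and per AP radio. This is an added example, not part of any poster's reply: the field layout follows the "Client Excluded" lines quoted in this thread, and the sample lines and MAC addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout follows the "Client Excluded" trap lines quoted in this thread.
# A row index and timestamp may be glued to the message, so both are optional.
TRAP_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})?\s*"
    r"Client Excluded: MACAddress:(?P<client>\S+) "
    r"Base Radio MAC :(?P<radio>\S+) Slot: (?P<slot>\d+) "
    r"User Name: (?P<user>.*?) Ip Address: (?P<ip>.*?) "
    r"Reason:(?P<reason>.*?) ReasonCode: (?P<code>\d+)"
)

def parse_exclusions(lines):
    """Return one dict per 'Client Excluded' trap; other traps are skipped."""
    events = []
    for line in lines:
        m = TRAP_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ts = ev.pop("ts")
        ev["when"] = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y") if ts else None
        ev["client"], ev["radio"] = ev["client"].lower(), ev["radio"].lower()
        events.append(ev)
    return events

def summarize(events):
    """Count exclusions per client MAC and per (AP radio MAC, slot)."""
    per_client = Counter(ev["client"] for ev in events)
    per_radio = Counter((ev["radio"], int(ev["slot"])) for ev in events)
    return dict(per_client), dict(per_radio)

# Constructed sample lines (made-up MACs), not taken from any real controller.
TAIL = (" User Name: unknown Ip Address: unknown "
        "Reason:802.1x Authentication failed 3 times. ReasonCode: 4")
SAMPLE = [
    "0Thu Dec 9 09:00:28 2010Client Excluded: MACAddress:02:00:00:00:00:0a "
    "Base Radio MAC :02:00:00:00:10:00 Slot: 0" + TAIL,
    "1Thu Dec 9 08:57:09 2010Interference Profile Failed for Base Radio MAC: "
    "02:00:00:00:10:00 and slotNo: 0",
    "Thu Dec 9 08:53:43 2010  Client Excluded: MACAddress:02:00:00:00:00:0A "
    "Base Radio MAC :02:00:00:00:10:00 Slot: 0" + TAIL,
    "Client Excluded: MACAddress:02:00:00:00:00:0b "
    "Base Radio MAC :02:00:00:00:20:00 Slot: 1" + TAIL,
]

if __name__ == "__main__":
    clients, radios = summarize(parse_exclusions(SAMPLE))
    print("exclusions per client:", clients)
    print("exclusions per radio/slot:", radios)
```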

Knut Axel Osori... Tue, 05/21/2013 - 14:22

Good afternoon; I also have the same problem, and when I click REMOVE it is only removed for a few seconds, then it goes back to the EXCLUDED CLIENTS group. Likewise, I have done DISABLE, and from the DISABLE group I have done REMOVE, but it gets excluded again.


I attach the error message.


Client Excluded: MACAddress:9c:b7:0d:2a:5f:cf Base Radio MAC :f4:ea:67:c1:57:10 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4



Thanks.
