802.1x authentication on PSK key mgmt?

danletkeman
Level 1

Hello,

I'm setting up a new 5508 WLC (the first WLC I have ever set up) and I have my WLAN set up with our existing WPA/TKIP SSID for transitioning our clients from our existing autonomous system to the WLC. I have selected PSK as the key mgmt and I can get the clients to connect for a few minutes, but I keep seeing these errors:

Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4

I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?

Thanks.

Dan.

21 Replies

Congrats on getting your first controller set up. Since you don't have any 802.1X configured, could it be that the client in question is trying to use an incorrect PSK?

I don't think so. All of the clients connect, but then get disconnected with the 802.1x error message.

Dan.

My scenario is the following:

Access: Client->AP->WLC

Authentication: Client->AP->WLC->RADIUS

IP assignment after the authentication: Client->DHCP

I had the same log trap "Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4". I looked at the RADIUS log and the cause was the algorithm PEAP while the RADIUS talks EAP. I changed the properties of my wireless network (Control Panel->Internet and Networks->Wireless Management): in the Security tab, under authentication method, I chose intelligent card and other certification, and that's it.

If I click on the client and look at the client details it shows under the policy manager state that 802.1x is required. Is there something configured wrong on the client?

Clients > Detail

Client Properties

MAC Address: 00:21:00:f9:dd:50
IP Address:
Client Type:
WGB MAC Address:
Number of Wired Client(s):
User Name:
Port Number:
Interface:
VLAN ID:
CCX Version:
E2E Version:
Mobility Role:
Mobility Peer IP Address:
Policy Manager State: 8021X_REQD
Management Frame Protection:

I have come across some more information regarding my problem.

When the LAP cannot connect to the WLC then everything works! The clients can connect just fine without problems. As soon as I take the ACL off the switch port and allow the LAP to connect back to the controller, the clients cannot connect.

Just another note.

When I set the WLAN to no authentication (open system) then I can connect to the AP when it is in H-REAP mode and communicating with the controller. When I have the WLAN set to WPA/AES/PSK I cannot connect.

Is there a known bug in 6.0.182.0?

Is there a specific reason to use that 6.0 code? Upgrade to the latest 7.0.240 code and try to reproduce the issue.

Look at the date of my original post.  It is nearly 4 years ago!  I don't know why people are responding to this thread.

People seem to want to add onto what was posted already... I don't know why, but it's better if they open up their own thread.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

kristoferheyl
Level 1

I had a similar problem a while ago, caused by WCS not setting the PSK correctly on the WLC. Cisco TAC informed me that the error message is not necessarily a dot1x error message; it can also indicate a PSK error (wrong key).

Are you using WCS to push the PSK to the WLC?

No, I am not using WCS. I contacted TAC and it looks like it might be a bug in the 6.x software. Their next step was to re-create it in their lab.

If you are using WPA with AES, then I would change that setting - either use WPA with TKIP, or use WPA2 with AES (even if that does not solve your problem). Even though you are supposed to be able to mix and match WPA/WPA2 and TKIP/AES, I have seen some clients that work better using WPA/TKIP or WPA2/AES.

It's not that either. I have tried every combination of WPA and WPA2... the only ones that work are WEP or Open System.

WPA and WPA2 work when the ap connection to the controller is lost. So it looks like the ap is not operating in H-Reap mode when it has a connection to the controller.

mcoverdi_2
Level 1

Does your PSK have any numbers, special characters or is it exceptionally long? Try temporarily changing the PSK to something short with lower case characters only to see if that allows you to connect.
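
Added example, not part of any post in this thread: a small Python triage script that parses "Client Excluded" traps in the format quoted above and groups ReasonCode 4 exclusions by base radio, to separate one client with a bad key from a problem that hits every client on an AP, as described in this thread. The sample lines, MAC addresses, the `wide_threshold` value and the "wlan-wide"/"per-client" labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Field order follows the "Client Excluded" trap quoted in this thread.
TRAP_RE = re.compile(
    r"Client Excluded: MACAddress:(?P<client>[0-9A-Fa-f:]{17})\s+"
    r"Base Radio MAC :(?P<radio>[0-9A-Fa-f:]{17})\s+Slot: (?P<slot>\d+)\s+"
    r"User Name: (?P<user>.*?)\s+Ip Address: (?P<ip>\S+)\s+"
    r"Reason:(?P<reason>.*?)\s+ReasonCode: (?P<code>\d+)"
)

# Constructed sample data: timestamps and MAC addresses are made up.
TEMPLATE = ("{ts} Client Excluded: MACAddress:{client} Base Radio MAC :{radio} "
            "Slot: 1 User Name: unknown Ip Address: unknown "
            "Reason:802.1x Authentication failed 3 times. ReasonCode: 4")
SAMPLE_LINES = [
    TEMPLATE.format(ts=ts, client=c, radio=r) for ts, c, r in [
        ("Fri Aug 21 08:50:05 2009", "02:00:00:00:00:01", "02:AA:00:00:00:10"),
        ("Fri Aug 21 08:50:40 2009", "02:00:00:00:00:02", "02:aa:00:00:00:10"),
        ("Fri Aug 21 08:51:12 2009", "02:00:00:00:00:03", "02:aa:00:00:00:10"),
        ("Fri Aug 21 08:52:00 2009", "02:00:00:00:00:04", "02:aa:00:00:00:20"),
        ("Fri Aug 21 08:58:31 2009", "02:00:00:00:00:04", "02:aa:00:00:00:20"),
    ]
] + ["Fri Aug 21 08:59:00 2009 (constructed line that is not an exclusion trap)"]

def parse_exclusions(lines):
    """Return one dict per 'Client Excluded' trap; other lines are skipped."""
    events = []
    for line in lines:
        m = TRAP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["client"], ev["radio"] = ev["client"].lower(), ev["radio"].lower()
            events.append(ev)
    return events

def summarize(events, wide_threshold=3):
    """Group ReasonCode 4 exclusions by radio. Heuristic (an assumption): many
    distinct clients on one radio point at the WLAN/AP side, few at the client."""
    clients = defaultdict(set)
    for ev in events:
        if ev["code"] == "4":
            clients[ev["radio"]].add(ev["client"])
    return {radio: {"clients": sorted(macs),
                    "scope": "wlan-wide" if len(macs) >= wide_threshold else "per-client"}
            for radio, macs in clients.items()}

if __name__ == "__main__":
    for radio, info in summarize(parse_exclusions(SAMPLE_LINES)).items():
        print(radio, info["scope"], ", ".join(info["clients"]))
```
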
