802.1X Authentication failed without 802.1X authentication enabled

Unanswered Question
Jan 28th, 2010

Hi,

we are using 2 WISMs, with version 4.2.207 and a WCS to control them.

It seemed to work fine for about 2 weeks, and now we have detected the following problem with some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, and we also use MAC filtering.

When they lost the connection we can see the following error:

Message:

Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.

Message:

Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.

I also attach the output of the troubleshoot for the MAC address...

Can some help me with this?

Thank you.

Best regards,

George Stefanick Sat, 01/30/2010 - 08:19

Can you drop into the CLI of the WLC and do a client debug on the client in question and post your findings ...

thanks

Norberto Salgado Sun, 01/31/2010 - 13:41

Hi George,

thank you for your reply. I put the debug in attach.

The problem it's in this stage:

Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Initiating RSN PSK to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a dot1x - moving mobile 00:16:6f:06:27:0a into Force Auth state
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Skipping EAP-Success to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:53 2010: Including PMKID in M1  (16)
Fri Jan 29 11:26:53 2010:      [0000] 82 1d f1 e4 2f cc 1b 04 b8 e2 42 1a e1 73 4e 07
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Sending EAPOL-Key Message to mobile 00:16:6f:06:27:0a
                    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Retransmit failure for EAPOL-Key M1 to mobile 00:16:6f:06:27:0a, retransmit count 3, mscb deauth count 0
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Sent Deauthenticate to mobile on BSSID 00:1d:e6:24:e5:00 slot 0(caller 1x_ptsm.c:462)
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Scheduling deletion of Mobile Statio

Any help understanding why it will be great.

Thanks in advance,

Best regards,

George Stefanick Sun, 01/31/2010 - 14:26

See the lines that state Retransmit 1 and Retransmit 2... This is an indication that the PSK key doesn't match on the client and/or the WLC that the AP is associated to. Double check your PSK on the clients that are having issues. Something is amiss on the key side... I reproduced this in my lab and got the same results as you when the key did not match... see my output below yours ...

As for your 802.1x question: WPA2/PSK is a form of EAP, which is why you see 802.1x... Most folks assume 802.1x means a RADIUS server... but that's not the case. Post back and let me know what you find...

Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired fo

My test ...

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68

Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68

Norberto Salgado Mon, 02/01/2010 - 03:23

Hi again George,

thank you for your reply.

Yes, the behaviour is as if the password were incorrect, but that can't be the problem, because these clients connect without problems and then the problem starts to occur.

By the way, when we disable 802.11a on the client the problem seems to disappear...

Thank you.

Best regards,

George Stefanick Mon, 02/01/2010 - 04:29

I had an issue like this before... I had 6 WLCs and 1 of the WLCs had the wrong key and only had a few APs joined to that controller. When clients would roam to those APs the clients would spin.

I would double check the keys on the WLCs, or try and see what APs the clients are trying to attach to when they spin...

Make sense?
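The two debug traces earlier in this thread look alike at the "Retransmit N of EAPOL-Key M1" lines but differ in what precedes them: the original poster's trace never shows an EAPOL-Key arriving from the client, while the lab trace shows M2 arriving and failing the MIC check. The following is an added example, not code from the original thread, that parses WLC "debug client" output per client MAC, tells those two patterns apart, and pulls out the BSSID from the "Sent Deauthenticate" line so you can see which AP (and hence which controller) the client was on, as the reply above suggests. The sample log is constructed from the lines posted in this thread with the wrapping removed; the message patterns matched are the ones visible in those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines posted in this thread, one entry per line.
SAMPLE_LOG = """\
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Initiating RSN PSK to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Sending EAPOL-Key Message to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Retransmit failure for EAPOL-Key M1 to mobile 00:16:6f:06:27:0a, retransmit count 3, mscb deauth count 0
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Sent Deauthenticate to mobile on BSSID 00:1d:e6:24:e5:00 slot 0(caller 1x_ptsm.c:462)
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68
"""

# "<Day> <Mon> <dd> <hh:mm:ss> <yyyy>: <client mac> <message>"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}: "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
BSSID_RE = re.compile(r"on BSSID ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})")
M1_RETX_RE = re.compile(r"^Retransmit \d+ of EAPOL-Key M1")


def parse_debug(text):
    """Group message text by client MAC; continuation and hex-dump lines carry no MAC and are skipped."""
    per_client = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            per_client[m["mac"]].append(m["msg"])
    return per_client


def classify(msgs):
    """Summarise one client's handshake attempt from its debug messages."""
    m1_retx = sum(1 for m in msgs if M1_RETX_RE.match(m))
    got_m2 = sum(1 for m in msgs if "(message 2)" in m)
    bad_mic = sum(1 for m in msgs if "M2 with invalid MIC" in m)
    gave_up = any(m.startswith("Retransmit failure for EAPOL-Key M1") for m in msgs)
    deauth = any(m.startswith("Sent Deauthenticate") for m in msgs)
    bssids = sorted({b for m in msgs for b in BSSID_RE.findall(m)})
    if bad_mic:
        # M2 arrived but its MIC failed: client and controller derived different PTKs (key mismatch).
        verdict = "psk-mismatch"
    elif (m1_retx or gave_up) and not got_m2:
        # No M2 was ever received, so no MIC was checked: the client is not answering M1 at all.
        verdict = "no-m2"
    else:
        verdict = "ok"
    return {"verdict": verdict, "m1_retransmits": m1_retx, "m2_received": got_m2,
            "m2_bad_mic": bad_mic, "gave_up": gave_up, "deauth": deauth, "bssids": bssids}


def triage(text):
    """Map each client MAC in a debug capture to its classification."""
    return {mac: classify(msgs) for mac, msgs in parse_debug(text).items()}


if __name__ == "__main__":
    for mac, result in triage(SAMPLE_LOG).items():
        print(mac, result)
```

Feed it the raw output of `debug client <mac>` saved from the WLC CLI; a "no-m2" verdict points at the radio, driver or roaming path (the client is silent), while "psk-mismatch" points at the key configured on the client or on the controller owning the listed BSSID.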

GCrowley35 Wed, 11/10/2010 - 06:45

I just had the same issue with a similar setup: 6 LWAPP APs and 1 WLC. After reading the posts it got me thinking that I should focus on the PSK. I changed the key on the WLC, saved the config, tested a new client and it successfully connected. Then I went back to the WLC, re-entered the old PSK, saved the config and was able to get clients connected. Is there some kind of expiration or timeout for the PSK? (Using WPA+WPA2)

kirbus_inc Tue, 02/09/2010 - 07:18

We are also experiencing the same issue. Have you found a solution?

Norberto Salgado Wed, 02/10/2010 - 02:36

Hi Kirbus,

we opened a TAC case and were advised for now to make the following changes:

1. Please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration.

2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration.

3. On the WLC general configuration, please disable aggressive load balancing.

4. On the security tab on the WLC, under wireless protection policies, disable client exclusion policies.

5. On the AP network configuration, please disable short preamble (the original standard was long preambles).

6. Wireless -> disable auto-RRM channel & power assignment and try "on demand".

7. Apply these modifications on the WLC CLI:

config advanced eap identity-request-timeout 20

config advanced eap identity-request-retries 10

config advanced eap request-timeout 20

config advanced eap request-retries 10

Save the config, and see if you still face the problem.

We are still monitoring the solution, but so far we haven't faced the problem again.

Let me know how it goes for you.

Thank you.

Best regards,

kirbus_inc Wed, 02/10/2010 - 11:15

Thank you so much for the info. We will look into this and see what we come up with. I am wondering how similar our setups are. What model APs do you use? How many WLCs do you have? Do you know the NIC manufacturer of your clients? We have been trying to narrow it down to see if it is a driver issue or just some config issue. We are actually on version 6.0.188, so it's definitely not the version.

kirbus_inc Mon, 02/22/2010 - 06:55

Hello,

I was just checking back to see if since you have made the changes if you still are experiencing problems or if you have narrowed it down to what it might be?

Norberto Salgado Mon, 02/22/2010 - 06:59

Hi Kirbus,

since those changes the clients haven't reported any more problems to us.

What about you? How is it going?

Best regards,

kirbus_inc Mon, 02/22/2010 - 07:10

Hello,

These are the ones we have tried:

1. disable Aironet extensions (if present), on the WLAN advanced configuration

2. disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration

3. on the WLC general configuration, disable aggressive load balancing

4. on the security tab on the WLC

and it looks like we are still getting the same messages. I am leery about disabling the wireless protection policies client exclusions for security reasons, but I am thinking that is the solution to the problem; it seems it just ignores the failures.

kirbus_inc Thu, 02/25/2010 - 13:56

Hello,

Do you know what the manufacturer of your clients' NICs is, or are they all different? We are trying to see if it may be a driver issue. We are getting inconsistent information from Cisco about the cause of the problem.

biotron Mon, 04/12/2010 - 07:13

Hello,

I have the same problem with WPA2/dot1x EAP-TLS and MSCHAPv2, but after 16 tries (3 EAPOL M1 retransmits for each try) the WLC 4400 (v6) accepts the client.

Additionally I see CSCsy05945: The "EAPOL-key M2 with invalid RSN IE" error message appears because of multiple PMKIDs. The clients send multiple PMKIDs, but the controller buffers only 64 bytes of the WPA/RSN information element (IE). Workaround: None.

I disabled all 6 options step by step and applied the CLI timeout commands; no change.

Who is handling this part of the protocol: the CSSC, the WLAN driver Hon, or MS XP?

Greetings

Olaf.
