Which debug command can find out the wrong authentication method?

Mar 16th, 2010

Hi All,


I have configured fat Cisco Aironet 1242 APs on a remote site with WPA/TKIP authentication. A local technician configured wireless tec printers with the corresponding configuration. I just want to know if there is a debug command that allows me to find out the wrong authentication method, say WPA2 instead of WPA. I've tried "debug dot11 wpa-cckm-km-dot1x". It didn't help. It can only find out a wrong username and password, which means I know the client passed association but failed authentication because of a wrong password. I need a debug command for the association process. Thanks.

robert.huang Wed, 03/17/2010 - 12:06

Thanks Scott.


I've tried the following commands, but none of them can tell the wrong Key Mgmt type (supposed to be WPA, but input WPA2).

debug dot11 wpa-cckm-km-dot1x

debug dot11 events
debug dot11 packets  
debug dot11 mgmt station detail
debug dot11 aaa authenticator state-machine
debug dot11 aaa manager keys 
debug dot11 station connection failure    
debug dot11 dot11radio 0 trace print

debug dot11 aaa authenticator process


Any input will be appreciated.

Scott Fella Wed, 03/17/2010 - 12:19

What errors do you see in the logs when a client fails? Usually the info in the logs points to an encryption mismatch like this:


apf_80211.c:1923 APF-1-PROC_RSN_WARP_IE_FAILED: Could not process the RSN and WARP IE's. station not using RSN (WPA2) on WLAN requiring RSN.MobileStation:00:0c:f1:0c:51:22, SSID:<>

robert.huang Thu, 03/18/2010 - 06:34

Thanks again for your reply, Scott.


I can get the error message from WLC for lightweight APs.


However, for the autonomous AP, I can't get any error message regarding the wrong key mgmt type from the log. Actually, if I change my wifi card setting from WPA to WPA2, I can see the connection failed on my laptop, but there are no logs on the AP. I've tried so many debug commands and always got the same result.


I'm pretty sure there must be a debug command to allow me to see the association process on the fat AP.

Scott Fella Thu, 03/18/2010 - 11:47

You should see in the logs when users associate and disassociate, and also when users fail... don't know why you can't see that... maybe check your logging settings.
