wireless client EAP-FAST authentication fail with ACS

Unanswered Question
Apr 26th, 2010

When I use no certificate EAP-FAST authentication (Anonymous In−band PAC provisioning) to authenticate access wireless client, always authenticate fail, and can not access to wireless which is controlled by WLC.

When I debug dot1x messages of WLC. Always prompt following messages:  I am so confused with this situation and really hope guys can help me.

Sun Apr 25 15:53:51 2010: 00:40:96:af:6e:af [Error] Client requested no retries for mobile 00:40:96:AF:6E:AF
Sun Apr 25 15:53:51 2010: 00:40:96:af:6e:af Returning AAA Error 'Timeout' (-5) for mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:51 2010: AuthorizationResponse: 0xbadff8d4
Sun Apr 25 15:53:51 2010:       structureSize................................28
Sun Apr 25 15:53:51 2010:       resultCode...................................-5
Sun Apr 25 15:53:51 2010:       protocolUsed.................................0xffffffff
Sun Apr 25 15:53:51 2010:       proxyState...................................00:40:96:AF:6E:AF-34:00
Sun Apr 25 15:53:51 2010:       Packet contains 0 AVPs:
Sun Apr 25 15:53:51 2010: 00:40:96:af:6e:af Processing AAA Error 'Timeout' (-5) for mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Processing RSN IE type 48, length 20 for mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received RSN IE with 0 PMKIDs from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Station 00:40:96:af:6e:af setting dot1x reauth timeout = 1800
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Sending EAP-Request/Identity to mobile 00:40:96:af:6e:af (EAP Id 1)
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Sending 802.11 EAPOL message  to mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00000000: 02 00 00 31 01 01 00 31  01 00 6e 65 74 77 6f 72  ...1...1..networ
Sun Apr 25 15:53:53 2010: 00000010: 6b 69 64 3d 57 43 4c 2c  6e 61 73 69 64 3d 43 69  kid=WCL,nasid=Ci
Sun Apr 25 15:53:53 2010: 00000020: 73 63 6f 5f 39 35 3a 38  61 3a 38 30 2c 70 6f 72  sco_95:8a:80,por
Sun Apr 25 15:53:53 2010: 00000030: 74 69 64 3d 31                                    tid=1
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received 802.11 EAPOL message (len 4) from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00000000: 01 01 00 00                                       ....
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received EAPOL START from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Sending EAP-Request/Identity to mobile 00:40:96:af:6e:af (EAP Id 2)
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Sending 802.11 EAPOL message  to mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00000000: 02 00 00 31 01 02 00 31  01 00 6e 65 74 77 6f 72  ...1...1..networ
Sun Apr 25 15:53:53 2010: 00000010: 6b 69 64 3d 57 43 4c 2c  6e 61 73 69 64 3d 43 69  kid=WCL,nasid=Ci
Sun Apr 25 15:53:53 2010: 00000020: 73 63 6f 5f 39 35 3a 38  61 3a 38 30 2c 70 6f 72  sco_95:8a:80,por
Sun Apr 25 15:53:53 2010: 00000030: 74 69 64 3d 31                                    tid=1
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received 802.11 EAPOL message (len 31) from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00000000: 01 00 00 1b 02 01 00 1b  01 50 45 41 50 2d 30 30  .........PEAP-00
Sun Apr 25 15:53:53 2010: 00000010: 2d 34 30 2d 39 36 2d 41  46 2d 36 45 2d 41 46     -40-96-AF-6E-AF
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received EAPOL EAPPKT from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received 802.11 EAPOL message (len 31) from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00000000: 01 00 00 1b 02 02 00 1b  01 50 45 41 50 2d 30 30  .........PEAP-00
Sun Apr 25 15:53:53 2010: 00000010: 2d 34 30 2d 39 36 2d 41  46 2d 36 45 2d 41 46     -40-96-AF-6E-AF
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received EAPOL EAPPKT from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Received Identity Response (count=2) from mobile 00:40:96:af:6e:af
Sun Apr 25 15:53:53 2010: AuthenticationRequest: 0xb14e64c
Sun Apr 25 15:53:53 2010:       Callback.....................................0x85ef9f8
Sun Apr 25 15:53:53 2010:       protocolType.................................0x00140001
Sun Apr 25 15:53:53 2010:       proxyState...................................00:40:96:AF:6E:AF-35:00
Sun Apr 25 15:53:53 2010:       Packet contains 15 AVPs (not shown)
Sun Apr 25 15:53:53 2010: 00:40:96:af:6e:af Successful transmission of Authentication Packet (id 155) to 172.24.128.152:1812, proxy state 00:40:96:af:6e:af-00:00
Sun Apr 25 15:53:53 2010: 00000000: 01 9b 00 d0 65 1e d8 5e  94 1a 78 64 99 ce 05 a2  ....e..^..xd....
Sun Apr 25 15:53:53 2010: 00000010: 57 a3 4a 65 01 18 50 45  41 50 2d 30 30 2d 34 30  W.Je..PEAP-00-40
Sun Apr 25 15:53:53 2010: 00000020: 2d 39 36 2d 41 46 2d 36  45 2d 41 46 1f 13 30 30  -96-AF-6E-AF..00
Sun Apr 25 15:53:53 2010: 00000030: 2d 34 30 2d 39 36 2d 41  46 2d 36 45 2d 41 46 1e  -40-96-AF-6E-AF.
Sun Apr 25 15:53:53 2010: 00000040: 17 30 30 2d 31 43 2d 42  30 2d 30 36 2d 39 42 2d  .00-1C-B0-06-9B-
Sun Apr 25 15:53:53 2010: 00000050: 37 30 3a 57 43 4c 05 06  00 00 00 01 04 06 ac 18  70:WCL..........
Sun Apr 25 15:53:53 2010: 00000060: 80 23 20 10 43 69 73 63  6f 5f 39 35 3a 38 61 3a  .#..Cisco_95:8a:
Sun Apr 25 15:53:53 2010: 00000070: 38 30 1a 0c 00 00 37 63  01 06 00 00 00 01 06 06  80....7c........
Sun Apr 25 15:53:53 2010: 00000080: 00 00 00 02 0c 06 00 00  05 14 3d 06 00 00 00 13  ..........=.....
Sun Apr 25 15:53:53 2010: 00000090: 40 06 00 00 00 0d 41 06  00 00 00 06 51 05 31 32  @.....A.....Q.12
Sun Apr 25 15:53:53 2010: 000000a0: 38 4f 1d 02 02 00 1b 01  50 45 41 50 2d 30 30 2d  8O......PEAP-00-
Sun Apr 25 15:53:53 2010: 000000b0: 34 30 2d 39 36 2d 41 46  2d 36 45 2d 41 46 50 12  40-96-AF-6E-AFP.
Sun Apr 25 15:53:53 2010: 000000c0: e5 9f 90 3b 53 1f b9 17  02 4a e9 44 37 31 ef 80  ...;S....J.D71..
Sun Apr 25 15:53:55 2010: 00:40:96:af:6e:af Successful transmission of Authentication Packet (id 155) to 172.24.128.152:1812, proxy state 00:40:96:af:6e:af-00:00

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion