EAP-TTLS over WLC4402

Apr 19th, 2012

Hi,

I try to use EAP-TTLS on one of my wireless networks and the 802.1x authentication fails at this moment:

*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.800: 00:16:cb:66:29:bc Processing Access-Accept for mobile 00:16:cb:06:09:bc

*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.801: %APF-6-RADIUS_OVERRIDE_DISABLED: apf_ms_radius_override.c:204 Radius overrides disabled, ignoring source 2

*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.801: 00:16:cb:66:29:bc Resetting web acl from 255 to 255

*Dot1x_NW_MsgTask_0: Apr 19 16:04:52.802: 00:16:cb:66:29:bc apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 20, reasonCode 2

Do you have any idea where I can find what are deleteReason 20 and reasonCode 2?

Thanks.

Scott Fella Thu, 04/19/2012 - 07:19

So what supplicant are you using on the devices that supports EAP-TTLS? What radius server are you using also?

Thanks,

Scott Fella

Sent from my iPhone

kabassanov Thu, 04/19/2012 - 07:34

It is an issue observed on Apple devices. At least Mac OS X 10.6 and 10.7 seem to be affected. EAP-PEAP works fine.

The radius server is a freeradius 2.1.8 that acts as proxy relaying to another freeradius.

Scott Fella Thu, 04/19/2012 - 07:38

To me it seems like the wireless/radius is configured correctly, since other devices work fine and EAP-PEAP works fine, but the device (iOS) might not really support that, since you already limited it down to Mac OS X 10.6 and 10.7.  You might also want to check on the Apple forums for help on that.

kabassanov Thu, 04/19/2012 - 07:49

The same configuration works perfectly over an Aruba wireless network, so I really think that there is something wrong on the controller... I even checked on the radio and the EAP Success packet is not forwarded by the controller to the client... So I try to find the meaning of these 2 error codes in the WLC (deleteReason 20 and reasonCode 2).

nikhilcherian Thu, 04/19/2012 - 08:04

Can you increase the EAP timers and try?

(Cisco Controller) >config advanced eap ?

eapol-key-timeout Configures EAPOL-Key Timeout in milliseconds.

eapol-key-retries Configures EAPOL-Key Max Retries.

identity-request-timeout Configures EAP-Identity-Request Timeout in seconds.

identity-request-retries Configures EAP-Identity-Request Max Retries.

key-index      Configure the key index used for dynamic WEP (802.1x) unicast key (PTK).

max-login-ignore-identity-response Configure to ignore the same username count reaching max in the EAP identity response

request-timeout Configures EAP-Request Timeout in seconds.

request-retries Configures EAP-Request Max Retries.

(Cisco Controller) >config advanced eap

kabassanov Thu, 04/19/2012 - 08:12

I have these values. What value should I increase?

(Cisco Controller) >show advanced eap

EAP-Identity-Request Timeout (seconds)........... 20
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 2000
EAPOL-Key Max Retries............................ 3
EAP-Broadcast Key Interval....................... 3600

Scott Fella Thu, 04/19/2012 - 08:15

20 seconds is good... Your EAP-PEAP works fine, so that tells me the requests are not getting dropped per se.  If you say that it works on the Aruba, then the only setting you have on the WLC is to specify 802.1x; it's your radius that looks for EAP-TTLS.  You should open a TAC case then, but they will not help much on your radius side of things.

nikhilcherian Thu, 04/19/2012 - 08:38

Try to increase the "EAP-Identity-Request Timeout" and "EAP-Request Timeout " values

kabassanov Thu, 04/19/2012 - 09:35

Actually the client is rejected in less than 0.4 secs... Why should I increase timers that are already at 20 and 30 seconds? Did I miss anything?

Scott Fella Thu, 04/19/2012 - 09:39

If using PEAP works fine, then the radius information is hitting the radius. The timers are fine then. Like I said earlier, there is no other setting on the wlc than to configure the WLAN for 802.1x and point to the radius server. If you believe it's an issue with how the wlc is sending the radius attributes and is making the radius reject the clients, then open a TAC case so they can look at it closer.

Thanks,

Scott Fella

Sent from my iPhone

Scott Fella Thu, 04/19/2012 - 09:46

For the windows clients that work, what supplicant are you using?

Thanks,

Scott Fella

Sent from my iPhone

kabassanov Thu, 04/19/2012 - 09:58

Sorry, I was not clear... This network supports both TTLS and PEAP. PEAP is the most frequently used protocol, but we have to support also EAP-TTLS with PAP... I'm not sure, for the moment, that it works better with other OSs...

Scott Fella Thu, 04/19/2012 - 10:04

Well what I was getting at is there is limited support for EAP-TTLS unless you use a Juniper supplicant in Windows. I don't know if you're trying to do EAP-TLS or EAP-TTLS. I don't know FreeRADIUS and can't help you out there, but in the WLC to use any type of EAP you just need to have 802.1x configured on your WLAN.

Thanks,

Scott Fella

Sent from my iPhone

kabassanov Thu, 04/19/2012 - 10:14

Yes, you are right. That's why I don't understand the reason my WLC drops the EAP Success message that the radius server sends to the client... It is really an ordinary packet... Opening a TAC case seems to be a good idea...

Thanks.

George Stefanick Thu, 04/19/2012 - 12:31

I'm curious, what internal EAP are you using with your TTLS?

If you just try and configure TTLS, without using the Apple profiler you can't choose what internal EAP, like PAP for example. So did you use the profiler or just set up a profile on the Apple device?

EAP-PEAP uses Mschapv2 or GTC. The big difference between PEAP and TTLS is that TTLS uses other inside EAPS.

kabassanov Thu, 04/19/2012 - 12:53

I use PAP.

I use a configuration file (created with iPCU I think)  with EAP-TTLS and PAP defined in it.

What do you mean by "TTLS uses other inside EAPS"? PAP?

George Stefanick Thu, 04/19/2012 - 13:01

Sorry, I get into a habit ...

Take for example EAP-PEAP with MSCHAPv2; well, MSCHAPv2 is in fact an EAP as well, right. Or if you use EAP-PEAP with TLS, or EAP-PEAP with GTC, both TLS and GTC are EAPs as well.

So it's an EAP inside of an EAP, so to speak. Didn't mean to confuse you.

EAP-PEAP uses TLS, MSCHAPv2, GTC

EAP-TTLS uses all the old stuff, PAP etc ..

Other than that there isn't much difference between the two.

I'm curious, why use TTLS? Most devices support PEAP ..

Is your Aruba network connected and using the same radius server as your Cisco WLC?

kabassanov Thu, 04/19/2012 - 13:52

This network must support EAP-TTLS/PAP because it is part of a widely deployed external network where the "proposed" configuration for Mac OS uses this protocol. We need to ensure the interoperability...

As the WLC keeps track of the authenticating username, I wonder if it doesn't mess up if it receives both the real username and the "anonymous" identity in the Access-Accept packet AVP attributes. I have to check what happens when PEAP is used...

I don't think the WLC is aware of the data inside of the EAP part of the packet (and its internal protocols).

The Aruba network uses the same radius servers, the only difference is that my WLC communicates to them through a relaying radius server.

George Stefanick Thu, 04/19/2012 - 14:01

I know the WLC will see the outside name. There have been times I would see "anonymous" in the syslog of the WLC. But you raise a good point.

Side note -- What does the radius log show when you try to connect. Does it show indeed a PASS or FAIL for your client.

kabassanov Fri, 04/20/2012 - 01:21

Well, it seems that the Access-Accept message when using EAP-TTLS contains 1 AVP for each anonymous and real usernames unlike the PEAP Access-Accept message that contains only the anonymous username. Probably a misconfiguration of the remote home server... Will ask to check.

Radius logs have "Login OK" for the client.

kabassanov Sat, 04/21/2012 - 14:23

Well, the WLC definitely does not like Access-Accept messages with multiple User-Name AVPs and interrupts the client authentication process. I don't know if this behaviour is expected or if it is simply a bug... A workaround is to filter proxied radius replies in the post-proxy section of the radius server and to remove all User-Name entries from it (I didn't succeed in keeping only one of them in the packet). With this, authentication works perfectly.
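
[Editor's note, not part of the thread] The two posts above describe the root cause (an Access-Accept carrying two User-Name AVPs, one for the outer "anonymous" identity and one for the inner identity) and the fix (a post-proxy filter that drops User-Name before the reply reaches the WLC). The following is an added example, not code from the thread or from FreeRADIUS, that shows what such a filter has to do at the packet level: parse the RADIUS attribute list, count User-Name AVPs, remove them, and then recompute both the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579), since the WLC will check both on an EAP reply. The shared secret, the Request Authenticator, the identities and the EAP-Success payload are constructed sample values; in a real proxy they come from the client configuration and from the forwarded Access-Request.

```python
"""Constructed example: strip User-Name AVPs from a proxied RADIUS
Access-Accept and re-sign it so the NAS (here the WLC) still accepts it."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, Authenticator (RFC 2865)

# Constructed values for the example; a real proxy takes the secret from its
# client config and the Request Authenticator from the forwarded request.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))


def parse_attributes(data: bytes) -> list:
    """Walk the Type/Length/Value list; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_attributes(attrs) -> bytes:
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def build_response(code, ident, attrs, request_auth=REQ_AUTH, secret=SECRET) -> bytes:
    """Serialise a response and compute both authenticators.

    Message-Authenticator = HMAC-MD5 over the packet with the Request
    Authenticator in the header and its own value zeroed (RFC 3579);
    Response Authenticator = MD5(header + request auth + attrs + secret).
    """
    attrs = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
             for t, v in attrs]
    body = build_attributes(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _ in attrs):
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        attrs = [(t, mac if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                 for t, v in attrs]
        body = build_attributes(attrs)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth=REQ_AUTH, secret=SECRET) -> bool:
    """True only if length, Response Authenticator and (if present)
    Message-Authenticator are all valid for this request and secret."""
    header, resp_auth, body = pkt[:4], pkt[4:HEADER_LEN], pkt[HEADER_LEN:]
    if struct.unpack("!BBH", header)[2] != len(pkt):
        return False
    if hashlib.md5(header + request_auth + body + secret).digest() != resp_auth:
        return False
    attrs = parse_attributes(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return True
    zeroed = build_attributes(
        [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def user_names(pkt) -> list:
    """Every User-Name AVP in the reply; more than one is what broke the WLC."""
    return [v.decode("utf-8") for t, v in parse_attributes(pkt[HEADER_LEN:])
            if t == ATTR_USER_NAME]


def strip_user_names(pkt, request_auth=REQ_AUTH, secret=SECRET) -> bytes:
    """The post-proxy filter: drop every User-Name AVP, then re-sign."""
    code, ident, _ = struct.unpack("!BBH", pkt[:4])
    kept = [(t, v) for t, v in parse_attributes(pkt[HEADER_LEN:]) if t != ATTR_USER_NAME]
    return build_response(code, ident, kept, request_auth, secret)


# Constructed Access-Accept of the shape the thread describes: EAP-Success
# plus one User-Name for the outer identity and one for the inner identity.
EAP_SUCCESS = b"\x03\x01\x00\x04"  # EAP code 3 (Success), id 1, length 4
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 1, [
    (ATTR_USER_NAME, b"anonymous@example.org"),
    (ATTR_USER_NAME, b"alice@example.org"),
    (ATTR_EAP_MESSAGE, EAP_SUCCESS),
    (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),
])

if __name__ == "__main__":
    print("User-Name AVPs in proxied reply:", user_names(SAMPLE_ACCEPT))
    fixed = strip_user_names(SAMPLE_ACCEPT)
    print("after filter:", user_names(fixed), "valid:", verify_response(fixed))
```

In a FreeRADIUS 2.x proxy the same thing is done declaratively in the `post-proxy` section with `update reply { User-Name !* ANY }` (the `!*` operator removes every instance of the attribute), and the server re-signs the reply itself; the example above makes that re-signing explicit because a reply edited anywhere else (a packet filter, a middlebox) without new authenticators is simply dropped by the NAS. Two caveats for anyone applying this: first, with a proxy and a home server the post-proxy filter has to live on the proxy, since the home server is the one emitting the second User-Name; second, a home server that returns the inner (real) identity in a User-Name AVP is also exposing it to the visited network, which defeats the point of the anonymous outer identity in EAP-TTLS, so the "misconfiguration of the remote home server" mentioned above is worth raising with its operators rather than only filtered around.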

kabassanov Mon, 04/23/2012 - 00:11

Of course, even if the issue was detected while doing EAP-TTLS authentication, it is not related to TTLS only...

Posted April 19, 2012 at 7:13 AM