Cisco Support Community
New Member

802.1x authentication fail when trying to implement 802.11N

Hello, I'm trying to deploy 802.11N along with 802.1X and IAS.

The controller communicates with the RADIUS server (IAS), and this lives in an ESX host along with the domain controller. Somehow users are not able to authenticate.

WLC: AIR-CT550 - IP 10.152.36.5

IAS: 10.204.34.35

Domain controller: 10.204.35.149

Testing client MAC:  24:77:03:dc:c6:10

Check these logs:

*Jan 29 19:11:45.816: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:45.842: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:45.844: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:50.691: 24:77:03:dc:c6:10 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
*Jan 29 19:11:50.692: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [0c:27:24:4e:62:10]
*Jan 29 19:11:50.692: 24:77:03:dc:c6:10 Deleting mobile on AP 0c:27:24:4e:62:10(0)
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Adding mobile on LWAPP AP 50:17:ff:df:08:70(1)
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
*Jan 29 19:11:51.727: 24:77:03:dc:c6:10 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:df:08:70 from Idle to Probe

*Jan 29 19:11:51.729: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.742: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.743: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.758: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.773: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.774: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.943: 24:77:03:dc:c6:10 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Association received from mobile on AP 50:17:ff:de:45:90
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying site-specific IPv6 override for station 24:77:03:dc:c6:10 - vapId 3, site 'default-group', interface 'enterprise wireless 3rd floor'
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Applying IPv6 Interface Policy for station 24:77:03:dc:c6:10 - vlan 603, interface id 11, interface 'enterprise wireless 3rd floor'
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Processing RSN IE type 48, length 22 for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Received RSN IE with 0 PMKIDs from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [50:17:ff:df:08:70]
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Updated location for station old AP 50:17:ff:df:08:70-1, new AP 50:17:ff:de:45:90-1
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Initializing policy
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:17:ff:de:45:90 vapId 3 apVapId 3
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Probe to Associated

*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Stopping deletion of Mobile Station: (callerId: 48)
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 Sending Assoc Response to station on BSSID 50:17:ff:de:45:90 (status 0) Vap Id 3 Slot 1
*Jan 29 19:11:51.945: 24:77:03:dc:c6:10 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 24:77:03:dc:c6:10 on AP 50:17:ff:de:45:90 from Associated to Associated

*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Station 24:77:03:dc:c6:10 setting dot1x reauth timeout = 0
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Stopping reauth timeout for 24:77:03:dc:c6:10
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
*Jan 29 19:11:51.947: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 1)
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Received EAPOL START from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Connecting state
*Jan 29 19:11:51.974: 24:77:03:dc:c6:10 Sending EAP-Request/Identity to mobile 24:77:03:dc:c6:10 (EAP Id 2)
*Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.006: 24:77:03:dc:c6:10 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received EAPOL EAPPKT from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Username entry (NA\a-Gregg.Davis) created for mobile
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Received Identity Response (count=2) from mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 EAP State update from Connecting to Authenticating for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 dot1x - moving mobile 24:77:03:dc:c6:10 into Authenticating state
*Jan 29 19:11:52.030: 24:77:03:dc:c6:10 Entering Backend Auth Response state for mobile 24:77:03:dc:c6:10
*Jan 29 19:11:52.031: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11

*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11

*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:56.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:56.048: ****Enter processIncomingMessages: response code=11

*Jan 29 19:11:56.048: Received a RADIUS message from unknown server 10.204.35.149 port 1812

Any idea of what could be the problem?

Thanks.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

802.1x authentication fail when trying to implement 802.11N

What error messages do you see in IAS... you should see something because of this error on the WLC:

Received a RADIUS message from unknown server 10.204.35.149 port 1812

Can you also post the following:

show wlan

show radius summary

show radius auth statistics

show radius acct statistics

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
VIP Purple

Re: 802.1x authentication fail when trying to implement 802.11N

Hi Francisco,

*Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:52.051: ****Enter processIncomingMessages: response code=11

*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:54.049: ****Enter processIncomingMessages: response code=11

*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812

These messages indicate there is some issue with RADIUS communication. Looks like the WLC sends RADIUS packets to IAS, but it does not get any response. Instead it is getting a RADIUS response from the DC.

Pls check this communication

HTH

Rasika

**** Pls rate all useful responses *****

Cisco Employee

802.1x authentication fail when trying to implement 802.11N

It seems the client is roaming between different APs and a different kind of RADIUS authentication is set for the same SSID.

Some radius config issue.

Do you have the running config from controller?

New Member

802.1x authentication fail when trying to implement 802.11N

The problem was the following. The RADIUS server has two IP addresses, and 10.204.35.149 is the secondary of that server. So I updated the controller to use that secondary IP and it worked fine after that. Thanks everyone.
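
The failure pattern in this thread (a request sent to one address, replies arriving from another and being discarded) can be picked out of a controller debug capture mechanically. The following is an added example, not part of the original posts and not Cisco code; the function name `analyze` and its `configured_servers` argument are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample input: six lines copied from the WLC debug output posted in this thread.
SAMPLE_LOG = """\
*Jan 29 19:11:52.031: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:52.051: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:54.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:54.049: Received a RADIUS message from unknown server 10.204.35.149 port 1812
*Jan 29 19:11:56.032: 24:77:03:dc:c6:10 Successful transmission of Authentication Packet (id 62) to 10.204.34.35:1812, proxy state 24:77:03:dc:c6:10-00:00
*Jan 29 19:11:56.048: Received a RADIUS message from unknown server 10.204.35.149 port 1812
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SENT = re.compile(r"Successful transmission of Authentication Packet \(id (\d+)\) to " + IP + r":(\d+)")
UNKNOWN = re.compile(r"Received a RADIUS message from unknown server " + IP + r" port (\d+)")


def analyze(log_text, configured_servers):
    """Correlate RADIUS requests with replies the controller discarded.

    configured_servers is an assumed input: the set of server IPs the
    controller is configured to use for authentication.
    """
    sent = Counter()     # (destination IP, RADIUS packet id) -> transmissions
    dropped = Counter()  # source IP of replies logged as "unknown server"
    for line in log_text.splitlines():
        m = SENT.search(line)
        if m:
            sent[(m.group(2), int(m.group(1)))] += 1
            continue
        m = UNKNOWN.search(line)
        if m:
            dropped[m.group(1)] += 1

    findings = []
    for (dst, pkt_id), count in sorted(sent.items()):
        if count > 1:  # same id sent again: no reply was accepted for it
            findings.append(f"request id {pkt_id} to {dst} sent {count} times without an accepted reply")
    for src, count in sorted(dropped.items()):
        if src not in configured_servers:
            findings.append(f"{count} replies from {src}, which is not a configured RADIUS server; "
                            "check whether the server is multi-homed and answering from another address")
    return sent, dropped, findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, {"10.204.34.35"})[2]:
        print(finding)
```
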
