Cisco Support Community
New Member

802.1x needs stronger wifi signal?

Hi, I am having a weird issue with 802.1x. We have both a WPA2 pre-shared key SSID and an 802.1x EAP SSID co-existing, and we plan to slowly migrate all pre-shared key SSID users to 802.1x EAP authentication. The problem I am having is that on the same laptop, if the laptop is far from an AP, the pre-shared key SSID works perfectly, but on the dot1x SSID the client is dropped frequently, showing that the client is trying to get a DHCP IP address. If the laptop is moved closer to an AP, then both SSIDs have a stable connection. Both WLANs have the same radio policies. What might be the possible cause? I cannot imagine that 802.1x would need a stronger wifi signal to operate ...

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

A wireless client can be stable/immobile; however, based on the received RSSI and packet error rate, the wireless client decides to roam to a different AP from its learnt AP list.

What WLC model and code version are used?

The OUI says HTC for the mobile client. Does it use PKC or OKC? Only the 7.2 WLC code supports both key handles.

It is just a wild guess that you're using code that is not running 7.2 on WLC and HTC mobile supports sticky key.

5 REPLIES
New Member

The following is the debug output from the controller. As you can see, the client is authenticated and successfully obtained an IP address (10.128.33.15) from the DHCP server, but then it goes to the re-authentication state again:

Jul 10 22:07:39.442: 38:e7:d8:ac:dc:d0 10.128.33.15 RUN (20) Successfully plumbed mobile rule (ACL ID 255)

*Jul 10 22:07:39.443: 38:e7:d8:ac:dc:d0 Assigning Address 10.128.33.15 to mobile

*Jul 10 22:07:39.443: 38:e7:d8:ac:dc:d0 DHCP sending REPLY to STA (len 414, port 8, vlan 0)

*Jul 10 22:07:39.443: 38:e7:d8:ac:dc:d0 DHCP transmitting DHCP ACK (5)

*Jul 10 22:07:39.443: 38:e7:d8:ac:dc:d0 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0

*Jul 10 22:07:39.443: 38:e7:d8:ac:dc:d0 DHCP   xid: 0xe13bbcbd (3778788541), secs: 0, flags: 0

*Jul 10 22:07:39.444: 38:e7:d8:ac:dc:d0 DHCP   chaddr: 38:e7:d8:ac:dc:d0

*Jul 10 22:07:39.444: 38:e7:d8:ac:dc:d0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.128.33.15

*Jul 10 22:07:39.444: 38:e7:d8:ac:dc:d0 DHCP   siaddr: 10.128.64.100,  giaddr: 0.0.0.0

*Jul 10 22:07:39.444: 38:e7:d8:ac:dc:d0 DHCP   server id: 10.128.17.1  rcvd server id: 10.128.66.10

*Jul 10 22:07:39.457: 38:e7:d8:ac:dc:d0 10.128.33.15 Added NPU entry of type 1, dtlFlags 0x0

*Jul 10 22:07:39.457: 38:e7:d8:ac:dc:d0 Sending a gratuitous ARP for 10.128.33.15, VLAN Id 33

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Reassociation received from mobile on AP 00:1f:6c:ca:d7:90

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Applying site-specific IPv6 override for station 38:e7:d8:ac:dc:d0 - vapId 4, site 'default-group', interface 'management'

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Applying IPv6 Interface Policy for station 38:e7:d8:ac:dc:d0 - vlan 0, interface id 0, interface 'management'

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Processing RSN IE type 48, length 56 for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Received RSN IE with 1 PMKIDs from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.801: Received PMKID:  (16)

*Jul 10 22:07:46.801:      [0000] e1 71 5c 86 ab 89 b3 aa 40 6e 42 a5 15 61 d9 01

*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 No valid PMKID found in the cache for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.801: CCKM: Find PMK in cache: BSSID =  (6)

*Jul 10 22:07:46.801:      [0000] 00 1f 6c ca d7 90

*Jul 10 22:07:46.801: CCKM: Find PMK in cache: realAA =  (6)

*Jul 10 22:07:46.801:      [0000] 00 1f 6c ca d7 93

*Jul 10 22:07:46.802: CCKM: Find PMK in cache: PMKID =  (16)

*Jul 10 22:07:46.802:      [0000] e1 71 5c 86 ab 89 b3 aa 40 6e 42 a5 15 61 d9 01

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Unable to compute a valid PMKID from dot1x PMK cache for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Found an entry in the global PMK cache for station 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.802: CCKM: AA (6)

*Jul 10 22:07:46.802:      [0000] 00 1f 6c ca d7 93

*Jul 10 22:07:46.802: CCKM: SPA (6)

*Jul 10 22:07:46.802:      [0000] 38 e7 d8 ac dc d0

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Unable to compute a valid PMKID from global PMK cache for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Processing WPA/RSN IE type 48, length 56 for mobile 38:e7:d8:ac:dc:d0 processed only 38 bytes

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 10.128.33.15 RUN (20) Deleted mobile LWAPP rule on AP [00:23:04:f2:dd:80]

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 Updated location for station old AP 00:23:04:f2:dd:80-0, new AP 00:1f:6c:ca:d7:90-0

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 10.128.33.15 RUN (20) Change state to START (0) last state RUN (20)

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 10.128.33.15 START (0) Initializing policy

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 10.128.33.15 START (0) Change state to AUTHCHECK (2) last state RUN (20)

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 10.128.33.15 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 10.128.33.15 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:1f:6c:ca:d7:90 vapId 4 apVapId 4

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 apfPemAddUser2 (apf_policy.c:212) Changing state for mobile 38:e7:d8:ac:dc:d0 on AP 00:1f:6c:ca:d7:90 from Associated to Associated

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 Stopping deletion of Mobile Station: (callerId: 48)

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 Sending Assoc Response to station on BSSID 00:1f:6c:ca:d7:90 (status 0)

*Jul 10 22:07:46.803: 38:e7:d8:ac:dc:d0 apfProcessAssocReq (apf_80211.c:4361) Changing state for mobile 38:e7:d8:ac:dc:d0 on AP 00:1f:6c:ca:d7:90 from Associated to Associated

*Jul 10 22:07:46.808: 38:e7:d8:ac:dc:d0 Disable re-auth, use PMK lifetime.

*Jul 10 22:07:46.817: 38:e7:d8:ac:dc:d0 dot1x - moving mobile 38:e7:d8:ac:dc:d0 into Connecting state

*Jul 10 22:07:46.817: 38:e7:d8:ac:dc:d0 Sending EAP-Request/Identity to mobile 38:e7:d8:ac:dc:d0 (EAP Id 1)

*Jul 10 22:07:46.824: 38:e7:d8:ac:dc:d0 10.128.33.15 Removed NPU entry.

*Jul 10 22:07:46.854: 38:e7:d8:ac:dc:d0 Received EAPOL EAPPKT from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.854: 38:e7:d8:ac:dc:d0 Received Identity Response (count=1) from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.854: 38:e7:d8:ac:dc:d0 EAP State update from Connecting to Authenticating for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.854: 38:e7:d8:ac:dc:d0 dot1x - moving mobile 38:e7:d8:ac:dc:d0 into Authenticating state

*Jul 10 22:07:46.854: 38:e7:d8:ac:dc:d0 Entering Backend Auth Response state for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.857: 38:e7:d8:ac:dc:d0 Processing Access-Challenge for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.857: 38:e7:d8:ac:dc:d0 Entering Backend Auth Req state (id=2) for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.857: 38:e7:d8:ac:dc:d0 Sending EAP Request from AAA to mobile 38:e7:d8:ac:dc:d0 (EAP Id 2)

*Jul 10 22:07:46.864: 38:e7:d8:ac:dc:d0 Received EAPOL EAPPKT from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.864: 38:e7:d8:ac:dc:d0 Received EAP Response from mobile 38:e7:d8:ac:dc:d0 (EAP Id 2, EAP Type 25)

*Jul 10 22:07:46.864: 38:e7:d8:ac:dc:d0 Entering Backend Auth Response state for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.866: 38:e7:d8:ac:dc:d0 Processing Access-Challenge for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.866: 38:e7:d8:ac:dc:d0 Entering Backend Auth Req state (id=3) for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.866: 38:e7:d8:ac:dc:d0 Sending EAP Request from AAA to mobile 38:e7:d8:ac:dc:d0 (EAP Id 3)

*Jul 10 22:07:46.876: 38:e7:d8:ac:dc:d0 Received EAPOL EAPPKT from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.876: 38:e7:d8:ac:dc:d0 Received EAP Response from mobile 38:e7:d8:ac:dc:d0 (EAP Id 3, EAP Type 25)

*Jul 10 22:07:46.876: 38:e7:d8:ac:dc:d0 Entering Backend Auth Response state for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.881: 38:e7:d8:ac:dc:d0 Processing Access-Challenge for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.881: 38:e7:d8:ac:dc:d0 Entering Backend Auth Req state (id=6) for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.881: 38:e7:d8:ac:dc:d0 WARNING: updated EAP-Identifer 3 ===> 6 for STA 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.881: 38:e7:d8:ac:dc:d0 Sending EAP Request from AAA to mobile 38:e7:d8:ac:dc:d0 (EAP Id 6)

*Jul 10 22:07:46.888: 38:e7:d8:ac:dc:d0 Received EAPOL EAPPKT from mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.888: 38:e7:d8:ac:dc:d0 Received EAP Response from mobile 38:e7:d8:ac:dc:d0 (EAP Id 6, EAP Type 25)

*Jul 10 22:07:46.888: 38:e7:d8:ac:dc:d0 Entering Backend Auth Response state for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.890: 38:e7:d8:ac:dc:d0 Processing Access-Accept for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.890: 38:e7:d8:ac:dc:d0 Inserting AAA Override struct for mobile

Cisco Employee

Don't think it is an RF issue.

Smooth roaming is not happening in the 802.1X case; every time it roams, a fresh AAA auth is happening. Also, preshared key is quicker and you don't see a disconnect on roaming.

*Jul 10 22:07:46.802: CCKM: Find PMK in cache: PMKID =  (16)

*Jul 10 22:07:46.802:      [0000] e1 71 5c 86 ab 89 b3 aa 40 6e 42 a5 15 61 d9 01

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Unable to compute a valid PMKID from dot1x PMK cache for mobile 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Found an entry in the global PMK cache for station 38:e7:d8:ac:dc:d0

*Jul 10 22:07:46.802: CCKM: AA (6)

*Jul 10 22:07:46.802:      [0000] 00 1f 6c ca d7 93

*Jul 10 22:07:46.802: CCKM: SPA (6)

*Jul 10 22:07:46.802:      [0000] 38 e7 d8 ac dc d0

*Jul 10 22:07:46.802: 38:e7:d8:ac:dc:d0 Unable to compute a valid PMKID from global PMK cache for mobile 38:e7:d8:ac:dc:d0
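
Added example (not part of any post in this thread, and not Cisco tooling): a small Python parser that runs over controller debug output in the format quoted above and flags each (re)association where the client offered a PMKID, the cache lookup failed, and a full EAP exchange restarted. The sample lines are constructed from the messages in the thread; the second client MAC is made up.

```python
import re

# Constructed sample in the format of the controller debug output quoted above.
SAMPLE = """\
*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Reassociation received from mobile on AP 00:1f:6c:ca:d7:90
*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 Received RSN IE with 1 PMKIDs from mobile 38:e7:d8:ac:dc:d0
*Jul 10 22:07:46.801: 38:e7:d8:ac:dc:d0 No valid PMKID found in the cache for mobile 38:e7:d8:ac:dc:d0
*Jul 10 22:07:46.817: 38:e7:d8:ac:dc:d0 Sending EAP-Request/Identity to mobile 38:e7:d8:ac:dc:d0 (EAP Id 1)
*Jul 10 22:07:46.890: 38:e7:d8:ac:dc:d0 Processing Access-Accept for mobile 38:e7:d8:ac:dc:d0
*Jul 10 22:09:10.100: aa:bb:cc:00:00:01 Reassociation received from mobile on AP 00:1f:6c:ca:d7:90
*Jul 10 22:09:10.100: aa:bb:cc:00:00:01 Received RSN IE with 1 PMKIDs from mobile aa:bb:cc:00:00:01
"""

LINE = re.compile(r"^\*?(\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
ASSOC = re.compile(r"^(Rea|A)ssociation received from mobile on AP (\S+)")
PMKIDS = re.compile(r"^Received RSN IE with (\d+) PMKIDs")

def roam_events(log_text):
    """One record per (re)association, filled in from the lines that follow it."""
    events, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # hex dumps and CCKM lines have no client MAC prefix
        ts, mac, msg = m.groups()
        a = ASSOC.match(msg)
        if a:
            current[mac] = {"time": ts, "client": mac, "ap": a.group(2),
                            "reassoc": a.group(1) == "Rea", "pmkids_offered": 0,
                            "cache_miss": False, "full_eap": False}
            events.append(current[mac])
            continue
        ev = current.get(mac)
        if ev is None:
            continue  # line seen before any association for this client
        p = PMKIDS.match(msg)
        if p:
            ev["pmkids_offered"] = int(p.group(1))
        elif "No valid PMKID found" in msg or "Unable to compute a valid PMKID" in msg:
            ev["cache_miss"] = True
        elif "Sending EAP-Request/Identity" in msg:
            ev["full_eap"] = True
    return events

def failed_fast_roams(events):
    """Roams where a PMKID was offered, the cache missed, and EAP restarted."""
    return [e for e in events
            if e["pmkids_offered"] and e["cache_miss"] and e["full_eap"]]
```
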

New Member

Hi, thanks a lot for your reply. I think that is what is happening; I am getting strong RF signal from different APs. Any idea why smooth roaming is not happening? Actually, the client was not moving at all. The client associates with one AP fine, stays for several minutes, then suddenly the following message comes up from a different AP, and everything starts over again:

*Jul 10 23:33:42.385: 38:e7:d8:ac:dc:d0 Association received from mobile on AP 00:23:04:f2:dd:80

then,

Jul 10 23:35:37.741: 38:e7:d8:ac:dc:d0 Reassociation received from mobile on AP 00:1f:6c:ca:d7:90

Cisco Employee

A wireless client can be stable/immobile; however, based on the received RSSI and packet error rate, the wireless client decides to roam to a different AP from its learnt AP list.

What WLC model and code version are used?

The OUI says HTC for the mobile client. Does it use PKC or OKC? Only the 7.2 WLC code supports both key handles.

It is just a wild guess that you're using code that is not running 7.2 on WLC and HTC mobile supports sticky key.
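
Added example (not part of any post in this thread, and not the controller's own code): the IEEE 802.11 PMKID derivation, plus a toy model of an authenticator-side PMK cache, showing why a PMKID that is valid at one AP does not validate at another and how the caching mode decides whether a roam falls back to full 802.1X. The MAC addresses are the client and AP addresses from the debug output above; the PMK is a constructed value and the `Controller` class is a hypothetical simplification.

```python
import hashlib
import hmac

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def pmkid(pmk, aa, spa):
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    data = b"PMK Name" + mac_bytes(aa) + mac_bytes(spa)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]

class Controller:
    """Toy authenticator cache (hypothetical). okc=True keys the cache by client
    only, so one PMK serves every AP; okc=False keys it by (client, AP)."""
    def __init__(self, okc):
        self.okc = okc
        self.cache = {}

    def _key(self, spa, aa):
        return spa if self.okc else (spa, aa)

    def full_auth(self, spa, aa, pmk):
        # A completed EAP exchange leaves a PMK in the cache.
        self.cache[self._key(spa, aa)] = pmk

    def reassociate(self, spa, aa, offered_pmkid):
        pmk = self.cache.get(self._key(spa, aa))
        if pmk is None:
            return "full 802.1X"
        ok = hmac.compare_digest(pmkid(pmk, aa, spa), offered_pmkid)
        return "fast roam" if ok else "full 802.1X"

PMK = bytes(range(32))        # constructed 256-bit PMK, not a real key
SPA = "38:e7:d8:ac:dc:d0"     # client MAC from the debug output
AP1 = "00:23:04:f2:dd:80"     # AP where the full authentication happened
AP2 = "00:1f:6c:ca:d7:90"     # AP the client roams to

def roam_outcomes():
    """Outcome of three reassociations after one full auth at AP1, per cache mode."""
    results = {}
    for okc in (False, True):
        wlc = Controller(okc)
        wlc.full_auth(SPA, AP1, PMK)
        results[okc] = {
            "same_ap": wlc.reassociate(SPA, AP1, pmkid(PMK, AP1, SPA)),
            "new_ap_recomputed": wlc.reassociate(SPA, AP2, pmkid(PMK, AP2, SPA)),
            "new_ap_stale_pmkid": wlc.reassociate(SPA, AP2, pmkid(PMK, AP1, SPA)),
        }
    return results
```
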

New Member

Thanks again for your valuable insights. The client in question is an HTC Android 2.1 mobile phone; the same problem happens to iPhone and MacAir. This is mostly because I am running old controller code (6.0 on 4406). I will try to upgrade the WLC code first to see whether the problem goes away.
