Cisco Support Community
New Member

Having problems with one AP

I have a controller configured and it authenticates to the NPS server. It works and all the clients are connected. I have 2 autonomous APs; one authenticates to the NPS and clients connect with no problem. The other one has the exact config, but I cannot get it to connect. Here is the output:

Log Buffer (4096 bytes):

51:16.426: dot11_auth_dot1x_send_id_req_to_client: Client 207c.8f25.3bea timer started for 30 seconds

*Mar  3 23:51:16.474: dot11_auth_parse_client_pak: Received EAPOL packet from 207c.8f25.3bea

*Mar  3 23:51:16.474: EAPOL pak dump rx

*Mar  3 23:51:16.474: EAPOL Version: 0x1  type: 0x0  length: 0x0018

*Mar  3 23:51:16.474: EAP code: 0x2  id: 0x1  length: 0x0018 type: 0x1

03007450: 01000018 02010018 01454E43 53445C41  .........ENCSD\A

03007460: 646D696E 69737472 61746F72           dministrator

*Mar  3 23:51:16.474: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response

*Mar  3 23:51:16.530: dot11_auth_parse_client_pak: Received EAPOL packet from 207c.8f25.3bea

*Mar  3 23:51:16.530: EAPOL pak dump rx

*Mar  3 23:51:16.530: EAPOL Version: 0x1  type: 0x0  length: 0x0018

*Mar  3 23:51:16.530: EAP code: 0x2  id: 0x2  length: 0x0018 type: 0x1

030098E0: 01000018 02020018 01454E43 53445C41  .........ENCSD\A

030098F0: 646D696E 69737472 61746F72           dministrator

*Mar  3 23:51:16.530: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 207c.8f25.3bea

*Mar  3 23:51:16.530: dot11_auth_dot1x_send_response_to_server: Sending client 207c.8f25.3bea data to server

*Mar  3 23:51:16.530: AAA/AUTHEN/PPP (00000060): Pick method list 'eap_methods'

*Mar  3 23:51:16.530: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds

*Mar  3 23:51:16.530: RADIUS/ENCODE(00000060):Orig. component type = DOT11

*Mar  3 23:51:16.530: RADIUS:  AAA Unsupported Attr: ssid              [265] 7

*Mar  3 23:51:16.530: RADIUS:   56 65 73 44 77                                   [VesDw]

*Mar  3 23:51:16.530: RADIUS:  AAA Unsupported Attr: interface         [157] 3

*Mar  3 23:51:16.530: RADIUS:   33                                               [3]

*Mar  3 23:51:16.530: RADIUS(00000060): Config NAS IP: 10.100.0.109

*Mar  3 23:51:16.530: RADIUS/ENCODE(00000060): acct_session_id: 96

*Mar  3 23:51:16.530: RADIUS(00000060): Config NAS IP: 10.100.0.109

*Mar  3 23:51:16.530: RADIUS(00000060): sending

*Mar  3 23:51:16.530: RADIUS/DECODE: No response from radius-server; parse response; FAIL

*Mar  3 23:51:16.530: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

*Mar  3 23:51:16.530: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL

*Mar  3 23:51:16.530: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response

*Mar  3 23:51:16.530: Client 207c.8f25.3bea failed: EAP reason 3

*Mar  3 23:51:16.530: dot11_auth_dot1x_parse_aaa_resp: Failed client 207c.8f25.3bea with aaa_req_status_detail 3

*Mar  3 23:51:16.530: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 207c.8f25.3bea

*Mar  3 23:51:16.530: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 207c.8f25.3bea

*Mar  3 23:51:16.530: EAPOL pak dump tx

*Mar  3 23:51:16.530: EAPOL Version: 0x1  type: 0x0  length: 0x0004

*Mar  3 23:51:16.530: EAP code: 0x4  id: 0x2  length: 0x0004

030077F0:                   01000004 04020004          ........

03007800:

*Mar  3 23:51:16.530: dot11_auth_send_msg:  sending data to requestor status 1

*Mar  3 23:51:16.530: dot11_auth_send_msg: Sending EAPOL to requestor

*Mar  3 23:51:16.530: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds

*Mar  3 23:51:16.530: dot11_auth_dot1x_send_client_fail: Authentication failed for 207c.8f25.3bea

*Mar  3 23:51:16.530: dot11_auth_send_msg:  sending data to requestor status 0

*Mar  3 23:51:16.530: dot11_auth_send_msg: client FAILED to authenticate 207c.8f25.3bea, node_type 64 for application 0x1

*Mar  3 23:51:16.530: dot11_auth_delete_client_entry: 207c.8f25.3bea is deleted for application 0x1

*Mar  3 23:51:16.534: %DOT11-7-AUTH_FAILED: Station 207c.8f25.3bea Authentication failed

*Mar  3 23:51:16.534: dot11_auth_client_abort: Received abort request for client 207c.8f25.3bea

*Mar  3 23:51:16.534: dot11_auth_client_abort: No client entry to abort: 207c.8f25.3bea for application 0x1

10 REPLIES
Hall of Fame Super Gold

Having problems with one AP

Let's try the tried-and-tested method:  Try with an OPEN or no authentication first.  If the clients authenticate without any issues then start piling up the security and encryption method one at a time.

Bronze

Having problems with one AP

2nd Leo's suggestion to get started.

If open or PSK authentication is working; then you can focus on these messages.  It appears that you are not getting any response from NPS. 

*Mar  3 23:51:16.530: RADIUS/DECODE: No response from radius-server; parse response; FAIL

*Mar  3 23:51:16.530: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

*Mar  3 23:51:16.530: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL

*Mar  3 23:51:16.530: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response

*Mar  3 23:51:16.530: Client 207c.8f25.3bea failed: EAP reason 3

From MS's website.  EAP failure reason code 3 indicates the following: 

3: The Remote Authentication Dial-In User Service (RADIUS) Access-Request message that NPS received from the network access server was malformed.

Essentially, NPS doesn't "like" whatever this AP is sending for the access-request.  I presume you have both APs added as RADIUS clients in NPS?  Can you post the run-config from both your working and non-working autonomous AP configuration? (please specify which is which)
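An added example, not part of the thread: it measures how long the AP waited between `RADIUS(...): sending` and the `No response from radius-server` line in the debug output quoted above, and compares that with the `server_timeout` the AP had just started. Reading a wait shorter than the timer as the AP giving up without waiting for a reply is this example's assumption, and the function name is its own.

```python
import re
from datetime import datetime

# Constructed input: four lines copied from the debug output quoted in this thread.
LOG = """\
*Mar  3 23:51:16.530: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
*Mar  3 23:51:16.530: RADIUS(00000060): sending
*Mar  3 23:51:16.530: RADIUS/DECODE: No response from radius-server; parse response; FAIL
*Mar  3 23:51:16.530: Client 207c.8f25.3bea failed: EAP reason 3
"""

STAMP = re.compile(r"^\*(\w{3}\s+\d+\s+[\d:.]+): (.*)$")

def triage_radius_failure(log):
    """Compare the time the AP waited for RADIUS against the timer it started."""
    timeout = sent = failed = reason = None
    for line in log.splitlines():
        m = STAMP.match(line.strip())
        if not m:
            continue  # hex dump rows and truncated lines carry no usable timestamp
        # IOS omits the year; a fixed placeholder year is enough to take differences.
        when = datetime.strptime("2000 " + " ".join(m[1].split()),
                                 "%Y %b %d %H:%M:%S.%f")
        text = m[2]
        if t := re.search(r"server_timeout (\d+) seconds", text):
            timeout = int(t[1])
        elif re.fullmatch(r"RADIUS\(\w+\): sending", text):
            sent = when
        elif "No response from radius-server" in text:
            failed = when
        elif r := re.search(r"EAP reason (\d+)", text):
            reason = int(r[1])
    if None in (timeout, sent, failed):
        return None  # the exchange is incomplete in this excerpt
    waited = (failed - sent).total_seconds()
    return {"waited_s": waited, "timeout_s": timeout, "eap_reason": reason,
            "gave_up_early": waited < timeout}
```

On the quoted lines the wait is zero seconds against a 60-second timer, so the next thing to inspect is the AP's own RADIUS configuration rather than the NPS side.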

Bronze

Re: Having problems with one AP

OK.

Your working config looks like this. I've omitted all but the essentials of this RADIUS auth.

aaa group server radius rad_eap1

server 10.100.0.16 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods1 group rad_eap1

!

dot11 ssid WireMassey

   authentication open eap eap_methods1

   authentication key-management wpa

   guest-mode

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.100.0.16 auth-port 1645 acct-port 1646 key 7

radius-server vsa send accounting

You have called eap_methods1 in the SSID which is pointing to rad_eap1 server group, which contains server 10.100.0.16.

For the "non-working" config; the config doesn't appear finished.

aaa group server radius rad_eap

*empty*

!

aaa authentication login eap_methods group rad_eap

!

dot11 ssid VesDwn1

   authentication open

   guest-mode

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.100.0.16 auth-port 1645 acct-port 1646 key 7

radius-server vsa send accounting

In the "non-working" config; you aren't calling any EAP method in the SSID.  Also; you don't have the server added to your server group "rad_eap"

You need to add your 10.100.0.16 host to the "aaa group server radius rad_eap" and then add "authentication open eap eap_methods" to your SSID.

Everything else seems fine.  Although, as Leo suggested; please make sure this is working properly with open authentication first (which it looks like how the non-working is currently configured).
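An added example, not code from the thread: a small linter that follows the chain the answer above walks by hand, from SSID to method list to server group to `radius-server host`, and reports where it breaks. The two samples are constructed from the configs quoted in the post (key values replaced by a placeholder), and `lint_eap_chain` is this example's own name.

```python
import re

# Constructed samples modelled on the configs quoted above; keys are placeholders.
NON_WORKING = """aaa group server radius rad_eap
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid VesDwn1
 authentication open
!
radius-server host 10.100.0.16 auth-port 1645 acct-port 1646 key 7 <redacted>
"""
FIXED = """aaa group server radius rad_eap
 server 10.100.0.16 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
!
dot11 ssid VesDwn1
 authentication open eap eap_methods
!
radius-server host 10.100.0.16 auth-port 1645 acct-port 1646 key 7 <redacted>
"""

def lint_eap_chain(config):
    """Report gaps in the chain SSID -> method list -> server group -> RADIUS host."""
    groups, lists, ssids, hosts, kind, cur = {}, {}, {}, set(), None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"aaa group server radius (\S+)", line):
            kind, cur = "group", groups.setdefault(m[1], [])
        elif m := re.match(r"dot11 ssid (\S+)", line):
            kind, cur = "ssid", ssids.setdefault(m[1], [])
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            kind, lists[m[1]] = None, m[2]
        elif m := re.match(r"radius-server host (\S+)", line):
            kind = None
            hosts.add(m[1])
        elif line == "!":
            kind = None  # "!" closes the current config block
        elif kind == "group" and (m := re.match(r"server (\S+)", line)):
            cur.append(m[1])
        elif kind == "ssid" and (m := re.match(r"authentication open eap (\S+)", line)):
            cur.append(m[1])
    out = [f"group {g}: no server configured" for g, ss in groups.items() if not ss]
    out += [f"group {g}: {s} has no radius-server host line"
            for g, ss in groups.items() for s in ss if s not in hosts]
    out += [f"ssid {s}: no EAP method list referenced" for s, ns in ssids.items() if not ns]
    out += [f"ssid {s}: list {n} resolves to no server group"
            for s, ns in ssids.items() for n in ns if lists.get(n) not in groups]
    return out
```

`lint_eap_chain(NON_WORKING)` returns the same two findings the answer lists, and `lint_eap_chain(FIXED)` returns none.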

Bronze

Having problems with one AP

Also; in the future "omit" key type 7 hashes from your config as they can be decrypted.  Just so you know; when you decrypt these I see that the client shared-secrets do not match.  The "working" AP is actually missing a letter; kinda strange, since it's the one that is working.

I would suggest retyping the shared secret for the NAS client entry of both APs on your NPS, and then re-add the server with the correctly typed secret.
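An added example, not from the thread: a scrubber to run over a config before pasting it into a public post, which removes the secret values and records how each one was encoded. The sample config and every value in it are constructed placeholders, and `scrub` is this example's own name.

```python
import re

# Constructed config excerpt; every secret value is a made-up placeholder.
SAMPLE = """\
enable secret 5 $1$PLACEHOLDER
username admin privilege 15 password 7 0000PLACEHOLDER
radius-server host 10.100.0.16 auth-port 1645 acct-port 1646 key 7 0000PLACEHOLDER
dot11 ssid ExamplePSK
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 0000PLACEHOLDER
snmp-server community PLACEHOLDER RO
"""

# keyword, optional encoding-type digit, then the secret itself
SECRET = re.compile(
    r"\b(?P<kw>key|password|secret|wpa-psk (?:ascii|hex)|snmp-server community)"
    r"(?P<type> \d)? (?P<value>\S+)"
)
ENCODING = {None: "cleartext", "0": "cleartext",
            "5": "type 5 (salted MD5 hash)", "7": "type 7 (reversible encoding)"}

def scrub(config):
    """Return (config with secrets removed, [(line_no, keyword, encoding), ...])."""
    findings, out = [], []
    for no, line in enumerate(config.splitlines(), 1):
        def repl(m):
            t = m["type"].strip() if m["type"] else None
            findings.append((no, m["kw"], ENCODING.get(t, f"type {t}")))
            # keep the keyword and type digit so the config stays readable
            return f"{m['kw']}{m['type'] or ''} <removed>"
        out.append(SECRET.sub(repl, line))
    return "\n".join(out) + "\n", findings
```

Any value that was already posted in type 7 form should be treated as disclosed and changed on both the AP and the RADIUS server.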

New Member

Having problems with one AP

Thanks,

I've been very busy, so I must have made changes to the non-working AP following Leo's suggestion and posted that config... Funny thing is, I have changed the password on the NAS server and on the AP numerous times. I will try to eliminate all the security features and then let you know... How can I copy the config from the working AP to the non-working AP? I am going to change the passwords once all is working.

New Member

Having problems with one AP

Ok, just removed all the security features and it works. I am thinking the problem may be from configuring from the browser. Maybe I need to configure from the command line.

New Member

Re: Having problems with one AP

Thanks,

Got it working. Used the client to install the password.

Bronze

Re: Having problems with one AP

HUGH LANCASTER wrote:

Thanks,

Got it working. Used the client to install the password.

What do you mean by that?  How was the issue resolved?

New Member

Having problems with one AP

Sorry, I used the client, not the browser, to set the authentication password; however, it is still not working correctly. One of the APs (WLC) on the controller is located upstairs and the AP (VesDwn1) that I had the problem with is located next to the client (XP). After re-awaking the client, it reconnects to the WLC. I tried another client (Win 7) and it does the same. I click the SSID (VesDwn1) and it reconnects on the Win 7 client. On the XP, it will not reconnect. I walk out of the building to the other autonomous AP (MasseyWire), and it connects.

Was this problem solved? I have the same problem with an Aironet 1600 and NPS RADIUS 2008 and cannot find the solution.

Can you help me?
 
