Wireless Authentication EAP

I recently removed some configuration from an AP but added it back in. Now when the clients connect to it they are unable to authenticate. On the ACS server I get this message, "Invalid message authenticator in EAP request". I have confirmed that the keys on the AP and on the ACS server are correct. What else could I be missing here?

aaa new-model
!
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_infrastructure
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server radius rad_client
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.206.110.225 auth-port 1645 acct-port 1646
server 10.202.110.225 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
server 10.206.110.225
server 10.202.110.225
!
aaa authentication login default group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_rad_infrastructure group rad_infrastructure
aaa authentication login method_rad_client group rad_client
aaa authentication enable default group tac_admin enable
aaa authorization console
aaa authorization exec default group tac_admin local
aaa authorization network default group tac_admin if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tac_admin
aaa accounting commands 1 default start-stop group tac_admin
aaa accounting commands 15 default start-stop group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting connection default start-stop group tac_admin
aaa accounting system default start-stop group tac_admin
!
aaa session-id common
clock timezone CST -6
clock summer-time CST recurring
ip telnet source-interface BVI1
ip tftp source-interface BVI1
ip name-server 10.200.10.5
!
!
ip ssh source-interface BVI1
ip ssh logging events
ip ssh version 2
!
dot11 ssid InfManagement
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
!
dot11 ssid CORP-Phones
   vlan 20
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
!
dot11 ssid CORP-WiFi
   vlan 40
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
!
dot11 ssid dartyyz.ca
   vlan 1000
   authentication open
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
encryption vlan 40 mode ciphers tkip
!
encryption vlan 1000 mode wep mandatory
!
ssid InfManagement
!
ssid CORP-Phones
!
ssid CORP-WIFI
!
ssid dartyyz.ca
!
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
!
interface Dot11Radio0.1000
encapsulation dot1Q 1000
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
encryption vlan 40 mode ciphers tkip
!
encryption vlan 1000 mode wep mandatory
!
ssid InfManagement
!
ssid CORP-Phones
!
ssid CORP-WiFi
!
ssid dartyyz.ca
!
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio1.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
!
interface Dot11Radio1.1000
encapsulation dot1Q 1000
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
no bridge-group 40 source-learning
bridge-group 40 spanning-disabled
!
interface FastEthernet0.1000
encapsulation dot1Q 1000
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface BVI1
ip address 10.139.32.41 255.255.255.128
no ip route-cache
!
ip default-gateway 10.139.32.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging trap debugging
logging 10.3.10.88
logging 10.202.106.95
access-list 19 permit 10.3.10.88
access-list 19 permit 10.202.0.20
access-list 19 permit 10.202.110.0 0.0.0.255
access-list 19 permit 10.200.40.0 0.0.0.255
access-list 19 deny   any log
snmp-server trap-source BVI1
tacacs-server host 10.206.110.225 key
tacacs-server host 10.202.110.225 key
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.206.110.225 auth-port 1645 acct-port 1646 key
radius-server host 10.202.110.225 auth-port 1645 acct-port 1646 key
radius-server timeout 10
radius-server vsa send accounting
bridge 1 route ip

2 REPLIES
Cisco Employee

Wireless Authentication EAP

"Invalid message authenticator in EAP request" message means:

Wrong RADIUS key, or don't use a short key like cisco. Use some bigger password and then try.

Wireless Authentication EAP

Well, weird: I tried different keys and nothing worked. I changed the key back to what it was originally and it works now. For some reason, even though I deleted everything from the ACS server, it was caching the settings somewhere.
