Cisco Support Community

WLC: EAP authentication issue - client doesn't authenticate

Hello,

I have got a problem with a WLC 5508 with software ver. 7.2.103.0.

I added a simple network design. Site A and Site B are connected through an L3 interface with normal routing without any firewalls.

At Site A the user can authenticate to the network, using EAP with certificates.

When User 1 is at Site B, he is not able to connect to the WLAN.

For me it looks like a problem with latency.

But why does the controller send the EAP-Request/Identity packets so fast without any delay?

Debug Client output Site B:

*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 Processing RSN IE type 48, length 22 for mobile 00:24:d6:10:05:b2
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 Received RSN IE with 0 PMKIDs from mobile 00:24:d6:10:05:b2
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 Setting active key cache index 8 ---> 8
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 unsetting PmkIdValidatedByAp
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 0.0.0.0 8021X_REQD (3) DHCP Not required on AP b8:62:1f:41:8d:80 vapId 18 apVapId 2for this client
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b8:62:1f:41:8d:80 vap Id 18 apVapId 2
*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 apfPemAddUser2 (apf_policy.c:268) Changing state for mobile 00:24:d6:10:05:b2 on AP b8:62:1f:41:8d:80 from Associated to Associated

*apfMsConnTask_1: Jul 19 13:16:06.895: 00:24:d6:10:05:b2 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_1: Jul 19 13:16:06.896: 00:24:d6:10:05:b2 Sending Assoc Response to station on BSSID b8:62:1f:41:8d:80 (status 0) ApVapId 2 Slot 0
*apfMsConnTask_1: Jul 19 13:16:06.896: 00:24:d6:10:05:b2 apfProcessAssocReq (apf_80211.c:6290) Changing state for mobile 00:24:d6:10:05:b2 on AP b8:62:1f:41:8d:80 from Associated to Associated

*dot1xMsgTask: Jul 19 13:16:03.356: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Connecting state
*dot1xMsgTask: Jul 19 13:16:03.356: 00:24:d6:10:05:b2 Sending EAP-Request/Identity to mobile 00:24:d6:10:05:b2 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 Received EAPOL START from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Connecting state
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 Sending EAP-Request/Identity to mobile 00:24:d6:10:05:b2 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 Received EAPOL START from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Connecting state
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:24:d6:10:05:b2 Sending EAP-Request/Identity to mobile 00:24:d6:10:05:b2 (EAP Id 3)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.392: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.392: 00:24:d6:10:05:b2 Received EAP Response packet with mismatching id (currentid=3, eapid=1) from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.392: 00:24:d6:10:05:b2 Reached Max EAP-Identity Request retries (3) for STA 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.393: 00:24:d6:10:05:b2 Sent Deauthenticate to mobile on BSSID b8:62:1f:41:8d:80 slot 0(caller 1x_auth_pae.c:3117)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.393: 00:24:d6:10:05:b2 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.393: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Disconnected state
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.393: 00:24:d6:10:05:b2 Not sending EAP-Failure for STA 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.394: 00:24:d6:10:05:b2 Station 00:24:d6:10:05:b2 setting dot1x reauth timeout = 3600
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.394: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.394: 00:24:d6:10:05:b2 Received EAP Response packet with mismatching id (currentid=0, eapid=1) from mobile 00:24:d6:10:05:b2
*apfMsConnTask_1: Jul 19 13:16:06.894: 00:24:d6:10:05:b2 Association received from mobile on AP b8:62:1f:41:8d:80

Debug Output Site A:

*dot1xMsgTask: Jul 19 16:09:48.523: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Connecting state
*dot1xMsgTask: Jul 19 16:09:48.523: 00:24:d6:10:05:b2 Sending EAP-Request/Identity to mobile 00:24:d6:10:05:b2 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.553: 00:24:d6:10:05:b2 Received EAPOL START from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.553: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Connecting state
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.553: 00:24:d6:10:05:b2 Sending EAP-Request/Identity to mobile 00:24:d6:10:05:b2 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.558: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.558: 00:24:d6:10:05:b2 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.561: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.561: 00:24:d6:10:05:b2 Received Identity Response (count=2) from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.561: 00:24:d6:10:05:b2 EAP State update from Connecting to Authenticating for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.561: 00:24:d6:10:05:b2 dot1x - moving mobile 00:24:d6:10:05:b2 into Authenticating state
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.561: 00:24:d6:10:05:b2 Entering Backend Auth Response state for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.568: 00:24:d6:10:05:b2 Processing Access-Challenge for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.568: 00:24:d6:10:05:b2 Entering Backend Auth Req state (id=3) for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.568: 00:24:d6:10:05:b2 Sending EAP Request from AAA to mobile 00:24:d6:10:05:b2 (EAP Id 3)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.570: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.570: 00:24:d6:10:05:b2 Received EAP Response from mobile 00:24:d6:10:05:b2 (EAP Id 3, EAP Type 13)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.570: 00:24:d6:10:05:b2 Entering Backend Auth Response state for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.574: 00:24:d6:10:05:b2 Processing Access-Challenge for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.574: 00:24:d6:10:05:b2 Entering Backend Auth Req state (id=4) for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.574: 00:24:d6:10:05:b2 Sending EAP Request from AAA to mobile 00:24:d6:10:05:b2 (EAP Id 4)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.577: 00:24:d6:10:05:b2 Received EAPOL EAPPKT from mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.577: 00:24:d6:10:05:b2 Received EAP Response from mobile 00:24:d6:10:05:b2 (EAP Id 4, EAP Type 13)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.577: 00:24:d6:10:05:b2 Entering Backend Auth Response state for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Processing Access-Accept for mobile 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Resetting web IPv4 acl from 255 to 255

*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Setting re-auth timeout to 3600 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Station 00:24:d6:10:05:b2 setting dot1x reauth timeout = 3600
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Creating a PKC PMKID Cache entry for station 00:24:d6:10:05:b2 (RSN 2)
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Resetting MSCB PMK Cache Entry 0 for station 00:24:d6:10:05:b2
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Setting active key cache index 8 ---> 0
*Dot1x_NW_MsgTask_2: Jul 19 16:09:48.583: 00:24:d6:10:05:b2 Adding BSSID 1c:aa:07:7b:5a:9e to PMKID cache at index 0 for station 00:24:d6:10:05:b2

2 REPLIES
Hall of Fame Super Silver

Re: WLC: EAP authentication issue - client doesn't authenticate

You can adjust the EAP timers.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

WLC: EAP authentication issue - client doesn't authenticate

You can increase the timers either from CLI or GUI.

CLI:

(WiSM-slot13-2) >config advanced eap identity-request-retries ?

      Enter the number of retries between 1 and 20

From GUI:

Security -> Local EAP -> General.

Change the value of

Identity Request Timeout.

The point is that the Identity Request Timeout is 30 seconds by default. You had better check what the current value is:

show advanced eap.

If it is not a problem with the delay, then make sure that the communication with the RADIUS server in location B is OK. It seems you have a problem with the communication between Site B and the RADIUS server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
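
An added example, not part of the thread and not Cisco code: a small parser for debug client output in the format posted above. It measures the gaps between EAP-Request/Identity transmissions, counts how many of them followed an EAPOL START, and reports EAP ID mismatches and the retry limit being hit. The sample lines, the MAC address and the function name are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample lines in the WLC "debug client" format shown in the thread
# (the MAC address and timestamps are made up for this example).
SAMPLE = """\
*dot1xMsgTask: Jul 19 13:16:03.356: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 1)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:11:22:33:44:55 Received EAPOL START from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 2)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:11:22:33:44:55 Received EAPOL START from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.386: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 3)
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.392: 00:11:22:33:44:55 Received EAP Response packet with mismatching id (currentid=3, eapid=1) from mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_2: Jul 19 13:16:03.392: 00:11:22:33:44:55 Reached Max EAP-Identity Request retries (3) for STA 00:11:22:33:44:55
"""

LINE = re.compile(r"^\*(?P<task>[^:]+): (?P<ts>\w{3} +\d+ [\d:.]+): (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
REQ = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)")
MISMATCH = re.compile(r"mismatching id \(currentid=(\d+), eapid=(\d+)\)")
MAXED = re.compile(r"Reached Max EAP-Identity Request retries \((\d+)\)")

def analyze(text):
    """Summarise the EAP identity phase per client MAC."""
    clients = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or non-debug line
        # The log carries no year; a fixed one is enough to compute time differences.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        c = clients.setdefault(m["mac"], {"requests": [], "after_start": 0,
            "mismatches": [], "max_retries": None, "_start": False})
        msg = m["msg"]
        if "Received EAPOL START" in msg:
            c["_start"] = True          # remember that the client restarted EAPOL
        elif (r := REQ.search(msg)):
            c["requests"].append((int(r[1]), ts))
            c["after_start"] += c["_start"]   # request sent right after a START
            c["_start"] = False
        elif (r := MISMATCH.search(msg)):
            c["mismatches"].append((int(r[1]), int(r[2])))  # (currentid, eapid)
        elif (r := MAXED.search(msg)):
            c["max_retries"] = int(r[1])
    for c in clients.values():
        times = [t for _, t in c["requests"]]
        c["gaps_ms"] = [round((b - a).total_seconds() * 1000)
                        for a, b in zip(times, times[1:])]
        del c["_start"]
    return clients
```

Gaps far below the configured identity request timeout, together with a non-zero after_start count, show that the repeated requests were answers to EAPOL START frames rather than timer-driven retransmissions.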