01-28-2010 11:49 AM - edited 07-03-2021 06:27 PM
Hi,
We are using 2 WISMs, with version 4.2.207 and a WCS to control them.
It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
When they lost the connection we can see the following error:
Message:
Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
Message:
Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
I also attach an output of the troubleshoot mac address...
Can someone help me with this?
Thank you.
Best regards,
01-30-2010 08:19 AM
Can you drop into the CLI of the WLC and do a client debug on the client in question and post your findings ...
thanks
01-31-2010 01:41 PM
Hi George,
Thank you for your reply. I have attached the debug.
The problem is at this stage:
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Initiating RSN PSK to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a dot1x - moving mobile 00:16:6f:06:27:0a into Force Auth state
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Skipping EAP-Success to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:53 2010: Including PMKID in M1 (16)
Fri Jan 29 11:26:53 2010: [0000] 82 1d f1 e4 2f cc 1b 04 b8 e2 42 1a e1 73 4e 07
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Sending EAPOL-Key Message to mobile 00:16:6f:06:27:0a
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Retransmit failure for EAPOL-Key M1 to mobile 00:16:6f:06:27:0a, retransmit count 3, mscb deauth count 0
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Sent Deauthenticate to mobile on BSS ID 00:1d:e6:24:e5:00 slot 0(caller 1x_ptsm.c:462)
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Scheduling deletion of Mobile Statio
Any help understanding why would be great.
Thanks in advance,
Best regards,
01-31-2010 02:26 PM
See the lines that state Retransmit 1 and Retransmit 2... This is an indication the PSK key doesn't match on the client and/or WLC that the AP is associated to. Double check your PSK on the clients that are having issues. Something is amiss on the key side... I reproduced this in my lab and got the same results as you when the key did not match... see my output below yours ...
As for your 802.1x question: WPA2 / PSK is a form of EAP. Thus why you see 802.1x... Most folks assume 802.1x and RADIUS server... but not the case. Post back and let me know what you find...
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired for station 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a 802.1x 'timeoutEvt' Timer expired fo
My test ...
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 802.1x 'timeoutEvt' Timer expired for station 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-Key from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key in PKT_START state (message 2) from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
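Added example, not part of the original posts: a small triage script for WLC client-debug output that separates clients whose M2 was rejected with an invalid MIC from clients for which the controller logged M1 retransmits but no M2 at all. The sample lines are taken from the two debug excerpts above; the function name and verdict strings are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample lines taken from the two debug excerpts posted in this thread.
SAMPLE = """\
Fri Jan 29 11:26:53 2010: 00:16:6f:06:27:0a Sending EAPOL-Key Message to mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:54 2010: 00:16:6f:06:27:0a Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:55 2010: 00:16:6f:06:27:0a Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 00:16:6f:06:27:0a
Fri Jan 29 11:26:56 2010: 00:16:6f:06:27:0a Retransmit failure for EAPOL-Key M1 to mobile 00:16:6f:06:27:0a, retransmit count 3, mscb deauth count 0
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
Sun Jan 31 11:12:01 2010: 00:02:10:11:02:68 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:02:10:11:02:68
Sun Jan 31 11:12:02 2010: 00:02:10:11:02:68 Received EAPOL-key M2 with invalid MIC from mobile 00:02:10:11:02:68
"""

# "<timestamp>: <client mac> <message>"; hex dumps and cut-off lines do not match.
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4}: "
                  r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)

def classify(debug_text):
    """Map each client MAC to a verdict on its WPA2 4-way handshake."""
    stats = defaultdict(lambda: {"m1_retx": 0, "m2_seen": 0, "bad_mic": 0})
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mac, msg = m.group(1).lower(), m.group(2)
        s = stats[mac]
        if re.search(r"Retransmit (\d+ of|failure for) EAPOL-Key M1", msg):
            s["m1_retx"] += 1
        if re.search(r"Received EAPOL-key .*(message 2|M2)", msg, re.I):
            s["m2_seen"] += 1
        if "invalid MIC" in msg:
            s["bad_mic"] += 1
    verdicts = {}
    for mac, s in stats.items():
        if s["bad_mic"]:
            # Client answered, but its MIC did not verify: both sides derived different keys.
            verdicts[mac] = "M2 invalid MIC"
        elif s["m1_retx"] and not s["m2_seen"]:
            # Controller never logged a reply to M1, so no key material was compared.
            verdicts[mac] = "M1 unanswered"
        else:
            verdicts[mac] = "no handshake failure logged"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE).items():
        print(mac, verdict)
```

Run against a full debug capture, the per-client verdict shows which of the two patterns an excluded client actually produced before the controller sent the deauthenticate.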
02-01-2010 03:23 AM
Hi again George,
Thank you for your reply.
Yes, the behavior is as if the password is incorrect, but that can't be the problem, because these clients are connected without problems and then the problem starts to occur.
By the way, when we disable 802.11a on the client the problem seems to disappear...
Thank you.
Best regards,
02-01-2010 04:29 AM
I had an issue like this before... I had 6 WLCs and 1 of the WLCs had the wrong key and only had a few APs joined to that controller. When clients would roam to this AP the clients would spin.
I would double check the keys on the WLC, or try and see what APs the clients are trying to attach to when they spin...
Make sense?
11-10-2010 06:45 AM
I just had the same issue with a similar setup: 6 LWAPPs and 1 WLC. After reading the posts it got me thinking that I should focus on the PSK. I changed the key on the WLC, saved the config, tested a new client and successfully connected. Then I went back to the WLC and re-entered the old PSK, saved the config and was able to get clients connected. Is there some kind of expiration or timeout for the PSK? (Using WPA+WPA2)
02-09-2010 07:18 AM
We are also experiencing the same issue. Have you found a solution?
02-10-2010 02:36 AM
Hi Kirbus,
We opened a TAC case and we were advised for now to make the following changes:
1. please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration
2. disable management frame protection (MFP) signature generation (if present), MFP also on the WLAN advanced configuration
3. on the WLC general configuration, can you please disable aggressive load balancing
4. on the security tab on the WLC, please wireless protection policies > disable client exclusion policies
5. on the AP network configuration please disable short preamble (the original standard was long preambles)
6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
7. apply these modifications on the WLC CLI
config advanced eap identity-request-timeout 20
config advanced eap identity-request-retries 10
config advanced eap request-timeout 20
config advanced eap request-retries 10
Save config, and see if you still face the problem.
We are still monitoring the solution, but until now we haven't faced the problem again.
Let me know how it goes for you.
Thank you.
Best regards,
02-10-2010 11:15 AM
Thank you so much for the info. We will look into this and see what we come up with. I am wondering how similar our setups are. What model APs do you use? How many WLCs do you have? Do you know the NIC manufacturer of your clients? We have been trying to narrow it down to see if it is a driver issue or just some config issue. We are actually on version 6.0.188 so it's definitely not the version.
02-22-2010 06:55 AM
Hello,
I was just checking back to see whether, since you made the changes, you are still experiencing problems, or whether you have narrowed it down to what it might be.
02-22-2010 06:59 AM
Hi Kirbus,
Since those changes the client hasn't reported any more problems to us.
What about you? How is it going?
Best regards,
02-22-2010 07:10 AM
Hello,
These are the ones we have tried:
1. disable Aironet extensions (if present), on the WLAN advanced configuration
2. disable management frame protection (MFP) signature generation (if present), MFP also on the WLAN advanced configuration
3. on the WLC general configuration, disable aggressive load balancing
4. on the security tab on the WLC and it looks like we are still getting the same messages. I am leery about disabling the wireless protection policies client exclusions for security reasons, but I am thinking that is the solution to the problem; it seems it just ignores the failures.
ad
02-25-2010 01:56 PM
Hello,
Do you know what the manufacturer of your clients' NICs is, or are they all different? We are trying to see if it may be a driver issue. We are getting inconsistent information from Cisco about the cause of the problem.
04-12-2010 07:13 AM
Hello,
I have the same problem with WPA2/dot1x EAP-TLS and MSCHAPv2, but after 16 tries (3 times EAPOL M1 retransmit for each try) the WLC 4400 (v6) accepts the client.
Additionally, I see CSCsy05945: The "EAPOL-key M2 with invalid RSN IE" error message appears because of multiple PMKIDs. The clients send multiple PMKIDs, but the controller buffers only 64 bytes of the WPA/RSN information element (IE). Workaround: None.
I disabled all 6 options step by step and did the CLI timeout commands - no change.
Who is handling this part of the protocol, the CSSC, the WLAN driver Hon or MS XP?
Greetings
Olaf.