Client AAA Authentication Failure

hadisharifi
Level 1

Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.

Access-Challenge received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)

*aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0

*aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00

*radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3

****Enter processRadiusResponse: response code=3

*radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5

3 Replies
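As an added example that is not part of this thread: a small Python triage script that decodes the EAP type numbers and RADIUS response codes in WLC debug lines like the ones quoted above, so the sequence client-Nak then Access-Reject stands out without reading the raw debug. The code tables come from RFC 2865 (RADIUS codes) and RFC 3748 (EAP types); the sample input is constructed from the lines in the question.

```python
import re

# Constructed sample: the WLC debug lines quoted in the question above.
SAMPLE_DEBUG = """\
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)
*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)
*aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00
*radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
"""

# RADIUS packet codes (RFC 2865) and EAP type numbers (RFC 3748 / IANA registry).
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

EAP_RESP_RE = re.compile(r"Received EAP Response .*\(EAP Id (\d+), EAP Type (\d+)\)")
RADIUS_RE = re.compile(r"response code=(\d+)")

def triage(debug_text):
    """Walk the debug in order; return the decoded events, the final RADIUS outcome and a hint."""
    events = []
    for line in debug_text.splitlines():
        m = EAP_RESP_RE.search(line)
        if m:
            eap_type = int(m.group(2))
            events.append(("eap", int(m.group(1)), EAP_TYPES.get(eap_type, f"type-{eap_type}")))
            continue
        m = RADIUS_RE.search(line)
        if m:
            code = int(m.group(1))
            events.append(("radius", code, RADIUS_CODES.get(code, f"code-{code}")))
    result = {"events": events, "outcome": None, "hint": None}
    radius_events = [e for e in events if e[0] == "radius"]
    if radius_events:
        result["outcome"] = radius_events[-1][2]
    # A client Nak (EAP type 3) directly followed by a reject means the supplicant
    # refused the EAP method the server proposed: compare method settings on both sides.
    for prev, cur in zip(events, events[1:]):
        if prev[0] == "eap" and prev[2] == "Nak" and cur[0] == "radius" and cur[2] == "Access-Reject":
            result["hint"] = "client sent EAP Nak before reject: EAP method mismatch between supplicant and RADIUS server"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```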

Nicolas Darchis
Cisco Employee

Well, if you get a reject from the RADIUS server, the WLC is doing nothing wrong, but you should check on your RADIUS server what the reason for the reject is. There has to be a message there :-)

Thanks for the reply. I checked the logs and they show the correct username that attempted to log in, and then for the same user they show the machine name trying to log in. Could it be something to do with the client's configuration?

Is there any specific configuration that needs to be made on the clients, which are mostly Windows-based devices? The user doesn't get prompted to enter a username or password even when 802.1X is selected for authentication.

Take a packet capture at the RADIUS server port and filter for RADIUS packets with the shared secret configured in Wireshark; it should tell you why it is failing.

-Van
