05-18-2012 01:09 PM - edited 07-03-2021 10:11 PM
Hello,
I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up:
WLC 4404 passes authentication to ACS 5.3 (PEAP + MsChapV2) then to AD server.
Client can get stuck in this status and it keeps repeating from 1 to 20:
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
I have the Max EAP identity request retries set to 20, that is why it stops at 20.
I checked the WLC logs and all I can see is:
May 18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May 18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create username joe132 for mobilee4:ce:8f:13:e4:de
The strange thing is on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this but I'm not sure why and how??
Anybody seen something like this??
05-18-2012 04:12 PM
From that debug, the WLC sends the identity request and the client sends two EAP packets, then the client sends an EAPOL start, which tells the WLC to start all over.
Steve
Sent from Cisco Technical Support iPhone App
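An added example, not part of either post: a small Python parser that groups the dot1x debug lines above into one record per EAP-Request/Identity attempt and reports clients whose attempts keep ending in a client-sent EAPOL START. The function names, the `YEAR` constant (the debug lines carry no year) and the `min_cycles` threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: lines copied from the debug output in the first post.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
"""

YEAR = 2012  # assumption: taken from the post date, used only to parse timestamps
LINE = re.compile(r"^\*\S+: (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$")
ID_REQ = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)")

def parse_cycles(text):
    """Return {mac: [attempt, ...]}, one attempt per EAP-Request/Identity sent."""
    cycles = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-client dot1x debug line
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        mac, msg = m.group(2), m.group(3)
        attempts = cycles.setdefault(mac, [])
        req = ID_REQ.search(msg)
        if req:
            attempts.append({"eap_id": int(req.group(1)), "sent": ts,
                             "eappkt": 0, "restart_after": None})
        elif attempts and "Received EAPOL EAPPKT" in msg:
            attempts[-1]["eappkt"] += 1
        elif attempts and "Received EAPOL START" in msg \
                and attempts[-1]["restart_after"] is None:
            # Seconds between the identity request and the client's restart.
            attempts[-1]["restart_after"] = (ts - attempts[-1]["sent"]).total_seconds()
    return cycles

def restart_loops(cycles, min_cycles=2):
    """MACs whose last min_cycles attempts all ended with a client EAPOL START."""
    return sorted(mac for mac, a in cycles.items()
                  if len(a) >= min_cycles
                  and all(c["restart_after"] is not None for c in a[-min_cycles:]))
```

Running `restart_loops(parse_cycles(debug_text))` over a full `debug client` capture lists the clients caught in this restart pattern; the per-attempt `eappkt` count and `restart_after` gap show how far each attempt got before the client started over.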