
EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

Hosam Badreldin
Level 1

Hello,

I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up:

WLC 4404 pass authentication to ACS 5.3 (PEAP + MsChapV2) then to AD server.

Client can get stuck in this status and it keeps repeating from 1 to 20:

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)

*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

I have the Max EAP identity request retries set to 20, that is why it stops in 20.

I checked the WLC logs and all I can see is:

May  18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May  18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create  username joe132 for mobilee4:ce:8f:13:e4:de

The strange thing is on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this but I'm not sure why and how??

Anybody seen something like this??

1 Reply

Stephen Rodriguez
Cisco Employee

From that debug, the WLC sends the identity request and the client sends two EAP packets, then the client sends an EAPOL start, which tells the WLC to start all over.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
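
The restart pattern discussed in this thread can be pulled out of a long debug capture mechanically. The following is an added example, not part of the original posts and not Cisco code: it walks debug lines in the format quoted in the question and reports, per client MAC, each cycle in which the client answered an EAP-Request/Identity and then sent EAPOL START, together with the time between its last reply and the restart. The function names and the second MAC address are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines from the debug excerpt in the question, plus one constructed line for a second client.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:50.100: 02:00:00:00:00:01 Sending EAP-Request/Identity to mobile 02:00:00:00:00:01 (EAP Id 1)
"""

# Task name, timestamp, client MAC, message text.
LINE = re.compile(r"\*\S+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
EAP_ID = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)")

def parse_ts(ts):
    # The debug output carries no year; 2000 is an arbitrary placeholder year.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f")

def find_restart_loops(text, min_cycles=2):
    """Return {mac: [(eap_id, client_replies, stall_seconds), ...]} for clients that
    answered an identity request and then sent EAPOL START at least min_cycles times."""
    open_cycle = {}                      # mac -> [eap_id, replies, time of last reply]
    restarts = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue
        ts, mac, msg = parse_ts(m.group(1)), m.group(2).lower(), m.group(3)
        req = EAP_ID.search(msg)
        if req:
            open_cycle[mac] = [int(req.group(1)), 0, None]
        elif "Received EAPOL EAPPKT" in msg and mac in open_cycle:
            open_cycle[mac][1] += 1
            open_cycle[mac][2] = ts
        elif "Received EAPOL START" in msg and mac in open_cycle:
            eap_id, replies, last = open_cycle.pop(mac)
            if replies:                  # client replied, then restarted the exchange
                restarts[mac].append((eap_id, replies, round((ts - last).total_seconds(), 3)))
    return {mac: c for mac, c in restarts.items() if len(c) >= min_cycles}

if __name__ == "__main__":
    for mac, cycles in find_restart_loops(SAMPLE).items():
        for eap_id, replies, stall in cycles:
            print(f"{mac}: EAP Id {eap_id}, {replies} client replies, restart after {stall}s")
```

On the excerpt from the question, both cycles show the client restarting about 30 seconds after its second reply, which is the interval to compare against the timers on the client and on the WLC.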