Cisco Support Community

EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

Hello,

I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up:

WLC 4404 pass authentication to ACS 5.3 (PEAP + MsChapV2) then to AD server.

Clients can get stuck in this status, and it keeps repeating from 1 to 20:

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)

*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

I have the Max EAP identity request retries set to 20, that is why it stops in 20.

I checked the WLC logs and all I can see is:

May  18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May  18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create  username joe132 for mobilee4:ce:8f:13:e4:de

The strange thing is on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this but I'm not sure why and how??

Anybody seen something like this??

1 REPLY

Re: EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

From that debug, the WLC sends the identity request and the client sends two EAP packets, then the client sends an EAPOL start, which tells the WLC to start all over.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve

Please remember to rate useful posts, and mark questions as answered
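Added example (not part of the original posts, and not Cisco tooling): a small Python parser that groups the `debug dot1x` lines from the question into one record per EAP-Request/Identity, showing how many EAPOL packets the client sent back and how long it waited before restarting with EAPOL START. The function names and the `min_restarts` threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the question above.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
"""

LINE = re.compile(r"^\*\S+: (\w{3} +\d+ [\d:.]+): ([0-9a-f:]{17}) (.*)$")
ID_REQ = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (\d+)\)")

def identity_cycles(text):
    """One record per EAP-Request/Identity: client replies seen and time until EAPOL START."""
    cycles, open_cycle = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # The debug lines carry no year; a fixed placeholder year is enough for time deltas.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        mac, msg = m.group(2), m.group(3)
        req = ID_REQ.search(msg)
        if req:
            open_cycle[mac] = {"mac": mac, "eap_id": int(req.group(1)), "sent": ts,
                               "replies": 0, "restart_after_s": None}
            cycles.append(open_cycle[mac])
        elif mac in open_cycle and "Received EAPOL EAPPKT" in msg:
            open_cycle[mac]["replies"] += 1
        elif mac in open_cycle and "Received EAPOL START" in msg:
            cur = open_cycle.pop(mac)
            cur["restart_after_s"] = round((ts - cur["sent"]).total_seconds(), 3)
    return cycles

def looping_clients(cycles, min_restarts=2):
    """MACs that answered the identity request yet restarted at least min_restarts times."""
    counts = {}
    for c in cycles:
        if c["replies"] and c["restart_after_s"] is not None:
            counts[c["mac"]] = counts.get(c["mac"], 0) + 1
    return sorted(mac for mac, n in counts.items() if n >= min_restarts)
```

On the lines from the question, both cycles show the client answering within a few milliseconds and then sending EAPOL START about 30 seconds later, which is the restart pattern the reply describes.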