Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)

Hosam Badreldin
Level 1

Hello,

I'm facing a problem related to devices authenticating to our wireless network. Below is how it is set up:

WLC 4404 pass authentication to ACS 5.3 (PEAP + MsChapV2) then to AD server.

Client can get stuck in this status and it keeps repeating from 1 to 20:

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

I have the Max EAP identity request retries set to 20, that is why it stops at 20.

I checked the WLC logs and all I can see is:

May 18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May 18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create username joe132 for mobilee4:ce:8f:13:e4:de

The strange thing is on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this but I'm not sure why and how??

Anybody seen something like this??
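As an added example (not from the thread or from Cisco's tooling), a small Python parser over constructed lines in the shape of the poster's debug output that flags clients which keep being sent EAP-Request/Identity with new EAP Ids and never move past the Connecting state. The second MAC and its "Authenticating state" line are made up for contrast and are assumed to match the WLC's wording for a client that did answer.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's debug lines (not the poster's
# capture). 00:11:22:33:44:55 is a made-up healthy client; its "Authenticating
# state" line is assumed to match the WLC's wording for a client that answered.
SAMPLE_DEBUG = """\
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)
*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)
*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de
*Dot1x_NW_MsgTask_0: May 18 19:58:50.100: 00:11:22:33:44:55 dot1x - moving mobile 00:11:22:33:44:55 into Connecting state
*Dot1x_NW_MsgTask_0: May 18 19:58:50.100: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 1)
*Dot1x_NW_MsgTask_0: May 18 19:58:50.130: 00:11:22:33:44:55 dot1x - moving mobile 00:11:22:33:44:55 into Authenticating state
"""

LINE_RE = re.compile(r"^\*Dot1x_NW_MsgTask_\d+: (?P<ts>\w{3} \d+ [\d:.]+): "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
REQ_RE = re.compile(r"Sending EAP-Request/Identity .*\(EAP Id (?P<id>\d+)\)")
STATE_RE = re.compile(r"moving mobile \S+ into (?P<state>\w+) state")

def analyze(debug_text):
    """Per-client counters: identity requests sent, EAPOL STARTs seen, EAP Ids, states."""
    stats = defaultdict(lambda: {"identity_requests": 0, "eapol_starts": 0,
                                 "eap_ids": [], "states": set()})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dot1x task line
        s, msg = stats[m["mac"].lower()], m["msg"]
        if (r := REQ_RE.search(msg)):
            s["identity_requests"] += 1
            s["eap_ids"].append(int(r["id"]))
        elif "Received EAPOL START" in msg:
            s["eapol_starts"] += 1
        if (st := STATE_RE.search(msg)):
            s["states"].add(st["state"])
    return stats

def stuck_clients(debug_text, min_requests=2):
    """MACs sent >= min_requests identity requests that never got past Connecting."""
    return sorted(mac for mac, s in analyze(debug_text).items()
                  if s["identity_requests"] >= min_requests
                  and s["states"] <= {"Connecting"})
```

Raising min_requests toward the controller's configured retry limit separates genuinely unresponsive clients from ones that merely needed a second request.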

11 Replies

maldehne
Cisco Employee

well well,

From the debugs it is very clear that the controller is sending EAP identity requests to your lazy wireless client which is not responding at all and accordingly the WLC keeps doing that until reaching the max retries.

The client is doing one thing which is sending EAPOL start packet but it never reacts with EAP identity requests fired by the WLC.

There is one possible reason: your client is either corrupted or not configured correctly, or you are not populating the identity info upon being prompted for that, which I doubt. So please check the config of your client and try with another one if possible.

Regards

----------------------------------------------------------------

Please don't forget to rate correct answers

But it is not 1 client, I have tons of them and they are about 90% Apple products. Any suggestions? I cannot go around campus and check settings on each Apple client.

Do you have Apple clients in your WLAN environment? Any issues?

Unfortunately no.

Is it worth checking right at your end?

George Stefanick
VIP Alumni

I have apples on my network and not having any problems.

How is your WLAN configured WPA/TKIP or WPA2/AES?

Are you using CCKM on your WLAN at all?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

How big is your network?? I have about 10.000 clients.

I have WPA2+AES then PEAP+MSCHAPv2 tunnel back to ACS 5.3

No, I'm using 802.1X

dgohain
Cisco Employee

enable broadcast forwarding

++ increase the ARP timeout

+++ disable short preamble

++ increase DTIM

Why do I have to enable broadcast forwarding?

I already have the ARP timeout set to 500, and the short preamble is disabled, and the DTIM set to 5 but the problem is still here.

broadcast forwarding for initial device discovery

George Stefanick
VIP Alumni

PEAP is only used for authentication. What are you using for encryption: WPA, WPA2, AES, TKIP?


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I already said that above, I use WPA2+AES

This issue occurred a couple of months ago and it was resolved by replacing the DSL modem on the remote site.

The same problem (EAP identity request not received by client on remote site) has occurred again, this time also on a remote site which connects using a DSL modem. Obviously I will ask the provider to replace this modem as well but does anyone have an explanation as to why a DSL modem wouldn't forward these packets as expected?

Everything but 802.1x identity request is/was working perfectly fine on both these branches.


BR

David
