Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)

Hello,

I'm facing a problem related to devices authenticating to our wireless network. Below are how it is setup:

WLC 4404 pass authentication to ACS 5.3 (PEAP + MsChapV2) then to AD server.

Client can get stock in this status and it keeps repeating from 1 to 20:

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:57:47.477: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 19)

*Dot1x_NW_MsgTask_0: May 18 19:57:47.481: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:57:47.483: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de dot1x - moving mobile e4:ce:8f:13:e4:de into Connecting state

*Dot1x_NW_MsgTask_0: May 18 19:58:17.482: e4:ce:8f:13:e4:de Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id 20)

*Dot1x_NW_MsgTask_0: May 18 19:58:17.485: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:17.487: e4:ce:8f:13:e4:de Received EAPOL EAPPKT from mobile e4:ce:8f:13:e4:de

*Dot1x_NW_MsgTask_0: May 18 19:58:47.488: e4:ce:8f:13:e4:de Received EAPOL START from mobile e4:ce:8f:13:e4:de

I have the Max EAP identity request retries set to 20, that is why it stops in 20.

I checked the WLC logs and I'll I can see is:

May 18 14:45:59 10.3.1.10/10.3.1.10 MG-LWAPP-C1: *Dot1x_NW_MsgTask_0: May 18 19:45:59.306: %APF-1-USER_ADD_FAILED: apf_ms.c:5665 Unable to create username joe132 for mobilee4:ce:8f:13:e4:de

The strange thing is on the ACS I can't see any authentication attempts. I think the WLC is trying to use the PMK cache for this but I'm not sure why and how??

Anybody seen something like this??

10 REPLIES
Cisco Employee

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

well well,

From the debugs it is very clear that the cotnroller is sending eap identity request to your lazy wireless client which is not responding at all and accordingly the WLC keps doing that until reaching the max retries.

The client is doing one thing which is sending EAPOL start packet but it never reacts with EAP identity requests fired by the WLC.

There is one possible reason that your client is either corrupted or not configured correctly or you are not populating the identiy info upon being prompted for that which i doubt. So please check the config of your client and try with another one if possible.

Regards

----------------------------------------------------------------

Please don't forget to rate correct answers

New Member

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

But it is not 1 client, I have tons of them and they are about 90% Apple products. Any suggestions? I cannot go around campus and check settings on each Apple client .

Do you have Apple clients in your WLAN environment? Any issues?

Cisco Employee

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

unfortunately no

it worths to check right at your end ?

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

I have apples on my network and not having any problems.

How is your WLAN configured WPA/TKIP or WPA2/AES?

Are you using CCKM on your WLAN at all?

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

How big is your network?? I have about 10.000 clients.

I have WPA2+AES then PEAP+MSCHARPv2 tunnel back to ACS 5.3

No, I'm using 802.1X

Cisco Employee

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

enable broadcast forwarding

++ incrseea the arp timeout

+++ disable short preamble

++ increase DTIM

New Member

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

Why do I have to enable broadcast forwarding?

I already have the ARP timeout set to 500, and the short preamble is disabled, and the DTIM set to 5 but the problem is still here .

Cisco Employee

Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EAP Id

broadcast forwarding  for initial device discovery

Re: Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EA

Peap is only used for authentication. What are you using for encryption Wpa , wpa2 aes tkip ..

Sent from Cisco Technical Support iPhone App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: Sending EAP-Request/Identity to mobile e4:ce:8f:13:e4:de (EA

I already said that above I use WPA2+EAS

1439
Views
0
Helpful
10
Replies
CreatePlease login to create content