WLC Error "Reached Max EAP-Identity Request retries (21) for STA..."
I've deployed a pair of WLC4404-100 (in a mobility group) in an Enterprise Data Center, to control 50 lightweight APs located at a remote branch office, using L3 LWAPP transport mode. WLC software version is 184.108.40.206. AP Fallback is enabled. All APs joined to a Primary WLC; the second WLC functions as hot standby.
Users in the branch office use built-in Intel adapter (on Dell notebooks) to associate to the WLAN and use Windows XP WZC. The WLAN is configured to WPA1+WPA2 and authenticate to a backend Cisco ACS server.
Today an issue happened. 50% of the users can't get connected. I started troubleshooting at 11 A.M. Below are my findings:
In the Passed Authentications log, the last successful authentication was at 10:48 A.M., with no new entries after that. The ACS service was confirmed running. From the WLC, I can ping the RADIUS server.
In the Failed Attempts log, the last entry is at 9:24 A.M., with Authen-Failure-Code=Authentication session invalidated. No new entries after that.
Configured WLC to send syslog messages to my workstation. Noticed many of the following error messages:
2007-01-22 10:39:55 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:10:7f:ed
2007-01-22 10:40:01 Local0.Notice 10.0.0.1 [WARNING] apf_80211.c 2408: Received a message with an invalid supported rate from station 00:12:17:83:ec:b8.
2007-01-22 10:40:02 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:10:82:b3
Re: WLC Error "Reached Max EAP-Identity Request retries (21) for
What version of ACS are you running? Older versions have numerous problems with the WLCs. Upgrading to ACS 4.1 will solve many connectivity & latency style problems.
What is the bandwidth on the link to the remote site?
What is the latency between APs at the remote site and the WLC?
How are the Access Points configured? Specifically, are you using H-REAP?
The max EAP re-transmissions error you're seeing is probably the result of a client constantly trying to authenticate, and the requests failing. The WLC comes preconfigured to look for certain behaviours that COULD be attacks. Uncheck the 'excessive failed authentications' rule and it'll stop. (Can't remember exactly what it's called - under the security tab somewhere...)
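The syslog lines in the original post and the reply's reading of them (a client repeatedly failing EAP) suggest a quick triage step: group the controller's EAP failure messages per station MAC and look at how many distinct clients are hitting the limit in a short window. A handful of stations points at misbehaving supplicants or the controller's excessive-failed-authentication rule; many distinct stations failing at once, combined with the ACS Passed Authentications log going quiet, points at the RADIUS path. The following is an added example, not code from the thread or from Cisco; the message patterns are taken from the three syslog lines quoted above, the extra sample lines and MAC addresses are constructed, and the threshold of five stations is an assumed starting value.

```python
"""Triage Cisco WLC 802.1X/EAP syslog messages by station MAC.

Parses lines in the format shown in the post and counts, per client,
the 'MAX EAP retransmissions' and 'Reached Max EAP-Identity Request retries'
messages, so a defender can separate a few failing supplicants from a
controller-wide authentication outage affecting many distinct stations.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the first three lines are the ones quoted in the post;
# the rest are made-up lines in the same format with fictitious MACs.
SAMPLE_SYSLOG = """\
2007-01-22 10:39:55 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:10:7f:ed
2007-01-22 10:40:01 Local0.Notice 10.0.0.1 [WARNING] apf_80211.c 2408: Received a message with an invalid supported rate from station 00:12:17:83:ec:b8.
2007-01-22 10:40:02 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:10:82:b3
2007-01-22 10:40:10 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:10:7f:ed
2007-01-22 10:40:15 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:aa:bb:01
2007-01-22 10:40:20 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:aa:bb:02
2007-01-22 10:40:31 Local0.Error 10.0.0.1 [SECURITY] 1x_auth_pae.c 2417: Reached Max EAP-Identity Request retries (21) for STA 00:13:ce:aa:bb:03
2007-01-22 10:40:44 Local0.Error 10.0.0.1 [SECURITY] 1x_ptsm.c 407: MAX EAP retransmissions reached for mobile 00:13:ce:aa:bb:04
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# Generic WLC syslog envelope: timestamp, facility.severity, host, [CATEGORY], source file, line, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\S+) (?P<host>\S+) "
    r"\[(?P<cat>[A-Z]+)\] (?P<src>\S+) (?P<srcline>\d+): (?P<msg>.*)$"
)
# Message bodies as they appear in the post; the station MAC is captured.
EAP_PATTERNS = {
    "eap_retransmit": re.compile(r"MAX EAP retransmissions reached for mobile " + MAC, re.I),
    "eap_identity": re.compile(r"Reached Max EAP-Identity Request retries \((?P<n>\d+)\) for STA " + MAC, re.I),
}


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in the WLC format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["kind"] = None   # EAP failure class, if any
    rec["mac"] = None    # station MAC for EAP failures
    for kind, pat in EAP_PATTERNS.items():
        em = pat.search(rec["msg"])
        if em:
            rec["kind"] = kind
            rec["mac"] = em.group("mac").lower()
            break
    return rec


def parse_syslog(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def eap_failures_by_station(records):
    """Map each station MAC to a Counter of EAP failure kinds (non-EAP lines ignored)."""
    per_sta = defaultdict(Counter)
    for r in records:
        if r["kind"]:
            per_sta[r["mac"]][r["kind"]] += 1
    return dict(per_sta)


def assess(records, widespread_threshold=5):
    """Summarise EAP failures; 'widespread_outage' when many distinct stations fail.

    The threshold is an assumed starting value, not a Cisco-defined limit.
    """
    per_sta = eap_failures_by_station(records)
    eap = [r for r in records if r["kind"]]
    if not eap:
        return {"verdict": "no_eap_failures", "stations": 0, "events": 0}
    span = (max(r["ts"] for r in eap) - min(r["ts"] for r in eap)).total_seconds()
    # Stations with the most failures first; ties broken by MAC for stable output.
    top = sorted(per_sta.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))[:3]
    verdict = "widespread_outage" if len(per_sta) >= widespread_threshold else "isolated_clients"
    return {"verdict": verdict, "stations": len(per_sta), "events": len(eap),
            "span_seconds": span, "top": top}


if __name__ == "__main__":
    result = assess(parse_syslog(SAMPLE_SYSLOG))
    print(f"{result['verdict']}: {result['events']} EAP failures across "
          f"{result['stations']} stations in {result['span_seconds']:.0f}s")
    for mac, kinds in result["top"]:
        print(f"  {mac}: {dict(kinds)}")
```

On the constructed sample the verdict is widespread, since six distinct stations exhaust their EAP retries within under a minute; the same script run on a feed where one or two MACs dominate would instead point at those clients, which is the case the reply describes.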