New Member

802.1x authentication on PSK key mgmt?

Hello,

I'm setting up a new 5508 WLC (the first WLC I have ever set up) and I have my WLAN set up with our existing WPA/TKIP SSID for transitioning our clients from our existing autonomous system to the WLC. I have selected PSK as the key mgmt and I can get the clients to connect for a few minutes but I keep seeing these errors:

Fri Aug 21 08:50:05 2009 Client Excluded: MACAddress:00:21:00:f9:dd:50 Base Radio MAC :00:23:eb:27:e3:b0 Slot: 1 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4

I don't have nor do I want 802.1x enabled. Is there something I need to disable either on the client or the controller?

Thanks.

Dan.

21 REPLIES

Re: 802.1x authentication on PSK key mgmt?

Congrats on getting your first controller set up. Since you don't have any 802.1X configured, could it be that the client in question is trying to use an incorrect PSK?

New Member

Re: 802.1x authentication on PSK key mgmt?

I don't think so. All of the clients connect, but then get disconnected with the 802.1x error message.

Dan.

New Member

My scenario is as follows:

Access: Client->AP->WLC

Authentication: Client->AP->WLC->Radius

IP assignment after the authentication: Client->DHCP

I had the same log trap "Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4". I looked at the RADIUS log and the cause was the PEAP algorithm, and the RADIUS talks in EAP. I changed the properties of my wireless network (Control Panel->Internet and Networks->Wireless Management): in the Security tab, under authentication method, I chose intelligent card and other certification, and that's it.


New Member

Re: 802.1x authentication on PSK key mgmt?

If I click on the client and look at the client details it shows under the policy manager state that 802.1x is required. Is there something configured wrong on the client?

Clients > Detail

Client Properties

MAC Address 00:21:00:f9:dd:50

IP Address

Client Type

WGB MAC Address

Number of Wired Client(s)

User Name

Port Number

Interface

VLAN ID

CCX Version

E2E Version

Mobility Role

Mobility Peer IP Address

Policy Manager State 8021X_REQD

Management Frame Protection

New Member

Re: 802.1x authentication on PSK key mgmt?

I have come across some more information regarding my problem.

When the LAP cannot connect to the WLC then everything works! The clients can connect just fine without problems. As soon as I take the ACL off the switch port and allow the LAP to connect back to the controller, the clients cannot connect.

New Member

Re: 802.1x authentication on PSK key mgmt?

Just another note.

When I set the WLAN to no authentication (open system) then I can connect to the AP when it is in H-REAP mode and communicating with the controller. When I have the WLAN set to WPA/AES/PSK I cannot connect.

Is there a known bug in 6.0.182.0?

Cisco Employee

802.1x authentication on PSK key mgmt?

Is there a specific reason to use that 6.0 code? Upgrade to the latest 7.0.240 code and try to reproduce the issue.

New Member

802.1x authentication on PSK key mgmt?

Look at the date of my original post.  It is nearly 4 years ago!  I don't know why people are responding to this thread.

Hall of Fame Super Silver

802.1x authentication on PSK key mgmt?

People seem to want to add onto what was posted already... I don't know why, but it's better if they did open up their own thread.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: 802.1x authentication on PSK key mgmt?

I had a similar problem a while ago, caused by WCS not setting the PSK correctly on the WLC. Cisco TAC informed me that the error message is not necessarily a dot1x error message; it can also indicate a PSK error (wrong key).

Are you using WCS to push the PSK to the WLC?

New Member

Re: 802.1x authentication on PSK key mgmt?

No, I am not using WCS. I contacted TAC and it looks like it might be a bug in the 6.x software. Their next step was to re-create it in their lab.

Re: 802.1x authentication on PSK key mgmt?

If you are using WPA with AES, then I would change that setting - either use WPA with TKIP, or use WPA2 with AES (even if that does not solve your problem). Even though you are supposed to be able to mix and match WPA/WPA2 and TKIP/AES, I have seen some clients that work better using WPA/TKIP or WPA2/AES.

New Member

Re: 802.1x authentication on PSK key mgmt?

It's not that either. I have tried every combination of WPA and WPA2...the only ones that work are WEP or Open System.

WPA and WPA2 work when the ap connection to the controller is lost. So it looks like the ap is not operating in H-Reap mode when it has a connection to the controller.

New Member

Re: 802.1x authentication on PSK key mgmt?

Does your PSK have any numbers, special characters or is it exceptionally long? Try temporarily changing the PSK to something short with lower case characters only to see if that allows you to connect.

New Member

Re: 802.1x authentication on PSK key mgmt?

I fixed the problem a while ago with a restart of the controller. I had never restarted it after the initial bootup.

New Member

Re: 802.1x authentication on PSK key mgmt?

Hey,

I have the same problem with a Cisco 2100 Series WLC on software version 7.0.98.0.

I get a lot of error messages in Log Monitor which look like these:

0  Thu Dec 9 09:00:28 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
1  Thu Dec 9 08:57:09 2010  Interference Profile Failed for Base Radio MAC: (..................) and slotNo: 0
2  Thu Dec 9 08:53:43 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
3  Thu Dec 9 07:57:15 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
4  Thu Dec 9 07:54:10 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4
5  Thu Dec 9 07:50:42 2010  Client Excluded: MACAddress:(..................) Base Radio MAC :(..................) Slot: 0 User Name: unknown Ip Address: (..................) Reason:802.1x Authentication failed 3 times. ReasonCode: 4

I'm not using 802.X authentication, it's just WPA/TKIP ...not even WPA2/AES. Each client gets disconnected a few times per day. Auth fails like you see above, but most of the time the connection just works. Not as good as I'd want it to, but it works, somehow.

I have also set up two WLANs for other devices like printers etc. - it works just fine. I mean - no errors, no disconnects, it works perfectly, but why the hell is WPA not working?!

The second, bigger problem is that every computer connected via WiFi is losing one ping packet every minute. I have WLC -> 7 x AP -> End devices.

Everything up to the APs is connected via Ethernet, then it's a WiFi connection. When I'm pinging the WLC or APs from a LAN-connected PC it works fine, but when I'm pinging WiFi-connected end devices (6 PCs) - each one is losing one packet at exactly the same time - every minute.

When I'm doing the same but from the other side - a WiFi-connected PC pinging the APs, WLC, LAN PC - I lose one ping packet to each device including AP, WLC, other end devices.

It's definitely a fault in the WLC configuration because I lose these packets on APs <-> WiFi devices. Any idea, any clue? I'm not sure which setting is responsible for that.

Thanks in advance for any hints, suggestions.

Regards,

Łukasz
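
A way to triage the "Client Excluded" traps quoted in this thread, added here as an example and not part of any post: the Python sketch below parses the trap text, groups exclusions per client MAC, and reports how often and on which radios each client was excluded, which helps separate a single misbehaving client from a WLAN-wide problem. The MAC addresses and sample lines are constructed, and the function names `parse_trap` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Trap text as quoted in this thread; a leading Log Monitor row index and
# variable spacing around the timestamp are tolerated.
TRAP_RE = re.compile(
    r"^\d*\s*(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*"
    r"Client Excluded: MACAddress:(?P<client>\S+) "
    r"Base Radio MAC :(?P<radio>\S+) Slot: (?P<slot>\d+) "
    r"User Name: (?P<user>.+?) Ip Address: (?P<ip>.+?) "
    r"Reason:(?P<reason>.+?)\. ReasonCode: (?P<code>\d+)\s*$")

def parse_trap(line):
    """Return a dict for a 'Client Excluded' trap line, or None for anything else."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["code"] = int(rec["code"])
    return rec

def summarize(lines, min_events=2):
    """Group exclusions per client; 'repeat' marks clients excluded min_events+ times."""
    by_client = defaultdict(list)
    for rec in filter(None, map(parse_trap, lines)):
        by_client[rec["client"].lower()].append(rec)
    report = {}
    for mac, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        report[mac] = {"count": len(recs),
                       "radios": sorted({r["radio"].lower() for r in recs}),
                       "min_gap_s": min(gaps) if gaps else None,
                       "repeat": len(recs) >= min_events}
    return report

# Constructed sample lines (MAC addresses are made up), in both pasted layouts.
_TAIL = " User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4"
SAMPLE = [
    "0Thu Dec 9 09:00:28 2010Client Excluded: MACAddress:02:00:00:00:00:01 Base Radio MAC :02:00:00:aa:00:10 Slot: 0" + _TAIL,
    "1Thu Dec 9 08:57:09 2010Interference Profile Failed for Base Radio MAC: 02:00:00:aa:00:10 and slotNo: 0",
    "2  Thu Dec 9 08:53:43 2010  Client Excluded: MACAddress:02:00:00:00:00:01 Base Radio MAC :02:00:00:aa:00:20 Slot: 0" + _TAIL,
    "Thu Dec 9 07:57:15 2010 Client Excluded: MACAddress:02:00:00:00:00:02 Base Radio MAC :02:00:00:aa:00:10 Slot: 1" + _TAIL,
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```
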

Cisco Employee

802.1x authentication on PSK key mgmt?

Use WPA AES, or try the changes below to see if that makes any difference:

disable client exclusion

disable tkip countermeasure

Re: 802.1x authentication on PSK key mgmt?

I have a similar issue on 7.0.98.0 / 5508.

Version 7.0.98.0 / 5508- WPA/TKIP psk doesn't work

Version 7.0.98.0 / 5508- WPA2/AES psk works

downgraded to 6.0.199.0

Version 7.0.98.0 / 5508- WPA/TKIP psk works

Version 7.0.98.0 / 5508- WPA2/AES psk works


upgraded back to 7.0.98.0

Version 7.0.98.0 / 5508- WPA/TKIP psk doesn't work

Version 7.0.98.0 / 5508- WPA2/AES psk works


I called TAC and they mentioned there were no known issues. Although I have not had a chance to work with them on the issue.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

802.1x authentication on PSK key mgmt?

Hello all.

Right now I am facing the same issue described here. My controller is running software version 7.2.103.0.

Did you manage to find a cause for this failure and/or a solution for it?

Thanks!!!

Cisco Employee

802.1x authentication on PSK key mgmt?

Does the issue happen with all your clients or certain clients?

Did you verify the driver version of your wireless adapter? Make sure to have it updated to the latest firmware version.

802.1x authentication on PSK key mgmt?

Good afternoon; I also have the same problem, and when I choose REMOVE the client is only removed for a few seconds, then it returns to the EXCLUDED CLIENTS group. I have likewise done DISABLE, and from the DISABLE group I have done REMOVE, but it gets excluded again.

I attach the error message.

Client Excluded: MACAddress:9c:b7:0d:2a:5f:cf Base Radio MAC :f4:ea:67:c1:57:10 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4

Thanks.

Knut Axel Osorio Alayo ======================== Networks and Data Communications Professional