I'm working with a customer on a 2106 controller with 1130 series APs. Everything seems fine until the client does a reauthentication. At this point the clients send a stream of authentication attempts to the RADIUS server (40 or so a second). The RADIUS (Microsoft IAS) is passing the authentication. The controller has the error: DOT1X-1-INVALID_WPA_KEY_STATE: Received EAPOL-key message while in invalid state (0) - version 1, type 3, descriptor 254 with the MAC address of the offending client in the log, at the same rate as the authentication storm. The clients have current drivers. We are using the Microsoft supplicant and have the Microsoft updates (SP2 and relevant wireless patches) installed.
I'm currently testing using the Intel supplicant, but have not been doing it long enough to see if it is an issue with that supplicant.
Honestly this was so long ago I don't remember what I did to resolve the issue.
Is your RADIUS local to the clients or are they authenticating through the WAN?
What type of encryption are you using and also what authentication method? Do you have the same issue if users are on an SSID that is open, with no type of encryption or authentication?
In WLANs > Edit -> Security Layer 2 I'm choosing WPA+WPA2 with TKIP and PSK.
In WLANs > Edit -> AAA Servers, I mark enabled "Local EAP Authentication" with "LocalEAP" EAP profile name.
Then, in Local Net Users > Edit, I fill the fields.
Is this configuration correct?
Okay... for this WLAN SSID, you selected WPA+WPA2. Here you should define either WPA w/ TKIP or WPA2 w/ AES... or both. WPA2 performs better than WPA, but that depends on your client supporting WPA2. Since you selected PSK, you must have entered a pre-shared key. So in the AAA server tab, you don't have to enable local EAP authentication.
For local EAP, you need to choose WPA+WPA2 and 802.1X. This will also require a certificate on the WLC. I won't go into this too much because you are using PSK. Now on the client side, you would configure the SSID and either WPA TKIP or WPA2 AES and PSK... not enterprise. Enter your pre-shared key in the client and you should be good to go!