Invalid Message Authenticator in EAP Request

lmslattery
Level 1

Hi,

I am attempting to configure Infrastructure authentication for WDS and WPA/PEAP Client authentication using ACS 4.1(1) Build 23 from an Aironet 1210 running IOS 12.3(8)JEC.

I have a production ACS server that has both LEAP and PEAP enabled under the global configuration options.

The access point has been correctly defined as a NAS using RADIUS-Aironet on the ACS server. The Access point has ACS defined as a RADIUS server and the shared secret set the same as the NAS definition within ACS.

For both WDS Infrastructure authentications (LEAP) and client authentication requests to the access point using PEAP I receive the following message in the ACS failed log:

"Invalid message authenticator in EAP request"

A search on CCO tells me that this is normally the result of a shared secret mismatch. I have however retyped the shared secret several times, and tested with simple strings such as "cisco" and the same result is received. Both the Radius definition on the AP and the NAS definition on ACS have been re-created with no change in result.

As a test I ran up a clean install of ACS 4.1(1)23 in a VMware session. Configured a NAS object for the AP as I had previously done on the production system and it worked first go.

Would anyone have any clues on what could be wrong with my production ACS?

Many Thanks,

Leon

19 Replies

I don't see where you mentioned about the device groups. The strange part is that another WLC was authing with no problem. Very odd.

Thinking about it. The ACS I was originally having problem with was also setup for "Device Groups".

Even though I was having this issue with Autonomous AP's rather than WLC's I'd say our problems are related.

Device group doesn't have to be configured if you don't want to. One working and the other not is not very strange for some odd reason. At least you got it to work.

-Scott
*** Please rate helpful posts ***

Just want to thank all for this post. Have just brought up a new 4.1 install and have been fighting with EAP-FAST authentication off and on for the past day or so (should know by now to look here first). Anyway, I removed the WLC from a device group and it started working.

I have a question: when you placed the AAA client under an NDG, was there any Shared Key defined on the NDG level? Because it is an expected behavior that if you define a Shared Key on the NDG level, it over-rides the key at the AAA Client level.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738

Refer to Step 4:

"Each device that is assigned to the Network Device Group will use the shared key that you enter here. The key that was assigned to the device when it was added to the system is ignored. If the key entry is null, the AAA client key is used."

Regards,

Prem

Please rate if it helps!
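The check behind this error, sketched as an added example that is not part of any post above and is not Cisco's code: the RADIUS Message-Authenticator (attribute 80, RFC 3579) is an HMAC-MD5 over the whole Access-Request keyed with the shared secret, so a non-null NDG key makes a request signed with the AAA client key fail verification. The function names, the key-resolution helper (modelled only on the guide sentence quoted above) and the sample packet are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def build_access_request(secret, ident, user, eap):
    """Build an Access-Request and sign it the way the NAS (the AP) does."""
    attrs = attr(1, user) + attr(79, eap) + attr(MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    pkt = header + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # attribute 80 is the last attribute in this packet

def verify_message_authenticator(pkt, secret):
    """Server side: zero the 16-byte value, recompute HMAC-MD5, compare."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    pos = 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            return False  # malformed attribute
        if t == MSG_AUTH and l == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += l
    return False  # requests carrying EAP-Message must include attribute 80

def effective_secret(client_key, ndg_key):
    """Hypothetical helper: per the quoted guide text, a non-null NDG key wins."""
    return ndg_key if ndg_key else client_key

def acs_accepts(pkt, client_key, ndg_key):
    """Hypothetical server check using whichever key is in effect."""
    return verify_message_authenticator(pkt, effective_secret(client_key, ndg_key))

# Constructed sample: the AP signs with "cisco", the test string from the first post.
EAP_IDENTITY = bytes([2, 1, 0, 9, 1]) + b"leon"  # EAP-Response/Identity
SAMPLE = build_access_request(b"cisco", 7, b"leon", EAP_IDENTITY)
```

Retyping the AAA client key changes nothing in the failing case, because that key is never the one used for verification while the group key is set.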
