New Member

PEAP, WLC 5508, MS NAP, ASA5510 - Windows 7

Morning all,

I have an issue which I just can't seem to resolve so any help or pointers would be much appreciated.

Firstly the setup:

I have an ASA 5510 that sits between the 'Inside' (core) network and the wireless network.

I have 2 x WLC 5508 that between them support 50 1142 APs that sit in the wireless network.

I have 2 x MS NAP RADIUS servers on the 'Inside network' for AAA. The ASA is configured to pass AAA as well as DHCP and DNS requests.

 

The wireless network historically has been WPA2-PSK with MAC filtering. However, as time has progressed, more and more users are using the wireless, so the WPA-PSK with MAC filtering was an administrative headache.

So I opted to set up PEAP - though a little daunting at first, the WPA2-Enterprise solution is now up and running. Users can use any device so long as they can provide their correct credentials.

We are able to support Apple devices, Chromebooks, Android and Windows 8 without any fuss (all non-domain)... however Windows 7 will not connect!

I have been all over the net and though there seem to be many people in the same boat there doesn't seem to be a solution.

I have mimicked the settings from Windows 8 directly onto Windows 7 and it still won't work. I had heard that some Intel chips had issues - so I took a Windows 7 device that didn't work on the wireless and loaded Windows 8 - worked perfectly. I thought it may be a driver issue, so I changed the Intel chip to a Broadcom in Windows 7 - still no joy. I have tried various laptops, different makes, chipsets, drivers...

I'm thinking now that perhaps the supplicant doesn't work in Windows 7 with WPA2-Enterprise. That Windows 7 itself is the issue?

Has anyone else come across this, if so how did you fix it?

Many thanks in advance.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

EDIT*****

I have done some packet sniffing and run through the logs on the WLCs - there seems to be an endless loop going on where the 'access-challenge' is received from the RADIUS server which is followed by a 'Successful transmission of Authentication Packet' - which then eventually culminates in an error.

This ONLY happens with Windows 7, all the other OSes work perfectly. This is going a bit beyond my skillset so if anyone has any experience in dealing with this some help would be appreciated.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

*radiusTransportThread: May 23 10:06:12.928: ****Enter processRadiusResponse: response code=11

*radiusTransportThread: May 23 10:06:12.928: 1c:65:9d:6e:a9:e9 Access-Challenge received from RADIUS server 10.5.107.250 for mobile 1c:65:9d:6e:a9:e9 receiveId = 32
*Dot1x_NW_MsgTask_1: May 23 10:06:12.937: apfVapRadiusClientInfoGet: Client 1C:65:9D:6E:A9:E9  dynamic int attributes srcAddr: 0.0.0.0 , gw: 0.0.0.0 mask: 0.0.0.0 , vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: May 23 10:06:12.938: 1c:65:9d:6e:a9:e9 Successful transmission of Authentication Packet (id 200) to 10.5.107.250:1812, proxy state 1c:65:9d:6e:a9:e9-00:01
*radiusTransportThread: May 23 10:06:12.939: ****Enter processIncomingMessages: response code=11

*radiusTransportThread: May 23 10:06:12.939: ****Enter processRadiusResponse: response code=11

*radiusTransportThread: May 23 10:06:12.939: 1c:65:9d:6e:a9:e9 Access-Challenge received from RADIUS server 10.5.107.250 for mobile 1c:65:9d:6e:a9:e9 receiveId = 32
*Dot1x_NW_MsgTask_1: May 23 10:06:12.956: apfVapRadiusClientInfoGet: Client 1C:65:9D:6E:A9:E9  dynamic int attributes srcAddr: 0.0.0.0 , gw: 0.0.0.0 mask: 0.0.0.0 , vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: May 23 10:06:12.957: 1c:65:9d:6e:a9:e9 Successful transmission of Authentication Packet (id 201) to 10.5.107.250:1812, proxy state 1c:65:9d:6e:a9:e9-00:01
*radiusTransportThread: May 23 10:06:12.958: ****Enter processIncomingMessages: response code=11

*radiusTransportThread: May 23 10:06:12.958: ****Enter processRadiusResponse: response code=11

*radiusTransportThread: May 23 10:06:12.958: 1c:65:9d:6e:a9:e9 Access-Challenge received from RADIUS server 10.5.107.250 for mobile 1c:65:9d:6e:a9:e9 receiveId = 32
*Dot1x_NW_MsgTask_1: May 23 10:06:12.982: apfVapRadiusClientInfoGet: Client 1C:65:9D:6E:A9:E9  dynamic int attributes srcAddr: 0.0.0.0 , gw: 0.0.0.0 mask: 0.0.0.0 , vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: May 23 10:06:12.982: 1c:65:9d:6e:a9:e9 Successful transmission of Authentication Packet (id 202) to 10.5.107.250:1812, proxy state 1c:65:9d:6e:a9:e9-00:01
*radiusTransportThread: May 23 10:06:12.984: ****Enter processIncomingMessages: response code=3

*radiusTransportThread: May 23 10:06:12.984: ****Enter processRadiusResponse: response code=3

*radiusTransportThread: May 23 10:06:12.984: 1c:65:9d:6e:a9:e9 Access-Reject received from RADIUS server 10.5.107.250 for mobile 1c:65:9d:6e:a9:e9 receiveId = 32
*radiusTransportThread: May 23 10:06:12.984: 1c:65:9d:6e:a9:e9 [Error] Client requested no retries for mobile 1C:65:9D:6E:A9:E9
*radiusTransportThread: May 23 10:06:12.985: 1c:65:9d:6e:a9:e9 Returning AAA Error 'Authentication Failed' (-4) for mobile 1c:65:9d:6e:a9:e9

2 REPLIES
Cisco Employee

Can you please share the following:

show sysinfo

show WLAN <WLAN id>

debug aaa all enable 

New Member

Morning, the info requested, except for the debug AAA all, which spits out reams, so I ran the debug client command instead.

Debug Client 1c:65:9d:6e:a9:e9

 

*osapiBsnTimer: Jun 02 08:36:19.872: 1c:65:9d:6e:a9:e9 802.1x 'txWhen' Timer expired for station 1c:65:9d:6e:a9:e9 and for message = M0
*dot1xMsgTask: Jun 02 08:36:19.872: 1c:65:9d:6e:a9:e9 dot1x - moving mobile 1c:65:9d:6e:a9:e9 into Connecting state
*dot1xMsgTask: Jun 02 08:36:19.872: 1c:65:9d:6e:a9:e9 Sending EAP-Request/Identity to mobile 1c:65:9d:6e:a9:e9 (EAP Id 3)


*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Association received from mobile on BSSID 64:d8:14:6f:7d:c4
*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Global 200 Clients are allowed to AP radio

*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Max Client Trap Threshold: 0  cur: 7

*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Rf profile 200 Clients are allowed to AP wlan

*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 Re-applying interface policy for client

*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 In processSsidIE:4202 setting Central switched to TRUE
*apfMsConnTask_2: Jun 02 08:36:45.848: 1c:65:9d:6e:a9:e9 In processSsidIE:4205 apVapId = 4 and Split Acl Id = 65535
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Applying site-specific Local Bridging override for station 1c:65:9d:6e:a9:e9 - vapId 5, site 'Preston', interface 'management'
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Applying Local Bridging Interface Policy for station 1c:65:9d:6e:a9:e9 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Applying site-specific override for station 1c:65:9d:6e:a9:e9 - vapId 5, site 'Preston', interface 'management'
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Re-applying interface policy for client

*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2246)
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 STA - rates (4): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Processing RSN IE type 48, length 20 for mobile 1c:65:9d:6e:a9:e9
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Received RSN IE with 0 PMKIDs from mobile 1c:65:9d:6e:a9:e9
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Setting active key cache index 8 ---> 8
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 unsetting PmkIdValidatedByAp
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Initializing policy
*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_2: Jun 02 08:36:45.849: 1c:65:9d:6e:a9:e9 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 64:d8:14:6f:7d:c0 vapId 5 apVapId 4 flex-acl-name:
*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 apfPemAddUser2 (apf_policy.c:276) Changing state for mobile 1c:65:9d:6e:a9:e9 on AP 64:d8:14:6f:7d:c0 from Associated to Associated

*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 apfPemAddUser2:session timeout forstation 1c:65:9d:6e:a9:e9 - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is  0
*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 Sending Assoc Response to station on BSSID 64:d8:14:6f:7d:c3 (status 0) ApVapId 4 Slot 0
*apfMsConnTask_2: Jun 02 08:36:45.850: 1c:65:9d:6e:a9:e9 apfProcessAssocReq (apf_80211.c:7391) Changing state for mobile 1c:65:9d:6e:a9:e9 on AP 64:d8:14:6f:7d:c0 from Associated to Associated

*dot1xMsgTask: Jun 02 08:36:45.852: 1c:65:9d:6e:a9:e9 dot1x - moving mobile 1c:65:9d:6e:a9:e9 into Connecting state
*dot1xMsgTask: Jun 02 08:36:45.852: 1c:65:9d:6e:a9:e9 Sending EAP-Request/Identity to mobile 1c:65:9d:6e:a9:e9 (EAP Id 1)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:45.959: 1c:65:9d:6e:a9:e9 Received EAPOL START from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:45.959: 1c:65:9d:6e:a9:e9 dot1x - moving mobile 1c:65:9d:6e:a9:e9 into Connecting state
*Dot1x_NW_MsgTask_1: Jun 02 08:36:45.959: 1c:65:9d:6e:a9:e9 Sending EAP-Request/Identity to mobile 1c:65:9d:6e:a9:e9 (EAP Id 2)
*apfMsConnTask_3: Jun 02 08:36:49.618: Stats update: Non Zero value


*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.711: 1c:65:9d:6e:a9:e9 Received EAPOL EAPPKT from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.711: 1c:65:9d:6e:a9:e9 Received Identity Response (count=2) from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.711: 1c:65:9d:6e:a9:e9 EAP State update from Connecting to Authenticating for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.711: 1c:65:9d:6e:a9:e9 dot1x - moving mobile 1c:65:9d:6e:a9:e9 into Authenticating state
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.711: 1c:65:9d:6e:a9:e9 Entering Backend Auth Response state for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.727: 1c:65:9d:6e:a9:e9 Processing Access-Challenge for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.727: 1c:65:9d:6e:a9:e9 Entering Backend Auth Req state (id=3) for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.727: 1c:65:9d:6e:a9:e9 Sending EAP Request from AAA to mobile 1c:65:9d:6e:a9:e9 (EAP Id 3)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.740: 1c:65:9d:6e:a9:e9 Received EAPOL EAPPKT from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.741: 1c:65:9d:6e:a9:e9 Received EAP Response from mobile 1c:65:9d:6e:a9:e9 (EAP Id 3, EAP Type 25)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.741: 1c:65:9d:6e:a9:e9 Entering Backend Auth Response state for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.743: 1c:65:9d:6e:a9:e9 Processing Access-Challenge for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.743: 1c:65:9d:6e:a9:e9 Entering Backend Auth Req state (id=4) for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.743: 1c:65:9d:6e:a9:e9 Sending EAP Request from AAA to mobile 1c:65:9d:6e:a9:e9 (EAP Id 4)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.759: 1c:65:9d:6e:a9:e9 Received EAPOL EAPPKT from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.759: 1c:65:9d:6e:a9:e9 Received EAP Response from mobile 1c:65:9d:6e:a9:e9 (EAP Id 4, EAP Type 25)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.759: 1c:65:9d:6e:a9:e9 Entering Backend Auth Response state for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.761: 1c:65:9d:6e:a9:e9 Processing Access-Challenge for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.761: 1c:65:9d:6e:a9:e9 Entering Backend Auth Req state (id=5) for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.761: 1c:65:9d:6e:a9:e9 Sending EAP Request from AAA to mobile 1c:65:9d:6e:a9:e9 (EAP Id 5)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.794: 1c:65:9d:6e:a9:e9 Received EAPOL EAPPKT from mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.795: 1c:65:9d:6e:a9:e9 Received EAP Response from mobile 1c:65:9d:6e:a9:e9 (EAP Id 5, EAP Type 25)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.795: 1c:65:9d:6e:a9:e9 Entering Backend Auth Response state for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 Processing Access-Reject for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 Removing PMK cache due to EAP-Failure for mobile 1c:65:9d:6e:a9:e9 (EAP Id 5)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 Sending EAP-Failure to mobile 1c:65:9d:6e:a9:e9 (EAP Id 5)
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 Entering Backend Auth Failure state (id=5) for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 Setting quiet timer for 5 seconds for mobile 1c:65:9d:6e:a9:e9
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 1c:65:9d:6e:a9:e9 dot1x - moving mobile 1c:65:9d:6e:a9:e9 into Unknown state
*apfMsConnTask_1: Jun 02 08:36:56.473: Stats update: Non Zero value


(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.4.100.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

System Name...................................... Cisco5508_WLC_Primary
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 172.20.255.201
Last Reset....................................... Software reset
System Up Time................................... 12 days 19 hrs 55 mins 32 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... GB  - United Kingdom
Operating Environment............................ Commercial (0 to 40 C)

--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +41 C
External Temperature............................. +29 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 4
Number of Active Clients......................... 35

Memory Current Usage............................. Unknown
Memory Average Usage............................. Unknown
CPU Current Usage................................ Unknown
CPU Average Usage................................ Unknown

Burned-in MAC Address............................ 50:57:A8:C7:01:81
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 50

 

(Cisco Controller) >show WLAN summary  

Number of WLANs.................................. 4

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name        PMIPv6 Mobility
-------  -------------------------------------  --------  --------------------  ---------------
1        00001 / 00001                    Enabled   management            none   
2        00002 / 00002                    Enabled   management            none   
4        00003 / 00003                    Enabled   management            none   
5        Test / Test                          Enabled   management            none  
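
The two debug captures in this thread show the same pattern: a few Access-Challenge rounds carrying EAP type 25 (PEAP), then an Access-Reject from the RADIUS server. As an added example (not part of the original posts and not Cisco tooling), the Python below summarizes that exchange per client from either debug format; the function names, the sample MAC and the server address are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the WLC debug lines quoted in this thread;
# the client MAC and RADIUS server address are placeholders.
SAMPLE = """\
*radiusTransportThread: Jun 02 08:36:55.726: ****Enter processRadiusResponse: response code=11
*radiusTransportThread: Jun 02 08:36:55.726: 00:11:22:33:44:55 Access-Challenge received from RADIUS server 192.0.2.10 for mobile 00:11:22:33:44:55 receiveId = 32
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.727: 00:11:22:33:44:55 Processing Access-Challenge for mobile 00:11:22:33:44:55
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.741: 00:11:22:33:44:55 Received EAP Response from mobile 00:11:22:33:44:55 (EAP Id 3, EAP Type 25)
*radiusTransportThread: Jun 02 08:36:55.742: 00:11:22:33:44:55 Access-Challenge received from RADIUS server 192.0.2.10 for mobile 00:11:22:33:44:55 receiveId = 32
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.743: 00:11:22:33:44:55 Processing Access-Challenge for mobile 00:11:22:33:44:55
*radiusTransportThread: Jun 02 08:36:55.796: 00:11:22:33:44:55 Access-Reject received from RADIUS server 192.0.2.10 for mobile 00:11:22:33:44:55 receiveId = 32
*Dot1x_NW_MsgTask_1: Jun 02 08:36:55.797: 00:11:22:33:44:55 Processing Access-Reject for mobile 00:11:22:33:44:55
"""

LINE = re.compile(r"^\*[\w-]+: \w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}: "
                  r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
# The AAA debug and the client debug each log the same RADIUS reply, so the two
# views are counted apart to avoid doubling a reply when both are enabled.
VIEWS = {
    "radius": re.compile(r"Access-(Challenge|Reject|Accept) received from RADIUS"),
    "dot1x": re.compile(r"Processing Access-(Challenge|Reject|Accept) for mobile"),
}
EAP_RESP = re.compile(r"Received EAP Response .*EAP Type (\d+)")
EAP_NAMES = {13: "EAP-TLS", 25: "PEAP"}  # IANA EAP method type numbers


def summarize(log_text):
    """Per client MAC: [(challenge_rounds, final_result), ...] and EAP methods seen."""
    state = defaultdict(lambda: {"open": defaultdict(int), "done": defaultdict(list), "eap": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # blank lines and '****Enter ...' lines carry no client MAC
        c, msg = state[m[1].lower()], m[2]
        for view, rx in VIEWS.items():
            hit = rx.match(msg)
            if hit and hit[1] == "Challenge":
                c["open"][view] += 1
            elif hit:  # Accept or Reject closes the current attempt
                c["done"][view].append((c["open"].pop(view, 0), "Access-" + hit[1]))
        eap = EAP_RESP.search(msg)
        if eap:
            c["eap"].add(EAP_NAMES.get(int(eap[1]), "type " + eap[1]))
    return {mac: {"attempts": max(c["done"].values(), key=len, default=[]),
                  "eap": sorted(c["eap"])} for mac, c in state.items()}


def only_rejected(summary):
    """Client MACs whose every completed attempt ended in Access-Reject."""
    return [mac for mac, s in summary.items()
            if s["attempts"] and all(r == "Access-Reject" for _, r in s["attempts"])]
```

Calling `summarize(SAMPLE)` returns one entry per client with the number of challenge rounds before each final result, which makes it easy to compare a failing Windows 7 client against a working one from the same capture.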
