cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6855
Views
20
Helpful
77
Replies

Wireless 5508 802.1x Part 2

JohnTylerPearce
Level 7
Level 7

With stephens help I was able to get most of my Wireless 802.1x setup configured properly. I'm not having a problem with the client authenticating using user/pass credentials. I have a Wireless XP Client (testing with), which connects to a LWAP, which connects to a WLC 5508, and then Cisco ACS for authentication. I put in my user credentials of tylerp (test account) with the correct password but nothing happens, it just keeps asking me to enter in

credentials after a few seconds. I started Wireshark on my laptop and I can see the following.

Source

Cisco_1e:3a:8f

Destination

IntelCor_85:9e:46

Protocol

EAP

Information

Request, Identity [RFC3748]

It looks like it's asking the client for credentials but when I submit my credentials I dont see any response via wireshark. I'm not sure why that is.

I have included several photos from my WLC/ACS configuration. Any help would be great!

1 Accepted Solution

Accepted Solutions

You need to use the rule based selection and not use NDG but ip address of the AAA client.  Since the NDG doesn't really work the way you think it would, it will always hit your first policy.  I have had the same issue and specifiying the ip address is the fix.

-Scott
*** Please rate helpful posts ***

View solution in original post

77 Replies 77

JohnTylerPearce
Level 7
Level 7

I'm also getting this error message on my WLC.

AAA Authentication Failure for UserName:tylerp User Type: WLAN USER

Sorry, I meant to add that in my previous post.

Hi John,

Did you add the radius server to teh WLC and the WLAN itself with the shared secert and did you add the WLC to the radius server ?

Also on the monitor screen of the WLC hit statistic and then radius ... post a pix of what you see there...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

you can also run a debug client < mac address>

this will show you the interaction between the WLC and the AAA server.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Yeah I added the radius server to the WLC and the WLAN. I also included the shared secret. I'll post a pic when I try to authenticate via 802.1x George, you'll just have to give me a few minutes. Stephen, would the mac address of the client by the WLC?

yes, the mac address of the wireless NIC you are testing with

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Also, what EAP are you using by chance ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Well on the client I'm using PEAP. I'm really not sure how to see on the WLC.

Here is a picture of the monitor.

(Cisco Controller) >debug client 001B77859E46

(Cisco Controller) >*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Sent Deauthenticate to mobile on BSSID b4:a4:e3:1e:3a:80 slot 1(caller 1x_auth_pae.c:2901)
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Disconnected state
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Not sending EAP-Failure for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [b4:a4:e3:1e:3a:80]
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Updated location for station old AP b4:a4:e3:1e:3a:80-1, new AP b4:a4:e3:1e:3a:80-0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Initializing policy
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 0
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Received EAPOL START from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 2)
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state

There you go Stephen....

Looks like your supplicant isnt responding

*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)

*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46

*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Ok, so I keep seeing the 'Sending Identity request to mobile message'

So it looks like the pc isn't responding.  So a couple of questions.

1.) the username you are using, is it the one you logged into the machine with?

2.) can you test with credentials you are able to login to the machine with?

If you are using WZC, the native windows supplicant, it tends to send the username/password combo you used to login to the machine, even when you tell it not to.  With IntelProset, you are able to set the username that the supplicant sends to the AAA.

You may also want to take a look at my doc on the EAP timers.

https://supportforums.cisco.com/docs/DOC-12110

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks for all the help guys. I'm using the default wireless client for XP Stephen. I noticed that in the wireshark logs Stephen, i sent the name of the user I logged on to, as the user/pass as credentials. It only did that though when I left the settings as default, which take the login/pass that you logged on to as credentials, when I choose to let the user provide the information, that's when I stopped seeing EAP-Reponse messages in my wireshark log. I'll give it a try with the IntelProset.

AAA Authentication Failure for UserName:tylerp User Type: WLAN USER

I'm still getting the following error message even if I use the Intel Pro Wireless configuration utility.

Here is the updated debug from the WLC

-----------------------------------------------------------

isco Controller) >*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Adding mobile on LWAPP AP 08:1f:f3:e1:bb:40(0)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 00:1b:77:85:9e:46 on AP 08:1f:f3:e1:bb:40 from Idle to Probe

*Dec 16 21:02:20.053: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.081: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.105: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.108: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.133: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.134: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [08:1f:f3:e1:bb:40]
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Updated location for station old AP 08:1f:f3:e1:bb:40-0, new AP b4:a4:e3:1e:3a:80-1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Initializing policy
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Probe to Associated

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Username entry (tylerp) created for mobile
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received Identity Response (count=1) from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 EAP State update from Connecting to Authenticating for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Authenticating state
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=69) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 WARNING: updated EAP-Identifer 1 ===> 69 for STA 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 69)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 69, EAP Type 3)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=70) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 70)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 70, EAP Type 25)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=71) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 71)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 71, EAP Type 25)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=72) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 72)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 72, EAP Type 25)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=73) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 73)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 73, EAP Type 25)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=74) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP

it looks like the 802.1x is at least progressing "Entering Backend Auth Req state"

What does the AAA server say in the logs?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Yeah, I'm assuming that means it's getting the response from the supplicant and starting to then ask the radius server which is Cisco ACS. Stephen, I have to go to work tomorrow for a little bit in the morning to take down some switches, I'm going to check out the ACS server while I'm in. Hopefully I can get you an answer tomorrow, if not monday morning for sure. Thanks again for all the help, both of you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: