New Member

WLC 5508 WPA Authentication Problems

Hello,

We have a WLC 5508 with 7.4.100.0 Firmware.

We are using 1141 and 1142 APs and we are having authentication problems with clients that are connecting to our WLAN with WPA+AES authentication. The clients receive a password error on their laptops, and we receive the following log on the WLC:


Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4

 

The strange thing is that the problem is solved by restarting the access points.

Has anyone had this problem previously?

 

Thanks in advance.

Accepted Solutions

Hi,

Don't be confused; dot1x is the security framework as well for 802.1X. While you are using PSK and NOT 802.1X security, it will show dot1x.

In fact the 4-way handshake is the same as well.

Based on what you show and the comments already made: when you have issues like this, it's always best to pull away the complexity.

I agree, don't mix security; use one or the other. Clients can be confused at times when they see both IEs in the management frames.

I would also do a client debug and try and catch a client in the act of misbehaving. If you do, post it.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
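One way to act on the trap message quoted in the question, as an added example that is not part of the thread or of Cisco's tooling: parse each "Client Excluded" line and group the exclusions by base radio MAC, since the thread reports that restarting the APs clears the failures. Every line in `SAMPLE` except the first is constructed, and the `min_clients` threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the single trap line quoted in the question.
TRAP_RE = re.compile(
    r"Client Excluded: MACAddress:(?P<client>[0-9a-f:]{17})\s+"
    r"Base Radio MAC\s*:(?P<radio>[0-9a-f:]{17})\s+Slot:\s*(?P<slot>\d+)\s+"
    r"User Name:\s*(?P<user>.*?)\s+Ip Address:\s*(?P<ip>\S+)\s+"
    r"Reason:(?P<reason>.*?)\s+ReasonCode:\s*(?P<code>\d+)",
    re.IGNORECASE,
)

TAIL = ("User Name: unknown Ip Address: unknown "
        "Reason:802.1x Authentication failed 3 times. ReasonCode: 4")
SAMPLE = [
    # Line from the question:
    "Client Excluded: MACAddress:f8:f1:eb:dd:ff:cd Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 " + TAIL,
    # Constructed lines (placeholder MACs) in the same format:
    "Client Excluded: MACAddress:02:00:00:00:00:01 Base Radio MAC :08:ad:dd:76:4d:30 Slot: 0 " + TAIL,
    "Client Excluded: MACAddress:02:00:00:00:00:02 Base Radio MAC :02:00:00:00:AA:00 Slot: 1 " + TAIL,
    "unrelated trap line (constructed)",
]

def parse_exclusions(lines):
    """Yield one dict per 'Client Excluded' trap; other lines are skipped."""
    for line in lines:
        m = TRAP_RE.search(line)
        if m:
            ev = {k: v.strip() for k, v in m.groupdict().items()}
            ev["client"], ev["radio"] = ev["client"].lower(), ev["radio"].lower()
            yield ev

def exclusions_by_radio(lines):
    """Map base radio MAC -> Counter of excluded client MACs."""
    per_radio = defaultdict(Counter)
    for ev in parse_exclusions(lines):
        per_radio[ev["radio"]][ev["client"]] += 1
    return per_radio

def suspect_radios(lines, min_clients=2):
    """Radios that excluded several distinct clients: points at the AP
    rather than at one client with a mistyped passphrase."""
    per_radio = exclusions_by_radio(lines)
    return sorted(r for r, c in per_radio.items() if len(c) >= min_clients)

if __name__ == "__main__":
    for radio in suspect_radios(SAMPLE):
        print(radio, dict(exclusions_by_radio(SAMPLE)[radio]))
```

On a PSK WLAN the `Reason` field still reads "802.1x Authentication failed", as the accepted answer explains, so the grouping is by radio and not by reason text.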
11 REPLIES
New Member

Use WPA/TKIP or WPA2/AES. Best not to mix & match.

New Member

I made the configuration using the Cisco recommended settings. The strange thing is that the users connect normally until they start having authentication problems. I restart the access points and the problem is solved.

Cisco Recommended and Not Recommended Authentication Settings

 

Security encryption settings need to be identical for WPA and WPA2 for TKIP and AES as shown in this image:

office-extend-config-10.gif

These images provide examples of incompatible settings for TKIP and AES:

office-extend-config-11.gif

Note: Be aware that security settings permit unsupported features.

These images provide examples of compatible settings:

office-extend-config-12.gif

Cisco Employee

Do you use PSK for the WLAN, or dot1x?

And does disabling the WLAN and enabling it again solve the issue?

New Member

Hello, we are using PSK, but we didn't try to disable and enable the WLAN. Do you think it's a good idea?

Cisco Employee

Yes, as we can see a misbehavior: the traplog shows us that the client is failing dot1x while the WLAN is not configured with dot1x.

New Member

Yes, the error says dot1x, but in our config we have selected in L2 Security WPA.WPA2

It's strange.

New Member

And 802.1x is disabled.

New Member

Please provide a screen shot of your WLAN security configuration.

Remember, use only WPA/TKIP OR WPA2/AES on a particular WLAN, not both.
