Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Can't connect to wireless using certificate with Android device

     

     

    Core Issue

    User is unable to connect to the wireless network using Android device with certificate

    Topology

    WLC 4402 7.0.235.3

    SSID Security (WPA2 Auth 802.1X + CCKM)

    MS Network Policy Server (NPS)

    WLC Logs

    (Cisco Controller) debug>*apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Association received from mobile on AP 00:3a:98:7d:cc:30
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Clearing Address 10.10.168.3 on mobile 
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 10.10.168.3 RUN (20) Skipping TMP rule add
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 apfMsRunStateDec
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 10.10.168.3 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Reached FAILURE: from line 5154
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Scheduling deletion of Mobile Station:  (callerId: 9) in 10 seconds
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:3a:98:7d:cc:30]
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying site-specific IPv6 override for station 20:02:af:a6:0a:85 - vapId 3, site 'BPA-SEDE', interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying IPv6 Interface Policy for station 20:02:af:a6:0a:85 - vlan 431, interface id 13, interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Applying site-specific override for station 20:02:af:a6:0a:85 - vapId 3, site 'BPA-SEDE', interface 'wifi - ip phones'
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 STA - rates (8): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 STA - rates (10): 139 22 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Processing RSN IE type 48, length 20 for mobile 20:02:af:a6:0a:85
    *apfMsConnTask_0: Jan 03 08:26:10.866: 20:02:af:a6:0a:85 Received RSN IE with 0 PMKIDs from mobile 20:02:af:a6:0a:85
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfMs1xStateDec
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:3a:98:7d:cc:30 vapId 3 apVapId 4for this client
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:3a:98:7d:cc:30 vapId 3 apVapId 4
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 20:02:af:a6:0a:85 on AP 00:3a:98:7d:cc:30 from Associated to Associated
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 Sending Assoc Response to station on BSSID 00:3a:98:7d:cc:30 (status 0) ApVapId 4 Slot 0
    *apfMsConnTask_0: Jan 03 08:26:10.867: 20:02:af:a6:0a:85 apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 20:02:af:a6:0a:85 on AP 00:3a:98:7d:cc:30 from Associated to Associated
    *pemReceiveTask: Jan 03 08:26:10.873: 20:02:af:a6:0a:85 0.0.0.0 Removed NPU entry.
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Station 20:02:af:a6:0a:85 setting dot1x reauth timeout = 0
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Stopping reauth timeout for 20:02:af:a6:0a:85 
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Connecting state
    *dot1xMsgTask: Jan 03 08:26:10.874: 20:02:af:a6:0a:85 Sending EAP-Request/Identity to mobile 20:02:af:a6:0a:85 (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 Received EAPOL EAPPKT from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 Received Identity Response (count=1) from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 EAP State update from Connecting to Authenticating for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.880: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Authenticating state
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.881: 20:02:af:a6:0a:85 Entering Backend Auth Response state for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Processing Access-Challenge for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Entering Backend Auth Req state (id=2) for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.886: 20:02:af:a6:0a:85 Sending EAP Request from AAA to mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.888: 20:02:af:a6:0a:85 Received EAPOL EAPPKT from mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.888: 20:02:af:a6:0a:85 Received EAP Response from mobile 20:02:af:a6:0a:85 (EAP Id 2, EAP Type 3)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.889: 20:02:af:a6:0a:85 Entering Backend Auth Response state for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Processing Access-Reject for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Removing PMK cache due to EAP-Failure for mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Sending EAP-Failure to mobile 20:02:af:a6:0a:85 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Entering Backend Auth Failure state (id=2) for mobile 20:02:af:a6:0a:85
    *Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 Setting quiet timer for 5 seconds for mobile 20:02:af:a6:0a:85*Dot1x_NW_MsgTask_0: Jan 03 08:26:10.891: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Unknown state
    *osapiBsnTimer: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 802.1x 'quiteWhile' Timer expired for station 20:02:af:a6:0a:85 and for message = M0
    *dot1xMsgTask: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 quiet timer completed for mobile 20:02:af:a6:0a:85
    *dot1xMsgTask: Jan 03 08:26:15.740: 20:02:af:a6:0a:85 dot1x - moving mobile 20:02:af:a6:0a:85 into Connecting state
    *dot1xMsgTask: Jan 03 08:26:15.741: 20:02:af:a6:0a:85 Sending EAP-Request/Identity to mobile 20:02:af:a6:0a:85 (EAP Id 4)

    When Used only 802.1x without CCKM,

    Authentication Failure logs

    Authentication Details:
    Connection Request Policy Name:         Use Windows authentication for all users
    Network Policy Name:                    Wireless
    Authentication Provider:                Windows
    Authentication Server:                  NPSServer.domain.local
    Authentication Type:                    EAP
    EAP Type:                          -
    Account Session Identifier:        -
    Logging Results:                        Accounting information was written to the local log file.
    Reason Code:                            22
    Reason:                                 The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Solution

    NPS requires certificate to authentication users.

    Reason code 22 means mismatch between server and client on EAP

    doc pic - NPS Eap.jpg

    The problem was regarding a certificate mismatch on server and a mismatch EAP method.

    Reference

    http://technet.microsoft.com/en-us/library/dd197464(v=ws.10).aspx

    Source

    This document was generated from the following discussion: