Cisco Support Community
The log of the Wireless LAN Controller displays the "Reached Max EAP-Identity Request retries" error message

Core Issue

These error messages can appear:

  • [SECURITY] 1x_auth_pae.c 2367: Reached Max EAP-Identity Request retries (21) for STA 00:00:00:00:00:00 "mac address"

  • Month Date time hub05wlc04  [WARNING] apf_80211.c 2156: Received a message with an invalid supported rate from station 00:00:00:00:00:00 "mac address"

This issue can occur because of mismatched data rates, radio frequency (RF) problems, or an older firmware version running on the controller.

Resolution

This section explains this error message:

[SECURITY] 1x_auth_pae.c 2367: Reached Max EAP-Identity Request retries (21) for STA 00:00:00:00:00:00 "mac address"

The 802.11 standard makes no provision for the prevention of dictionary attacks. Exclusion fills that gap. Exclusion detects authentication attempts that a single device makes, and when that device exceeds a maximum number of failures, the MAC address of the device is no longer allowed to associate with the controller. Exclusion occurs:

  • After five consecutive authentication failures for shared authentications and the sixth attempt is excluded
  • After five consecutive association failures for MAC authentication and the sixth attempt is excluded
  • After three consecutive EAP/802.1X authentication failures and the fourth attempt is excluded
  • After any external policy server failure (NAC)
  • With any IP address duplication instance
  • After three consecutive web authentication failures and the fourth attempt is excluded

The timer can be configured in order to specify how long to exclude a client, and exclusion can be enabled or disabled at the controller or Wireless LAN (WLAN) level.

The failed attempts sometimes do not appear in the Access Control Server (ACS) log. This happens because the option to log failed attempts is disabled by default in a new installation of ACS. It can be enabled from ACS under System Configuration > Logging > CSV Failed Attempts.

Though the correct credentials are provided, the reason for many failed attempts can be:

  1. If the authentication server is not on the same subnet as the Management Interface of the controller, routing can add latency to the dialog, where the client communicates with the authentication server through the controller. This latency can make the authentication server and the controller think there is a problem.

  2. If the RF environment is not clean and packets are corrupted at the lower half of Layer 2, which requires retransmission, Extensible Authentication Protocol (EAP) at the upper half does not necessarily know that an RF retry situation caused the client to not respond in an appropriate amount of time. RF corruption can also affect the contents of the packet, which gives the appearance of bad credentials.

The current version of software for the controller is 3.2.78.0. Use of the current version ensures that a previously resolved bug is not the cause of the problem.

Refer to Cisco Downloads in order to download the latest firmware version.

Month Date time hub05wlc04  [WARNING] apf_80211.c 2156: Received a message with an invalid supported rate from station 00:00:00:00:00:00 "mac address"

This error message suggests that the client cards are configured for data rates that do not match the access point configuration. Review the required and supported data rates on both the client and the controller.
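As an added example (not part of the original Cisco document), the following script reads controller log lines like the two shown above, counts the "Reached Max EAP-Identity Request retries" and "invalid supported rate" events per station MAC, and flags clients that have reached the three-failure EAP/802.1X exclusion threshold described earlier. The log lines, MAC addresses and timestamps are constructed samples.

```python
import re
from collections import Counter

# Constructed sample WLC syslog lines (not taken from the original page).
SAMPLE_LOG = """\
Jun 22 17:01:02 hub05wlc04 [SECURITY] 1x_auth_pae.c 2367: Reached Max EAP-Identity Request retries (21) for STA 00:11:22:33:44:55
Jun 22 17:01:09 hub05wlc04 [SECURITY] 1x_auth_pae.c 2367: Reached Max EAP-Identity Request retries (21) for STA 00:11:22:33:44:55
Jun 22 17:01:15 hub05wlc04 [WARNING] apf_80211.c 2156: Received a message with an invalid supported rate from station aa:bb:cc:dd:ee:ff
Jun 22 17:01:20 hub05wlc04 [SECURITY] 1x_auth_pae.c 2367: Reached Max EAP-Identity Request retries (21) for STA 00:11:22:33:44:55
Jun 22 17:01:33 hub05wlc04 [WARNING] apf_80211.c 2156: Received a message with an invalid supported rate from station aa:bb:cc:dd:ee:ff
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
# group(1) = retry count reported by the controller, group(2) = station MAC
EAP_RETRY_RE = re.compile(
    r"Reached Max EAP-Identity Request retries \((\d+)\) for STA " + MAC, re.I)
# group(1) = station MAC
BAD_RATE_RE = re.compile(r"invalid supported rate from station " + MAC, re.I)

# From the page: exclusion after three consecutive EAP/802.1X failures.
EAP_EXCLUSION_THRESHOLD = 3


def parse_log(text):
    """Count both message types per station MAC (lower-cased)."""
    counts = {"eap_retry_exhausted": Counter(), "invalid_rate": Counter()}
    for line in text.splitlines():
        m = EAP_RETRY_RE.search(line)
        if m:
            counts["eap_retry_exhausted"][m.group(2).lower()] += 1
            continue
        m = BAD_RATE_RE.search(line)
        if m:
            counts["invalid_rate"][m.group(1).lower()] += 1
    return counts


def classify(counts):
    """Map per-MAC counts to the likely causes the page lists."""
    findings = {}
    for mac, n in counts["eap_retry_exhausted"].items():
        note = "EAP identity retries exhausted: check RADIUS/ACS reachability, routing latency and RF"
        if n >= EAP_EXCLUSION_THRESHOLD:
            note += "; client has hit the EAP exclusion threshold"
        findings[mac] = note
    for mac in counts["invalid_rate"]:
        findings[mac] = "data-rate mismatch: compare client and controller supported rates"
    return findings


if __name__ == "__main__":
    for mac, note in classify(parse_log(SAMPLE_LOG)).items():
        print(mac, "->", note)
```

Run it against a real WLC syslog export instead of SAMPLE_LOG to see which stations are approaching exclusion before the controller blocks them.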

Problem Type

Error message

Products

Wireless LAN Controllers

Security Options

EAP

Version history: Revision 1 of 1, last updated 06-22-2009 05:07 PM.