Webauth frequently prompting for user credentials, How to avoid

Why does the end user frequently get prompted for credentials when using L2 security WPA/WPA2-PSK on a webauth WLAN?

Wireless Guest client Affected scenarios:

#When the client is at the edge of the cell or in an RF blind spot, it thinks it has lost the connection and starts a fresh one; a delayed or missing response to the WPA negotiation makes the WLC send a deauth. A longer EAP timer can help, but it may affect clients on other WLANs.

#Switching between two SSIDs that use different L2 security on the same controller: the WLC removes the client before adding it under the new WLAN.

#A client WPA decrypt or handshake error occurs while coming back to the same RF network from radio down/power save.

#The client resets the connection at some network layer because of a bad driver.

#Using an incorrect SSID to connect to a hidden guest SSID: the WLC/AP sends a deauth and removes the client from its database.

Wireless Guest client Unaffected scenarios:

#Moving out of RF coverage and back immediately, or after a couple of hours, without DHCP/WPA negotiation/handshake issues.

#Wireless client coming back from reboot/wireless radio down/power save mode.

#Client went to power save, lost its IP and came back.

#Client sending a disassoc/deauth on its radio shutdown/reboot; the WLC doesn't honor a disassoc/deauth from its connected client.

What happens when the client comes back to the RF network from power save/radio down/reboot?

#Association to a new AP -- the client is assigned a new AID; this doesn't cause a deauth to the client. A client coming out of idle can connect to a different AP on the same WLC; it shouldn't try to join a different WLC that doesn't have its entry.

#Open auth -- it has no state to maintain.

#WPA/WPA2 4-way handshake -- a deauth occurs only when there is an unexpected delay or no response to complete the negotiation.

#Broadcast key rotation -- the connection is reset because the client doesn't have the updated broadcast key; a deauth is sent when the client comes back from idle. Increase the broadcast key rotation timer.

#DHCP IP -- the DHCP policy timeout occurs and the client gets a deauth if there's a delay in the DHCP handshake or no DHCP response in 3 tries; otherwise fine. Disable 'DHCP Required', since it could introduce a hiccup and lead to a deauth.

#Guest anchor -- the webauth state 'RUN' is maintained on the anchor, similar to the Foreign in the 'non anchor' scenario.

#L2/L3 mobility/roaming -- in an RF blind spot, failover roaming between APs connected to different WLCs (in the same mobility group) deauths the client because of the mobility handoff timeout, and the client initiates a fresh connection on the new WLC.

#Disable -- user idle timeout, session timeout, Aironet IE, client exclusion, WMM required, MFP client protection, max allowed clients per radio/WLAN, client load balancing and client band select, to avoid a deauth during negotiation or on timer expiration.

#Web authentication -- RUN state: when the client comes back, it goes from last state RUN -> RUN state.

***********

WLC>config advanced eap bcast-key-interval <seconds>

where <seconds> is a value between 120 and 86400. This is a global command and applies to WPA configured on all WLANs.

*dot1xMsgTask: Jun 16 10:46:57.760: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61

*osapiBsnTimer: Jun 16 10:46:58.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5

*dot1xMsgTask: Jun 16 10:46:58.960: 00:23:76:d5:68:61 Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:23:76:d5:68:61

*osapiBsnTimer: Jun 16 10:46:59.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5

*dot1xMsgTask: Jun 16 10:46:59.960: 00:23:76:d5:68:61 Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:23:76:d5:68:61

*osapiBsnTimer: Jun 16 10:47:00.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5

*dot1xMsgTask: Jun 16 10:47:00.960: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0

*dot1xMsgTask: Jun 16 10:47:00.961: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID f0:25:72:13:f5:c0 slot 0(caller 1x_ptsm.c:534)
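The debug output above, run through a small detector (an added example, not part of the original note or Cisco's tooling): it groups "debug client" lines per client MAC, follows the timeout -> retransmit -> retransmit failure -> Deauthenticate chain, and maps the result to the broadcast key rotation cause discussed above. The sample lines embedded in the code are the ones quoted here, rejoined one per line; the regexes and the cause mapping are my own assumptions, not WLC logic.

```python
import re
from collections import defaultdict

# Constructed sample: the "debug client" lines quoted in this note, rejoined one per line.
SAMPLE_DEBUG = """\
*dot1xMsgTask: Jun 16 10:46:57.760: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61
*osapiBsnTimer: Jun 16 10:46:58.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5
*dot1xMsgTask: Jun 16 10:46:58.960: 00:23:76:d5:68:61 Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:23:76:d5:68:61
*osapiBsnTimer: Jun 16 10:46:59.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5
*dot1xMsgTask: Jun 16 10:46:59.960: 00:23:76:d5:68:61 Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:23:76:d5:68:61
*osapiBsnTimer: Jun 16 10:47:00.960: 00:23:76:d5:68:61 802.1x 'timeoutEvt' Timer expired for station 00:23:76:d5:68:61 and for message = M5
*dot1xMsgTask: Jun 16 10:47:00.960: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:00.961: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID f0:25:72:13:f5:c0 slot 0(caller 1x_ptsm.c:534)
"""

# Assumed line layout: "*task: Mon DD HH:MM:SS.mmm: client-mac message"
LINE_RE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ [\d:.]+): "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
RETX_RE = re.compile(r"Retransmit (\d+) of EAPOL-Key (M\d)")
FAIL_RE = re.compile(r"Retransmit failure for EAPOL-Key (M\d) .*retransmit count (\d+)")

def parse_debug(text):
    """Yield (timestamp, client_mac, message) for each parsable debug line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("mac").lower(), m.group("msg")

def find_eapol_deauths(text):
    """Per client, track key-message retransmits and return clients the WLC deauthenticated."""
    state = defaultdict(lambda: {"bcast_key_update": False, "retransmits": 0,
                                 "msg": None, "failed": False, "deauth_ts": None})
    for ts, mac, msg in parse_debug(text):
        s, retx, fail = state[mac], RETX_RE.match(msg), FAIL_RE.match(msg)
        if "Updated broadcast key" in msg:
            s["bcast_key_update"] = True        # WLC pushed a new broadcast key (rotation)
        elif retx:
            s["retransmits"], s["msg"] = int(retx.group(1)), retx.group(2)
        elif fail:                              # final count comes from the failure line
            s["failed"], s["msg"], s["retransmits"] = True, fail.group(1), int(fail.group(2))
        elif "Sent Deauthenticate" in msg:
            s["deauth_ts"] = ts
    return {mac: s for mac, s in state.items() if s["deauth_ts"]}

def explain(f):
    """Heuristic mapping (added here, not WLC logic) from a finding to the cause this note describes."""
    if f["failed"] and f["bcast_key_update"]:
        return ("missed EAPOL-Key %s after broadcast key rotation, %d retransmits: "
                "raise 'config advanced eap bcast-key-interval'" % (f["msg"], f["retransmits"]))
    if f["failed"]:
        return "missed EAPOL-Key %s during key handshake, %d retransmits" % (f["msg"], f["retransmits"])
    return "deauth without EAPOL retransmit failure: check the traplog reason code"
```

Feed it the saved output of "debug client <MAC>" taken while the client was in power save; a client that sleeps through all three one-second retransmits of the rotated key shows up with the first explanation.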

*************

Traplog:

Client Deauthenticated: MACAddress:00:23:76:d5:68:61 Base Radio MAC:f0:25:72:13:f5:c0 Slot: 0 User Name: unknown Ip Address: 10.230.129.192 Reason:Unspecified ReasonCode: 1

Code: 1

Meaning: Unspecified failure

Where: All messages

When:

  There is no SSID specified in an association request

  Failed RADIUS processing for a foreign client

  Failure to add the client to the PEM

  Client not sending the RSN IE on a WPA2 WLAN

  Failure processing CCKM

  During "ping-pong" protection: the client is in the process of a mobility hand-off and tries to reassociate back to the previous controller

  CCKM received, and the AP is not in local mode

  Failed RADIUS request sent for MAC address filtering

  On capability IE processing, the radio type is unsupported

  CCKM processing: CCKM received and not configured on the WLAN, invalid CCKM IE, invalid OUI, invalid length, invalid timestamp, no cached entry, MIC computation failed

  CKIP processing: no CKIP present when required

********************

Advantage: The WLC doesn't honor a broadcast/unicast disassociation/deauthentication received for its connected/authenticated clients, so no client disconnection happens even if the client sends a deauth to the AP before power save/radio down.

Workaround: Use web passthrough (button click), open security, or wired webauth.

Bottom line: The client shouldn't receive a deauth from the WLC/AP. When the issue happens, use a wireless sniffer and debug client for RCA.

Show & Debugs:

Before the client goes to power save/radio down/reboot, get these:

WLC>show client detail <MAC of client in question>

WLC>debug client <MAC of client in question>

Once the client comes back from power save/radio down/reboot, get these:

WLC>show client detail <MAC of client in question>

WLC>debug client <MAC of client in question>

WLC>debug dhcp enable


Version history: Revision 1 of 1. Last update: 03-15-2013 10:40 PM