cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Client failed 802.1x/EAP authentication on wlan

Client failed 802.1x/EAP authentication on wlan

Alexandr_P
Valued Contributor

Hello!

 

WiNG 5.9

VX9000 + AP7632.

RADIUS in AP’s (Internal Self) with test user.

Smartphone normally connecting.

Lap-top with Win7 - no.

Could you please help - where to look at? How to debug this issue?

 

[ap7632-6F2CC7] 10:09:38.724: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.724: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 10:09:38.730: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 10:09:38.731: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 10:09:38.736: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.736: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] 10:09:38.736: eap:sending eap-failure to 00-13-E8-93-D4-19 (eap.c:1009)
[ap7632-6F2CC7] %%%%>10:09:38.736: radius:alarm num_eap_f ++ 1 (radius.c:3859)

[ap7632-6F2CC7] 10:09:38.736: client:clearing cached credentials for 00-13-E8-93-D4-19 (credcache.c:241)
[ap7632-6F2CC7] 10:09:38.739: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
[ap7632-6F2CC7] 10:09:38.739: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)

 

AP config

!
aaa-policy "Onboard RADIUS"
 authentication server 1 onboard self
!
!
wlan Extreme802-1xTest
 ssid Extreme802-1xTest
 vlan 241
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 use aaa-policy "Onboard RADIUS"
!
!
radius-group 802-1xTestGroup
 policy vlan 241
!

!
radius-user-pool-policy Extreme802-1x
 user Extreme password 0 Extreme group 802-1xTestGroup
!
radius-user-pool-policy Guest
 user Test password 0 Test group Guests
!
radius-server-policy "Onboard RADIUS"
 use radius-user-pool-policy Extreme802-1x
 use radius-user-pool-policy Guest
 authentication eap-auth-type peap-mschapv2 #(also tryed with ā€œAllā€) 
 chase-referral
!

 

Thank you!

8 REPLIES 8

Alexandr_P
Valued Contributor

Hi, Tomasz!

 

From Client side no specific info ā€œmissing keywords
use the search to find solutions to fixā€.

 

It’s enabled ā€œFast BSS Transition over DSā€ and disabled ā€œFast BSS Transitionā€.
But if I’ll disable 802.11r - it will decrease time of client’s roaming. 

 

Thank you!

Tomasz
Valued Contributor II

Hi Alexandr,

 

Quick guess - 802.11r enabled and Intel AC-xxxx card within the laptop?

Apparently, it might be helpful sometimes if you click on troubleshooting option in Windows when it pops up ā€˜unable to connect’. Then it will most probably fail but you can see detailed results and it shows at which point (from supplicant/STA point of view) it failed. It was really helpful to me when troubleshooting IdentiFi network once (and it was 11r case actually, so WPA2 4-way handshake couldn’t finish, I’m not sure if the logs here are relevant but just a guess).

 

Hope that helps,

Tomasz

Alexandr_P
Valued Contributor

Hi!

 

Christopher, all configuration steps we have made within Win7?

[ap7632-6F2CC7] 09:00:57.12: mgmt:rx auth-req from 00-13-E8-93-D4-19 on radio 1 (mgmt.c:4032)
[ap7632-6F2CC7] 09:00:57.12: mgmt:tx auth-rsp to 00-13-E8-93-D4-19 on radio 1. status: success (mgmt.c:1348)
[ap7632-6F2CC7] 09:00:57.16: mgmt:rx association-req from 00-13-E8-93-D4-19 on radio ap7632-6F2CC7:R2 signal-strength is -52dBm (mgmt.c:4006)
[ap7632-6F2CC7] 09:00:57.16: client:MU 00-13-E8-93-D4-19 panBU enab_cap=00 00 00 00, supp_cap=00 00 00 00 (mgmt.c:3195)
[ap7632-6F2CC7] 09:00:57.16: client:using cached vlan 241 for wireless client 00-13-E8-93-D4-19 (mgmt.c:3442)
[ap7632-6F2CC7] 09:00:57.16: mgmt:Client 00-13-E8-93-D4-19 negotiated WPA2-EAP on wlan (Extreme802-1xTest) (mgmt.c:3534)
[ap7632-6F2CC7] 09:00:57.16: mgmt:tx association-rsp success to 00-13-E8-93-D4-19 on wlan (Extreme802-1xTest) (ssid:Extreme802-1xTest) with ft
[ap7632-6F2CC7] 09:00:57.17: client:no pmkid from client 00-13-E8-93-D4-19 (mgmt.c:1243)
[ap7632-6F2CC7] 09:00:57.17: client:state MU_STATE_DOT1X for client 00-13-E8-93-D4-19 (mgmt.c:1252)
[ap7632-6F2CC7] 09:00:57.17: client:wireless client 00-13-E8-93-D4-19 changing state from [Roaming] to [802.1x/EAP Auth] (mgmt.c:635)
[ap7632-6F2CC7] 09:00:57.17: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:00:57.17: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:00:57.17: client:transmitting roam notification for 00-13-E8-93-D4-19 (mgmt.c:349)
[ap7632-6F2CC7] 09:00:57.17: client:os-info in credcache for 00-13-E8-93-D4-19 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:1221)
[ap7632-6F2CC7] 09:00:57.17: client:user-info in credcache for 00-13-E8-93-D4-19 (loyalty_app:0) (credcache.c:1306)
[ap7632-6F2CC7] 09:00:57.54: eap:rx eap-start from 00-13-E8-93-D4-19 (eap.c:655)
[ap7632-6F2CC7] 09:00:57.54: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:00:57.54: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:00:57.64: client:rx deauthentication from 00-13-E8-93-D4-19 on radio 1 (mgmt.c:4043)
[ap7632-6F2CC7] 09:00:57.64: mgmt:rx deauthentication (unspecified error (code:1)) from wireless client 00-13-E8-93-D4-19 on bss DC-B8-08-46-E

[ap7632-6F2CC7] 09:00:57.64: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)
[ap7632-6F2CC7] 09:00:57.64: client:starting hold timer for 00-13-E8-93-D4-19 (mgmt.c:703)
[ap7632-6F2CC7] 09:00:57.64: client:update_app_policy_name_to_credcache (credcache.c:1408)
[ap7632-6F2CC7] 09:00:57.64: client:Adding app_policy_name to credcache and sync00-13-E8-93-D4-19 (credcache.c:1409)
[ap7632-6F2CC7] 09:00:57.65: client:Credcache updated with app_policy None, for MU 00-13-E8-93-D4-19 (credcache.c:1423)
[ap7632-6F2CC7] 09:00:57.65: client:cleared packet counters on client 00-13-E8-93-D4-19 (mgmt.c:764)
[ap7632-6F2CC7] 09:00:57.65: client:CHD: chd_stop_mu (chd.c:635)

 

Any ideas?

 

Thank you!

Christopher_Fra
Extreme Employee

I would ensure that the radius policy is ,mapped to the AP (no AP Profile and/or Self config provided). I am assuming that no certificates have been generated.

For Win7 supplicant, you will need to manually configure the profile and ensure under Security/Choose a network authentication method is configure for Microsoft: Protocol EAP (PEAP) and and un-check Validate server certificate. Under Select Authentication Method, ensure Secured password (EAP-MSCHAP-v2) is selected and click on Configure and un-check box (Auto use my Windows logon name and password).

 

GTM-P2G8KFN