
Problem of user authentication

Hello,

I'm having an issue with a Cisco 5508 on version 7.0.116.0n, around the user authentication time lapse.

Indeed, if one tries to authenticate but takes a long time to input his login/password (30sec max), he can't get through the authentication process.

However, if he "hurries up", it does work.

Can you please explain to me what vars can be reconfigured in order to increase the authentication time lapse?

I changed the timer EAP-Identity-Request Timeout => problem not solved.

WLC >show advanced EAp

EAP-Identity-Request Timeout (seconds)........... 30 ==========> changed at 60

EAP-Identity-Request Max Retries................. 2

EAP Key-Index for Dynamic WEP.................... 0

EAP Max-Login Ignore Identity Response........... enable

EAP-Request Timeout (seconds).................... 30

EAP-Request Max Retries.......................... 2

EAPOL-Key Timeout (milliseconds)................. 1000

EAPOL-Key Max Retries............................ 2

EAP-Broadcast Key Interval....................... 3600

Thanks and kind regards,

Samir


Stephen Rodriguez
Cisco Employee

Take a look at this document.

https://supportforums.cisco.com/docs/DOC-12110

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hello,

Thank you for your answer.

I changed the full timer, but the problem is not solved.

Here are some traces:

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Controller association request message received.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received reassociation request from client.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :The WLAN to which client is connecting requires 802 1x authentication.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Client moved to associated state successfully.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAPOL start message from client.

Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Controller association request message received.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received reassociation request from client.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :The WLAN to which client is connecting requires 802 1x authentication.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Client moved to associated state successfully.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAPOL start message from client.

Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:35:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.

Time :10/22/2012 15:35:36 CEST Severity :INFO Controller IP :ip-wlc Message :EAP response from client to AP received.

Time :10/22/2012 15:35:36 CEST Severity :ERROR Controller IP :ip-wlc Message :EAP Id request from AP client failed as maximum 802 1x retries reached.

Time :10/22/2012 15:35:36 CEST Severity :ERROR Controller IP :ip-wlc Message :De-authentication sent to client. slot 0 (claller 1x_auth_pae.c:3021)

Time :10/22/2012 15:35:36 CEST Severity :INFO Controller IP :ip-wlc Message :Controller association request message received.

Time :10/22/2012 15:35:36 CEST Severity :INFO Controller IP :ip-wlc Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).

Time :10/22/2012 15:35:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received reassociation request from client.

Time :10/22/2012 15:35:36 CEST Severity :INFO Controller IP :ip-wlc Message :The WLAN to which client is connecting requires 802 1x authenticatio

Best regards

Samir .
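One way to summarize a trace like the one in the post above, as an added example that is not part of the original thread and not Cisco tooling: it groups the messages into association attempts and flags the RSN IE warning, 802.1X retry exhaustion and de-authentication in each. The sample is a shortened excerpt of that trace, and the names `parse` and `attempts` are hypothetical.

```python
import re
from datetime import datetime

# Shortened excerpt of the trace posted above (lines omitted, none altered).
SAMPLE = """\
Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Controller association request message received.
Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
Time :10/22/2012 15:34:06 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAPOL start message from client.
Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Received EAP Response from the client.
Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Controller association request message received.
Time :10/22/2012 15:34:36 CEST Severity :INFO Controller IP :ip-wlc Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
Time :10/22/2012 15:35:36 CEST Severity :ERROR Controller IP :ip-wlc Message :EAP Id request from AP client failed as maximum 802 1x retries reached.
Time :10/22/2012 15:35:36 CEST Severity :ERROR Controller IP :ip-wlc Message :De-authentication sent to client. slot 0 (claller 1x_auth_pae.c:3021)
"""

# One log line: timestamp, time zone, severity, controller, free-text message.
LINE = re.compile(r"Time :(\S+ \S+) \S+ Severity :(\w+) Controller IP :(\S+) Message :(.*)")

def parse(text):
    """Yield (timestamp, severity, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(4)

def attempts(text):
    """Group events into attempts, each starting at an association request."""
    out = []
    for ts, sev, msg in parse(text):
        if msg.startswith("Controller association request") or not out:
            out.append({"start": ts, "end": ts, "bad_rsn_ie": False,
                        "retries_exhausted": False, "deauth": False})
        cur = out[-1]
        cur["end"] = ts
        cur["bad_rsn_ie"] |= "invalid RSN IE" in msg
        cur["retries_exhausted"] |= "maximum 802 1x retries reached" in msg
        cur["deauth"] |= msg.startswith("De-authentication sent")
    for a in out:
        a["seconds"] = int((a["end"] - a["start"]).total_seconds())
    return out

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        flags = [k for k in ("bad_rsn_ie", "retries_exhausted", "deauth") if a[k]]
        print(a["start"].time(), f'{a["seconds"]}s', ",".join(flags))
```
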

Lock the WLAN in question to use WPA-TKIP or WPA2-AES only on the WLC and client for that WLAN, if not already.

What type of EAP are you doing, TLS or PEAP?  If it is PEAP, there is a setting in the profile to use the login credentials.  If these are corporate devices, this option should be used, and should be enabled by default.

If these are guest or non-corporate devices, you should be using a PSK instead of EAP. <--IMO

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered