---

scottwe wrote:

I have a client that cannot connect to our production wireless network but can connect to a development network on the same access point. The client is using the same machine and 802.1x authentication for each network. I have debug logs for a successful (dev) and a failed (prd) session but the main difference I see is:

 

//a success

Mar 20 13:24:56 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:41 ESSID=dev VLAN=2 AP-name=ab208

Mar 20 13:24:56 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x10f1 (tunnel 145), u_encr 16, m_encr 4112, slotport 0x1000 

Mar 20 13:25:25 :522038:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=ACS-B

//role, IP and other good stuff happen

 

//a failure

Mar 20 13:24:12 :522035:  <INFO> |authmgr|  MAC=68:a3:c4:c9:xx:xx Station UP: BSSID=d8:c7:c8:xx:2f:40 ESSID=prd VLAN=2 AP-name=ab208

Mar 20 13:24:12 :522004:  <DBUG> |authmgr|  MAC=68:a3:c4:c9:xx:xx ingress 0x11b6 (tunnel 342), u_encr 16, m_encr 4112, slotport 0x1000 

//repeat the previous message five more times, then

Mar 20 13:24:31 :501106:  <NOTI> |stm|  Deauth to sta: 68:a3:c4:c9:xx:xx: Ageout AP 10.xxx.70.210-d8:c7:xx:xx:2f:40-ab208 handle_sapcp

//followed by similar messages

 

 

Anybody have an idea?

---

While the client is failing, type "show auth-tracebuf mac <mac address of client>" to see why.

Thank you, neat command!

I see:

Mar 21 13:32:52  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:52  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:53  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:53  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:55  eap-start             ->  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     

Mar 21 13:32:55  eap-id-req            <-  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  1    5     

Mar 21 13:32:56  station-up             *  68:a3:c4:c9:xx:xx  d8:c7:c8:bf:xx:xx                  -    -     wpa tkip

over and over again, credentials are never passed and authentication servers don't get into the mix, which is different from a successful logon. I don't understand what the command reference guide is telling me about the arrows andif this is on the client or server side. 

yes. we went through and manually set it for wpa2-enterprise and aes as a test, still could not get it to go. we run in mixed mode, either tkip or aes is valid.

Are these 802.11n access points?  If so, the 802.11n standard only allows cipher types of AES and Open.  TKIP is not allowed.

They are N. Good point. When I manually configure the client to use WPA2 and AES (which I can see using the command you gave me, thanks again) they still cannot connect. I'm beginning to think it is the clients system but it is at a remote location and the clientdoes not have other devices available to test with.

You probably want to open a case so that they can see the full picture...  Has this EVER worked?

With this device no it has never worked. Other devices, yes.

Have you considered upgrading the client drivers?