Security

Good Afternoon,

I have a fully patched iMAC 10.9.1 (M that I am trying to get connected to my Controller.  WPA2 enterprise.  I have two other fully patched MACs that are working just fine, they are not the same hardware though (MB Pro, Air)  windows, ios and android are just fine

It connects just fine to my unsecured SSID, but not to the WPA2  I was connected and connecting fine before I upgraded to 6.3.1.2 

what are some troubleshooting steps that I can take?  

Please run these commands :

show  auth-tracebuf | include <mac address> - You will be able to see the EAP process

Enable logging level debugging security process authmgr abd run the show log security all | include <device mac>

What are you using for RADIUS ?

We are using Windows 2008 r2 for the RADIUS.

here is a little more information:

When we upgraded to the new firware on the controller, we also replaces our AP125 with an AP225.  I physically moved the iMAC to a location with an AP125 that is beyond the reach of the AP225.  I can connect just fine to our WPA2 SSIDs now.  Did some reboots and shutdowns (which was killing the connection when trying to connect to the AP225) 

very strange

Here is the output

Feb 4 14:28:44 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10
Feb 4 15:09:12 :126065: <WARN> |wms| |ids| AP(9c:1c:12:94:0e:10@Wolverton-Conf): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (d4:9a:20:54:d0:a0) and access point (BSSID 9c:1c:12:94:0e:11), with source d4:9a:20:54:d0:a0 and receiver 00:1b:ed:16:5a:00. SNR value is 0.
Feb 4 15:26:31 :126065: <WARN> |wms| |ids| AP(9c:1c:12:94:0e:10@Wolverton-Conf): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (d4:9a:20:54:d0:a0) and access point (BSSID 9c:1c:12:94:0e:11), with source d4:9a:20:54:d0:a0 and receiver ff:ff:ff:ff:ff:ff. SNR value is 46.
Feb 4 15:34:00 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10
Feb 4 15:59:11 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station d4:9a:20:54:d0:a0 00:24:6c:ba:f4:d0
Feb 4 16:00:59 :126065: <WARN> |wms| |ids| AP(00:24:6c:ba:f4:d0@KERN-721): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (d4:9a:20:54:d0:a0) and access point (BSSID 00:24:6c:ba:f4:d1), with source d4:9a:20:54:d0:a0 and receiver 00:1b:ed:16:5a:00. SNR value is 40.
Feb 4 16:03:02 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station d4:9a:20:54:d0:a0 00:24:6c:ba:f4:d0
Feb 4 16:04:28 :132030: <ERRS> |authmgr| Dropping EAPOL packet sent by Station d4:9a:20:54:d0:a0 00:24:6c:ba:f4:d0

Can you provide the show  auth-tracebuf | include <mac address> output as well?

When I run that command, with or without the "| include <mac>" there is no output 

ah, I did not do that.  I did now.  here is the output

Feb 5 09:54:09 station-up * d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 - - wpa2 aes
Feb 5 09:54:09 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 1 5
Feb 5 09:54:09 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 - -
Feb 5 09:54:09 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 1 5
Feb 5 09:54:14 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 - -
Feb 5 09:54:14 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 1 5
Feb 5 09:54:19 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 - -
Feb 5 09:54:19 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 2 5
Feb 5 09:54:24 station-down * d4:9a:20:54:d0:a0 9c:1c:12:94:0e:12 - -
Feb 5 09:54:48 station-up * d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 - - wpa2 aes
Feb 5 09:54:48 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 1 5
Feb 5 09:54:49 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 - -
Feb 5 09:54:49 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 1 5
Feb 5 09:54:53 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 - -
Feb 5 09:54:53 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 1 5
Feb 5 09:54:59 eap-start -> d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 - -
Feb 5 09:54:59 eap-id-req <- d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 2 5
Feb 5 09:55:04 station-down * d4:9a:20:54:d0:a0 9c:1c:12:94:0e:10 - -

It looks like the device is not responding to the EAP ID request (Provides the username/password) , please try the following uninstall the Certificate previously installed 

1. Start Finder.
2. From the Go drop-down list, select Utilities.
3. Double-click the Keychain Access icon.

And find the cert and delete it then remove the ssid from the preferred wireless networks and then reboot .

Try again and run the same commands.

What AP are you connecting at this point ? AP125 or AP225 ?

Right now I am only working with the AP 225 at it seems to be limited to the AP 225.  Deleting the key for the ssid worked one time.  I deleted it, removed the ssid from the prefered networks and rebooted.

It connected on the first try. So I turned the Wi-Fi on the iMAC off, waited a few seconds and turned it back on again.  It went back to the same thing.  

It almost seems like the AP 225 is holding onto something or there is something screwy with how the iMAC is doing the wi-fi 

I have attached the tracebuff commands

Attachment(s)

tracebuff.txt   7 KB 1 version