1200 Ap LEAP Issue

Discussion in 'Cisco' started by jt, May 10, 2004.

  1. jt

    jt Guest

    Dear all,

    can anyone point me in the appropiate direction what the following means ?

    DOT11-4-MAXRETRIES: : Packet to client 0040.96a1.eab3 reached max retries,
    removing the client

    I dug around at cisco, found information that " a packet has not been
    successfully tranferred many times",
    clear, but what component inside does issue this message ? I am playing
    around with a test setup ( 1200 ./. CSACS )
    and LEAP authentication sometimes works, sometimes it does not....no light
    in the fog......


    jt
    jt, May 10, 2004
    #1
    1. Advertising

  2. jt

    mh Guest

    This means that the radio interface has tried to transfer a packet
    unsucessfully to a client. By default the radio interace will try 32
    times.

    This can be configured

    int d0
    packet retries <retries>,, where retries is a value from 1 to 128
    exit

    The packet not being received could mean the client is too far away or
    there is a LOT of interference

    use the command "sh int d0 stat" and look at the retries counters
    under the Transmit column

    You will also probably notice that a lot of packets are being
    transmitted at slower speeds

    If your are having problems witha particular client, then while it is
    associated
    use the command "OURHOUSE-AP2#sh dot11 stat client-tr"

    Clients:
    10-0040.96a1.6b41 pak in 16266 bytes in 2174130 pak out 18306 bytes
    out 17163810
    dup 39 decrpyt err 0 mic mismatch 0 mic miss 0
    tx retries 10890 data retries 10739 rts retries 151
    signal strength 60 signal quality N/A

    and check the retries counts
    mh, May 10, 2004
    #2
    1. Advertising

  3. jt

    jt Guest

    Hi Merv,

    this seems to be some radius traffic......anyway, thanks for your time.

    Is there any option you know about to get a 1200 running
    together with PEAP ./. IAS ( W2K Server with IAS, SP4 ) ?

    I know I cannot run LEAP with IAS. For historic reasons, we're having
    our PSTN stuff running via IAS, and and I fear the work to switch
    the lines over to CSACS....so, now we got this dot11 thingie and
    I'm trying to find a path in this jungle.

    Any idea ? I am not looking for a complete solution, but I seem
    tio get increasingly confused looking at all the options you have
    when it comes to safety of wireless environments. Would you
    suggest CSACS rather than IAS ? For what reason except
    TACACS+ and general higher granularity ?


    greets

    daniel




    "mh" <> schrieb im Newsbeitrag
    news:...
    > This means that the radio interface has tried to transfer a packet
    > unsucessfully to a client. By default the radio interace will try 32
    > times.
    >
    > This can be configured
    >
    > int d0
    > packet retries <retries>,, where retries is a value from 1 to 128
    > exit
    >
    > The packet not being received could mean the client is too far away or
    > there is a LOT of interference
    >
    > use the command "sh int d0 stat" and look at the retries counters
    > under the Transmit column
    >
    > You will also probably notice that a lot of packets are being
    > transmitted at slower speeds
    >
    > If your are having problems witha particular client, then while it is
    > associated
    > use the command "OURHOUSE-AP2#sh dot11 stat client-tr"
    >
    > Clients:
    > 10-0040.96a1.6b41 pak in 16266 bytes in 2174130 pak out 18306 bytes
    > out 17163810
    > dup 39 decrpyt err 0 mic mismatch 0 mic miss 0
    > tx retries 10890 data retries 10739 rts retries 151
    > signal strength 60 signal quality N/A
    >
    > and check the retries counts
    jt, May 10, 2004
    #3
  4. jt

    mh Guest

    I have read PEAP will work with IAS, however, I have not done it myself.

    The AP 1200 will support an internal RADIUS server which only supports LEAP.
    However if you have a large number of users, I would not use it.
    mh, May 11, 2004
    #4
  5. jt

    jt Guest

    Dear Merv,

    I've read this too, but only related to W2K3. The curiuos guy I am, I dug
    around in IAS on W2K. It seems
    that it is supported, because all the switches necessary in W2K3 can be
    thrown there in the same manner as well.
    Will dig a little bit more and inform you if I get it up and running.

    At last, Can you perhaps tell me which debug options I should turn on to
    determine if the client attempts to
    find an "authenticator match" on the AP ? This would be very helpful because
    at the very moment there is
    nothing but silence; I' d like to have some sort of debug as soon as a
    client attempts to comunicate with the AP.

    Thanks again for your help and input


    Daniel



    "mh" <> schrieb im Newsbeitrag
    news:...
    > I have read PEAP will work with IAS, however, I have not done it myself.
    >
    > The AP 1200 will support an internal RADIUS server which only supports

    LEAP.
    > However if you have a large number of users, I would not use it.
    jt, May 11, 2004
    #5
  6. jt

    mh Guest

    You appear to have two issues:

    a) DOT11-4-MAXRETRIES definitely means that the AP cannot reach the wireless client
    If the client authenticated properly ( can be seen in the logging buffer) then
    this message would have nothing to do with LEAP or RADIUS


    b) "Best" authentication approach - since you have IAS set up already then I would
    try to use PEAP. Also Microsoft have implemented PEAP support for most
    versions of Windows
    mh, May 11, 2004
    #6
  7. jt

    jt Guest

    Hi Merv,

    > b) "Best" authentication approach - since you have IAS set up already then

    I would
    > try to use PEAP. Also Microsoft have implemented PEAP support for most
    > versions of Windows



    Think this is what I am going to use, here's the latest result, seems there
    is still some confusion.
    The testing Notebook in question associates fine, but does not authenticate,
    nor does IAS log anything.
    The ACU is set to EAP MSCHAP v2; Radius properties in IAS are set to
    vendor=Microsoft,
    "Signature Attribute" is set to required.

    Can you take a look at the below ?

    AP cfg:

    aaa group server radius testradius
    server 192.168.20.204 auth-port 1645 acct-port 1646
    aaa authentication login airo group itaxradius
    dot11 aaa authentication attributes service login-only
    encryption key 1 size 128bit *********** transmit-key
    encryption mode wep mandatory
    ssid testssid
    authentication open eap airo

    Here's the debug output :

    May 11 14:42:31.349: disc_client_add 0040.96a1.eab3, set ST_FWD_PEND
    May 11 14:42:31.349: disc_client_add: clnt 0040.96a1.eab3 airo flags 0x0
    May 11 14:42:31.349: disc_client_add 0040.96a1.eab3, set ST_FWD_PEND
    May 11 14:42:34.361: RADIUS: AAA Unsupported [248] 8
    May 11 14:42:34.362: RADIUS: 49 54 41 58 5F 46
    [ITAX_F]
    May 11 14:42:34.362: RADIUS: AAA Unsupported [150] 3
    May 11 14:42:34.362: RADIUS: 31
    [1]
    May 11 14:42:34.362: RADIUS(0000006F): Storing nasport 108 in rad_db
    May 11 14:42:34.362: RADIUS(0000006F): Config NAS IP: 192.168.20.251
    May 11 14:42:34.362: RADIUS/ENCODE(0000006F): acct_session_id: 111
    May 11 14:42:34.362: RADIUS(0000006F): sending
    May 11 14:42:34.363: RADIUS(0000006F): Send Access-Request to
    192.168.20.204:1645 id 21645/31, len 135
    May 11 14:42:34.363: RADIUS: authenticator 74 68 77 F5 3C B4 99 7F - 15 42
    3B CF 43 63 A9 1F
    May 11 14:42:34.363: RADIUS: User-Name [1] 15 "Administrator"
    May 11 14:42:34.364: RADIUS: Framed-MTU [12] 6 1400
    May 11 14:42:34.364: RADIUS: Called-Station-Id [30] 16 "000f.8f2c.1170"
    May 11 14:42:34.364: RADIUS: Calling-Station-Id [31] 16 "0040.96a1.eab3"
    May 11 14:42:34.364: RADIUS: Service-Type [6] 6 Login
    [1]
    May 11 14:42:34.364: RADIUS: Message-Authenticato[80] 18 *
    May 11 14:42:34.364: RADIUS: EAP-Message [79] 20
    May 11 14:42:34.364: RADIUS: 02 02 00 12 01 41 64 6D 69 6E 69 73 74 72 61
    74 [?????Administrat]
    May 11 14:42:34.365: RADIUS: 6F 72
    [or]
    May 11 14:42:34.365: RADIUS: NAS-Port-Type [61] 6 802.11 wireless
    [19]
    May 11 14:42:34.365: RADIUS: NAS-Port [5] 6 108
    May 11 14:42:34.365: RADIUS: NAS-IP-Address [4] 6 192.168.20.251
    May 11 14:42:34.377: RADIUS: Received from id 21645/31 192.168.20.204:1645,
    Access-Challenge, len 76
    May 11 14:42:34.378: RADIUS: authenticator 01 E0 C1 A0 38 B1 47 2E - 2B 30
    E5 97 AE 76 0B 35
    May 11 14:42:34.378: RADIUS: Session-Timeout [27] 6 30
    May 11 14:42:34.378: RADIUS: EAP-Message [79] 8
    May 11 14:42:34.378: RADIUS: 01 03 00 06 19 20
    [????? ]
    May 11 14:42:34.378: RADIUS: State [24] 24
    May 11 14:42:34.378: RADIUS: 1B BE 02 A8 00 00 01 37 00 01 C0 A8 14 CC 00
    00 [???????7????????]
    May 11 14:42:34.379: RADIUS: 00 01 00 00 00 25
    [??????]
    May 11 14:42:34.379: RADIUS: Message-Authenticato[80] 18 *
    May 11 14:42:34.380: RADIUS(0000006F): Received from id 21645/31
    May 11 14:42:34.380: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    May 11 14:42:34.436: %DOT11-4-MAXRETRIES: Packet to client 0040.96a1.eab3
    reached max retries, removing the client
    May 11 14:42:34.436: DOT11 EVENT: Free client
    May 11 14:43:05.826: disc_client_add -- enter 0


    Any ideas ?


    Daniel
    jt, May 11, 2004
    #7
  8. jt

    jt Guest

    Addendum Re: 1200 Ap LEAP Issue

    I forgot the following, sorry....

    radius-server host 192.168.20.204 auth-port 1645 acct-port 1646 key 7
    ***********



    Daniel
    jt, May 11, 2004
    #8
  9. jt

    mh Guest

    You should proably add the following lines to your config:

    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server authorization permit missing Service-Type


    For debugging, check out eqch of the following commands:

    debug dot11 aaa dot1x all

    debug dot11 d0 trace print client

    debug dot11 d0 trace print rcv

    debug dot11 d0 trace print xmt


    It would be faster & easier to communicate by private mail ""
    mh, May 12, 2004
    #9
  10. jt

    mh Guest

    What wireless card is being used for your test

    If it is Cisco what version of ACU software are you using?
    mh, May 12, 2004
    #10
  11. jt

    mh Guest

    For troubleshooting you may want to checkout CommView for WiFi 4.2
    ( www.tamos.com/download/main ).

    They show a list of supported wireless adpater.
    mh, May 12, 2004
    #11
  12. jt

    mh Guest

    What software levels are you using

    client OS: Windows XP ? service pack level ?
    client utitlity level ?

    AP 1200 - what IOS level ?

    W2K server - what service pack level ?
    IAS - service pack level 6 ?
    mh, May 12, 2004
    #12
  13. jt

    jt Guest

    Hi Merv,

    I've sent a mail to your private account with the
    necessary data which was returned as "unread".

    Client OS is W2K, SP4
    Server OS is Win2K SP6, no individual patches applied o IAS.
    Client Util level is latest ADU release ( 1.0.0.305 )


    Daniel


    "mh" <> schrieb im Newsbeitrag
    news:...
    > What software levels are you using
    >
    > client OS: Windows XP ? service pack level ?
    > client utitlity level ?
    >
    > AP 1200 - what IOS level ?
    >
    > W2K server - what service pack level ?
    > IAS - service pack level 6 ?
    jt, May 12, 2004
    #13
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Sarbjit Singh Gill

    MOving from LEAP to PEAP

    Sarbjit Singh Gill, Dec 10, 2004, in forum: Wireless Networking
    Replies:
    2
    Views:
    1,123
    Sarbjit Singh Gill
    Dec 13, 2004
  2. Replies:
    1
    Views:
    577
    Uli Link
    Apr 2, 2005
  3. Claudiu
    Replies:
    0
    Views:
    2,330
    Claudiu
    Apr 19, 2005
  4. Replies:
    1
    Views:
    5,411
    Aaron Leonard
    Mar 13, 2006
  5. tef
    Replies:
    0
    Views:
    1,640
Loading...

Share This Page