300-430 · Question #294
Refer to the exhibit. An engineer receives a report that a client cannot authenticate via phone in a secure WLAN. The phone uses Layer 2 Security WPA2, and other clients can authenticate successfully.
The correct answer is A. An invalid user account or password was used. B. RADIUS is incorrectly configured. Debug output showing a per-client authentication failure on WPA2 Enterprise while other clients succeed most commonly indicates an invalid credential supplied by the client or a RADIUS misconfiguration on the WLC.
Question
Refer to the exhibit. An engineer receives a report that a client cannot authenticate via phone in a secure WLAN. The phone uses Layer 2 Security WPA2, and other clients can authenticate successfully. The engineer issues the (CONTROLLER) >debug client 64:89:9a:31:7f:a1 and (CONTROLLER) >debug aaa all enable commands in the controller and sees this output. What are two sources of this issue? (Choose two.)
Exhibit
Options
- AAn invalid user account or password was used.
- BRADIUS is incorrectly configured
- CThe server certificate is expired or not in use
- DCertificate services are not working properly.
- EThe incorrect EAP method was configured on the client device.
How the community answered
(54 responses)- A50% (27)
- C11% (6)
- D31% (17)
- E7% (4)
Why each option
Debug output showing a per-client authentication failure on WPA2 Enterprise while other clients succeed most commonly indicates an invalid credential supplied by the client or a RADIUS misconfiguration on the WLC.
An invalid username or password causes the RADIUS server to return an Access-Reject specific to that client's identity, which appears in the debug output as an authentication failure tied to that MAC address while all other clients with valid credentials continue to authenticate successfully.
A RADIUS misconfiguration on the WLC - such as a wrong shared secret, incorrect server IP, or wrong port - causes RADIUS transactions to fail or return errors, which can manifest as selective failures depending on which RADIUS server or policy is hit for that client type.
An expired or absent server certificate would cause EAP server validation to fail for all clients performing certificate-validating EAP methods, not selectively for a single phone while other clients authenticate without issue.
A general certificate services failure would affect all clients relying on certificate-based EAP across the WLAN, making it inconsistent with the symptom that other clients are authenticating successfully.
An incorrect EAP method on the client would prevent EAP negotiation from completing, but the debug output evidence pointing to an Access-Reject response identifies credential or RADIUS configuration errors as the more direct root cause.
Concept tested: RADIUS authentication failure debugging on Cisco WLC
Source: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/112072-wlc-debug-guide-00.html
Topics
Community Discussion
No community discussion yet for this question.
