Cisco Aironet 350 Wireless Bridge Technical Manual

Troubleshoot Procedure
This information is relevant to this configuration. Complete these steps in order to troubleshoot your
configuration:
1. If this LEAP, EAP, or PEAP configuration has not been thoroughly tested before WPA
   implementation, you must complete these steps:
   a. Temporarily disable the WPA encryption mode.
   b. Reenable the appropriate EAP.
   c. Confirm that the authentication works.
2. Verify that the configuration of the client matches that of the AP.
   For example, when the AP is configured for WPA and TKIP, confirm that the settings match the
   settings that are configured in the client.
Troubleshoot Commands
Note: Refer to Important Information on Debug Commands before you use debug commands.
WPA key management involves a four-way handshake after EAP authentication successfully completes. You
can see these four messages in debugs. If EAP does not successfully authenticate the client or if you do not
see the messages, complete these steps:
1. Temporarily disable WPA.
2. Reenable the appropriate EAP.
3. Confirm that the authentication works.
This list describes the debugs:
• debug dot11 aaa manager keys: This debug shows the handshake that happens between the AP and
the WPA client as the pairwise transient key (PTK) and group transient key (GTK) negotiate. This
debug was introduced in Cisco IOS Software Release 12.2(15)JA.
debug dot11 aaa manager keys
labap1200ip102#
Apr  7 16:29:57.908: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0030.6527.f74a
Apr  7 16:29:59.190: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 2 from 0030.6527.f74a
Apr  7 16:29:59.191: dot11_dot1x_verify_eapol_header: Warning: Invalid key info (exp=0x381, act=0x109
Apr  7 16:29:59.191: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Apr  7 16:29:59.192: dot11_dot1x_build_ptk_handshake: building PTK msg 3 for 0030.6527.f74a
Apr  7 16:29:59.783: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 4 from 0030.6527.f74a
Apr  7 16:29:59.783: dot11_dot1x_verify_eapol_header: Warning: Invalid key info (exp=0x381, act=0x109
Apr  7 16:29:59.783: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Apr  7 16:29:59.788: dot11_dot1x_build_gtk_handshake: building GTK msg 1 for 0030.6527.f74a
Apr  7 16:29:59.788: dot11_dot1x_build_gtk_handshake: dot11_dot1x_get_multicast_key len 32 index 1
Apr  7 16:29:59.788: dot11_dot1x_hex_dump: GTK: 27 CA 88 7D 03 D9 C4 61 FD 4B BE 71
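A small parser for the debug output above, added here as an example and not part of the Cisco document: it reports, per client MAC, which of the four PTK messages and the GTK message appear and collects the EAPOL header warnings. The names summarize, STEP and WARN are hypothetical, and attributing a warning line to the most recently seen client is an assumption, since the warning lines carry no MAC.

```python
import re
from collections import defaultdict

# Handshake lines taken from the debug output on this page, wrapped lines rejoined.
SAMPLE = """\
Apr  7 16:29:57.908: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0030.6527.f74a
Apr  7 16:29:59.190: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 2 from 0030.6527.f74a
Apr  7 16:29:59.191: dot11_dot1x_verify_eapol_header: Warning: Invalid key info (exp=0x381, act=0x109
Apr  7 16:29:59.191: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Apr  7 16:29:59.192: dot11_dot1x_build_ptk_handshake: building PTK msg 3 for 0030.6527.f74a
Apr  7 16:29:59.783: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 4 from 0030.6527.f74a
Apr  7 16:29:59.783: dot11_dot1x_verify_eapol_header: Warning: Invalid key info (exp=0x381, act=0x109
Apr  7 16:29:59.783: dot11_dot1x_verify_eapol_header: Warning: Invalid key len (exp=0x20, act=0x0)
Apr  7 16:29:59.788: dot11_dot1x_build_gtk_handshake: building GTK msg 1 for 0030.6527.f74a
"""

STEP = re.compile(r"(?:building|verifying) (PTK|GTK) msg (\d) (?:for|from) "
                  r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
WARN = re.compile(r"Warning: (Invalid key \w+) \(exp=(0x[0-9a-f]+), act=(0x[0-9a-f]+)")
PTK_MSGS = (1, 2, 3, 4)  # the four-way handshake messages the page says to look for

def summarize(log):
    """Per client MAC: handshake steps seen, header warnings, missing PTK messages."""
    clients = defaultdict(lambda: {"steps": [], "warnings": []})
    last_mac = None
    for line in log.splitlines():
        m = STEP.search(line)
        if m:
            last_mac = m.group(3)
            clients[last_mac]["steps"].append((m.group(1), int(m.group(2))))
            continue
        w = WARN.search(line)
        if w and last_mac:  # assumption: warning belongs to the last client seen
            clients[last_mac]["warnings"].append(
                (w.group(1), int(w.group(2), 16), int(w.group(3), 16)))
    for info in clients.values():
        seen = {n for kind, n in info["steps"] if kind == "PTK"}
        info["missing"] = [n for n in PTK_MSGS if n not in seen]
        info["ptk_complete"] = not info["missing"]
        info["gtk_sent"] = ("GTK", 1) in info["steps"]
    return dict(clients)

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, "missing PTK msgs:", info["missing"], "warnings:", info["warnings"])
```

A client whose entry lists missing PTK messages is the case the page addresses with the disable-WPA, reenable-EAP, confirm-authentication steps.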