PLEASE ease my mind! - WPA/2-PSK (Unsecured)

Unanswered Question
Jun 5th, 2009

I'm running code 4.2.130 on my 4404's with an SSID running WPA/WPA2-PSK. However, sometimes on my clients it'll show connected to SSID(Unsecured Network)? I'm hoping this is a driver bug? I've personally seen it on the Intel 3945ABG's series 11.x drivers.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
George Stefanick Fri, 06/05/2009 - 20:42

The easy way to test it is try and connect to it with no security.

We have a few thousand clients and you will see some odd things at times that make you go huh? :) Just double check...

You mentioned you have more than 1 controller. Do all the controllers with your SSID configured property with the same security?

Robert.N.Barrett_2 Sat, 06/06/2009 - 16:19

You might also want to use a capture tool to see if the data is encrypted or not. I think even WireShark will work fine in this situation.

abpsoft Sun, 07/05/2009 - 08:32

Hi Raun,

I'm sure that is a bug either in Windows ZeroConf or the Intel drivers, I've seen it a lot, too. The issue is transient and the client will soon change back to displaying the correct connection state. What I assume might happen is that WZC samples the state of the associations in some interval and sometimes manages to hit the phase when it is already associated and authenticated in the clear, but not yet through the EAPoL 4-way handshake comprising PSK. That state looks exactly like an unsecured connection to a casual stateless observer, and in a way it is - it's just the other end (the AP playing the authenticator) that is blocking any traffic but EAPoL from passing over that association. It might also be that WCZ actually thought it would be done after open auth/assoc, maybe due to the first frame of the 4-way (which has to come from the AP) getting lost, leaving the STA in "connected to dead air" mode for a macroscopic timeframe. But this will time out after 8s or so, forcing reauth.

So just ignore it, the APs don't let traffic pass without proper 4-way handshake, at least according to any wireless sniffer trace I've seen so far.



Lucien Avramov Sun, 07/05/2009 - 10:12

If you are able to connect in clear mode and the WLC is configured identically as the other ones where WPA2 is working and you have a sniffer trace, you may want to open a TAC case so we can troubleshoot it further.


This Discussion



Trending Topics - Security & Network