Intel 2915a/b/g WPA-PERSONAL authentication issues

Unanswered Question
Jul 15th, 2010

Hi board,

Hopefully somebody knows this or has experienced the same problem :-)

Here's the problem:

We are using autonomous Aironet 1242ag APs with 12.3(8)JEA code. There is an SSID with WPA1 (TKIP) configuration and PSK authentication. Guest-Mode is disabled. We are experiencing issues in combination with handhelds with Intel 2915 chipsets (802.11a).

Sometimes during roaming or initial connections (4-way handshake), the clients are not able to authenticate to the AP.

The logging of the AP shows the following message:

%DOT11-7-AUTH_FAILED: station xxxxxxxxxxxxx Authentication failed.

Huh - this is normally an 802.1x related message (at least if you search through CCO).

So I enabled debugging (dot11 events, dot11 aaa manager):

Jul 15 16:17:52.396: dot11_mgr_sm_start_ssn_psk: Starting 4-way handshake for PSK supplicant 0016.6faf.5c63
Jul 15 16:17:52.396: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.396: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.396: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.397: dot11_mgr_sm_send_ptk_msg1: [1] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.397: dot11_mgr_sm_hs_callback: [1] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.496: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.496: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.496: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.496: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.497: dot11_mgr_sm_send_ptk_msg1: [2] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.521: dot11_mgr_sm_hs_callback: [2] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.621: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.621: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.621: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.724: dot11_mgr_sm_hs_callback: [3] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.825: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_disp_auth_abort: Sending abort request for client 0016.6faf.5c63 to local Authenticator
Jul 15 16:18:03.900: DOT11 EVENT:(adding)client->key_details.encrypt_type is 20
Jul 15 16:18:03.901: dot11_mgr_disp_wlccp_update_auth:  unknown auth type 0x1

I understand the debug like this:

The AP starts to send the first message of the 4-way handshake (PTK derivation). This message just contains a random number (ANonce).

The client does not respond to this message. After 100 ms (timeout), the AP sends the first message again. After three attempts without a response from the client, the AP gives up (dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63).

This is not a wrong PSK issue - sometimes the client is able to authenticate successfully to the AP.

We are using the latest Intel drivers for this card :-(

The handhelds are using Windows XP with SP3 - the wireless supplicant is MS WZC. The IntelProWireless supplicant is not possible because of insufficient space on the device.

Does anybody have an idea? Changing to WEP or no encryption is not an option. I thought about changing to WPA2, but WPA2 is using nearly the same key hierarchy as WPA1 - the Key Management and 4-way handshake process is exactly the same.

Thanks in advance!

Kind regards

Johannes
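
Added example, not part of the original post and not Cisco tooling: a small Python parser that reads this kind of AP debug output and reports, per client MAC, how many times PTK msg 1 was sent, how many PTK_MSG2_WAIT timeouts followed, and whether the handshake was abandoned without any reply. It assumes the debug line formats exactly as shown in the post; the function and field names are made up for this illustration.

```python
import re
from collections import defaultdict

# Subset of the debug lines from the post above, embedded so this runs offline.
SAMPLE = """\
Jul 15 16:17:52.396: dot11_mgr_sm_start_ssn_psk: Starting 4-way handshake for PSK supplicant 0016.6faf.5c63
Jul 15 16:17:52.397: dot11_mgr_sm_send_ptk_msg1: [1] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.496: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.497: dot11_mgr_sm_send_ptk_msg1: [2] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.621: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.825: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
STAMP = re.compile(r"(\d+):(\d+):(\d+)\.(\d+): ")
EVENTS = {
    "start": re.compile(r"Starting 4-way handshake for PSK supplicant " + MAC),
    "msg1": re.compile(r"Sent PTK msg 1 to " + MAC),
    "timeout": re.compile(r"Action\(PTK_MSG2_WAIT,TIMEOUT\) for " + MAC),
    "failed": re.compile(r"Handshake failure for " + MAC),
}

def summarize(log):
    """Per client MAC: msg 1 sends, PTK_MSG2_WAIT timeouts, failure, elapsed ms."""
    raw = defaultdict(lambda: {"start": 0, "msg1": 0, "timeout": 0, "failed": 0,
                               "first": None, "last": None})
    for line in log.splitlines():
        stamp = STAMP.search(line)
        if not stamp:
            continue
        h, m, s, ms = map(int, stamp.groups())
        now = ((h * 60 + m) * 60 + s) * 1000 + ms  # milliseconds since midnight
        for name, pattern in EVENTS.items():
            hit = pattern.search(line)
            if hit:
                c = raw[hit.group(1)]
                c[name] += 1
                c["first"] = now if c["first"] is None else c["first"]
                c["last"] = now
    report = {}
    for mac, c in raw.items():
        # Every msg 1 ending in a PTK_MSG2_WAIT timeout means no reply was ever processed.
        silent = c["failed"] > 0 and c["msg1"] > 0 and c["timeout"] == c["msg1"]
        report[mac] = {"msg1_sent": c["msg1"], "timeouts": c["timeout"],
                       "failed": c["failed"] > 0, "elapsed_ms": c["last"] - c["first"],
                       "no_reply_to_msg1": silent}
    return report
```

Counts are aggregated per MAC over the whole log, so feed it one roam or association attempt at a time when comparing good and bad handshakes.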
