Intel 2915a/b/g WPA-PERSONAL authentication issues

Hi board,

Hopefully somebody knows this or has experienced the same problem :-)

Here's the problem:

We are using autonomous Aironet 1242ag APs with 12.3(8)JEA code. There is an SSID with WPA1 (TKIP) configuration and PSK authentication. Guest-Mode is disabled. We are experiencing issues in combination with handhelds with Intel 2915 chipsets (802.11a).

Sometimes during roaming or initial connections (4-way handshake), the clients are not able to authenticate to the AP.

The logging of the AP shows the following message:

%DOT11-7-AUTH_FAILED: station xxxxxxxxxxxxx Authentication failed.

Huh - this is normally an 802.1x-related message (at least if you search through CCO).

So I enabled debugging (dot11 events, dot11 aaa manager):

Jul 15 16:17:52.396: dot11_mgr_sm_start_ssn_psk: Starting 4-way handshake for PSK supplicant 0016.6faf.5c63
Jul 15 16:17:52.396: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.396: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.396: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.397: dot11_mgr_sm_send_ptk_msg1: [1] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.397: dot11_mgr_sm_hs_callback: [1] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.496: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.496: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.496: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.496: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.497: dot11_mgr_sm_send_ptk_msg1: [2] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.521: dot11_mgr_sm_hs_callback: [2] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.621: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_dot1x_send_ssn_eapol_key: eapol->length 95
Jul 15 16:17:52.621: dot11_dot1x_build_ptk_handshake: building PTK msg 1 for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_mgr_disp_client_send_eapol: sending eapol to client 0016.6faf.5c63 on BSSID 0016.9c96.4360
Jul 15 16:17:52.621: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.724: dot11_mgr_sm_hs_callback: [3] Handshake msg to 0016.6faf.5c63, timer set: timeout 100 ms
Jul 15 16:17:52.825: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_disp_auth_abort: Sending abort request for client 0016.6faf.5c63 to local Authenticator
Jul 15 16:18:03.900: DOT11 EVENT:(adding)client->key_details.encrypt_type is 20
Jul 15 16:18:03.901: dot11_mgr_disp_wlccp_update_auth:  unknown auth type 0x1

I understand the debug like this:

The AP starts to send the first message of the 4-way handshake (PTK derivation). This message just contains a random number (ANonce).

The client does not respond to this message. After 100 ms (timeout), the AP sends the first message again. After three attempts without a response from the client, it gives up (dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63).

This is not a wrong PSK issue - sometimes the client is able to authenticate successfully to the AP.

We are using the latest Intel drivers for this card :-(

The handhelds are using Windows XP with SP3 - the wireless supplicant is MS WZC. The IntelProWireless supplicant is not possible because of insufficient space on the device.

Does anybody have an idea? Changing to WEP or no encryption is not an option. I thought about changing to WPA2, but WPA2 uses nearly the same key hierarchy as WPA1 - the key management and 4-way handshake process is exactly the same.

Thanks in advance!

Kind regards

Johannes
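
The retry pattern the post reads out of the debug output (PTK message 1 sent repeatedly, a PTK_MSG2_WAIT timeout after each, then a handshake failure) can be counted per client automatically. The Python below is an added example, not part of the original post or any Cisco tool; the function names and the layout of the returned dictionary are assumptions, and the sample lines are copied from the debug output above.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the AP debug output quoted in the post (copied, not constructed).
SAMPLE = """\
Jul 15 16:17:52.396: dot11_mgr_sm_start_ssn_psk: Starting 4-way handshake for PSK supplicant 0016.6faf.5c63
Jul 15 16:17:52.397: dot11_mgr_sm_send_ptk_msg1: [1] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.496: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.497: dot11_mgr_sm_send_ptk_msg1: [2] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.621: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.621: dot11_mgr_sm_send_ptk_msg1: [3] Sent PTK msg 1 to 0016.6faf.5c63, no timer set
Jul 15 16:17:52.825: dot11_mgr_sm_run_machine: Executing Action(PTK_MSG2_WAIT,TIMEOUT) for 0016.6faf.5c63
Jul 15 16:17:52.825: dot11_mgr_sm_handshake_fail: Handshake failure for 0016.6faf.5c63
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): (\w+): (.*)$")
MAC = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)

def fresh(start=None):
    # Per-client counters for one handshake attempt (layout is hypothetical).
    return {"msg1_sent": 0, "msg2_timeouts": 0, "failed": False,
            "start": start, "elapsed_ms": None}

def summarize(log):
    """Return {client_mac: counters} for PSK 4-way handshakes in the debug text."""
    clients = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        mac = MAC.search(m.group(3)) if m else None
        if not mac:
            continue  # lines without a parsable function name or client MAC
        stamp, func, msg = m.groups()
        # The log carries no year; a fixed one is prepended only to compute deltas.
        when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S.%f")
        c = clients.setdefault(mac.group(1).lower(), fresh())
        if func == "dot11_mgr_sm_start_ssn_psk":
            clients[mac.group(1).lower()] = fresh(when)  # new attempt resets counters
        elif func == "dot11_mgr_sm_send_ptk_msg1":
            c["msg1_sent"] += 1
        elif "PTK_MSG2_WAIT,TIMEOUT" in msg:
            c["msg2_timeouts"] += 1  # AP never saw message 2 (SNonce + MIC)
        elif func == "dot11_mgr_sm_handshake_fail":
            c["failed"] = True
            if c["start"]:
                c["elapsed_ms"] = (when - c["start"]) // timedelta(milliseconds=1)
    return clients
```

A client whose entry shows `msg2_timeouts` equal to `msg1_sent` and `failed` set never answered message 1 at all, which points at the client or the RF path rather than a mismatched PSK.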
