Dot1x/EAP/WPA problems in IOS 12.4(3g) on AP1131AG Hardware
Upon upgrading a test access point from IOS 12.3(8)JA2 to IOS 12.4(3g)JA/IOS 12.4(3g)JA1, clients using Dot1x/EAP Authentication and WPA/TKIP Encryption fail to authenticate with the Access Point. They go into an "associate, authenticate, client cancels authentication, de-associate, associate..." cycle. Logs from the RADIUS Server indicate authentication was successful and debug logs from the Access Point confirm this.
After on-site troubleshooting & client debugs/packet sniffing, the problem symptoms are exactly the same as detailed in Bug CSCsi02700 (in both the Bug Toolkit & IOS Release Notes).
The difference is the platform (an AP1131 platform, rather than AP1231) and the suggested workaround does not solve the problem (all SSIDs are configured to only use WPA key-management; AES is not used).
Client side (Vista/Intel 3945 ABG wireless card) tracing seems to reveal a zero-length key in one of the handshake packets: