Cisco Support Community

PLEASE ease my mind! - WPA/2-PSK (Unsecured)

I'm running code 4.2.130 on my 4404's with an SSID running WPA/WPA2-PSK. However, sometimes on my clients it'll show connected to SSID(Unsecured Network)? I'm hoping this is a driver bug? I've personally seen it on the Intel 3945ABG's series 11.x drivers.


Re: PLEASE ease my mind! - WPA/2-PSK (Unsecured)

The easy way to test it is to try and connect to it with no security.

We have a few thousand clients and you will see some odd things at times that make you go huh? :) Just double check...

You mentioned you have more than 1 controller. Do all the controllers have your SSID configured properly with the same security?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: PLEASE ease my mind! - WPA/2-PSK (Unsecured)

You might also want to use a capture tool to see if the data is encrypted or not. I think even Wireshark will work fine in this situation.


Re: PLEASE ease my mind! - WPA/2-PSK (Unsecured)

Hi Raun,

I'm sure that is a bug either in Windows ZeroConf or the Intel drivers, I've seen it a lot, too. The issue is transient and the client will soon change back to displaying the correct connection state. What I assume might happen is that WZC samples the state of the associations in some interval and sometimes manages to hit the phase when it is already associated and authenticated in the clear, but not yet through the EAPoL 4-way handshake comprising PSK. That state looks exactly like an unsecured connection to a casual stateless observer, and in a way it is - it's just the other end (the AP playing the authenticator) that is blocking any traffic but EAPoL from passing over that association. It might also be that WZC actually thought it would be done after open auth/assoc, maybe due to the first frame of the 4-way (which has to come from the AP) getting lost, leaving the STA in "connected to dead air" mode for a macroscopic timeframe. But this will time out after 8s or so, forcing reauth.

So just ignore it, the APs don't let traffic pass without proper 4-way handshake, at least according to any wireless sniffer trace I've seen so far.
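Added example, not part of the original thread and not Cisco or poster code: one way to run the sniffer check suggested in the replies above, by reading the Protected Frame bit of each 802.11 data frame and treating cleartext EAPOL as the expected 4-way handshake. It assumes frames from a monitor-mode capture with the radiotap header and FCS already stripped; `classify`, `audit` and `mk` are hypothetical names, and the sample frames are constructed.

```python
from collections import Counter

EAPOL_SNAP = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def classify(frame: bytes) -> str:
    """Classify a raw 802.11 frame (radiotap header and FCS already stripped)."""
    if len(frame) < 24:
        return "truncated"
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:                      # 0 = management, 1 = control, 2 = data
        return "not-data"
    hdr = 24
    if flags & 0x03 == 0x03:            # ToDS and FromDS both set: Address 4 present
        hdr += 6
    if subtype & 0x8:                   # QoS data subtypes carry a QoS Control field
        hdr += 2
        if flags & 0x80:                # Order bit on QoS data: HT Control present
            hdr += 4
    body = frame[hdr:]
    if subtype & 0x4 or not body:       # Null / QoS Null subtypes carry no payload
        return "no-payload"
    if flags & 0x40:                    # Protected Frame bit: body is encrypted
        return "protected"
    if body.startswith(EAPOL_SNAP):     # cleartext EAPOL is the 4-way handshake itself
        return "eapol"
    return "cleartext-data"

def audit(frames):
    """Count frame classes; passes if no non-EAPOL data frame went out in the clear."""
    counts = Counter(classify(f) for f in frames)
    return counts, counts["cleartext-data"] == 0

def mk(fc0, flags, body=b""):
    """Build a constructed frame: zeroed duration, addresses and sequence control."""
    qos = b"\x00\x00" if (fc0 >> 4) & 0x8 else b""
    return bytes([fc0, flags]) + bytes(22) + qos + body

# Constructed sample frames (not from a real capture)
HANDSHAKE_THEN_DATA = [
    mk(0x80, 0x00, bytes(12)),                   # beacon (management)
    mk(0x08, 0x02, EAPOL_SNAP + bytes(95)),      # EAPOL frame from the AP
    mk(0x08, 0x01, EAPOL_SNAP + bytes(117)),     # EAPOL frame from the STA
    mk(0x48, 0x01),                              # Null data (power save)
    mk(0x88, 0x41, bytes(8) + b"\x5a" * 40),     # QoS data, Protected bit set
]
LEAK = HANDSHAKE_THEN_DATA + [
    mk(0x08, 0x01, bytes.fromhex("aaaa030000000800") + bytes(20)),  # IPv4 in the clear
]
```

A capture of a correctly configured WPA/WPA2-PSK WLAN should look like `HANDSHAKE_THEN_DATA`: the only unprotected data frames are EAPOL. Any `cleartext-data` count above zero is what would justify the TAC case.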



Re: PLEASE ease my mind! - WPA/2-PSK (Unsecured)

If you are able to connect in clear mode and the WLC is configured identically as the other ones where WPA2 is working and you have a sniffer trace, you may want to open a TAC case so we can troubleshoot it further.
