Solved: Re: Wi-Fi WPA-PSK TKIP AUTH_FAILED Palm Treo 700w

wchaffin · ‎02-01-2006

I'm not able to get a Wi-Fi card to connect to a cisco AP1200 when everything is setup for WPA-PSK/TKIP. The Treo 700 sets on "connecting" and the AP generates an auth_failed error.

I know PSK is right on the AP and treo. This is not a new wireless deployment. Has anyone seen this problem?

Thanks, Bill, CCIE/MCSE

Authentication method:

WPA-PSK: The 64-character pre-shared key is entered.

Data Encryption method:

TKIP is turned on.

The Treo SSID shows "Connecting".....

The AT state shows "Association processing"

The AP generates a "Debugging Station xxxx.xxxx.xxxx Authentication failed" about every 5 seconds.

(where xxxx.xxxx.xxxx is the real MAC)

debug aaa authentication

000944: Feb 1 10:28:25.947 UTC: %DOT11-7-AUTH_FAILED: Station xxxx.xxxx.xxxx Authentication failed

000945: Feb 1 10:28:27.880 UTC: AAA/BIND(000004F0): Bind i/f

000946: Feb 1 10:28:29.612 UTC: AAA/BIND(000004F1): Bind i/f

000947: Feb 1 10:28:31.483 UTC: AAA/BIND(000004F2): Bind i/f

000948: Feb 1 10:28:31.784 UTC: %DOT11-7-AUTH_FAILED: Station xxxx.xxxx.xxxx Authentication failed

000949: Feb 1 10:28:33.217 UTC: AAA/BIND(000004F3): Bind i/f

000950: Feb 1 10:28:34.946 UTC: AAA/BIND(000004F4): Bind i/f

000951: Feb 1 10:28:36.771 UTC: AAA/BIND(000004F5): Bind i/f

jverich · ‎02-20-2006

I had similar problem. My PDA couldn't connect to Aironet 1200.

I had to change configuration AP:

conf t

dot11 wpa handshake timeout 500

interface Dot11Radio0

no dot11 extension aironet

end

Now all work fine.

#sh dot11 as 0009.2d82.e4b9

...

Key Mgmt type : WPA PSK Encryption : TKIP

Current Rate : 11.0 Capability : ShortHdr

Supported Rates : 1.0 2.0 5.5 11.0

Signal Strength : -39 dBm Connected for : 52213 seconds

...

View solution in original post

wchaffin · ‎02-02-2006

is there a debug or show command that will let me see the network key received from a device trying to authenticate to an AP, but failing?

johanbloemhard · ‎02-03-2006

Bill,

I just bought a Siemens sx66 and have also had trouble connecting to a Aironet 1100 with WPA-PSK; however, I can connect to a Linksys router with WPA-PSK. When I look at the network scan, I see a WPA PSK encryption for the Linksys. When I view the Aironet 1100 on the wi-fi scan, I see WEP encryption on the status.

I did try downloading the Odyssey Client trial which didn't help either. I actually called Juniper Networks and ran a number of debuggers but weren't able to conclude anything so I basically gave up on the Odyssey Client.

At this time, things are pointing to the Cisco Aironets as being the culprit. Another note is that if I take off the WPA encryption, the PDA gets right on.

I would love to hear from anyone that have found a solution.

Thanks!

Johan Bloemhard

wififofum · ‎02-05-2006

Johan,

Make sure you have disabled Aironet extensions on the AP.

no dot11 extension aironet under int d0/1.

wififofum · ‎02-05-2006

Also note doing this disables Cisco TKIP and client transmit power control.

wchaffin · ‎02-06-2006

We had the extensions disabled, so that's not it.

i'm going to try another vendors AP and see if it works. Its almost line the ap1200 is clipping the PSK.

wchaffin · ‎02-06-2006

Johan - i also don't have a problem connecting the PDA (w700) with wpa off. it's almost like the PSK is being clipped by my ap1200.

johanbloemhard · ‎02-06-2006

The most frustrating thing is that it connects WPA-PSK to a $50 Linksys WRT54G no problem. I've used Socket Companion on my Siemens sx66 and noticed the following:

- Linksys WRT54G shows WPA, PSK Encryption

- Cisco 1200AP shows WEP Encryption (even though it's configured as WPA-PSK and computers/laptops have no problem connecting to it)

Has anyone tried to open a TAC case on this issue yet? If not, maybe it's time for me to persue that.

wififofum · ‎02-06-2006

Johan, what version of TKIP is enabled on the AP, Cisco TKIP (ckip) or WPA TKIP (tkip)? Can you compare the output of "sh dot11 assoc" on a laptop vs. PDA? Sniff the output from the working Linksys AP connection and grab the header info, compare to working/non-working Cisco AP connections...

johanbloemhard · ‎02-17-2006

I'm running WPA TKIP. I've tried all of the applicable debugging commands on the AP and the AP doesn't even see the PDA as trying to connect. Haven't sniffed out the traffic yet...

willskei · ‎02-17-2006

What version of IOS are you running ?

johanbloemhard · ‎02-17-2006

I'm tried running 12.3(7)JA and 12.3(7)JA2 with no avail.

willskei · ‎02-17-2006

The problem you are having is with the chipset. Not with the Access Point. This is going to sound very odd but ... try this.

Within the AP GUI go to services.

QoS - ADVANCED – WiFi MultiMedia (WMM)

Turn this option OFF

Your B client should now connect with WPA-PSK

johanbloemhard · ‎02-17-2006

Would this be the problem even if QoS is "Disabled" under services?

willskei · ‎02-17-2006

Yes. Follow my directions in the previous post.