PTK challenge failed for EAP-SIM client

Aruba Employee
Problem:

PTK Challenge failed for EAP-SIM Client.



Diagnostics:

The auth-trace shows that authentication succeeds, but no key exchange is initiated from the controller/AP to the client.

Auth-trace output:
=================
    
    Line 13479: Aug  9 19:38:38  eap-id-req            <-  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              1    5    
    Line 13480: Aug  9 19:38:38  eap-id-resp           ->  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              1    63   CGH/XXVMapZVsnV06p6URHK@wlan.mnc009.mcc334.3gppnetwork.org
    Line 13481: Aug  9 19:38:38  rad-req               ->  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              138  283  
    Line 13482: Aug  9 19:38:38  rad-resp              <-  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1/SRV-WIFI-GW  138  168  
    Line 13483: Aug  9 19:38:38  eap-req               <-  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              2    128  
    Line 13484: Aug  9 19:38:38  eap-resp              ->  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              2    44   
    Line 13485: Aug  9 19:38:38  rad-req               ->  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1/SRV-WIFI-GW  139  264  
    Line 13486: Aug  9 19:38:38  rad-accept            <-  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1/SRV-WIFI-GW  139  120  
    Line 13487: Aug  9 19:38:38  eap-success           <-  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              2    4    
    Line 13488: Aug  9 19:38:38  station-down           *  78:4b:87:d9:da:e8  ac:a3:1e:54:12:e1              -    -    
  
Security logs:
==============
    
    
    Line 13868: Aug 9 19:38:39 :124003:  <INFO> |authmgr|  Authentication result=Authentication Successful(0), method=802.1x, server=SRV-WIFI-GW, user=78:4b:87:d9:da:e8 
    Line 13879: Aug 9 19:38:39 :124105:  <DBUG> |authmgr|  MM: mac=78:4b:87:d9:da:e8, state=3, name=CGH/XXVMapZVsnV06p6URHK@wlan.mnc009.mcc334.3gppnetwork.org, role=Postpaid, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=1.
    Line 13881: Aug 9 19:38:39 :124105:  <DBUG> |authmgr|  MM: mac=78:4b:87:d9:da:e8, state=3, name=CGH/XXVMapZVsnV06p6URHK@wlan.mnc009.mcc334.3gppnetwork.org, role=Postpaid, dev_type=, ipv4=0.0.0.0, ipv6=0.0.0.0, new_rec=0.
    Line 13883: Aug 9 19:38:39 :132086:  <INFO> |authmgr|  WPA 2 Key exchange failed to complete, de-authenticating the station 78:4b:87:d9:da:e8 associated with AP ac:a3:1e:54:12:e1 AP-325   



Solution

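A capture of the RADIUS packets showed that the attributes MS-MPPE-Recv-Key and MS-MPPE-Send-Key are missing from the radius-accept packet. Without them the controller does not receive the keying material it needs to start the WPA2 4-way handshake, so the PTK is never derived and the station is de-authenticated.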

Unsuccessful trace:

===============

 

After correcting the AVPs sent from the server - Successful trace:

==================================================
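
One way to check a captured Access-Accept for the two attributes named in the solution (an added example, not part of the original article or of Aruba's tooling): the parser walks the RADIUS attributes per RFC 2865 and looks for the Microsoft vendor-specific attributes 16 and 17 defined in RFC 2548. The function and helper names and both sample packets are constructed for illustration.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RADIUS code / attribute type (RFC 2865)
MICROSOFT = 311                          # vendor ID used by RFC 2548 attributes
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def missing_mppe_keys(packet: bytes) -> list:
    """Return the names of the MS-MPPE key attributes absent from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = set(), 20               # attributes start after the 20-byte header
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 4:
            vendor, sub = struct.unpack("!I", value[:4])[0], 4
            # Walk the vendor sub-attributes (vendor-type, vendor-length, data).
            while vendor == MICROSOFT and sub + 2 <= len(value):
                vtype, vlen = value[sub], value[sub + 1]
                if vlen < 2:
                    break
                if vtype in MPPE_KEYS:
                    found.add(vtype)
                sub += vlen
        pos += alen
    return [name for vtype, name in sorted(MPPE_KEYS.items()) if vtype not in found]

# --- constructed sample packets (not taken from the article's capture) ---
def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_ms_vsa(vtype: int, data: bytes) -> bytes:
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + build_attr(vtype, data))

def build_accept(*attrs: bytes) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 139, 20 + len(body)) + bytes(16) + body

BAD_ACCEPT = build_accept(build_attr(1, b"constructed-user"))   # no key material
GOOD_ACCEPT = build_accept(build_attr(1, b"constructed-user"),
                           build_ms_vsa(16, bytes(50)), build_ms_vsa(17, bytes(50)))

if __name__ == "__main__":
    for label, pkt in (("bad", BAD_ACCEPT), ("good", GOOD_ACCEPT)):
        print(label, "missing:", missing_mppe_keys(pkt) or "none")
```

To use it on a real capture, pass the UDP payload of the Access-Accept as `packet`; an empty list means both key attributes are present.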
