Controller Based WLANs

Possible client behaviour with 802.11r enabled

Question : Why BlackBerry Z10 fails to connect to 802.1x SSID with 802.11r enabled?

 

Environment Information : This article applies to all controllers/AP models running AOS version 6.3 and above.

 

Symptoms :

 

- Black Berry Z10 fails to connect to 802.1x SSID with 802.11r enabled
- WPA2-Key 2 messages are not sent from the device to complete the 802.1x authentication process

 

Cause :

BB Z10 is unable to connect to 802.1x ssid and we find that the device fails to reply with WPA-key2 message.
 
Jan 31 10:40:28  eap-success         <-  40:6f:2a:d4:24:9b  24:de:c6:4b:e3:39                        44  4   
Jan 31 10:40:28  wpa2-key1             <-  40:6f:2a:d4:24:9b  24:de:c6:4b:e3:39                    -   117 
Jan 31 10:40:29  wpa2-key1             <-  40:6f:2a:d4:24:9b  24:de:c6:4b:e3:39                    -   117 
Jan 31 10:40:30  wpa2-key1             <-  40:6f:2a:d4:24:9b  24:de:c6:4b:e3:39                    -   117 
Jan 31 10:40:31  station-down           *  40:6f:2a:d4:24:9b  24:de:c6:4b:e3:39                    -   -    


 
From the above it is seen that the device fails to respond back with WPA2-key2 and thus fails authentication. This particular issue was seen with AOS version 6.3 and above.
 
Root  cause of the issue was identified to be mismatch of the eapol key descriptor version as shown below:

 
User-added image
(above snip is from client trying to auth against controller running version 6.3.x)


 
Controller proposes AES-CMAC (version 3) in WPA2-key1 to which client doesn’t respond since it doesn’t support it. Client is capable of doing only HMAC-SHA1 (version 2) as can be seen from the below snip:
 
User-added image
(above is a snip from client get auth against IAP running version 6.)
 

Resolution :

Reason why there is a mismatch is because client is trying to do 802.11r even though it doesn't support Fast BSS Transition and thus uses version 3 for some unknown reason.

 
User-added image


From the above snip we can see that the “Fast BSS Transition” tag is set which indicates client wants to do 802.11r.
Per AOS design, if client is negotiating 802.11r then the Version used will be AES-CMAC(Version 3). This was found to be a client side issue.

Resolution is to disable 802.11r. This might not be only applicable to BB_Z10 but there might be other devices exhibiting the similar behavior and doing an interop testing for all is not feasible.

 

Version history
Revision #:
1 of 1
Last update:
‎07-14-2014 11:58 PM
Updated by:
 
Labels (2)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.