Security

Hi, I found the solution to this on my own but I didn't find anything online that hinted that this could be the issue.

Issue:  I have a raspberry pi which worked fine with WPA2/PEAP on AOS verson 5.x but then I upgraded to 6.3 and it stopped working.  It would half-authenticate, assocate with the AP but never finish the PEAP authentication.  auth-trace would show that it was timing out.  It was reaching the radius server but never completing the PEAP auth.  The solution I found was in the ssid profile to set 

wlan ssid-profile "SSID"

     no eapol-rate-opt

Once I set this it would connect without issues.  I guess the wpa_supplilcant on the raspberry pi at least would get confused wtih the rate-opt feature and never connect.  Hope this helps someone, took me a day to figure it out.

What basic and Tx rates do you have configured on this SSID?

wlan ssid-profile "SSID"
essid "SSID"
 opmode wpa2-aes
g-tx-rates 36 48 54
ageout 1800
wmm
local-probe-req-thresh 30
no eapol-rate-opt
!

Basic rates are the defaults (1 and 2 I believe).  Can thsese settings also cause that behavior?  I fiddled with this setting just now and it didn't seem to affect it.

Just from the initial glance, I would try running through the ASE.arubanetworks.com solution for RF optimization in WLAN networks and use those settings for the SSID.  The EAP optimization should be enabled unless there is an issue with it in which case TAC needs to be informed.

Here is a link - https://ase.arubanetworks.com/solutions/id/75

Hey thats a neat tool!  I'll play around with it and let you know if that makes any difference.

---

@arubasecrets wrote:

wlan ssid-profile "SSID"
essid "SSID"
 opmode wpa2-aes
g-tx-rates 36 48 54
ageout 1800
wmm
local-probe-req-thresh 30
no eapol-rate-opt
!

Basic rates are the defaults (1 and 2 I believe).  Can thsese settings also cause that behavior?  I fiddled with this setting just now and it didn't seem to affect it.

---

Arubasecrets,

Did you try it with the default basic and TX rates, no local probe threshold (the default) ?

Your basic rates should be a subset of your TX rates to work correctly.  Having a local-probe-response-threshold of 30 is very aggressive.  Having things configured they way you have them currently could cause issues, yes.  Try the defaults, first.

Hi Colin, I tried as you suggested:

first I enabled the eapol-rate-opt and cycled the adapter on the wpa_supplicant that was having issues.  It was not able to complete the authentication.

I then undid the probe response level (not sure how that got turned on, but it was on the 5x config), no change.  I changed the TX rates to be 12 and up, no change. 

Then I changed the basic rates to 12 (as the ASE tool and you suggested) and boom, client connected.

So the real issue was my screwy basic rate settings.  I had no idea they had to be a subset of the tx rates, for some reason I thought it should always be 1 and 2.  

I changed these settings on the other SSID profiles as well.  Thanks for the help, I bet it will make things run smoother for now on.