Aruba
Posts: 1,643
Registered: ‎04-13-2009

Ptk Challenge Failed

Having an issue with users being dropped from the network with "Reason Ptk Challenge Failed". The controllers are running 6.3.0.1.

I just started looking into it, but it looks to be MacOS systems.

I saw one post with this message referencing the IP Spoofing issue of 6.2. It does not appear to be the same thing, but I could be wrong.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Ptk Challenge Failed

Is "Validate PMKID" and "Opportunistic Key Caching" enabled in the 802.1x profile?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Ptk Challenge Failed

In the advanced settings for the firewall, is "prohibit IP spoofing" on or off?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Ptk Challenge Failed

EDIT:

That location's profile has Validate PMKID enabled and Opportunistic Key Caching disabled. I am going to compare with the other profiles that are set up.

Prohibit IP Spoofing is "enabled" for IPv4; disabled for IPv6 (as is all IPv6).

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Ptk Challenge Failed

Uncheck it from v4.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: Ptk Challenge Failed

I'll uncheck it from IPv4, Seth. What are the recommended settings for OKC and Validate PMKID in this type of setup (primarily Macs)? Both are disabled.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Ptk Challenge Failed

In the 802.1x auth profile (under the AAA profile), ONLY check off "Validate PMKID". Leave OKC unchecked.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Ptk Challenge Failed


clembo wrote:

I'll uncheck it from IPv4, Seth. What are the recommended settings for OKC and Validate PMKID in this type of setup (primarily Macs)? Both are disabled.


Clembo,

OKC is on by default and many Windows clients leverage this. If OKC was turned off, I would check to see if anything else is changed in that profile because it is on by default. Ideally in a mixed environment you would have OKC on and Validate PMKID on, as well.



Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Ptk Challenge Failed

Supporting facts:

OKC or opportunistic key caching is a mechanism that allows devices to NOT have to re-negotiate keys with a RADIUS server when roaming from one access point to another AP that they have already been on. Devices that support OKC enjoy faster roam times to access points to which they have previously associated. This ONLY applies on an 802.1x WLAN.

Mac OS X devices do NOT support OKC, so if OKC is enabled in the 802.1x profile (it is by default), Macs will not complete their key exchange and it will manifest itself as a connectivity issue. If you have a 100% Mac environment, it is best just to turn OKC off in the 802.1x profile. Validate-PMKID provides a way to check to see if a device is attempting to associate using OKC, but allows clients like Macs that do not support OKC to complete a full key exchange, if they don't support OKC. Having OKC and Validate-PMKID is if you have a mixed environment and you want to support clients that do OKC, but also allow non-OKC clients to co-exist. You can also get by by turning OKC off altogether with few, if any, issues. OKC is much more important for Voice clients, where VoIP applications are very sensitive to roaming and need that fast roaming support.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
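
Added example (not part of the original posts and not Aruba's code): a simplified Python model of the OKC / Validate PMKID decision described in the post above. The PMKID formula is the IEEE 802.11i one; the `Authenticator` class, its return labels and the sample PMK and MAC addresses are constructed assumptions.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """IEEE 802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

class Authenticator:
    """Hypothetical controller-side model of the two 802.1x profile knobs."""
    def __init__(self, okc: bool, validate_pmkid: bool):
        self.okc = okc
        self.validate_pmkid = validate_pmkid
        self.pmk_cache = {}  # client MAC (SPA) -> PMK from the last full 802.1X auth

    def full_auth(self, spa: bytes, pmk: bytes) -> None:
        self.pmk_cache[spa] = pmk

    def on_reassoc(self, spa: bytes, bssid: bytes, offered_pmkid) -> str:
        """Decide how a roam to `bssid` proceeds for client `spa`."""
        cached = self.pmk_cache.get(spa)
        if not self.okc or cached is None:
            return "full-802.1x"
        if not self.validate_pmkid:
            # Cached PMK is used whether or not the client signalled OKC;
            # a non-OKC client then derives a different PTK and the 4-way handshake fails.
            return "4-way-with-cached-pmk"
        expected = pmkid(cached, bssid, spa)  # OKC: same PMK, new AP's BSSID as AA
        if offered_pmkid is not None and hmac.compare_digest(offered_pmkid, expected):
            return "4-way-with-cached-pmk"
        return "full-802.1x"  # no or wrong PMKID: fall back to a full key exchange

# Constructed sample values, for illustration only.
PMK = bytes(range(32))
CLIENT = mac("02:00:00:00:00:01")
AP1, AP2 = mac("02:00:00:00:0a:01"), mac("02:00:00:00:0a:02")

def roam(okc: bool, validate: bool, client_does_okc: bool) -> str:
    auth = Authenticator(okc, validate)
    auth.full_auth(CLIENT, PMK)  # initial 802.1X authentication on AP1
    offered = pmkid(PMK, AP2, CLIENT) if client_does_okc else None
    return auth.on_reassoc(CLIENT, AP2, offered)

if __name__ == "__main__":
    for okc, val, cli in [(True, True, True), (True, True, False),
                          (True, False, False), (False, True, False)]:
        print(f"okc={okc} validate={val} client_okc={cli} -> {roam(okc, val, cli)}")
```
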
Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: Ptk Challenge Failed

Sethfiermonti,

I don't have any supporting facts quotes.

We do have a University in New England where that specific message was showing up both on the controller and on the Mac OS X client when the debugging was turned on. OKC was off at the time. We turned on OKC AND Validate PMKID, and clients that leveraged OKC as well as Macs had a better experience and we never saw that message again.

They know who they are and can chime in here.



Colin Joseph
Aruba Customer Engineering
