Occasional Contributor I

Question: wpa2-aes connect problem

Hi.

I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

However, only the iPhone was connected.

Android 5, 6 and Win10 fail.

Does anyone know this issue?

Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

(I used internal RADIUS)

Aruba Employee

Re: Question: wpa2-aes connect problem

Hi Insang,

 

Please enable user-debug for a couple of clients & provide the following outputs:

config#logging level debugging user-debug <mac-address of user>

#show auth-tracebuf count <>

 

This could be related to TLS 1.2 version for which the fix was given in 6.3.1.20.

 

But we need logs to determine that.

 

 

Guru Elite

Re: Question: wpa2-aes connect problem


Hwang wrote:

Hi.

I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

However, only the iPhone was connected.

Android 5, 6 and Win10 fail.

Does anyone know this issue?

Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

(I used internal RADIUS)


If you are using internal radius that means that you are using EAP-Termination.  Did you replace the internal radius server certificate with something that is valid?  6.3.1.4 is very old....



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Question: wpa2-aes connect problem

Thank you for the reply, and sorry I'm late.

(a0:b4:a5:8b:f3:e5 is my Android 6.0 phone)

 

(OAW-4306G) #show clock

Mon Jul 24 04:24:21 PST 2017

(OAW-4306G) #show auth-tracebuf count 20

Warning: user-debug is enabled on one or more specific MAC addresses;
only those MAC addresses appear in the trace buffer.

Auth Trace Buffer
-----------------


Jul 24 04:19:04 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:19:36 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:19:36 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:19:36 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:08 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:20:08 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:08 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:19 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - - wpa2 aes
Jul 24 04:20:19 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:19 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:50 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:20:50 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:50 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:21:22 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:21:22 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:21:22 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:24:24 station-down * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - -
Jul 24 04:24:24 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 - - wpa2 aes
Jul 24 04:24:24 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 1 -
Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version

 

and

 

(OAW-4306G) #show log all 10

Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771
Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771

 

 

So, is this a problem with Android or with the firmware image?

I think 6.3.1.4 can't support TLS 1.2, is that right?

And can it only be solved by upgrading the image?

(I already told my customer, "you need to upgrade.")

Thank you for helping me.

 

 

Occasional Contributor I

Re: Question: wpa2-aes connect problem

Thank you for helping me.

I know 6.3.1.4 is very old, but my customer uses AP 70.

So I will tell the customer that we need to upgrade the firmware and change the access point.

 

Um... will this link help me? "What is EAP-Termination"

https://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/6140/1/EAP-TLS%20Termination-2.docx

Aruba Employee

Re: Question: wpa2-aes connect problem

The issue is related to the firmware not supporting TLS version 1.2 when EAP-Termination is on the controller.

 

Please use one of the following options :

 

1. Use an external RADIUS server & disable EAP-termination on the controller. Ensure that the external server is using a valid server certificate.

2. In case you don't have a RADIUS server & need to use the controller's internal db for authentication, we need to upgrade the controllers to 6.3.1.20 or above to support the new TLS version.

 

The following link has more info on 802.1x/EAP termination:

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-dot1x-termination-work/ta-p/178566
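
The diagnosis in this thread rests on reading "TLS client version 771" as 0x0303, i.e. TLS 1.2. As an added example (not part of the original posts and not Aruba code), the Python below decodes that field and counts rejected handshakes per station; the sample lines are copied from the output posted above, and the function names are this example's own.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# auth-tracebuf entry for a handshake the controller rejected
TRACE_RE = re.compile(
    rf"client-finish -> (?P<sta>{MAC}) {MAC}/\S+ .*invalid tls version", re.I)
# authmgr error that prints the client's TLS version as one decimal integer
ERR_RE = re.compile(
    rf"Station (?P<sta>{MAC}) {MAC} sent with unsupported TLS client version (?P<ver>\d+)",
    re.I)

# A TLS ProtocolVersion is two bytes: major, minor.
TLS_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
             (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def decode_tls_version(value):
    """Split the logged integer into (major, minor) and name the protocol."""
    major, minor = value >> 8, value & 0xFF
    return TLS_NAMES.get((major, minor), f"unknown (0x{value:04x})")

def summarize(lines):
    """Per station: rejected handshake count and the TLS versions it offered."""
    stations = {}
    for line in lines:
        trace, err = TRACE_RE.search(line), ERR_RE.search(line)
        m = trace or err
        if not m:
            continue  # station-up, eap-term-start and similar lines are ignored
        entry = stations.setdefault(m["sta"].lower(),
                                    {"rejected": 0, "versions": []})
        if trace:
            entry["rejected"] += 1
        else:
            name = decode_tls_version(int(err["ver"]))
            if name not in entry["versions"]:
                entry["versions"].append(name)
    return stations

# Lines copied from the auth-tracebuf and "show log all" output in this thread.
SAMPLE = [
    "Jul 24 04:20:19 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - - wpa2 aes",
    "Jul 24 04:20:19 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version",
    "Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version",
    "Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771",
]

if __name__ == "__main__":
    for sta, info in summarize(SAMPLE).items():
        print(sta, info["rejected"], "rejected, offered", ", ".join(info["versions"]))
```
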

 

 

Occasional Contributor I

Re: Question: wpa2-aes connect problem

I appreciate it.

Thank you VERY much~!
