Wireless Access

Occasional Contributor II

Question: wpa2-aes connect problem

Hi.

I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

However, only the iPhone connected.

Android 5, 6 and Win10 fail.

Does anyone know this issue?

Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

(I used internal radius)

Re: Question: wpa2-aes connect problem

Hi Insang,

 

Please enable user-debug for a couple of clients & provide the following outputs:

config#logging level debugging user-debug <mac-address of user>

#show auth-tracebuf count <>

 

This could be related to TLS 1.2 version for which the fix was given in 6.3.1.20.

 

But we need logs to determine that.

 

 

Guru Elite

Re: Question: wpa2-aes connect problem


Hwang wrote:

Hi.

I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

However, only the iPhone connected.

Android 5, 6 and Win10 fail.

Does anyone know this issue?

Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

(I used internal radius)


If you are using internal radius that means that you are using EAP-Termination.  Did you replace the internal radius server certificate with something that is valid?  6.3.1.4 is very old....


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Occasional Contributor II

Re: Question: wpa2-aes connect problem

Thank you for the reply, and sorry I'm late.

(a0:b4:a5:8b:f3:e5 is my Android 6.0 phone)

 

(OAW-4306G) #show clock

Mon Jul 24 04:24:21 PST 2017

(OAW-4306G) #show auth-tracebuf count 20

Warning: user-debug is enabled on one or more specific MAC addresses;
only those MAC addresses appear in the trace buffer.

Auth Trace Buffer
-----------------


Jul 24 04:19:04 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:19:36 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:19:36 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:19:36 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:08 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:20:08 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:08 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:19 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - - wpa2 aes
Jul 24 04:20:19 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:19 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:20:50 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:20:50 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:20:50 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:21:22 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
Jul 24 04:21:22 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
Jul 24 04:21:22 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:24:24 station-down * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - -
Jul 24 04:24:24 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 - - wpa2 aes
Jul 24 04:24:24 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 1 -
Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version

 

and

 

(OAW-4306G) #show log all 10

Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771
Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771

 

 

So, is this a problem with Android or with the firmware image?

I think 6.3.1.4 can't support TLS 1.2, is that right?

And can it only be solved by upgrading the image?

(I already told my customer "you need to upgrade")

Thank you for helping me.

 

 

Occasional Contributor II

Re: Question: wpa2-aes connect problem

Thank you for helping me.

I know 6.3.1.4 is very old, but my customer uses AP 70.

So I will tell the customer that we need to upgrade the firmware and change the access point.

Um... will this link help me? "What is EAP-Termination"

https://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/6140/1/EAP-TLS%20Termination-2.docx

Re: Question: wpa2-aes connect problem

The issue is related to the firmware not supporting TLS version 1.2 when EAP-Termination is on the controller.

Please use one of the following options:

1. Use an external radius server & disable EAP-termination on the controller. Ensure that the external server is using a valid server certificate.

2. In case you don't have a radius server & need to use the controller's internal db for authentication, we need to upgrade the controllers to 6.3.1.20 or above to support the new TLS version.

 

The following link has more info on 802.1x/EAP termination:

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-dot1x-termination-work/ta-p/178566
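
An added example, not part of the original posts: a small parser that decodes the "unsupported TLS client version" number from the authmgr log and counts the rejected handshakes in the auth-tracebuf output, per client. The sample lines are copied from the output posted in this thread; the function names and the result layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# TLS versions travel on the wire as two bytes (major, minor); the controller
# log prints that 16-bit value in decimal, so 771 == 0x0303.
TLS_VERSIONS = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# "show log all" line written by authmgr (message 132162 in the thread).
AUTHMGR_RE = re.compile(
    rf"Station (?P<sta>{MAC}) (?P<bssid>{MAC}) sent with "
    r"unsupported TLS client version (?P<ver>\d+)", re.I)
# "show auth-tracebuf" line for a handshake the controller rejected.
TRACE_RE = re.compile(
    rf"client-finish\s+->\s+(?P<sta>{MAC})\s+(?P<bssid>{MAC})/\S+"
    r".*invalid tls version", re.I)

# Lines copied from the output posted in the thread.
SAMPLE = [
    "Jul 24 04:21:22 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version",
    "Jul 24 04:24:24 station-down * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - -",
    "Jul 24 04:24:24 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 - - wpa2 aes",
    "Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version",
    "Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771",
]

def tls_name(code):
    """Map the decimal version from the log to a protocol name."""
    return TLS_VERSIONS.get(code, f"unknown (0x{code:04x})")

def summarize(lines):
    """Per station: offered TLS versions, rejected handshakes, BSSIDs seen."""
    stats = defaultdict(lambda: {"versions": set(), "rejected": 0, "bssids": set()})
    for line in lines:
        m = AUTHMGR_RE.search(line)
        if m:
            stats[m["sta"]]["versions"].add(tls_name(int(m["ver"])))
        else:
            m = TRACE_RE.search(line)
            if m:
                stats[m["sta"]]["rejected"] += 1
        if m:
            stats[m["sta"]]["bssids"].add(m["bssid"])
    return dict(stats)

if __name__ == "__main__":
    for sta, s in summarize(SAMPLE).items():
        print(sta, sorted(s["versions"]), s["rejected"], sorted(s["bssids"]))
```
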

 

 

Occasional Contributor II

Re: Question: wpa2-aes connect problem

I appreciate it . 

Thank you VERY much~! 
