Scenario: I connect to my work wpa2 ssid (via my RAP at home) just fine. I then switch over to my local home wireless ssid. I then try and come back to my wpa2 work ssid (saved profile in Win10), and I cannot connect. It just attempts and fails, and fails multiple times. If I forget the network and reconnect from scratch - it connects just fine.
Windows wireless logs show repeated failures:
I have my client setup for debug on the controllers. I am finding this issue:
May 15 13:18:08 :522289: <3605> <DBUG> |authmgr| Auth GSM : MAC_USER mu_delete publish for mac 30:24:32:f7:51:2a bssid c8:b5:ad:1e:0a:50 vlan 2260 type 1 data-ready 0 deauth-reason 52 HA-IP n.aMay 15 13:18:08 :526162: <4241> <DBUG> |dot1x-proc:2| send_client_event_notify_to_main_auth 13:18:10.725313 message sent to auth event 10May 15 13:18:08 :501106: <5512> <NOTI> |stm| Deauth to sta: 30:24:32:f7:51:2a: Ageout AP 100.64.16.118-c8:b5:ad:1e:0a:50-RAP-189ce0 wifi_deauth_staMay 15 13:18:08 :522296: <5324> <DBUG> |authmgr| Auth GSM : USER_STA delete event for user 30:24:32:f7:51:2a age 0 deauth_reason 52May 15 13:18:08 :522036: <5324> <INFO> |authmgr| MAC=30:24:32:f7:51:2a Station DN: BSSID=c8:b5:ad:1e:0a:50 ESSID=UCCS-Wireless VLAN=960 AP-name=RAP-189ce0 reason=52 at 13:18:10.725715May 15 13:18:08 :522234: <5324> <DBUG> |authmgr| Setting idle timer for user 30:24:32:f7:51:2a to 14400 seconds (idle timeout: 14400 ageout: 0).May 15 13:18:08 :522004: <5324> <DBUG> |authmgr| auth_gsm_change_repkey_for_channels: publish_list 7 repkey -1 macuser VALID ipuser NULLMay 15 13:18:08 :501080: <5512> <NOTI> |stm| Deauth to sta: 30:24:32:f7:51:2a: Ageout AP 100.64.16.118-c8:b5:ad:1e:0a:50-RAP-189ce0 Ptk Challenge FailedMay 15 13:18:08 :522004: <5324> <DBUG> |authmgr| auth_gsm_change_sta_repkey: STA repkey change failed for mac 30:24:32:f7:51:2a result error_invalid_object_pointerMay 15 13:18:08 :522004: <5324> <DBUG> |authmgr| auth_gsm_change_mac_user_repkey: Failed sta publish: result 0May 15 13:18:08 :501000: <5512> <DBUG> |stm| Station 30:24:32:f7:51:2a: Clearing stateMay 15 13:18:08 :522328: <5324> <DBUG> |authmgr| Auth GSM : MAC USER change repkey Success for mac 30:24:32:f7:51:2a -1May 15 13:18:08 :522004: <5324> <DBUG> |authmgr| auth_gsm_publish_cluster_sta_section: csta_section_update success for mac 30:24:32:f7:51:2a stby_ip = 220.127.116.11May 15 13:18:08 :522326: <5324> <DBUG> |authmgr| Auth GSM : USER repkey change Success for mac 30:24:32:f7:51:2a 001a1e0203280000004c7580 -1May 15 13:18:08 :522004: <4241> <DBUG> |dot1x-proc:2| handle_dot1x_abort calledMay 15 13:18:08 :522152: <5324> <DBUG> |authmgr| station free: bssid=c8:b5:ad:1e:0a:50, mac=30:24:32:f7:51:2a.May 15 13:18:08 :501105: <NOTI> |AP RAPemail@example.com stm| Deauth from sta: 30:24:32:f7:51:2a: AP 100.64.16.118-c8:b5:ad:1e:0a:50-RAP-189ce0 Reason Ptk Challenge FailedMay 15 13:18:08 :501000: <DBUG> |AP RAPfirstname.lastname@example.org stm| Station 30:24:32:f7:51:2a: Clearing state
What is deauth code 52?
What could be causing it?
What else can I check?
- Try to connect
- After it fails, on the controller type "show auth-tracebuf mac <mac address of client>"
- Paste that output here.
Has this client ever worked?
Authbuff output attached. This client has worked fine in the past.
I would forget the SSID and recreate it from scratch.
It looks like the client is not responding to key1
May 15 14:20:14 wpa2-key1 <- 30:24:32:f7:51:2a c8:b5:ad:1e:0a:50 - 117
May 15 14:20:15 wpa2-key1 <- 30:24:32:f7:51:2a c8:b5:ad:1e:0a:50 - 117
May 15 14:20:16 wpa2-key1 <- 30:24:32:f7:51:2a c8:b5:ad:1e:0a:50
I would also see if the radius server says anything.
Seems to only happen on my RAP. Couldn't reproduce on a Win10 client on campus switching between campus AP ssid and a test xfinity wireless AP ssid I have on site. I have other clients (on RAPs) exhibiting this behavior as well.
ClearPass doesnt show any entries in the access tracker for the failed attempts to connect.
Please open a Technical Support case so that they can drill down into your log information.
Thanks @cjoseph for your suggestions and help. Might have to break down and open a TAC case. Appreciate your input.
You should still ask questions here, but only TAC will be able to see all of your logs and be able to make proper determinations.
Did you test the RAP SSID with a phone or some other OS besides Windows 10?
My iPhone seems to work fine.
I have a mac user reporting similar issue. I need to debug them, and a few others... and see if they are failing similarly (failing to reply to key1).
Any timeout settings to look at (as it pertains to wpa2 and EAP working over a RAP)?
I would forget the SSID on the mac and try to reconnect from scratch.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.