Because 6 GHz requires Enhanced Open where the other bands can utilize transition mode to connect to the Open network. Open doesn't have a four-way handshake to negotiate so nothing to fail.
Original Message:
Sent: Dec 04, 2024 02:21 PM
From: Netbuzz
Subject: ClearPass Guest Web login -- Android issues
Thanks.
After additional testing, looks like issue is when 6G radio tuned on.. our APs broadcast all 3 radios all the time.. disabling 6G radio allows Andriod to connect fine. we are 8.10.0.14.. if it matters
------------------------------
[Akshay][Vishwas]
Original Message:
Sent: Dec 04, 2024 11:39 AM
From: chulcher
Subject: ClearPass Guest Web login -- Android issues
If that is showing the same behavior then you'll need to do an over-the-air PCAP to see if the device is actually sending the fourth packet in the four-way handshake. If the client device isn't finishing the handshake, nothing we can do from the AP side.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Dec 04, 2024 11:32 AM
From: Netbuzz
Subject: ClearPass Guest Web login -- Android issues
Thanks for that..
One of my colleagues just tested with Android 14 as well. we are seeing same issue. Its a Samsung phone if it matters
------------------------------
[Akshay][Vishwas]
Original Message:
Sent: Dec 04, 2024 11:20 AM
From: chulcher
Subject: ClearPass Guest Web login -- Android issues
Android 16 is in developer preview, any change in behavior should be brought up with that team.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Dec 04, 2024 11:15 AM
From: Netbuzz
Subject: ClearPass Guest Web login -- Android issues
Yes, I have created a case with them..
After troubleshooting further, the issue seems to be specific to Android with "enhanced open" turned on. the 4th packet "wpa3-key4-vm" is not making back to IAP from a client in a 4-way handshake. this is specific to Android 16, works fine with old Android 13 and All IOS devices.
Here is "show ap debug auth-trace buffer" output
Dec 3 17:34:41.972 owe-pmk-update * xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx - - Grp:19 PMK:32 Succ
Dec 3 17:34:41.976 mac-auth-req -> xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx/Clearpass1 - - xx:xx:xx:xx:xx:xx
Dec 3 17:34:42.040 mac-auth-success <- xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx/Clearpass1 - - success
Dec 3 17:34:42.040 station-up * xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx - - wpa3-owe aes-ccmp-128
Dec 3 17:34:42.040 wpa3-key1-vm <- xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx - 95
Dec 3 17:34:42.068 wpa3-key2-vm -> xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx - 32256
Dec 3 17:34:42.068 wpa3-key3-vm <- xx:xx:xx:xx:xx:xx xx:xx:xx:xx:xx:xx - 191
------------------------------
[Akshay][Vishwas]
Original Message:
Sent: Dec 04, 2024 10:28 AM
From: chulcher
Subject: ClearPass Guest Web login -- Android issues
Have you opened a case with TAC on this?
What client devices are experiencing this behavior?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Dec 03, 2024 05:01 PM
From: Netbuzz
Subject: ClearPass Guest Web login -- Android issues
Hi
We are implementing guest captive portal leveraging ClearPass web login along with mac authentication (for returning clients). works fine on IOS and Windows platform. however for android user base we are running into problems with an error "connection failed".
Use case is a new android user creates an account on CPPM guest platform and generates a password to connect to an "enhanced open" SSID. works fine the first time. but user steps out of the range, comes and tries to connect user sees connection failed and no captive portal is opened as well (as expected). ClearPass logs shows mac auth is successful and its receiving post-auth roles with no rejections as well. On IAP side we are seeing EAP time-out message coming from a client when it happens.
Please note we are unable to reproduce this with IOS, Windows and Android 13 user base. only reproduceable with new android clients in our testing .
Has anyone gone thru this implementation.. are there any special considerations that needs to be taken for android clients ?
Thank you,
------------------------------
[Akshay][Vishwas]
------------------------------