Controllerless Networks


iPhones not connecting to WPA2 Enterprise Network in Office

  • 1.  iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 09, 2014 06:52 PM

    Hi,

    Recently a problem has surfaced where our company iPhones, mostly iOS 7.04, have difficulty or cannot connect to the WLAN.

    We have 2 IAP105 Access Points and both have been working for quite some time.

    I even had one replaced under warranty because I thought it was the AP causing the problem.

    All Wireless laptops connect to the AP using the same WPA2 Enterprise SSID and have no problems.

    The configuration is delivered to laptop devices via Group Policy.

    The configurations are delivered to the phones via AirWatch MDM server and have been working for quite some time.

    The AP105s are software version 6.2.1.0-3.4.0.1_39461.

    I can't find any logs showing a clue as to any error message.

    The client list on the AP actually shows the devices in the list as being connected; however, as you look at the device itself, it appears the device iPhone4s is continually searching for the network, i.e. there is no tick mark against the SSID.

    The Network Policy and Access service on our Windows 2008 server even reports that access is granted:

    "Network Policy Server granted full access to a user because the host met the defined health policy".

    Yet the phones appear to be still trying to connect to the WLAN.

     

    Anyone experience anything like this before?

    Any help greatly appreciated.

     

     

     



  • 2.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 09, 2014 06:55 PM
    Can you send us the output of "show tech-support" from the AP?


  • 3.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 09, 2014 07:03 PM

    Hi,

    Yes I have attached the Show Tech Support file.



  • 4.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    EMPLOYEE
    Posted Feb 10, 2014 02:48 AM

    I assume the SSID you are referring to is ShimSYDEnt?

     

    Try and unhide the ssid to see if this makes a difference.

     

    It sounds like the devices are not getting an ip address for whatever reason.  Try some of the support commands specific to dhcp and see if anything jumps out.



  • 5.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 10, 2014 08:50 AM

    Is OKC disabled? Apple devices do not support OKC. Make sure that is unchecked.

    Capture.PNG

     

     



  • 6.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 10, 2014 06:38 PM

    Sorry, I can't find OKC. OKC is not on my security screen. However, iPhones were working before. iOS upgrades may be wreaking havoc on wireless on the iPhones?

     

     

    Capture2.JPG

     



  • 7.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 11, 2014 12:17 AM

    Hi,

    I am still struggling with this.

    I found the expired certificate below.

    Could this be the problem? But laptops still connect to the ShimSYDEnt SSID.

     

     

    Capture4.JPG

     

    Anyway I tried to load a new certificate and get the error below.

     

    Capture3.JPG

    I generated a certificate request on a Windows 2008 server via the Certificates MMC.

    Then I opened the Certificate Authority administrative tool on the 2008 server (same machine), submitted a new request and received the certificate file, which I saved in X.509 Certificate (*.cer;*.crt,*.der) format.

    The certificate seems OK; see image below.

    Capture5.JPG

    But trying to load it to the IAP, I have no idea what to do.

    I didn't get asked for a passphrase, so I tried something random and just blank, but I get the same message above about the pass_phase error.

    Any ideas?



  • 8.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    EMPLOYEE
    Posted Feb 11, 2014 01:25 AM

    OKC support was introduced in version 6.3.1-4.0 so is not applicable to your version.

     

    What do the logs on the radius server show you?  The config looks fine there, so it may be best to get TAC involved who can better pinpoint what the issue is.

     

     



  • 9.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 11, 2014 11:56 PM

    I have been tailing the logs on the Radius server.

    The tracing log is enabled in the Windows 2008 Server.

    The log file IASSAM.log indicates that the sopm\sopmwirless eap authentication succeeded.

    However, the log then receives another request from the same device:

    [4436] 02-12 15:50:20:303: NT-SAM Names handler received request with user identity sopm\sopmwireless.
    [4436] 02-12 15:50:20:303: Username is already an NT4 account name.
    [4436] 02-12 15:50:20:303: SAM-Account-Name is "SOPM\sopmwireless".
    [4436] 02-12 15:50:20:303: Successfully created new RAP Based EAP session for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:303: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:303: NT-SAM Authentication handler received request for SOPM\sopmwireless.
    [4436] 02-12 15:50:20:303: Validating windows user account SOPM\sopmwireless
    [4436] 02-12 15:50:20:303: Sending LDAP search to SOPM-DC1.sopm.shimadzu.com.au.
    [4436] 02-12 15:50:20:303: Successfully validated windows account SOPM\sopmwireless.
    [4436] 02-12 15:50:20:303: Allowed EAP type: 25
    [4436] 02-12 15:50:20:303: Succesfully created EAP Host session with session id 2641
    [4436] 02-12 15:50:20:303: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:303: Inserting outbound EAP-Message of length 6.
    [4436] 02-12 15:50:20:303: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:303: No AUTHORIZATION extensions, continuing
    [2536] 02-12 15:50:20:350: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [2536] 02-12 15:50:20:350: No AUTHENTICATION extensions, continuing
    [2536] 02-12 15:50:20:350: Processing output from EAP: action:1
    [2536] 02-12 15:50:20:350: Inserting outbound EAP-Message of length 1096.
    [2536] 02-12 15:50:20:350: Issuing Access-Challenge.
    [2536] 02-12 15:50:20:350: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:413: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:413: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:413: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:413: Inserting outbound EAP-Message of length 1096.
    [4436] 02-12 15:50:20:413: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:413: No AUTHORIZATION extensions, continuing
    [2536] 02-12 15:50:20:460: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [2536] 02-12 15:50:20:460: No AUTHENTICATION extensions, continuing
    [2536] 02-12 15:50:20:460: Processing output from EAP: action:1
    [2536] 02-12 15:50:20:460: Inserting outbound EAP-Message of length 1096.
    [2536] 02-12 15:50:20:460: Issuing Access-Challenge.
    [2536] 02-12 15:50:20:460: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:522: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:522: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:522: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:522: Inserting outbound EAP-Message of length 1096.
    [4436] 02-12 15:50:20:522: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:522: No AUTHORIZATION extensions, continuing
    [2536] 02-12 15:50:20:569: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [2536] 02-12 15:50:20:569: No AUTHENTICATION extensions, continuing
    [2536] 02-12 15:50:20:569: Processing output from EAP: action:1
    [2536] 02-12 15:50:20:569: Inserting outbound EAP-Message of length 84.
    [2536] 02-12 15:50:20:569: Issuing Access-Challenge.
    [2536] 02-12 15:50:20:569: No AUTHORIZATION extensions, continuing
    [2536] 02-12 15:50:20:616: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [2536] 02-12 15:50:20:616: No AUTHENTICATION extensions, continuing
    [2536] 02-12 15:50:20:632: Processing output from EAP: action:1
    [2536] 02-12 15:50:20:632: Inserting outbound EAP-Message of length 69.
    [2536] 02-12 15:50:20:632: Issuing Access-Challenge.
    [2536] 02-12 15:50:20:632: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:679: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:679: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:679: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:679: Inserting outbound EAP-Message of length 43.
    [4436] 02-12 15:50:20:679: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:679: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:710: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:710: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:710: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:710: Inserting outbound EAP-Message of length 59.
    [4436] 02-12 15:50:20:710: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:710: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:757: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:757: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:757: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:757: Inserting outbound EAP-Message of length 75.
    [4436] 02-12 15:50:20:757: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:757: No AUTHORIZATION extensions, continuing
    [2536] 02-12 15:50:20:804: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [2536] 02-12 15:50:20:804: No AUTHENTICATION extensions, continuing
    [2536] 02-12 15:50:20:804: Processing output from EAP: action:1
    [2536] 02-12 15:50:20:804: Inserting outbound EAP-Message of length 91.
    [2536] 02-12 15:50:20:804: Issuing Access-Challenge.
    [2536] 02-12 15:50:20:804: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:913: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:913: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:913: Processing output from EAP: action:3
    [4436] 02-12 15:50:20:913: onIndicateTLV: Injecting All Attributes Returned by EAP
    [4436] 02-12 15:50:20:913: Translating attributes returned by EAPHost.
    [4436] 02-12 15:50:20:913: Inserting attribute 4120
    [4436] 02-12 15:50:20:913: Inserting attribute 4145
    [4436] 02-12 15:50:20:913: Inserting attribute 8102
    [4436] 02-12 15:50:20:913: Inserting attribute 8102
    [4436] 02-12 15:50:20:913: Processing PEAP TLVs
    [4436] 02-12 15:50:20:913: Forward Result-TLV and Inner Method TLV
    [4436] 02-12 15:50:20:913: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:913: pEapHost->EapHostAuthenticatorSetAttributes called succesfullywith 1 EAP attributes
    [4436] 02-12 15:50:20:913: Processing output from EAP: action:1
    [4436] 02-12 15:50:20:913: Inserting outbound EAP-Message of length 107.
    [4436] 02-12 15:50:20:913: Issuing Access-Challenge.
    [4436] 02-12 15:50:20:991: Successfully retrieved session (2641) for user SOPM\sopmwireless.
    [4436] 02-12 15:50:20:991: No AUTHENTICATION extensions, continuing
    [4436] 02-12 15:50:20:991: Processing output from EAP: action:2
    [4436] 02-12 15:50:20:991: Translating attributes returned by EAPHost.
    [4436] 02-12 15:50:20:991: Inserting attribute 4120
    [4436] 02-12 15:50:20:991: Inserting attribute 4145
    [4436] 02-12 15:50:20:991: Inserting attribute 8100
    [4436] 02-12 15:50:20:991: Inserting attribute 8099
    [4436] 02-12 15:50:20:991: Inserting attribute 4140
    [4436] 02-12 15:50:20:991: Inserting attribute 4141
    [4436] 02-12 15:50:20:991: EAP authentication succeeded.
    [4436] 02-12 15:50:20:991: No AUTHORIZATION extensions, continuing
    [4436] 02-12 15:50:20:991: Inserting outbound EAP-Message of length 4.

     

     

    And it just continues over and over again.
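
The repeating pattern described in the post above (one account completing EAP successfully again and again) can be counted from the trace rather than read by eye. This is an added example, not part of the thread and not vendor code; the function names, thresholds and sample lines are constructed, and only the line layout follows the trace quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^\s*\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d{3}): (.*)$")
USER = re.compile(r"for user (\S+?)\.?$")

def parse_ts(stamp):
    # The trace omits the year; a leap year is assumed so that 02-29 parses.
    return datetime.strptime("2000-" + stamp, "%Y-%m-%d %H:%M:%S:%f")

def eap_successes(lines):
    """Return {user: [datetime, ...]} for each 'EAP authentication succeeded'."""
    last_user = {}                  # worker thread id -> user it last handled
    wins = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue                # skip blank or wrapped lines
        tid, stamp, msg = m.groups()
        u = USER.search(msg)
        if u:
            last_user[tid] = u.group(1).lower()
        elif msg.startswith("EAP authentication succeeded") and tid in last_user:
            wins[last_user[tid]].append(parse_ts(stamp))
    return wins

def reauth_loops(lines, min_count=3, window=timedelta(seconds=60)):
    """Users with at least min_count successful EAP runs inside one window."""
    flagged = {}
    for user, t in eap_successes(lines).items():
        t.sort()
        spans = (t[i + min_count - 1] - t[i] for i in range(len(t) - min_count + 1))
        if any(s <= window for s in spans):
            flagged[user] = len(t)
    return flagged

# Constructed sample lines in the trace layout (not the poster's log).
SAMPLE = [
    r"[4436] 02-12 15:50:20:913: Successfully retrieved session (11) for user LAB\phone1.",
    r"[4436] 02-12 15:50:20:991: EAP authentication succeeded.",
    r"[2536] 02-12 15:50:41:104: Successfully retrieved session (12) for user LAB\phone1.",
    r"[2536] 02-12 15:50:41:180: EAP authentication succeeded.",
    r"[4436] 02-12 15:51:02:310: Successfully retrieved session (13) for user LAB\phone1.",
    r"[4436] 02-12 15:51:02:377: EAP authentication succeeded.",
    r"[2536] 02-12 15:51:05:000: Successfully retrieved session (14) for user LAB\laptop7.",
    r"[2536] 02-12 15:51:05:090: EAP authentication succeeded.",
]
print(reauth_loops(SAMPLE))
```

An account flagged here is being accepted by the RADIUS server each time, so the client is dropping after authentication rather than failing the credential check.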

     



  • 10.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    EMPLOYEE
    Posted Feb 12, 2014 04:43 AM

    Please open a support case.  There are many, many variables here and it would be very painful to try to resolve this in this forum.  You can even keep us up to date here on how the case is going.

     

    If you do not have termination enabled, the expired certificate is not used.  The certificate on the radius server is what is important.



  • 11.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 18, 2014 04:15 PM

    Hi,

    Since the devices are purchased through Dell I have to open a case with them, which I have. They in turn opened a case with Aruba.

    Now that was 4 days ago and I have gotten no further with them; basically the assistance has been minimal, no troubleshooting steps have been offered at all, simply some questions asked.

    We have investigated further and now seem to be able to reproduce the problem.

    Firstly, the iPhones use an Enterprise SSID, connect on the 2.4GHz band and obtain IP addresses from the APs.

    Laptops use the same Enterprise SSID but connect on the 5GHz band and obtain IP addresses from the APs.

    To reproduce the problem we turn on a particular HP printer that uses a different SSID, a WPA2 Personal SSID.

    It connects on the 2.4GHz band and obtains its IP address from our company DHCP server, so it's a different subnet to the iPhones and laptops. When we do this the iPhones will almost immediately disconnect from the WiFi network.

    Also the 2.4GHz utilization percentage will increase to > 60%.

    If we turn the printer off again the iPhones recover.

    If I change the Personal SSID to obtain IP addresses from the APs then the problem does not occur.

    Any clue why this would be the case?

    The printer is part of a scientific instrument lab which has 3 other computers attached to instruments that also use the Personal SSID.

    The reason they are on a different SSID is so they can obtain IPs on the same subnet as the rest of the company.

    The only reason for that is so remote office users can remotely connect to the lab's instruments via the computers.

    I cannot figure out how to enable the remote connection if the lab computers are not on the same subnet as the rest of the company.

    Remote connection can be via VNC, MSRA, RDP etc.

    Any help appreciated.



  • 12.  RE: iPhones not connecting to WPA2 Enterprise Network in Office
    Best Answer

    Posted Feb 18, 2014 05:36 PM
    I have a few suggestions:

    1. Have you tried enabling broadcast filtering on the IAP?
    2. Could you share your "show tech-support" output?
    3. Do you have the capability of doing wireless packet captures in the air? If so, recording the packets sent to/from both the iPhone and the printer would be very helpful.

    Thanks,

    Yan


  • 13.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 18, 2014 06:46 PM

    Hi,

    Thanks for the response.

    1. No, I had not tried that. I assume you mean setting Broadcast filtering to ALL in the advanced options on the WLAN Settings for the SSID.

    I have just set that to ALL now. The iPhones did not drop out yet....

    2. Show tech support is posted in one of my first posts.

    3. I don't have that capability at the moment.

     

    I will monitor over the next couple of hours as we put the rest of the Lab computers back onto the WiFi Network to see if your suggestion is the solution.

    Thanks so much.

     



  • 14.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 19, 2014 12:46 AM

    Hi,

    Looks like your suggestion worked.

    Have been able to add Lab computers and printer to WPA2 Personal SSID after enabling broadcast filtering and iPhones did not disconnect. The connections have stayed up for the last few hours OK.

    If I stop broadcast filtering the problem will re-occur, so it appears you have solved it.

    Thanks very much.



  • 15.  RE: iPhones not connecting to WPA2 Enterprise Network in Office

    Posted Feb 10, 2014 05:57 PM

    Yes, the SSID is ShimSYDEnt.

    The virtual controller indicates the iPhone devices are given IP addresses. See attachment.

    Unhiding the SSID made no difference.

    Yesterday after around half an hour iPhone devices were connecting.

    This morning they are not.

    At no time are any other devices having a problem, e.g. our laptops.