Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

  • 1.  AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 25, 2019 11:24 PM

    Hi All

     

    I'm having problems with iOS devices connecting to an 802.1x network that I'm setting up. The device seems to be getting stuck after Phase 2 of the Key Exchange during auth, and I see a Ptk Challenge Failed as the reason for the subsequent deauth.

     

    Reason                             Timestamp

    ------                             ---------

    Ptk Challenge Failed               Jul 26 10:55:45

    Ptk Challenge Failed               Jul 26 10:55:40

    Ptk Challenge Failed               Jul 26 10:55:35

     

    The user authenticates successfully (at least as far as our auth server is indicating) - however during the key exchange it seems to go awry.  I've turned user-debug on for the station, and see this:

     

    Jul 26 10:50:47 :522038:  <6137> <NOTI> |dot1x-proc:2|  username=myusername MAC=4c:56:9d:01:02:03 IP=0.0.0.0 Result=Successful method=802.1x server=8445VNPS001

    Jul 26 10:50:47 :526162:  <6137> <DBUG> |dot1x-proc:2|  rx_dot1x_radius (651): vid 311

    Jul 26 10:50:47 :526158:  <6137> <DBUG> |dot1x-proc:2|  rx_dot1x_radius (756): rtts user=4c:56:9d:01:02:03 RADIUS ACCEPT result=-1 discard=0 reest=0 keepalive=0 bkoff=0 earlylift=0

    Jul 26 10:50:47 :526154:  <6137> <DBUG> |dot1x-proc:2|  eap_pkt (745): rtts user=4c:56:9d:01:02:03 dot1xctx_auth_type=25 enabled=0 result=-1

    Jul 26 10:50:47 :526162:  <6137> <DBUG> |dot1x-proc:2|  10:50:47.509087 mac 4c:56:9d:01:02:03 user mac 4c:56:9d:01:02:03 result 0  server 8445VNPS001 eap id 25 session timeut  0

    Jul 26 10:50:47 :522044:  <5694> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03 Station authenticate(start): method=802.1x, role=logon///logon, VLAN=78/78, Derivation=0/0, Value Pair=1, flags=0x8

    Jul 26 10:50:47 :522158:  <5694> <DBUG> |authmgr|  Role Derivation for user N/A-4c:56:9d:01:02:03-myusername N/A station Authenticated with auth type:  Unknown auth type.

    Jul 26 10:50:47 :522142:  <5694> <DBUG> |authmgr|  Setting cached role to NULL for user 4c:56:9d:01:02:03".

    Jul 26 10:50:47 :522266:  <5694> <DBUG> |authmgr|  Calling derive_role2 for user 4c:56:9d:01:02:03

    Jul 26 10:50:47 :522136:  <5694> <DBUG> |authmgr|  {L2} guest from profile "MYSSID_aaa_prof" for user 4c:56:9d:01:02:03.

    Jul 26 10:50:47 :522127:  <5694> <DBUG> |authmgr|  {L2} Update role from logon to guest for IP=N/A, MAC=4c:56:9d:01:02:03.

    Jul 26 10:50:47 :522049:  <5694> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=station Authenticated with auth type:  802.1x

    Jul 26 10:50:47 :522128:  <5694> <DBUG> |authmgr|  download-L2: acl=7/0 role=guest, tunl=0x1003b, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.

    Jul 26 10:50:47 :522050:  <5694> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03,IP=N/A User data downloaded to datapath, new Role=guest/7, bw Contract=0/0, reason=Download driven by user role setting, idle-timeout=300

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  auth_gsm_publish_channels: mac 4c:56:9d:01:02:03 publish_list 3 user VALID macuser VALID ipuser NULL

    Jul 26 10:50:47 :522301:  <5694> <DBUG> |authmgr|  Auth GSM : USER publish for uuid 000c2947f68d000000060ca9 mac 4c:56:9d:01:02:03 name myusername role guest devtype iPad wired 0 authtype 4 subtype 0  encrypt-type 10 conn-port 8448 fwd-mode 0 roam 0 repkey -1

    Jul 26 10:50:47 :522287:  <5694> <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac 4c:56:9d:01:02:03 bssid 48:4a:e9:00:27:20 vlan 78 type 1 data-ready 0 HA-IP n.a

    Jul 26 10:50:47 :522258:  <5694> <DBUG> |authmgr|  "VDR - Add to history of user user 4c:56:9d:01:02:03 vlan 0 derivation_type Reset Dot1x VLANs index 4.

    Jul 26 10:50:47 :522254:  <5694> <DBUG> |authmgr|  VDR - mac 4c:56:9d:01:02:03 rolename NULL fwdmode 0 derivation_type Dot1x Aruba VSA vp present.

    Jul 26 10:50:47 :522254:  <5694> <DBUG> |authmgr|  VDR - mac 4c:56:9d:01:02:03 rolename NULL fwdmode 0 derivation_type Dot1x MSFT Attributes vp present.

    Jul 26 10:50:47 :522254:  <5694> <DBUG> |authmgr|  VDR - mac 4c:56:9d:01:02:03 rolename NULL fwdmode 0 derivation_type Dot1x Server Rule vp present.

    Jul 26 10:50:47 :522259:  <5694> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 4c:56:9d:01:02:03 role guest rolehow ROLE_DERIVATION_DOT1X.

    Jul 26 10:50:47 :522254:  <5694> <DBUG> |authmgr|  VDR - mac 4c:56:9d:01:02:03 rolename guest fwdmode 0 derivation_type User Dot1x Role Contained vp not present.

    Jul 26 10:50:47 :522258:  <5694> <DBUG> |authmgr|  "VDR - Add to history of user user 4c:56:9d:01:02:03 vlan 0 derivation_type Reset Role Based VLANs index 5.

    Jul 26 10:50:47 :522161:  <5694> <DBUG> |authmgr|  Valid Dot1xct, remote:0, assigned:78, default:78, current:78,termstate:0, wired:0, dot1x enabled:1, psk:0 static:0 bssid=48:4a:e9:00:27:20.

    Jul 26 10:50:47 :522255:  <5694> <DBUG> |authmgr|  "VDR - set vlan in user for 4c:56:9d:01:02:03 vlan 78 fwdmode 0 derivation_type Current VLAN updated.

    Jul 26 10:50:47 :522258:  <5694> <DBUG> |authmgr|  "VDR - Add to history of user user 4c:56:9d:01:02:03 vlan 78 derivation_type Current VLAN updated index 6.

    Jul 26 10:50:47 :522260:  <5694> <DBUG> |authmgr|  "VDR - Cur VLAN updated 4c:56:9d:01:02:03 mob 0 inform 1 remote 0 wired 0 defvlan 78 exportedvlan 0 curvlan 78.

    Jul 26 10:50:47 :522029:  <5694> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03 Station authenticate: method=802.1x, role=guest///logon, VLAN=78/78, Derivation=8/1, Value Pair=1

    Jul 26 10:50:47 :522142:  <5694> <DBUG> |authmgr|  Setting cached role to guest for user 4c:56:9d:01:02:03".

    Jul 26 10:50:47 :522053:  <5694> <DBUG> |authmgr|  PMK Cache getting updated for 4c:56:9d:01:02:03, (def, cur, vhow) = (78, 78, 1) with vlan=0 vlanhow=0 essid=MYSSID role=guest rhow=8

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  add_kcache: user nasip (0.0.0.0)

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  add_kcache: kcache present  nasip (0.0.0.0) user nasip 0.0.0.0

    Jul 26 10:50:47 :524129:  <5694> <DBUG> |authmgr|  dot1x_gsm_set_keycache(): MAC:4c:56:9d:01:02:03 GSM: Successfully published Key-cache object.

    Jul 26 10:50:47 :524134:  <5694> <DBUG> |authmgr|  dot1x_gsm_set_pmkcache(): MAC:4c:56:9d:01:02:03 BSS:48:4a:e9:00:27:20 GSM: Successfully published PMK-cache object.

    Jul 26 10:50:47 :524139:  <5694> <DBUG> |authmgr|  add_pmkcache():715: MAC:4c:56:9d:01:02:03 BSS:48:4a:e9:00:27:20 Update:

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  10:50:47.511081 No update sent to STM. Triggering  key handshake for user 4c:56:9d:01:02:03

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  send tunnel ID update to dot1x for  4c:56:9d:01:02:03

    Jul 26 10:50:47 :522004:  <5694> <DBUG> |authmgr|  Starting reauth time for user 4c:56:9d:01:02:03

    Jul 26 10:50:47 :522004:  <6137> <DBUG> |dot1x-proc:2|  10:50:47.511081 Dot1x received tunnel ID update  for mac 4c:56:9d:01:02:03

    Jul 26 10:50:48 :501102:  <5717> <NOTI> |stm|  Disassoc from sta: 4c:56:9d:01:02:03: AP 10.224.57.9-48:4a:e9:00:27:20-MYAPNAME Reason STA has left and is disassociated

    Jul 26 10:50:48 :501102:  <NOTI> |AP MYAPNAME@10.224.57.9 stm|  Disassoc from sta: 4c:56:9d:01:02:03: AP 10.224.57.9-48:4a:e9:00:27:20-MYAPNAME Reason STA has left and is disassociated

    Jul 26 10:50:48 :522296:  <6399> <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 4c:56:9d:01:02:03 age 0 deauth_reason 8

    Jul 26 10:50:48 :522036:  <6399> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03 Station DN: BSSID=48:4a:e9:00:27:20 ESSID=MYSSID VLAN=78 AP-name=MYAPNAME reason=8 at 10:50:48.355082

    Jul 26 10:50:48 :522234:  <6399> <DBUG> |authmgr|  Setting idle timer for user 4c:56:9d:01:02:03 to 300 seconds (idle timeout: 300 ageout: 0).

    Jul 26 10:50:48 :522152:  <6399> <DBUG> |authmgr|  station free: bssid=48:4a:e9:00:27:20, mac=4c:56:9d:01:02:03.

    Jul 26 10:50:48 :522244:  <6399> <DBUG> |authmgr|  MAC=4c:56:9d:01:02:03 Station Deleted Update MMS

    Jul 26 10:50:48 :522004:  <6399> <DBUG> |authmgr|  4c:56:9d:01:02:03: station datapath entry deleted

    Jul 26 10:50:48 :522004:  <6137> <DBUG> |dot1x-proc:2|  handle_dot1x_abort called

    Jul 26 10:50:48 :522004:  <6399> <DBUG> |authmgr|  mac_station_free: Sta->essid MYSSID mu_mac 4c:56:9d:01:02:03 macuser 0x0x7fc1c01e49f0

    Jul 26 10:50:48 :522290:  <6399> <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 4c:56:9d:01:02:03

    Jul 26 10:50:48 :522303:  <6399> <DBUG> |authmgr|  Auth GSM : USER delete for mac 4c:56:9d:01:02:03 uuid 000c2947f68d000000060ca9

    Jul 26 10:50:48 :501000:  <5717> <DBUG> |stm|  Station 4c:56:9d:01:02:03: Clearing state

    Jul 26 10:50:48 :501000:  <DBUG> |AP MYAPNAME@10.224.57.9 stm|  Station 4c:56:9d:01:02:03: Clearing state

     

    I'm running AOS 8.5.0.0 (I note that 8.5.0.1 is out - however couldn't see anything that specifically addressed this).  It's a new deployment, so wanted to go straight to the latest code.

     

    I should note that MacOS devices are connecting to this SSID with no problems at all, as are Windows devices.

     

    Any ideas?

     



  • 2.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    MVP EXPERT
    Posted Jul 26, 2019 03:42 AM

    It appears the device does indeed authenticate successfully:

    Jul 26 10:50:47 :522049:  <5694> <INFO> |authmgr|  MAC=4c:56:9d:01:02:03,IP=N/A User role updated, existing Role=logon/none, new Role=guest/none, reason=station Authenticated with auth type:  802.1x

    You are assigning the 'guest' User Role, however. Is this correct? The ACLs within this default role are restrictive.

     

    Jul 26 10:50:47 :522259:  <5694> <DBUG> |authmgr|  "VDR - Do Role Based VLAN Derivation user 4c:56:9d:01:02:03 role guest rolehow ROLE_DERIVATION_DOT1X

    Have you updated your Default 802.1X user role? 

    What does the output of "#show auth-tracebuf" show?



  • 3.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 28, 2019 01:11 AM

    -



  • 4.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 28, 2019 01:31 AM

    -



  • 5.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 28, 2019 02:05 AM

    Hi Craig and thank you for responding!

     

    (Apologies if this is a duplicate response - these don't seem to be getting posted).

     

    Yes, I do have the Guest role assigned at the moment, however that was just me testing to see if the custom role I had assigned was the cause of the issue.  FYI the custom role was an any/any ip4/ip6 and still had the same behaviour.

     

    RE: the show auth-tracebuf logs, please see below:

     

    Jul 24 16:38:25  station-up             *  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    -      wpa2 aes

    Jul 24 16:38:25  eap-id-req            <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              1    1280   

    Jul 24 16:38:25  eap-id-resp           ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              1    4864   myusername

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              136  200    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  136  90     

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              2    1536   

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              2    41216 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  138  380    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  138  1113   

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              3    64771 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              3    37888 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  137  367    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  137  145    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              4    15616 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              4    1536   

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  149  225    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  149  120    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              5    9216   

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              5    12800 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  151  269    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  151  135    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              6    13056 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              6    12800 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  143  269    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  143  156    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              7    18432 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              7    26624 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  152  323    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  152  166    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              8    20992 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              8    9472   

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  139  256    10.224.56.100

    Jul 24 16:38:25  rad-resp              <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  139  190    

    Jul 24 16:38:25  eap-req               <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              10   27136 

    Jul 24 16:38:25  eap-resp              ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              10   11776 

    Jul 24 16:38:25  rad-req               ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  153  265    10.224.56.100

    Jul 24 16:38:25  rad-accept            <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0/8445VNPS001  153  282    

    Jul 24 16:38:25  eap-success           <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              10   1024   

    Jul 24 16:38:25  wpa2-key1             <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    29952 

    Jul 24 16:38:25  wpa2-key2             ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    61440  mic failure

    Jul 24 16:38:26  wpa2-key1             <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    29952 

    Jul 24 16:38:26  wpa2-key2             ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    61440  mic failure

    Jul 24 16:38:27  wpa2-key1             <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    29952 

    Jul 24 16:38:27  wpa2-key2             ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    61440  mic failure

    Jul 24 16:38:28  wpa2-key1             <-  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    29952 

    Jul 24 16:38:28  wpa2-key2             ->  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0              -    61440  mic failure

    Jul 24 16:38:29  station-down           *  4c:56:9d:01:02:03  48:4a:e9:fe:2c:e0             

     

    Hope that assists
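
What the trace above shows, as an added example that is not part of the original post: a small Python parser for this column layout that flags associations where EAP succeeds but message 2 of the 4-way handshake fails its MIC check, which indicates the two sides are not using the same key material. The sample lines are constructed, and the `wpa2-key3`/`wpa2-key4` event names are an assumption.

```python
# Constructed sample in the column layout of the tracebuf output above.
# MACs are placeholders; the wpa2-key3/wpa2-key4 event names are an assumption
# that follows the wpa2-key1/wpa2-key2 naming shown in the post.
SAMPLE = """\
Jul 24 16:38:25  station-up    *  02:00:00:00:00:01  02:00:00:00:0a:00       -    -      wpa2 aes
Jul 24 16:38:25  rad-accept   <-  02:00:00:00:00:01  02:00:00:00:0a:00/SRV1  153  282
Jul 24 16:38:25  eap-success  <-  02:00:00:00:00:01  02:00:00:00:0a:00       10   1024
Jul 24 16:38:25  wpa2-key1    <-  02:00:00:00:00:01  02:00:00:00:0a:00       -    29952
Jul 24 16:38:25  wpa2-key2    ->  02:00:00:00:00:01  02:00:00:00:0a:00       -    61440  mic failure
Jul 24 16:38:26  wpa2-key1    <-  02:00:00:00:00:01  02:00:00:00:0a:00       -    29952
Jul 24 16:38:26  wpa2-key2    ->  02:00:00:00:00:01  02:00:00:00:0a:00       -    61440  mic failure
Jul 24 16:38:27  station-down  *  02:00:00:00:00:01  02:00:00:00:0a:00
Jul 24 16:40:02  station-up    *  02:00:00:00:00:02  02:00:00:00:0a:00       -    -      wpa2 aes
Jul 24 16:40:02  eap-success  <-  02:00:00:00:00:02  02:00:00:00:0a:00       9    1024
Jul 24 16:40:02  wpa2-key1    <-  02:00:00:00:00:02  02:00:00:00:0a:00       -    117
Jul 24 16:40:02  wpa2-key2    ->  02:00:00:00:00:02  02:00:00:00:0a:00       -    117
Jul 24 16:40:02  wpa2-key3    <-  02:00:00:00:00:02  02:00:00:00:0a:00       -    151
Jul 24 16:40:02  wpa2-key4    ->  02:00:00:00:00:02  02:00:00:00:0a:00       -    95
"""

def parse(line):
    """Split one tracebuf row: 3 timestamp tokens, event, direction, STA, BSSID, id, len, note."""
    tok = line.split()
    if len(tok) < 7 or tok[4] not in ("*", "<-", "->"):
        return None  # not a tracebuf row
    return {"event": tok[3], "sta": tok[5].lower(), "note": " ".join(tok[9:]).lower()}

def analyze(text):
    """Return [(station, verdict, key1_sent, key2_mic_failures)], one per association."""
    sessions, results = {}, []

    def close(sta):
        s = sessions.pop(sta)
        if s["key4"]:
            verdict = "ok"
        elif not s["eap_ok"]:
            verdict = "eap-incomplete"
        elif s["micfail"]:
            verdict = "4way-mic-failure"    # the pattern in the thread's trace
        else:
            verdict = "4way-no-response" if s["key1"] else "no-handshake"
        results.append((sta, verdict, s["key1"], s["micfail"]))

    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        sta, name = ev["sta"], ev["event"]
        if name == "station-up" and sta in sessions:
            close(sta)                       # previous association never logged station-down
        s = sessions.setdefault(sta, {"eap_ok": False, "key1": 0, "micfail": 0, "key4": False})
        if name == "eap-success":
            s["eap_ok"] = True
        elif name == "wpa2-key1":
            s["key1"] += 1
        elif name == "wpa2-key2" and "mic failure" in ev["note"]:
            s["micfail"] += 1
        elif name == "wpa2-key4":
            s["key4"] = True
        elif name == "station-down":
            close(sta)
    for sta in list(sessions):
        close(sta)                           # associations still open at end of capture
    return results

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```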

     



  • 6.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 29, 2019 12:18 AM

    For further information, I've now spun up a separate SSID for testing (with the same auth servers) and it seems to be working, which is strange to me. These are the config differences I can discern between the two:

     

     

    aaa authentication dot1x "MYSSID-Test_dot1_aut"

    !

    aaa authentication dot1x "MYSSID_dot1_aut"

        no opp-key-caching

        no cert-cn-lookup

    !

    aaa server-group "MYSSID-Test_dot1_svg"

    auth-server 8445VNPS001 position 1

    !                                                  

    aaa server-group "MYSSID_dot1_svg"

    auth-server 8445VNPS001 position 1

    !

    aaa profile "MYSSID-Test_aaa_prof"

        authentication-dot1x "MYSSID-Test_dot1_aut"

        dot1x-default-role "MYSSID-Staff"

        dot1x-server-group "MYSSID-Test_dot1_svg"

    !

    aaa profile "MYSSID_aaa_prof"

        authentication-dot1x "MYSSID_dot1_aut"

        dot1x-server-group "MYSSID_dot1_svg"

    !                                          

     

     

    wlan ssid-profile "MYSSID-Test_ssid_prof"

        essid "MYSSID-Test"

        opmode wpa2-aes

    !

    wlan ssid-profile "MYSSID_ssid_prof"

        essid "MYSSID"

        opmode wpa2-aes

        a-basic-rates 12 24

        a-tx-rates 12 18 24 36 48 54

        g-basic-rates                                  

        g-tx-rates 12 18 24 36 48 54

        g-beacon-rate 12

        a-beacon-rate 12

        advertise-ap-name

        dot11r-profile "default"

        no okc

    !

     

     

     

    wlan virtual-ap "MYSSID-Test"

        aaa-profile "MYSSID-Test_aaa_prof"

        vlan NSC-Staff

        ssid-profile "MYSSID-Test_ssid_prof"

    !

    wlan virtual-ap "MYSSID"

        aaa-profile "MYSSID_aaa_prof"

        vlan NSC-Staff

        ssid-profile "MYSSID_ssid_prof"

     

    As you can see from the above, there are some differences... This Apple KB (https://support.apple.com/en-au/HT202628) tells me that OKC is not supported on Apple Devices, so disabling OKC I wouldn't have thought was the issue. The basic & tx rates again shouldn't be an issue as we're associating without problem. I'm not aware of any issues with advertise-ap-name and would like to keep using this to assist in our validation survey.

     

    As noted earlier, regardless of the role used, the problem still occurs, so I'm stuck thinking the issue is dot11r. However the same link I posted above suggests that dot11r is supported on both iOS & MacOS devices...
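
The working-versus-failing comparison in the post above can be done mechanically; this is an added example, not part of the original post. It parses `!`-terminated stanzas, pairs each test profile with its production counterpart by name, and lists the settings present on only one side. The config text is abridged from the post, and the pairing-by-prefix rule is an assumption about the naming scheme.

```python
import re

# Abridged from the configuration posted above (two of the profile pairs).
CONFIG = '''\
aaa profile "MYSSID-Test_aaa_prof"
    authentication-dot1x "MYSSID-Test_dot1_aut"
    dot1x-default-role "MYSSID-Staff"
    dot1x-server-group "MYSSID-Test_dot1_svg"
!
aaa profile "MYSSID_aaa_prof"
    authentication-dot1x "MYSSID_dot1_aut"
    dot1x-server-group "MYSSID_dot1_svg"
!
wlan ssid-profile "MYSSID-Test_ssid_prof"
    essid "MYSSID-Test"
    opmode wpa2-aes
!
wlan ssid-profile "MYSSID_ssid_prof"
    essid "MYSSID"
    opmode wpa2-aes
    advertise-ap-name
    dot11r-profile "default"
    no okc
'''

HEADER = re.compile(r'^(?P<kind>.+?)\s+"(?P<name>[^"]+)"$')

def stanzas(text):
    """Map each stanza header to the set of setting lines up to the next '!'."""
    out, header = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # tolerate blank lines from copy/paste
        if line == "!":
            header = None
        elif header is None:
            header = line
            out[header] = set()
        else:
            out[header].add(line)
    return out

def compare(text, working, failing):
    """Pair stanzas whose names differ only by prefix; report one-sided settings."""
    norm = lambda s: s.replace(working, failing)   # hide the expected name differences
    paired = {}
    for header, body in stanzas(text).items():
        m = HEADER.match(header)
        if m:
            side = "working" if working in m["name"] else "failing"
            key = (m["kind"], norm(m["name"]))
            paired.setdefault(key, {})[side] = {norm(l) for l in body}
    report = {}
    for key, sides in paired.items():
        if len(sides) == 2 and sides["working"] != sides["failing"]:
            w, f = sides["working"], sides["failing"]
            report[key] = {"only_failing": sorted(f - w), "only_working": sorted(w - f)}
    return report

if __name__ == "__main__":
    for key, diff in compare(CONFIG, "MYSSID-Test", "MYSSID").items():
        print(key, diff)
```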

     

     



  • 7.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 29, 2019 12:20 AM

    -



  • 8.  RE: AOS 8.5.0.0 - iOS Devices Connecting to 802.1x network

    Posted Jul 29, 2019 01:19 AM

    And I've now experimented by simply turning off dot11r on the relevant SSID, and suddenly iOS clients can connect.

     

    It's a bit odd - the article I posted above indicates they should support dot11r.

     

    Anyway, I've got a TAC case open at the moment, will post back with further info as/when it arises.