Wireless Access

Hi Everyone,

I have a problem with Android tablets and my Wireless

• TOPOLOGY: Access point connects to two a cluster of 7210 Controllers that authenticate against a cluster of two ClearPass Servers
• The problem only exist on Android Tablets,
• They are running Android OS 7.1.2
• The problem appears to happen when a device roams from one AP to Another.( in the logs i see the following error PTK challenge Failed)

• Disassociated; Auth frame from STA that was already associated  Feb 18 05:54:40

  Ptk Challenge Failed                                            Feb 17 22:50:29 this is when I cant reach device and it drops off network

  STA has left and is disassociated                               Feb 17 10:10:22

  STA has left and is disassociated                               Feb 17 08:14:55

  Disassociated; Auth frame from STA that was already associated  Feb 17 06:02:26

  STA has left and is disassociated                               Feb 17 05:59:47

  STA has left and is disassociated                               Feb 17 05:57:33

  Ptk Challenge Failed                                            Feb 17 01:29:33

  Ptk Challenge Failed                                            Feb 16 08:41:28

  Ptk Challenge Failed                                            Feb 16 00:17:24

  Num Deauths:10

• These devices are stationary, (fixed to a wall) they roam between APS because there is One than one AP in proximity.
• They are connecting on the 2.4ghz
• If I log onto the controller and dissociate the device via MAC running this CMD they connect back in seconds 
• I have tried turning OKC and PMKID off/on etc
• I have been told so far 

  As this is EAP-PEAP SSID (username and password) PTK challenge failed is not expected as the Keys will be derived using MSK which will be derived from EAP transaction.

  If it was a password issue, why does it work straight away when i turn wifi off and back on again
• if i do nothing after a period of 8 hours the device will reconnect it self, so some cache timer has expired .
•  

Clients roaming between APs could mean that the transmit power on the access point is too high.  The PKT challenge fail could mean that there is so much contention that the rekeying does not happen successfully.  What is the transmit power on the 2.4ghz band of your access points?

Hi Joseph,

I was hoping you responded!

I have read many of your post and was currently reading a revious post of yours around a similar problem and your suggestion of lowering Power.

So what I did was , where the device is evenly located between two Access points I created a group and lowered the power settings to 9-11 on the 2.4 as these devices are only 2.4ghz compatable. and then moved one Ap of the two into the new group.

 All other Aps are set to 21 on 2.4ghz

i have only just now applied these settings , so time willl tell, my only concern with lowering power settings on one AP is the effect it will have on clients that were connecting to that ap from a distance may drop off.

you did say that a possible cause for PTK failure is contention, How would I adress that ?

18:93:7f:35:0d:76 84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Ptk Challenge Failed STA has roamed to another AP

Deauth Reason
-------------
Reason Timestamp
------ ---------
Ptk Challenge Failed Mar 3 09:03:13
Ptk Challenge Failed Mar 3 00:39:06
Ptk Challenge Failed Mar 1 23:20:57
Ptk Challenge Failed Mar 1 06:32:51
Ptk Challenge Failed Feb 29 22:08:47
Ptk Challenge Failed Feb 29 13:44:43
Ptk Challenge Failed Feb 28 20:56:37
Ptk Challenge Failed Feb 27 22:21:51
Disassociated; Auth frame from STA that was already associated Feb 27 05:33:46
Disassociated; Auth frame from STA that was already associated Feb 27 05:17:04
Num Deauths:10

Alerts
------
Reason Timestamp
------ ---------
STA has roamed to another AP Mar 3 09:16:18
STA has roamed to another AP Mar 2 07:50:56
STA has roamed to another AP Feb 28 04:08:32
STA has roamed to another AP Feb 26 03:55:37
STA has roamed to another AP Feb 21 01:02:03
STA has roamed to another AP Feb 7 13:36:32
STA has roamed to another AP Feb 7 13:33:18
STA has roamed to another AP Jan 31 18:52:21
STA has roamed to another AP Jan 31 18:40:05
Num Alerts:9

Mobility Trail
--------------
BSSID ESSID AP-name VLAN Timestamp
----- ----- ------- ---- ---------
84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Mar 3 09:16:18
84:d4:7e:f3:56:02 GGS-STF-N CUTHY-HA-G-06 40 Mar 3 09:16:18
84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Mar 3 09:16:18
84:d4:7e:f3:56:02 GGS-STF-N CUTHY-HA-G-06 40 Mar 3 09:03:14
84:d4:7e:f3:56:02 GGS-STF-N CUTHY-HA-G-06 40 Mar 3 09:03:14
84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Mar 3 09:03:13
84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Mar 3 00:39:07
84:d4:7e:f3:68:a2 GGS-STF-N CUTHY-HA-1-08 40 Mar 3 00:39:07
84:d4:7e:f3:6b:22 GGS-STF-N CUTHY-HA-G-08 40 Mar 3 00:39:06
84:d4:7e:f3:6b:22 GGS-STF-N CUTHY-HA-G-08 40 Mar 2 07:50:56
Num Mobility Trails:10
(GGS-MC-1) [MDC] *#
*** IDLE TIMEOUT ***
Connection closed by foreign host.

Paul

Hi Joseph,

I was hoping you responded, I have read many of your post in the past and found them helpful,

I have looked at your suggestion and will try tonight to lower one of the Access points power from what is set at default on the 2.4ghz range of 21 to 9-11

You mention that the PKT fail could be due to contention,

he problem  appears to only happen to a collection of Android Tablets, Windows and Mac Laptop are fine that connect to the same WAPs

If i lower the power settings on one AP to try and prevent roaming of a stationary device.

I am concerened it could effect clients from connecting if they are at a distance and also if the Android Tablet did roam even with the power setttings tweaked it will still have the problem.

Many thanks In advance for any recommendations

Paul

How far apart are your access points? How high are they mounted?

Hi Joseph,

The access point are approxiamatley 35m apart with the Android device placed located near to the middle of the two WAPs. For height they would be around 2.2m off the ground.

What kind of environment is this?  What access points are these?

Unless this is an access point with a directional antenna, all of the access points that Aruba makes are downtilt onmidirectional.  They are designed to be placed on the ceiling at an approximate distance of 20M apart.  Any more distance than that and roaming will not be smooth.  You will also have the issue where you have to turn the power up high and clients will keep alternating to both access points.  While the signal strength is high, the signal quality can be poor at that distance.  The more distance you put between a client an access point, the more chance for interference, which is what we might  be seeing in your example.  I would try to put an access point halfway between the two access points and turn the max tx power down to 15 or 18.