Wireless Access


Re: Ptk Challenge Failed

Not disagreeing... just presenting the knowledge and will let others decide. Always good to know what those checkboxes are doing :)

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Aruba

Re: Ptk Challenge Failed

For what it's worth: since disabling the firewall spoofing setting (IPv4), the Ptk Challenge Failed message has not been seen. The profile still has both OKC and Validate PMKID disabled.

 

The environment is probably 80-85% Mac and/or iOS.  

 

I know what the settings do, but is there harm in disabling both... or is it better to enable both?

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: Ptk Challenge Failed

I know this is an old thread, I just wanted to say thanks as this article came in handy. A new install was left with PMKID set to disabled when the default option by the system is enabled. No other changes were needed to be made for OSX to roam correctly.

 

Thanks,

Justin

Justin Kwasnik | ACMX# 598 | ACCX# 638
Contributor I

Re: Ptk Challenge Failed

Hi,

 

We have this problem, "Ptk Challenge Failed", with an iPhone 6 with iOS 9.0 and Aruba controller 6.4.2.7.

 

It is the first iOS 9 we have in our network. Will we have problems with the new version?

 

We have tried without success:

  • Checked OKC and Validate PMKID, failed
  • Uncheck OKC and Validate PMKID, failed
  • Uncheck Prohibit IP Spoofing (just in case, the device has no IP and fails in 4-way handshake), failed
  • Enable 802.11r, failed (we have disabled 802.11r for compatibility reasons)

Any suggestions?

 

Best regards,

Toni

 

 

Super Contributor I

Re: Ptk Challenge Failed

toni, that's interesting.  What does it look like from the iOS9 client side -- does the client just fail entirely or does it connect and then get kicked off a lot?

 

Contributor I

Re: Ptk Challenge Failed

Hi,

Device always fails 4-way handshake and never obtains IP from DHCP.

Association, authentication and enforcement accept by Clearpass with role works fine.

Always fails with PTK Challenge Failed.

WPA2-PSK works fine. Only fails with 802.1X.

Contributor I

Re: Ptk Challenge Failed

The issue is with iOS9 and ClearPass 6.5.1. The same SSID config with Freeradius works fine.

 

May be a problem with PMK distribution?

 

ClearPass enforcement is ok with controller role with accept.

 

What parameters can be modified in ClearPass for this issue?

Guru Elite

Re: Ptk Challenge Failed

toni.perez,

 

IOS9 is prerelease software and your issue should be reported to Apple so that it can be fixed in release code.  If it worked in IOS8 but does not work in IOS9, this is something Apple should fix based on your feedback, because they possibly changed something.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Frequent Contributor I

Re: Ptk Challenge Failed

Sorry to resurrect this thread again but we seem to be encountering this issue on 6.4.2.12. We opened a TAC case and they directed us to this post and recommended that we turn off the IP spoofing (we are having problems with a PSK SSID so OKC should not be the problem).

 

Our question is "why"? IP spoofing should have nothing to do with the symptoms of the problem. We are going to disable it in our next MW but it doesn't explain what is causing the problem.

 

FYI in the auth-tracebuf we see that when things are working, the 4 WPA keys get exchanged, and when it doesn't work, the AP sends key 1 three times then drops the station. No MIC failures. Affected clients are MAC OS X Yosemite (10.5).

Tim Haynie, ACMX #508, CWNE #254, ACCP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Guru Elite

Re: Ptk Challenge Failed

Feel free to ask TAC why they recommend that.

If the AP sends the first key and the client does not answer, it could be an indication the client did not hear it. That could be because of congestion, interference, or the client roamed away. You probably need to make sure that your WLAN has as little contention as possible.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
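
The two handshake patterns described in the last posts (all four WPA keys exchanged versus key 1 sent three times with no answer) can be told apart mechanically. This is an added example, not code from any poster or from Aruba; the event tuples are a constructed, simplified format, not real auth-tracebuf output, and all names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: (station MAC, sender, EAPOL-Key message number).
SAMPLE_EVENTS = [
    ("aa:bb:cc:00:00:01", "ap", 1), ("aa:bb:cc:00:00:01", "sta", 2),
    ("aa:bb:cc:00:00:01", "ap", 3), ("aa:bb:cc:00:00:01", "sta", 4),
    ("aa:bb:cc:00:00:02", "ap", 1), ("aa:bb:cc:00:00:02", "ap", 1),
    ("aa:bb:cc:00:00:02", "ap", 1),
    ("aa:bb:cc:00:00:03", "ap", 1), ("aa:bb:cc:00:00:03", "sta", 2),
    ("aa:bb:cc:00:00:03", "ap", 3), ("aa:bb:cc:00:00:03", "ap", 3),
]

# In the WPA2 4-way handshake the AP sends messages 1 and 3,
# the station answers with messages 2 and 4.
EXPECTED_SENDER = {1: "ap", 2: "sta", 3: "ap", 4: "sta"}


def classify_handshake(events):
    """Classify one station's ordered (sender, msg) events for a single attempt."""
    reached = 0                 # highest message seen in valid order
    retries = defaultdict(int)  # AP retransmissions per message number
    for sender, msg in events:
        if EXPECTED_SENDER.get(msg) != sender:
            return "malformed"
        if msg == reached + 1:
            reached = msg
        elif msg == reached and sender == "ap":
            retries[msg] += 1   # AP resent a message the station never answered
        else:
            return "out-of-order"  # simplification: one attempt, no restarts
    if reached == 4:
        return "complete"
    if reached == 1:
        # The pattern from the thread: key 1 repeated, station silent.
        return f"no-reply-to-key1 (sent {1 + retries[1]}x)"
    return f"stalled-after-key{reached}"


def classify_all(events):
    """Group events by station and classify each handshake."""
    per_sta = defaultdict(list)
    for sta, sender, msg in events:
        per_sta[sta].append((sender, msg))
    return {sta: classify_handshake(ev) for sta, ev in per_sta.items()}


if __name__ == "__main__":
    for sta, verdict in classify_all(SAMPLE_EVENTS).items():
        print(sta, verdict)
```

A station that lands in the `no-reply-to-key1` bucket never produced a message 2, so there is no MIC to fail, which matches the "No MIC failures" observation above.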