Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Question: wpa2-aes connect problem

  • 1.  Question: wpa2-aes connect problem

    Posted Jul 21, 2017 03:22 AM

    Hi  .

    I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

    However, only the iPhone connected.

    Android 5, 6 and Win10 fail.

     

    Does anyone know this issue?

    Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

    ( I used internal radius)



  • 2.  RE: Question: wpa2-aes connect problem

    Posted Jul 21, 2017 05:00 AM

    Hi Insang,

     

    Please enable user-debug for a couple of clients & provide the following outputs:

     

    config#logging level debugging user-debug <mac-address of user>

    #show auth-tracebuf count <>

     

    This could be related to TLS 1.2 version for which the fix was given in 6.3.1.20.

     

    But we need logs to determine that.

     

     



  • 3.  RE: Question: wpa2-aes connect problem

    Posted Jul 24, 2017 11:03 AM

    Thank you for the reply, and sorry I'm late.

     

    (a0:b4:a5:8b:f3:e5 is my Android 6.0 phone)

     

    (OAW-4306G) #show clock

    Mon Jul 24 04:24:21 PST 2017

    (OAW-4306G) #show auth-tracebuf count 20

    Warning: user-debug is enabled on one or more specific MAC addresses;
    only those MAC addresses appear in the trace buffer.

    Auth Trace Buffer
    -----------------


    Jul 24 04:19:04 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:19:36 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
    Jul 24 04:19:36 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
    Jul 24 04:19:36 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:20:08 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
    Jul 24 04:20:08 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
    Jul 24 04:20:08 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:20:19 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - - wpa2 aes
    Jul 24 04:20:19 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
    Jul 24 04:20:19 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:20:50 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
    Jul 24 04:20:50 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
    Jul 24 04:20:50 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:21:22 eap-term-start -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - -
    Jul 24 04:21:22 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 1 -
    Jul 24 04:21:22 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
    Jul 24 04:24:24 station-down * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10 - -
    Jul 24 04:24:24 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 - - wpa2 aes
    Jul 24 04:24:24 station-term-start * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 1 -
    Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version

     

    and

     

    (OAW-4306G) #show log all 10

    Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771
    Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771

     

     

    So, is this a problem with Android or with the firmware image?

     

    I think 6.3.1.4 can't support TLS 1.2, is that right?

     

    And can it only be solved by upgrading the image?

    (I already told my customer "you need to upgrade".)

     

    Thank you for helping me.

     

     



  • 4.  RE: Question: wpa2-aes connect problem

    EMPLOYEE
    Posted Jul 21, 2017 08:36 AM

    @Hwang wrote:

    Hi  .

    I used Alcatel firmware 6.3.1.4 and I attempted to connect to Wi-Fi with wpa2-aes applied.

    However, only the iPhone connected.

    Android 5, 6 and Win10 fail.

     

    Does anyone know this issue?

    Why does 6.3.1.4 fail to connect to Wi-Fi with wpa2-aes applied?

    ( I used internal radius)


    If you are using internal radius that means that you are using EAP-Termination.  Did you replace the internal radius server certificate with something that is valid?  6.3.1.4 is very old....



  • 5.  RE: Question: wpa2-aes connect problem

    Posted Jul 24, 2017 11:13 AM

    Thank you for helping me.

     

    I know 6.3.1.4 is very old, but my customer uses AP 70.

    So I will tell the customer that we need to upgrade the firmware and change the access point.

     

    Um... will this link help me? "What is EAP-Termination"

    https://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/6140/1/EAP-TLS%20Termination-2.docx



  • 6.  RE: Question: wpa2-aes connect problem
    Best Answer

    Posted Jul 24, 2017 09:30 PM

    The issue is related to the firmware not supporting TLS version 1.2 when EAP-Termination is on the controller.

     

    Please use one of the following options:

     

    1. Use an external radius server & disable EAP-termination on the controller. Ensure that the external server is using a valid server certificate.

     

    2. In case you don't have a radius server & need to use the controller's internal db for authentication, we need to upgrade the controllers to 6.3.1.20 or above to support the new TLS version.

     

    The following link has more info on 802.1x/EAP termination:

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-dot1x-termination-work/ta-p/178566
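
An added example, not part of any post in this thread and not vendor code: the `771` in the authmgr log is the TLS wire version in decimal (0x0303, i.e. TLS 1.2), which matches the diagnosis above. The sketch below decodes that field and counts the failures per station, using a few lines copied from the output posted earlier in the thread; the regular expressions are assumptions based only on those lines.

```python
import re

# TLS wire versions are (major << 8) | minor; authmgr prints the value in decimal.
TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
             0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Patterns inferred from the lines posted in the thread (assumption, not a vendor spec).
SYSLOG_RE = re.compile(
    rf"Station ({MAC}) ({MAC}) sent with unsupported TLS client version (\d+)", re.I)
TRACE_RE = re.compile(
    rf"client-finish\s+->\s+({MAC})\s+({MAC})/\S+.*invalid tls version", re.I)

def tls_name(decimal_version):
    """Map the decimal version from the authmgr log to a protocol name."""
    v = int(decimal_version)
    return TLS_NAMES.get(v, f"unknown (0x{v:04x})")

def summarize(lines):
    """Per station MAC: failure count, BSSIDs tried, TLS versions that were refused."""
    stations = {}
    for line in lines:
        syslog, trace = SYSLOG_RE.search(line), TRACE_RE.search(line)
        m = syslog or trace
        if not m:
            continue  # station-up, eap-term-start, etc. are not failures
        entry = stations.setdefault(
            m.group(1).lower(), {"failures": 0, "bssids": set(), "versions": set()})
        entry["failures"] += 1
        entry["bssids"].add(m.group(2).lower())
        if syslog:
            entry["versions"].add(tls_name(syslog.group(3)))
    return stations

# Lines copied from the auth-tracebuf and "show log all" output posted in the thread.
SAMPLE = """\
Jul 24 04:21:22 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:10/802.1x_kbs - - invalid tls version
Jul 24 04:24:24 station-up * a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 - - wpa2 aes
Jul 24 04:24:24 client-finish -> a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00/802.1x_kbs - - invalid tls version
Jul 24 04:24:57 authmgr[2290]: <132162> <ERRS> |authmgr| Station a0:b4:a5:8b:f3:e5 00:24:6c:7f:0a:00 sent with unsupported TLS client version 771
""".splitlines()

if __name__ == "__main__":
    for sta, info in summarize(SAMPLE).items():
        print(sta, info["failures"], sorted(info["bssids"]), sorted(info["versions"]))
```

A station that keeps failing with a refused version of TLS 1.2 while older clients still connect points at the EAP-terminating side, not at the client or the WPA2-AES setting.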

     

     



  • 7.  RE: Question: wpa2-aes connect problem

    Posted Jul 24, 2017 09:38 PM

    I appreciate it.

    Thank you VERY much~!