Motorola MC9090 and WPA2-PSK-AES


    Posted Nov 02, 2018 07:32 AM

    Hey Guys,

    I have a customer that wants to use Motorola MC9090 with Windows CE7 in a WPA2-PSK-AES secured SSID, but we have some problems with it.

    Right now we have an old network where everything works fine. The customer has a new building with Aruba APs. We run AOS 8.2.2.1 with an MM-controlled cluster of two 7220s. The client devices are Motorola MC9090 with Windows CE 7 (latest version) and support 11a/b/g. They have static IPs configured on the device.

    The clients try to connect to the new network, but lose the connection. We tried:

    - allowing the data rates from 1-11 MBit/s
    - enabling IP spoofing in the firewall
    - disabling OKC
    - disabling "validate PMKID"
    - setting the security to "WPA2-PSK-TKIP" and "WPA-PSK-AES"

    802.11d is disabled on the clients and 11r/k/v is disabled on the network. I collected some logfiles on this issue:

    <NOTI> |AP FLDEAP010OG1_01@172.20.0.12 stm|  Auth success: <client-mac>: AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01
    <NOTI> |stm|  Assoc success @ 14:56:23.007600: <client-mac>: AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01
    <NOTI> |AP FLDEAP010OG1_01@172.20.0.12 stm|  Assoc request @ 14:56:23.001817: <client-mac> (SN 518): AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01
    <DBUG> |authmgr|  Auth GSM : USER_STA event 0 for user <client-mac>
    <INFO> |authmgr|  MAC=<client-mac> Station UP: BSSID=80:8d:b7:02:5b:80 ESSID=FREIVSBR VLAN=80 AP-name=FLDEAP010OG1_01 
    <DBUG> |authmgr|  MAC=<client-mac> ingress 0x1001d (tunnel 29), u_encr 32, m_encr 32, slotport 0x2100 , type: local, FW mode: 0, AP IP: 172.20.0.12 mdie 0 ft_complete 0
    <DBUG> |authmgr|  "MAC:<client-mac>: Allocating UUID: 001a1e04c848000000020625
    <DBUG> |authmgr|  "VDR - Add to history of user user <client-mac> vlan 0 derivation_type Reset VLANs for Station up index 0.
    <DBUG> |authmgr|  "VDR - set vlan in user for <client-mac> vlan 80 fwdmode 0 derivation_type Default VLAN.
    <DBUG> |authmgr|  "VDR - Add to history of user user <client-mac> vlan 80 derivation_type Default VLAN index 1.
    <DBUG> |authmgr|  "VDR - set vlan in user for <client-mac> vlan 80 fwdmode 0 derivation_type Current VLAN updated.
    <DBUG> |authmgr|  "VDR - Add to history of user user <client-mac> vlan 80 derivation_type Current VLAN updated index 2.
    <DBUG> |authmgr|  Role Derivation for user N/A-<client-mac>- N/A Set AAA profile defaults.
    <DBUG> |authmgr|  Setting default role to authenticated for user <client-mac>".
    <DBUG> |authmgr|  {L2} Update role from logon to authenticated for IP=N/A, MAC=<client-mac>.
    <INFO> |authmgr|  MAC=<client-mac>,IP=N/A User role updated, existing Role=logon/none, new Role=authenticated/none, reason=Set AAA profile defaults
    <NOTI> |AP FLDEAP010OG1_01@172.20.0.12 stm|  Assoc success @ 14:56:23.004535: <client-mac>: AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01
    <DBUG> |authmgr|  Idle timeout should be driven by STM for MAC <client-mac>.
    <DBUG> |authmgr|  clr_pmkcache_ft():1094: MAC:<client-mac> BSS:80:8d:b7:02:5b:80
    <DBUG> |authmgr|  VDR - mac <client-mac> rolename authenticated fwdmode 0 derivation_type Initial Role Contained vp not present.
    <DBUG> |authmgr|  "VDR - Add to history of user user <client-mac> vlan 0 derivation_type Reset Role Based VLANs index 3.
    <DBUG> |authmgr|  Skip User-Derivation, mba:0 udr_exist:0,default_role:authenticated,pDefRole:0x0x1df4aec
    <DBUG> |authmgr|  handle_sta_up_dn (3659): rtts user=<client-mac>  enabled=0 initial tput=35280
    <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:<client-mac>, pmkid_present:False, pmkid:N/A
    <DBUG> |authmgr|  "VDR - set vlan in user for <client-mac> vlan 80 fwdmode 0 derivation_type Current VLAN updated.
    <DBUG> |authmgr|  "VDR - Add to history of user user <client-mac> vlan 80 derivation_type Current VLAN updated index 4.
    <DBUG> |authmgr|  "VDR - Cur VLAN updated <client-mac> mob 0 inform 1 remote 0 wired 0 defvlan 80 exportedvlan 0 curvlan 80.
    <DBUG> |authmgr|  Device Type index derivation for <client-mac> : dhcp (0,0,0) oui (0,0) ua (0,0,0) derived (0):
    <DBUG> |authmgr|  download-L2: acl=78/0 role=authenticated, tunl=0x1001d, PA=0, HA=1, RO=0, VPN=0 L3MOB=0.
    <INFO> |authmgr|  MAC=<client-mac>,IP=N/A User data downloaded to datapath, new Role=authenticated/78, bw Contract=0/0, reason=layer 2 event driven download, dle-timeout=300
    <DBUG> |authmgr|  Auth GSM : USER publish for uuid 001a1e04c848000000020625 mac <client-mac> name  role authenticated devtype  wired 0 authtype 0 subtype 0  encrypt-type 9 conn-port 8448 fwd-mode 0 roam 0 repkey -1
    <DBUG> |authmgr|  Auth GSM : MAC_USER publish for mac <client-mac> bssid 80:8d:b7:02:5b:80 vlan 80 type 1 data-ready 0 HA-IP n.a
    <DBUG> |authmgr|  MAC=<client-mac> Station Created Update MMS: BSSID=80:8d:b7:02:5b:80 ESSID=FREIVSBR VLAN=80 AP-name=FLDEAP010OG1_01
    <DBUG> |authmgr|  Auth GSM : MAC_USER mu_delete publish for mac <client-mac> bssid 80:8d:b7:02:5b:80 vlan 80 type 1 data-ready 0 deauth-reason 52  HA-IP n.a
    <NOTI> |stm|  Deauth to sta: <client-mac>: Ageout AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01 wifi_deauth_sta
    <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user <client-mac> age 0 deauth_reason 52
    <INFO> |authmgr|  MAC=<client-mac> Station DN: BSSID=80:8d:b7:02:5b:80 ESSID=FREIVSBR VLAN=80 AP-name=FLDEAP010OG1_01 reason=52
    <DBUG> |authmgr|  Setting idle timer for user <client-mac> to 300 seconds (idle timeout: 300 ageout: 0).
    <DBUG> |authmgr|  station free: bssid=80:8d:b7:02:5b:80, mac=<client-mac>.
    <DBUG> |authmgr|  MAC=<client-mac> Station Deleted Update MMS
    <NOTI> |stm|  Deauth to sta: <client-mac>: Ageout AP 172.20.0.12-80:8d:b7:02:5b:80-FLDEAP010OG1_01 Ptk Challenge Failed
    <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac <client-mac>
    <DBUG> |authmgr|  Auth GSM : USER delete for mac <client-mac> uuid 001a1e04c848000000020625

    So I looked into the authentication trace buffer and found several MIC failures during the 4-way handshake with the client:

    [MDC] #show auth-tracebuf mac <client-mac> count 30
    
    Auth Trace Buffer
    -----------------
    Oct 29 18:00:07  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:07  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:08  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:08  station-down           *  <client-mac>  80:8d:b7:02:5b:80  -      -    
    Oct 29 18:00:09  station-up             *  <client-mac>  80:8d:b7:02:5b:80  -      -    wpa2 psk aes
    Oct 29 18:00:09  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:09  user repkey change     *  <client-mac>  80:8d:b7:02:5b:80  65535  -    001a1e04c848000000020afb
    Oct 29 18:00:09  macuser repkey change  *  <client-mac>  80:8d:b7:02:5b:80  65535  -    <client-mac>
    Oct 29 18:00:09  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:10  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:10  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:11  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:11  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:12  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:12  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:13  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:13  station-down           *  <client-mac>  80:8d:b7:02:5b:80  -      -    
    Oct 29 18:00:15  station-up             *  <client-mac>  80:8d:b7:02:5b:80  -      -    wpa2 psk aes
    Oct 29 18:00:15  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:15  user repkey change     *  <client-mac>  80:8d:b7:02:5b:80  65535  -    001a1e04c848000000020afc
    Oct 29 18:00:15  macuser repkey change  *  <client-mac>  80:8d:b7:02:5b:80  65535  -    <client-mac>
    Oct 29 18:00:15  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:16  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:16  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:17  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:17  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:18  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:18  wpa2-key2             ->  <client-mac>  80:8d:b7:02:5b:80  -      117  mic failure
    Oct 29 18:00:19  wpa2-key1             <-  <client-mac>  80:8d:b7:02:5b:80  -      117  
    Oct 29 18:00:19  station-down           *  <client-mac>  80:8d:b7:02:5b:80  -      -    

    We rechecked the PSK, but it is correct on the controller and on the device, and a laptop can connect to the network without any problems.

    I found out that there is an option that could help called 902il-compatibility-mode (Link) in the SSID profile, and this option is documented at least for the show command in AOS 8.2, but if I actually try to use it, the command is unknown to the CLI.

    Has anyone had a similar issue, or any idea how to find a solution to this problem?

    Thanks for your help,

    Hendrik
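For context on the "mic failure" entries in the trace buffer above, here is an added example (not from the original post or from Aruba) that recomputes the WPA2-PSK key derivation and the message-2 MIC check the controller performs; it assumes constructed nonces, a placeholder client MAC and illustrative passphrases, while the SSID and BSSID are the ones from the post.

```python
"""Constructed example: the controller logs 'mic failure' on message 2 of the
WPA2-PSK 4-way handshake whenever client and controller derive different PTKs."""
import hashlib
import hmac

SSID = "FREIVSBR"                       # ESSID seen in the post's logs
AA = bytes.fromhex("808db7025b80")      # BSSID from the trace buffer
SPA = bytes.fromhex("000000000001")     # placeholder client MAC (constructed)
ANONCE = bytes(range(32))               # constructed nonces; real ones are random
SNONCE = bytes(range(32, 64))


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384 for CCMP: PTK = KCK(16) || KEK(16) || TK(16)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return out[:48]

def msg2_frame(snonce: bytes) -> bytes:
    """Stand-in for the EAPOL-Key message 2 body with its 16-byte MIC field zeroed
    (constructed; a real frame carries the full descriptor layout and the RSN IE)."""
    key_info = (0x010A).to_bytes(2, "big")   # pairwise, MIC set, HMAC-SHA1 MIC / AES wrap
    return b"\x02" + key_info + (1).to_bytes(8, "big") + snonce + bytes(16)

def msg2_mic(kck: bytes, frame_zero_mic: bytes) -> bytes:
    """AKM 00-0F-AC:2 MIC: HMAC-SHA1 over the EAPOL frame, truncated to 128 bits."""
    return hmac.new(kck, frame_zero_mic, hashlib.sha1).digest()[:16]

def authenticator_checks_msg2(controller_psk: str, client_psk: str) -> bool:
    """Each side derives its PTK from its own passphrase; the controller recomputes
    the MIC of message 2 with its KCK and compares. A mismatch is 'mic failure'."""
    frame = msg2_frame(SNONCE)
    client_kck = wpa2_ptk(wpa2_pmk(SSID, client_psk), AA, SPA, ANONCE, SNONCE)[:16]
    ctrl_kck = wpa2_ptk(wpa2_pmk(SSID, controller_psk), AA, SPA, ANONCE, SNONCE)[:16]
    return hmac.compare_digest(msg2_mic(client_kck, frame), msg2_mic(ctrl_kck, frame))

if __name__ == "__main__":
    print("identical PSK   ->", authenticator_checks_msg2("correct horse", "correct horse"))
    print("trailing space  ->", authenticator_checks_msg2("correct horse", "correct horse "))
    print("O typed as zero ->", authenticator_checks_msg2("correct horse", "c0rrect horse"))
```

Because the MIC is keyed with the KCK, a failure on message 2 means the two sides hold different PTKs, so the passphrase (including trailing whitespace or look-alike characters), the SSID and the negotiated cipher are the first things to compare on both ends.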