ExtremeWireless (WiNG)

  • 1.  Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 07:14
    I'm seeing several "failed WPA2-AES handshake on wlan ...." in my logs for multiple devices on AP7522/AP6521 adopted to RFS6000 running 5.8.3.1 and the WLAN is running TKIP-CCMP. I can see the device failing the handshake every 15-30 seconds on several different APs.

    I am in the process of changing this infrastructure but wanted to know if there's something I can do in the meantime.

    What are the main reasons for this?

    Thanks in advance
    Bruno


  • 2.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 07:20
    Hi Bruno,

    try to avoid use of TKIP.
    Some devices won't respond to EAPoL calls while support for TKIP is maintained.

    Regards,
    Ondrej


  • 3.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 07:28
    Thanks Ondrej I will try CCMP only


  • 4.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 07:48
    I would also look at the RF environment, are you using SMART-RF, is so can you send the smart-rf configuration, please.

    it will also be worth seeing what the interference is like.

    show smart-rf interfering-ap on


  • 5.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 09:12
    Hi Andrew,

    All we have in the smart-rf policy is:

    channel-width 5GHz 20MHz
    no neighbor-recovery
    no coverage-hole-recovery

    The interferers are about 4 of our own APs that are part of a different RF-Domain (which I assume is the cause)

    -------------------------------------------------------------------------------------
    INTERFERER VENDOR RADIO RADIO-MAC CHNL RSSI
    -------------------------------------------------------------------------------------
    84-24-8D-91-0B-00 Zebra Tech AP52:R1 84-24-8D-91-8E-80 1 -64
    74-67-F7-78-3D-10 Zebra Tech ap6521-43C2F0:R1 FC-0A-81-D3-52-A0 1 -65
    84-24-8D-91-0B-00 Zebra Tech ap6521-43C7F8:R1 FC-0A-81-D3-51-B0 11 -68
    84-24-8D-91-0B-00 Zebra Tech ap6521-43C7F8:R1 FC-0A-81-D3-51-B0 1 -68
    84-24-8D-91-0B-00 Zebra Tech AP22:R1 84-24-8D-91-95-10 1 -68
    74-67-F7-78-3D-10 Zebra Tech ap6521-43C85A:R1 FC-0A-81-D3-46-C0 1 -68
    74-67-F7-78-3E-10 Zebra Tech ap6521-43C85A:R1 FC-0A-81-D3-46-C0 1 -69
    84-24-8D-91-0B-00 Zebra Tech AP26:R1 84-24-8D-8D-E1-F0 1 -70
    84-24-8D-91-0B-00 Zebra Tech AP25:R1 84-24-8D-8E-2C-10 1 -71
    84-24-8D-91-0B-00 Zebra Tech AP26:R1 84-24-8D-8D-E1-F0 6 -71
    84-24-8D-91-0B-00 Zebra Tech AP10:R1 84-24-8D-8F-DE-C0 1 -71
    84-24-8D-91-0B-00 Zebra Tech ap6521-43C2F0:R1 FC-0A-81-D3-52-A0 1 -72
    84-24-8D-91-0B-00 Zebra Tech ap6521-43C85A:R1 FC-0A-81-D3-46-C0 1 -72
    84-24-8D-91-0B-00 Zebra Tech AP24:R1 84-24-8D-91-95-40 11 -73
    84-24-8D-91-0B-00 Zebra Tech AP24:R1 84-24-8D-91-95-40 1 -73
    74-67-F7-78-3D-10 Zebra Tech ap6521-43C5DC:R1 FC-0A-81-D3-46-10 1 -73
    74-67-F7-78-48-A0 Zebra Tech ap6521-43C85A:R1 FC-0A-81-D3-46-C0 1 -73
    74-67-F7-78-3D-10 Zebra Tech AP12:R1 84-24-8D-8D-CE-00 1 -73
    74-67-F7-77-C4-00 Zebra Tech AP10:R2 84-24-8D-8E-CD-A0 36 -74
    74-67-F7-78-49-30 Zebra Tech ap6521-43C85A:R1 FC-0A-81-D3-46-C0 1 -74

    We are changing the AP density and likely models soon due to some site changes



  • 6.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 09:36
    it might be worth looking to amend the smart-rf config

    below is an example

    sensitivity custom
    assignable-power 5GHz max 18
    assignable-power 5GHz min 14
    assignable-power 2.4GHz min 12
    assignable-power 2.4GHz max 18
    smart-ocs-monitoring sample-count 5GHz 10
    smart-ocs-monitoring sample-count 2.4GHz 15
    smart-ocs-monitoring awareness-override schedule 1 23:00 04:00 all
    coverage-hole-recovery snr-threshold 5GHz 10
    coverage-hole-recovery snr-threshold 2.4GHz 10
    coverage-hole-recovery client-threshold 2.4GHz 3
    neighbor-recovery dynamic-sampling

    the key line is neighbor-recovery dynamic-sampling

    when this line is added it is worth running

    service smart-rf clear-config

    this will reset smart RF it will take between 10-30min for the process to complete

    I would recommend upgrading to a supported code base.

    GTAC can help with this.



  • 7.  RE: Failed WPA2-AES handshake on wlan

    Posted 04-13-2018 10:13
    Thanks Andrew,

    We had severe issues with coverage-hole and neighbor-recovery but we may not have configured it properly. It worked out much better removing them and that was brought one of our rf-domains to become stable but I will revisit this.

    I'm not sure what you mean by a supported code base. Is this just the firmware we are running? We will run the latest (or close to) when we migrate