Some PPSK users suddenly cannot log in anymore

On our HiveManager NG on prem, PPSK authentication stopped working for some clients.


We cannot pinpoint the issue; what we see on the APs is that the PW of the users gets rejected. Even when we create new users on the HiveManager, these get rejected too. (We have 2 SSIDs using PPSK, and it is the same with both, regardless of the user group - one has four different with different expiration dates, the other just one.)


The whole setup was working until Wednesday evening. It is still working for most people, and all other auth methods work fine, but even a restart of the APs and the HiveManager didn't solve the problem.


The currently elected Radius Proxy APs reject the authentication, the user cannot connect her/his mobile device. On the AP it looks like a "wrong password", as if the Radius Proxies do not check with the HiveManager at all for the correct/current user list.


Funny thing: I had a working login for one of the networks on my device. It was supposed to be able to auth 10 devices in this network. I let a co-worker try to auth with my key, it didn't work. Afterwards, I wasn't able to log in with this key either.

We created a new one for him; he was able to log in with his MacBook with it, but not with his mobile phone.


(Just to clarify: The problem crept back up even with the new SSIDs, so we had to scramble to get a solution. We re-created another SSID from scratch, adding features one by one.)

This problem only occurs with PPSKs, not with normal WPA2-SSIDs. So if you do not use PPSKs you can probably leave 802.11r enabled, since it should be supported by nearly all current hardware.

Sorry for not answering earlier, was away over the holidays.

Anyway, the problem could be solved with an on-site analysis by our local Aerohive partner.

We found out that one single setting was responsible for all of our problems: 802.11r

(in the SSID settings, additional settings at the bottom, voice enterprise section)

Activating this led to the PPSK authentication problems; without it everything works just fine.

We didn't have to create new SSIDs this time around.

Auth debugs will show you the authentication process in more detail, so you can see exactly where the client failed in the process.


This guide reviews how to enable auth debugs:

Hi, I have a similar issue; however, I'm running local PPSK keys. Now one just stopped working for a client. What type of debug can you do to figure out what is happening?