https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4092693#M31631 <P>I have 300 ap on wlc 5520.<BR />Some clients (only iPhones) are disconnected at unspecified times.<BR />I did the analysis and the log below was checked.<BR />% DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c: 1547 Received invalid EAPOL-key M2 msg in START state-invalid RSN IE; KeyLen 22, Key type 1, client aa: bb: cc: dd: ee: ff<BR />In the log above, all mac addresses were confirmed as apple mac.<BR />I did a community and bug search.<BR />I tried applying all the methods I found in relation to this, but it did not resolve.</P><P>Only wpa2 / aes is set in wlan and there is no authentication server.<BR />Both ft and pmf are not used for wlan.<BR />I tried changing the value of EAP-Broadcast Key Interval to 86400, but the result was the same.<BR />os version is 8.5.151 and ap is 1815, 1832.</P><P>We do not use a separate authentication server, do we need to see the EAP settings?<BR />Where should I solve the problem?<BR />I sincerely ask for your help from the community cisco.</P><P>thank you.</P><P>&nbsp;</P> Mon, 05 Jul 2021 19:06:05 GMT inb 2021-07-05T19:06:05Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4092693#M31631 <P>I have 300 ap on wlc 5520.<BR />Some clients (only iPhones) are disconnected at unspecified times.<BR />I did the analysis and the log below was checked.<BR />% DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c: 1547 Received invalid EAPOL-key M2 msg in START state-invalid RSN IE; KeyLen 22, Key type 1, client aa: bb: cc: dd: ee: ff<BR />In the log above, all mac addresses were confirmed as apple mac.<BR />I did a community and bug search.<BR />I tried applying all the methods I found in relation to this, but it did not resolve.</P><P>Only wpa2 / aes is set in wlan and there is no authentication server.<BR />Both ft and pmf are not used for wlan.<BR />I tried changing the value of EAP-Broadcast Key Interval to 86400, but the result was the same.<BR />os version is 8.5.151 and ap is 1815, 1832.</P><P>We do not use a separate authentication server, do we need to see the EAP settings?<BR />Where should I solve the problem?<BR />I sincerely ask for your help from the community cisco.</P><P>thank you.</P><P>&nbsp;</P> Mon, 05 Jul 2021 19:06:05 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4092693#M31631 inb 2021-07-05T19:06:05Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4092840#M31633 <P>there are posts that pint to a bug in version 8.3</P> <P>read <A href="https://community.cisco.com/t5/other-wireless-mobility-subjects/clients-losing-connectivity-dot1x-3-invalid-wpa-key-msg-state-1x/td-p/2916285" target="_self">this post that suggests the client driver or an intruder</A></P> <P>it could just be the client prefers to connect using DOT1x first, and reverts to PSK second.</P> <P>(wild idea: does these clients use the same SSID name elsewhere with DOT1x enabled?)</P> <P>remove the wlan config from the client device and after some minutes re-add.</P> Wed, 27 May 2020 14:17:23 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4092840#M31633 pieterh 2020-05-27T14:17:23Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093200#M31634 <P>We are using WPA2 AES (PSK) only for WLAN.<BR />I do not use an authentication server and local EAP.<BR />However, EAP related logs are generated. Is this normal operation?<BR />I tried adjusting the EAP Timer, but the result is the same.</P><P>802.1x is not used.</P><P>There is no SSID of the same name using the authentication server.</P> Thu, 28 May 2020 02:13:59 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093200#M31634 inb 2020-05-28T02:13:59Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093283#M31635 <P>normally people take their phone everywhere, also outside your company.<BR />and not only company phones are within reach of your wifi-network!</P> <P>there will be guests and strangers passing past the office.</P> <P>&nbsp;</P> <P>my suggestion is that some phone at some time outside your network, connected to a SSID with the same name.<BR />and now comes within reach of your network and tries to authenticate using credentials configured for "the other network".<BR />which of course fail..... and that is normal behaviour to show up in your logs.</P> Thu, 28 May 2020 06:07:36 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093283#M31635 pieterh 2020-05-28T06:07:36Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093544#M31636 <P>I don't think that's the problem.<BR />I have a test AP in an enclosed space.<BR />(2.4Ghz and 5Ghz signal absolutely free space)<BR />I was connected to the WLAN in the latest OS of iPhone 11 pro.<BR />If you repeatedly go out of sleep mode several times, communication with the outside is not possible even when connected to WLAN.<BR />The condition of the iPhone's Wi-Fi antenna is full.<BR />It does not occur on Android, MacBook, and laptops.<BR />It only happens on the iphone.<BR />5 ~ 6 years ago, there was a case where the iPhone could not communicate due to a similar problem.<BR />At that time, IOS update or WLC OS update has been solved.<BR />I'm not sure if this is the same problem again.<BR />This time, a special log occurred in WLC.<BR />I don't know what the cause is.</P><P>&nbsp;</P><P><FONT><FONT>I understand your suggestion.<BR />It is a university wireless network and there are only 200 people due to corona.<BR />20 iphone clients a day have the same problem.<BR />It seemed to have been resolved by going through a WLC OS update with a similar issue in early 2019, but it is said that it has recently begun to reappear.<BR />When there are many people, I usually use up to 3000 people.<BR />At this time, it is expected that 300 problems will occur simply by calculating.</FONT></FONT></P><P><FONT><FONT>This is a very big problem.</FONT></FONT></P><P><FONT><FONT>Thank you very much for your answer.</FONT></FONT></P><P>&nbsp;</P> Thu, 28 May 2020 12:08:05 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4093544#M31636 inb 2020-05-28T12:08:05Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4094307#M31637 There are some issues in the firmware you currently use, which might show this issue.<BR />For this reason I suggest to upgrade to 8.5.161.0.<BR />Release notes with the fixed bugs:<BR /><A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr6.html#resolved-caveats_85mr6" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn85mr6.html#resolved-caveats_85mr6</A> Fri, 29 May 2020 11:27:42 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4094307#M31637 patoberli 2020-05-29T11:27:42Z https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4103054#M31638 <P>Eventually, it was confirmed to be an OS problem.<BR />Thanks to everyone who helped. <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Mon, 15 Jun 2020 02:40:26 GMT https://community.cisco.com/t5/wireless/dot1x-3-invalid-wpa-key-msg-state-iphone-network-failure-inquiry/m-p/4103054#M31638 inb 2020-06-15T02:40:26Z