I have a Cisco WLC 2504 with IOS 22.214.171.124 and AP 1602E on it.
After moving from WPA with TKIP to WPA2 with AES, many of the clients keep disconnecting.
The log that I see is the following one:
*Dot1x_NW_MsgTask_2: Aug 13 18:23:29.294: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:961 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client d0:7e:35:a8:95:3a
I have changed some timeouts but it did not help.
The problem is probably that your clients are still trying to use TKIP because that is what is configured in the wireless profile they have. If this profile has been created automatically by the end user when they first connected, it needs to be removed manually and recreated or just changed (depends on the client device). From the standpoint of the end user, it is probably simpler if you can push settings with a GPO (Windows) or use mobile device management tooling for Apple and Android devices.
Sometimes it is easier to create a second SSID which clients have not used before so there is no history. This way you can also monitor which devices are still using the "old" SSID. Once the clients are moved you can remove it. Depending on which EAP(ol) settings you changed, I would advise you to make them default again.
Please rate useful posts... :-)
We had migrated the client config pushed via GPO. All the clients have connected to the AP/WLC, but sometimes, like once every 2 hours or once every 30 minutes, the AP disconnects them.
On Windows, it shows "limited connectivity".
Limited connectivity may be due to DHCP (option 43 received invalid IP or no IP address, proxy), AAA, or bad RF. But as per the log you have shared, it seems like an issue with the client wireless profile; as Freerk Terpstra suggested, try with a changed/new profile.
My suggestion is to recreate the profile [WLAN/SSID] on the WLC, bind WPA with AES only, and uncheck 802.1x if not using it.
Also try to use the Cisco supplicant on the client side for those having issues disconnecting.
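To work out which client profiles still need to be recreated, the rejected key messages can be grouped per client MAC. The following is an added example, not part of the original thread and not Cisco code: the field layout is taken from the log line quoted in the question, and the year, the second MAC address and all sample lines except the first are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout follows the log line quoted in the question.
PATTERN = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%DOT1X-3-INVALID_WPA_KEY_MSG_STATE: \S+ "
    r"Received invalid EAPOL-key (?P<msg>M\d) msg in (?P<state>\w+) state - "
    r"(?P<reason>[^;]+); KeyLen (?P<keylen>\d+), Key type (?P<ktype>\d+), "
    r"client (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_line(line, year):
    """Return a dict for one INVALID_WPA_KEY_MSG_STATE line, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # The timestamp carries no year, so the caller supplies it (assumption).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S.%f")
    rec["mac"] = rec["mac"].lower()
    return rec

def failures_by_client(lines, year):
    """Group rejected key messages per client: count, first/last seen, reasons."""
    out = {}
    for rec in filter(None, (parse_line(l, year) for l in lines)):
        c = out.setdefault(rec["mac"], {"count": 0, "first": rec["ts"],
                                        "last": rec["ts"], "reasons": Counter()})
        c["count"] += 1
        c["first"] = min(c["first"], rec["ts"])
        c["last"] = max(c["last"], rec["ts"])
        c["reasons"][f"{rec['msg']} in {rec['state']}: {rec['reason']}"] += 1
    return out

_TAIL = ("%DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:961 Received invalid "
         "EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client ")
SAMPLE = [  # first line is the one from the question; the rest are constructed
    "*Dot1x_NW_MsgTask_2: Aug 13 18:23:29.294: " + _TAIL + "d0:7e:35:a8:95:3a",
    "*Dot1x_NW_MsgTask_2: Aug 13 20:25:11.102: " + _TAIL + "D0:7E:35:A8:95:3A",
    "*Dot1x_NW_MsgTask_1: Aug 13 18:40:05.017: " + _TAIL + "02:00:00:aa:bb:01",
    "*constructed_task: Aug 13 18:41:00.000: unrelated constructed message",
]

if __name__ == "__main__":
    for mac, c in sorted(failures_by_client(SAMPLE, 2014).items()):
        print(mac, c["count"], c["first"], c["last"], dict(c["reasons"]))
```

Clients that keep appearing in the output after the new profile has been pushed are the ones still presenting the old settings.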