cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3373
Views
0
Helpful
14
Replies

Apple Clients Stuck in DHCP_REQD state

Davar Bajelan
Level 1
Level 1

We are facing a problem with APPLE devices only and they are not able to get IP address and stuck at DHCP_REQD state. We have two SSIDs, one open SSID and the other one uses WPA/WPA2 PSK (AES & TKIP). The APPLE devices doesn't have problem with open ssid, the problem only happen  when APPLE clients try to associate to Secure SSID.  Windows based clients and Adroid based client works fine with both SSIDs without problem.

We upgraded the WLC to latest software (7.2.111.3)  to address the other issue with Windows 8 clients a month ago and we don't see any newer release.

I'm wondering  if it is Apple device issue or if there is an unknow issue in the new Cisco software (7.2.111.3). Anybody else facing similar problem or if you know the solution?

14 Replies 14

Scott Fella
Hall of Fame
Hall of Fame

Yes you would have an issue... Apple devices only like either wpa+tkip or wpa2+aes. Try one or the other.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks Scott,  But the Apple clients in other branches are working fine with the same SSID seting ( uses WPA/WPA2 PSK (AES & TKIP)).If Apple clients only like  either wpa+tkip or wpa2+aes I should see this problem in other branches as well.

Well it will not work with WLC's. if you have it working in other branches, you better monitor the client connection because its not supported. When you configure an Apple device for wpa it uses tkip. For wpa2 apple uses aes. So seeing different encryption a causes these devices to not associate properly. You can search the forum and you will see other post stating to use one or the other.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Is there any documentation regarding this issue (Cisco or Apple)? We just recently disabled TKIP for this reason, but I haven't been able to find any known issues that specifically mention Apple products.

Well... its a standard... WPA uses TKIP only and WPA2 uses AES only. Its more of an Apple issue. If you disable TKIP, you need to disable WPA also. So the only encryption you should have is WPA2/AES.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Thanks for the response. While I've got you on the subject, can you confirm that this is how we disable WPA?

The drop down box does not have an option that is just 'WPA2'. Do we disable WPA by choosing 'WPA+WPA2' and then only checking 'WPA2 Policy'? Thank you in advance.

You should also be aware of the fast ssid change. Apple devices does a connect to a new ssid without sending disassosiate frames to the old ssid first. That is by default not allowed on Cisco controller.

Sent from Cisco Technical Support iPad App

'Fast SSID change' is set on the 'Controller' tab. 'Fast Transition' is to enable or disable a fast transition between access points, per Cisco documentation.

Disable Fast Transition!

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

This is how it should be of course you need to enter the pre shared key if your using psk.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Why should i disable fast transition?

Thanks..

Sent from Cisco Technical Support iPad App

Because clients don't support it.

802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the reassociation request or response exchange with new target AP.

802.11r provides two methods of roaming:

Over-the-Air

Over-the-DS (Distributed System)

The FT key hierarchy is designed to allow clients to make fast BSS transitions between APs without the need to reauthenticate at every AP. WLAN configuration contains a new Authenticated Key Management (AKM) type called FT (Fast Transition).


Note Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled.

The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs.

Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Yes... Just uncheck WPA and you will be left with WPA2. Then uncheck TKIP and make sure AES is checked.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame
Hall of Fame

Also look at this link that might be an issue with the iPhone 5

https://discussions.apple.com/thread/4322714?start=570&tstart=0

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: