I should have mentioned, I did a radioactive trace first.  That result was pretty clear.  Wrong PSK.  To be honest that’s as far as I would go if the user wasn’t so insistent they have entered the correct key.  

As I understand it the client includes a message integrity check in its eapol message 2.  If that is as far as the exchange goes and the AP doesn’t send message 3 in response with a deliberate wrong PSK test does that mean the MIC is created using the PSK details? Then if the AP doesn’t get the expected MIC it can assume the client has the wrong PSK and stops the 4 way transaction?  The disassociation message after 3 attempts at the 4 way exchange fail says 4 way timeout or something similar.  

Kev.

Part of this https://praneethwifi.in/2019/11/09/4-way-hand-shake-keys-generation-and-mic-verification/ shows that the PSK is involved in the generation of the MIC.  Several known parameters and the PSK.  The AP has sent its nonce to the client.  The client is sending its nonce to the AP.  Those pieces of information plus the SSID name, client MAC and AP MAC are used with the PSK to generate the MIC.

I assume the AP then uses those known parameters and its knowledge of the PSK to try to generate the same MIC.  A difference then implies the client is using an incorrect PSK.  So the PSK isn’t sent but its value plus known values generate the MIC which can then be used to infer the client has the same PSK the AP

Kev.

If you want FT to be used keep it on FT enabled, this way any clients support FT will be using FT and clients doesn't support will not be using FT. Both will be able to associate without any problems. 

Is that correct? In my memory, when enabling FT, clients not correctly supporting it will be unable to connect at all. 

I’ve tested FT enabled before and had issues with some clients.  I understood FT adaptive was to support those that can do FT on the same SSID as those who don’t.  It’s working that way at the moment.  I don’t think it’s relevant to the PSK issue because that seems clear that the MIC sent to the AP is not matching what the AP expects.

Kev.

I have had clients not connect when FT was turned on, even in adaptive but they were older devices not a mobile/ tablet/ laptop style device.

I have also seen 802.11k or v sometimes cause issues with real legacy devices.

Couple things I would try:

Get the user to update their wireless driver if its a laptop. Or upgrade latest software version for phone/ tablet.

If that doesn't work, you could spin up a test SSID with FT disabled and see if that works for them (use the exact same PSK to rule out them not typing it correct).

If there still issues going to suggest they cant type the PSK or they should buy a new device.