Client can't join AP anymore

Rosa Ladeira · ‎05-14-2012

I know from my logs that a client could join APs on my wireless network until Mar 25 16:06:55 :

wlan-controller.log.49.gz:Mar 25 16:06:55 wlan-controller-14-3 impa-wireless3: *Mar 25 16:06:53.839: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:407 Max EAPOL-key M1 retransmissions exceeded for client 14:74:11:59:83:8e

from Mar 25 16:06:55 client could not join wireless network. There are no error messages.

... But I have created a new TESTE WLAN with the same configuration the old one and client joins.

I don't know why.

Thanks

Rosa

controlers : AIR-WLC2112-K9 (6.0.199.4) and AIR-WLC2106-K9 (6.0.188.0)

APs : AIR-LAP1131AG-A-K9 (12.4(21a)JA2)

Leo Laohoo · ‎05-14-2012

Have you tried OPEN authentication?

Maybe the certificate has expired?

Rosa Ladeira · ‎05-14-2012

Thanks for your answer.

Are you talking about authenticantion without password ? (Layer 2 Security = NONE)

How can I get a new certificate ?

Rosa

Leo Laohoo · ‎05-14-2012

Are you talking about authenticantion without password ? (Layer 2 Security = NONE)

I mean no username/password required to join the SSID.

How can I get a new certificate ?

Depends on how you authenticate users to the SSID. The easiest method is troubleshoot wireless issues is to see if users can/can't join the SSID with no username/password required. If they can then you start piling encryption and security until you break stuff.

If client CAN'T join the SSID even without any username/password required then you know where the problem is.

Rosa Ladeira · ‎05-15-2012

Only one client can't join APs.

All other clients still join the same SSID.

When I said :

I have created a new TESTE WLAN with the same configuration the old one and client joins.

I wanted to say that the specific client which could not join wireless network joined the new TESTE WLAN.

Rosa

Amjad Abdullah · ‎05-14-2012

Rose:
What is the seucrity that is being used by clients? what EAP method is being used? (PEAP, EAP-TLS...etc)?

When a client tries to connect try to issue "show client detail " on WLC and list output to us. It should tell something about the client's status at the time of trying to connect.

Is the problem happening with one client only? or with all clients?

If all clients then try doing debug "debug client ". issue the debug first and then try to connect with a client that you provided the mac address for. collect the output and list it. It should tell exactly what is going on when the client tries to connect.

Amjad

Rating useful replies is more useful than saying "Thank you"

Rosa Ladeira · ‎05-15-2012

Only one client can't join APs.

All other clients still join the same SSID.

When I said :

I have created a new TESTE WLAN with the same configuration the old one and client joins.

I wanted to say that the specific client which could not join wireless network joined the new TESTE WLAN.

Rosa

maldehne · ‎05-14-2012

Excuse me All !

The message mentioned above is reporting an issue in the WPA 4-way handshake so the client should have successfully passed EAP authentication.

Try to increase the EAPOL timers on the controller side and see how it goes.

In the meantime it worths to have debug client output while not being able to connect

Amjad Abdullah · ‎05-14-2012

You are right.

Message 1 in 4-way handshake is being retried with no hope until retries timer expires.

It still can be a client issue not responding at all to 4-way handshek messages.

Rosa: in order to increase EAPOL timer Mr. maldehne talked about you can do that from CLI:

config advanced eap eapol-key-timeout

value should be between 200 and 5000 milliseconds (0.2 - 5 seconds).

AFAIK the default is 1000 milliseconds (1 second). Try increaseing that to maximum (5000) and see if that works.

Thanks maldehne for your point.

Amjad

Rating useful replies is more useful than saying "Thank you"

maldehne · ‎05-15-2012

Any time dude

Rosa Ladeira · ‎05-15-2012

Only one client can't join APs.

All other clients still join the same SSID.

When I said :

I have created a new TESTE WLAN with the same configuration the old one and client joins.

I wanted to say that the specific client which could not join wireless network joined the new TESTE WLAN.

Rosa

Amjad Abdullah · ‎05-16-2012

If it is one client with the problem it could probably be a problem with the client itself.

Try delete config on clietn and configure it again. Try also upgrading wireless adapter's driver to latest on the client.

If the above did not work and still no log messagesa appear I think we need to collect some wireless sniffer capture while the client is trying to connect in order to know what is going on.

If same problem that is indicated by the old log message you provided then the problem is high probably related to the client itself and no tto the AP and you need to concentrate on solving the client's problem.

Amjad

Rating useful replies is more useful than saying "Thank you"

Rosa Ladeira · ‎05-16-2012

Amjad, I am concerned it is a very specific problem because, as I told you, when I have created a new TESTE WLAN with the same configuration the old one has, this client joins wireless network (same controller and APs and same client configuration).

Any sugestion.

Regards,

Rosa

David Santos · ‎05-16-2012

Rosa,

have you done "debug client [MAC ADD] on the WLC? Can i see the output?

Rosa Ladeira · ‎05-16-2012

David,

no did not.

I will call client to debug togheter, then I will send you the log.

Thanks,

Rosa