Re: Devices Android not connecting SSID with WPA2 Enterprise

clauscosta · ‎08-15-2018

Hi All

I am having problems with android devices software version 7 and higher for example galaxy J7 prime to connect to our SSID configured with WPA2 Enterprise...

The request neither arrives to authenticator.

Network Infraestucture:

WLC 5520 -version 8.3.143.0

SSID with 802.1X

APS 1852I in flexconnect mode (data e authentication local)

Authenticator ISE 2.3 with 4 patchs applied.

Testing with another android version 5.1.1 (ASUS_X014D) the same SSID and same user/password works fine.

Apple devices also works fine.

Same device connects to SSID with PSK without problems

Thanks in advance for any help

Sandeep Choudhary · ‎08-15-2018

if onl yone type of device is gaving issue then .....

1. update the software (if you can) on device and try again...

2. if still fails then contact to cisco TAC.

Regards

Dont forget to rate helpful posts

pieterh · ‎08-16-2018

It may have a connection with the certificate presented by the authentication server
if possible enable the option to ask for certificate when connecting to the ssid and see what response you get

clauscosta · ‎08-17-2018

We tried to use several android versions, 5, 6,7, different vendors (motorola, samsung) and same problem
I only connect with my device that is a Asus version 5.1 and another samsung that is using version 4.2.2, besides Apple phones.

ajc · ‎08-21-2018

Could you please post the ISE log so we can troubleshoot your issue?.

patoberli · ‎08-17-2018

Depending on your radius server setup, you also have to fill out the Android field "Anonymous Identity" which is just under the Identity (username).
Fill it out with the same username.
I do more tend to a certificate issue though, or a misconfiguration on the SSID. You have not enabled WPA or TKIP, right?

clauscosta · ‎08-17-2018

Thanks guys for your suggestions, below the answers about your requests.

I didn't try to fill out the anonymous identity, I'll test it and post if works

At the WLC I just configured WPA2 and 802.1x, the radius server is ISE 2.3

Certificate at the device mobile side is not used, on the phone we configure PEAP with MSCHAPv2 and to not validate certificate.

strange that we have this problem only with android phones...Apple phones is working well

clauscosta · ‎08-20-2018

I tried with "Anonymous Identity" filled, same behavior :(
But I made a change that did the connection works...I put the SSID hidden and worked...but Why? why works in that way and not with the SSID broadcast? I don't know yet...besides that I need to leave the SSID broadcasting.
I tried to change the SSID name thinking that could be something with the characters quantity, but no as well.
In Summary I still have a problem...

patoberli · ‎08-20-2018

Can you please post the ISE log of one of the affected devices? It should arrive at the ISE, but might not get logged repeatedly when wrong (default setting).
Check this: https://community.cisco.com/t5/security-documents/configuring-anomalous-client-suppression-on-ise/ta-p/3161437
This can cause "wrong" logging on the ISE, something I really don't like when troubleshooting.

pieterh · ‎08-21-2018

that is a good lead from patoberli!
you can locate the device under devices right-click and select "bypass-supression" to temporarily re-enable events in the log

clauscosta · ‎08-21-2018

patorbeli,
I'll try to do this, but I guess is not that, because I tried many times with the device and not worked with broadcasting SSID, when I just put the SSID hidden worked just in time.
Thanks for your contribution.

pieterh · ‎08-21-2018

i'd check again what certificates are used.

look at this thread that states

I did essentially prove that it was related to the self-signed certificate. I pointed my wireless controller to another radius server (ISE 2.1) that has a real certificate on it, and it worked immediately. No other changes were made to the SSID, or anything related to the wireless itself. It appears that Android 7.1 is not ignoring the validity of the certificate, even though I configured it to do so. If you have a purchased/trusted certificate on your radius server (which is almost never the case), it will work fine. If you don't, it won't work at all.

clauscosta · ‎08-22-2018

Hello Guys,
I am sure that is not a problem related to ISE, cause:
1 - If I just disable broadcast SSID the request goes to connection sucessfully immediatilly.
2 - If I enable broadcast SSID, the connection neither arrives to the ISE, collecting debugs at WLC and AP I can see that the device request is changing to 802.1X to Unassociate status

Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0753] CLSM[HH:HH:HH:HH:HH:HH]: ADD MOBILE: Use Default AAA QOS Signature
Aug 21 17:25:42 hostapd: apr1v2:WPA: STA HH:HH:HH:HH:HH:HH no PSK configured for the STA
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: client moved from ASSOC to 8021X
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Added to WCP client table AID 11 Radio 1 Vap 2 Enc 4
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Client delete initiated
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Remove success from ClientIPTable on apr1v2
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: client moved from 8021X to UNASSOC
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Send Deauth - Radio 1 Vap 2 success
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: US Auth(b0) seq 1083 IF 32 slot 1 vap 2 len 41 state UNASSOC
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Delete client reassoc 1 succeeded to radio intf apr1v2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Client delete initiated
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: client moved from UNASSOC to UNASSOC
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: DS Auth len 41 slot 1 vap 2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Driver send mgmt frame success Radio 1 Vap 2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: client moved from UNASSOC to AUTH
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: US Assoc Req(0) seq 1084 IF 32 slot 1 vap 2 len 266 state AUTH
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Client aid: 11
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: ADD_MOBILE AID 11
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Driver Add Client success AID 11 Radio 1 Vap 2 Enc 4
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client capability: 0x00
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client HT capability: [0]0x6f [1]0x00
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client VHT capability: [0]0x32
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] HT:yes VHT:yes 80MHz:no 40MHz:yes AMSDU:yes AMSDU_long:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] 11w:no MFP:no 11h:no encrypt_polocy: 4
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] _wmm_enabled:yes qos_capable:yes WME(11e):no WMM_MIXED_MODE:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] short_preamble:no short_slot_time:no short_hdr:no SM_dyn:yes
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] short_GI_20M:yes short_GI_40M:yes short_GI_80M:yes LDPC:yes
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] is_wgb_wired:no is_wgb:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] Legacy Rates(Mbps): 12 18 24 36 48 54
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] HT Rates(MCS):M0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] VHT Rates: 1SS:M0-9 2SS:M0-9

patoberli · ‎08-22-2018

How is the layer 2 security on this SSID configured?

clauscosta · ‎08-22-2018

WPA2 with AES / 802.1x / CCKM (have already uncheck it, same behavior)

WLAN Identifier.................................. 3
Profile Name..................................... DIRETORIA
Network Name (SSID).............................. DIRETORIA
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28880 seconds
User Idle Timeout................................ 1800 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... AP
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 192.168.X.X 1812 *
Authentication................................ 192.168.Y.Y 1812 *
Accounting.................................... 192.168.X.X 1813 *
Accounting.................................... 192.168.Y.Y 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ allowed
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Enabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. AUTOQOS-AVC-PROFILE
Flex Avc Profile Name............................ AUTOQOS-AVC-PROFILE
Flow Monitor Name................................ PrimeInfraMon
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Disabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority Policy Name
-------- ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Enabled
Selective Reanchoring Status..................... Disable