Devices Android not connecting SSID with WPA2 Enterprise

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-15-2018 04:21 AM - edited 07-05-2021 08:59 AM
Hi All
I am having problems with android devices software version 7 and higher for example galaxy J7 prime to connect to our SSID configured with WPA2 Enterprise...
The request neither arrives to authenticator.
Network Infraestucture:
WLC 5520 -version 8.3.143.0
SSID with 802.1X
APS 1852I in flexconnect mode (data e authentication local)
Authenticator ISE 2.3 with 4 patchs applied.
Testing with another android version 5.1.1 (ASUS_X014D) the same SSID and same user/password works fine.
Apple devices also works fine.
Same device connects to SSID with PSK without problems
Thanks in advance for any help
- Labels:
-
Wireless Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-15-2018 10:08 PM
if onl yone type of device is gaving issue then .....
1. update the software (if you can) on device and try again...
2. if still fails then contact to cisco TAC.
Regards
Dont forget to rate helpful posts
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-16-2018 02:18 AM
if possible enable the option to ask for certificate when connecting to the ssid and see what response you get
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2018 01:53 PM
I only connect with my device that is a Asus version 5.1 and another samsung that is using version 4.2.2, besides Apple phones.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-21-2018 02:40 PM - edited 08-21-2018 02:48 PM
Could you please post the ISE log so we can troubleshoot your issue?.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2018 07:28 AM
Fill it out with the same username.
I do more tend to a certificate issue though, or a misconfiguration on the SSID. You have not enabled WPA or TKIP, right?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2018 01:43 PM
Thanks guys for your suggestions, below the answers about your requests.
I didn't try to fill out the anonymous identity, I'll test it and post if works
At the WLC I just configured WPA2 and 802.1x, the radius server is ISE 2.3
Certificate at the device mobile side is not used, on the phone we configure PEAP with MSCHAPv2 and to not validate certificate.
strange that we have this problem only with android phones...Apple phones is working well

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2018 05:12 PM
But I made a change that did the connection works...I put the SSID hidden and worked...but Why? why works in that way and not with the SSID broadcast? I don't know yet...besides that I need to leave the SSID broadcasting.
I tried to change the SSID name thinking that could be something with the characters quantity, but no as well.
In Summary I still have a problem...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-20-2018 11:46 PM
Check this: https://community.cisco.com/t5/security-documents/configuring-anomalous-client-suppression-on-ise/ta-p/3161437
This can cause "wrong" logging on the ISE, something I really don't like when troubleshooting.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-21-2018 12:33 AM
you can locate the device under devices right-click and select "bypass-supression" to temporarily re-enable events in the log

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-21-2018 07:56 AM - edited 08-21-2018 07:57 AM
patorbeli,
I'll try to do this, but I guess is not that, because I tried many times with the device and not worked with broadcasting SSID, when I just put the SSID hidden worked just in time.
Thanks for your contribution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-21-2018 08:11 AM
i'd check again what certificates are used.
look at this thread that states

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-22-2018 05:24 AM
I am sure that is not a problem related to ISE, cause:
1 - If I just disable broadcast SSID the request goes to connection sucessfully immediatilly.
2 - If I enable broadcast SSID, the connection neither arrives to the ISE, collecting debugs at WLC and AP I can see that the device request is changing to 802.1X to Unassociate status
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0753] CLSM[HH:HH:HH:HH:HH:HH]: ADD MOBILE: Use Default AAA QOS Signature
Aug 21 17:25:42 hostapd: apr1v2:WPA: STA HH:HH:HH:HH:HH:HH no PSK configured for the STA
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: client moved from ASSOC to 8021X
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Added to WCP client table AID 11 Radio 1 Vap 2 Enc 4
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Client delete initiated
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Remove success from ClientIPTable on apr1v2
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: client moved from 8021X to UNASSOC
Aug 21 17:25:42 kernel: [*08/21/2018 17:25:42.0853] CLSM[HH:HH:HH:HH:HH:HH]: Send Deauth - Radio 1 Vap 2 success
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: US Auth(b0) seq 1083 IF 32 slot 1 vap 2 len 41 state UNASSOC
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Delete client reassoc 1 succeeded to radio intf apr1v2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Client delete initiated
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: client moved from UNASSOC to UNASSOC
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: DS Auth len 41 slot 1 vap 2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Driver send mgmt frame success Radio 1 Vap 2
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: client moved from UNASSOC to AUTH
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: US Assoc Req(0) seq 1084 IF 32 slot 1 vap 2 len 266 state AUTH
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Client aid: 11
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: ADD_MOBILE AID 11
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] CLSM[HH:HH:HH:HH:HH:HH]: Driver Add Client success AID 11 Radio 1 Vap 2 Enc 4
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client capability: 0x00
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client HT capability: [0]0x6f [1]0x00
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] client VHT capability: [0]0x32
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] HT:yes VHT:yes 80MHz:no 40MHz:yes AMSDU:yes AMSDU_long:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] 11w:no MFP:no 11h:no encrypt_polocy: 4
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] _wmm_enabled:yes qos_capable:yes WME(11e):no WMM_MIXED_MODE:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] short_preamble:no short_slot_time:no short_hdr:no SM_dyn:yes
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] short_GI_20M:yes short_GI_40M:yes short_GI_80M:yes LDPC:yes
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] is_wgb_wired:no is_wgb:no
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] Legacy Rates(Mbps): 12 18 24 36 48 54
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] HT Rates(MCS):M0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15
Aug 21 17:25:48 kernel: [*08/21/2018 17:25:48.4433] VHT Rates: 1SS:M0-9 2SS:M0-9
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-22-2018 05:41 AM

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-22-2018 07:00 AM
WLAN Identifier.................................. 3
Profile Name..................................... DIRETORIA
Network Name (SSID).............................. DIRETORIA
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28880 seconds
User Idle Timeout................................ 1800 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... AP
Quality of Service............................... Platinum
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 192.168.X.X 1812 *
Authentication................................ 192.168.Y.Y 1812 *
Accounting.................................... 192.168.X.X 1813 *
Accounting.................................... 192.168.Y.Y 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Enabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ allowed
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Enabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. AUTOQOS-AVC-PROFILE
Flex Avc Profile Name............................ AUTOQOS-AVC-PROFILE
Flow Monitor Name................................ PrimeInfraMon
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Disabled
802.11v BSS Transition Service................... Enabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Enabled
Selective Reanchoring Status..................... Disable
