08-13-2015 08:34 AM - edited 07-05-2021 03:45 AM
Hi,
I have a Cisco WLC 2504 with IOS 8.1.111.0 and AP 1602E on it.
After moving from WPA with TKIP to WPA2 with AES, many of the clients keep disconnecting.
The log that I see is the following:
*Dot1x_NW_MsgTask_2: Aug 13 18:23:29.294: %DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:961 Received invalid EAPOL-key M2 msg in START state - invalid secure bit; KeyLen 40, Key type 1, client d0:7e:35:a8:95:3a
Very strange.
I have changed some timeouts but it did not help.
Thanks
08-13-2015 02:43 PM
The problem is probably that your clients are still trying to use TKIP because that is what is configured in the wireless profile they have. If this profile was created automatically by the end user when they first connected, it needs to be removed manually and recreated, or just changed (depending on the client device). From the standpoint of the end user it is probably simpler if you can push settings with a GPO (Windows) or use mobile device management tooling for Apple and Android devices.
Sometimes it is easier to create a second SSID which clients have not used before so there is no history. This way you can also monitor which devices are still using the "old" SSID. Once the clients are moved you can remove it. Depending on which EAP(ol) settings you changed, I would advise you to make them default again.
Please rate useful posts... :-)
08-14-2015 08:57 AM
Hi,
We have migrated the client config, pushed via GPO. All the clients have connected to the AP/WLC, but sometimes, like once every 2 hours or once every 30 minutes, the AP disconnects them.
On Windows, it shows "limited connectivity".
Thanks
08-14-2015 03:48 PM
It may be a code-specific issue as well. Reach out to TAC and see if there is any known issue with your current code.
HTH
Rasika
08-20-2015 07:17 AM
Limited connectivity may be due to DHCP (option 43 received invalid IP or no IP address, proxy), AAA, or bad RF. But as per the log you have shared, it seems like an issue with the client wireless profile; as Freerk Terpstra suggested, try with a changed/new profile.
08-20-2015 03:21 PM
My suggestion is to recreate the profile [WLAN/SSID] on the WLC, bind WPA with AES only, and uncheck 802.1x if not using it.
Also try to use the Cisco supplicant on the client side for those having disconnection issues.
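The log line in the first post names the failing client by MAC address, which is enough to find out which devices keep failing the WPA2 key handshake and need their wireless profile recreated. The following Python script is an added example, not code from any poster in this thread or from Cisco: it tallies those messages per client. The regex is derived only from the one line quoted above, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Regex derived only from the single log line quoted in the thread; other
# controller releases may word the message differently (assumption).
EAPOL_ERR = re.compile(
    r"%DOT1X-3-INVALID_WPA_KEY_MSG_STATE: .*?"
    r"Received invalid EAPOL-key (?P<msg>M\d) msg in (?P<state>\S+) state"
    r" - (?P<reason>[^;]+); KeyLen (?P<keylen>\d+), Key type (?P<keytype>\d+),"
    r" client (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

PREFIX = "*Dot1x_NW_MsgTask_2: Aug 13 "
BODY = ("%DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:961 Received invalid "
        "EAPOL-key M2 msg in START state - invalid secure bit; "
        "KeyLen 40, Key type 1, client ")
SAMPLE_LOG = [
    PREFIX + "18:23:29.294: " + BODY + "d0:7e:35:a8:95:3a",  # line from the thread
    PREFIX + "18:41:07.112: " + BODY + "d0:7e:35:a8:95:3a",  # constructed repeat
    PREFIX + "18:52:40.530: " + BODY + "00:00:5E:00:53:10",  # constructed, doc-range MAC
    "constructed unrelated line that must be ignored",
]

def parse_line(line):
    """Return the handshake-failure fields of one log line, or None."""
    m = EAPOL_ERR.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["mac"] = rec["mac"].lower()  # normalise so counts merge per client
    rec["keylen"] = int(rec["keylen"])
    rec["keytype"] = int(rec["keytype"])
    return rec

def failing_clients(lines, threshold=2):
    """List (mac, count) for clients with at least `threshold` failures."""
    counts = Counter(r["mac"] for r in map(parse_line, lines) if r)
    return [(mac, n) for mac, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for mac, n in failing_clients(SAMPLE_LOG, threshold=1):
        print(f"{mac}  {n} invalid EAPOL-key message(s)")
```

Clients that appear repeatedly in the output are the ones to check first for a stale TKIP profile.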