Re: Issue connecting Windows 10 Client to network using WPA3 - Page 2

user2022 · ‎08-07-2021

Hi all,

1. I have using C9130AXI-D as EWC and have set Wireless network as WPA3-enterpsie along with GCMP256. I have configured setting on both EWC and Windows 10 client as given in

https://mrncciew.com/2020/08/17/wpa3-enterprise/

2. The configurations were set without error. But when a try to connect to AP I get a message on Windows " Can't connect to this network". I am attaching the log snapshot of EWC for reference. Please help me out.

user2022 · ‎08-10-2021

Sorry for the issue. I have attached the file for your analysis.

https://drive.google.com/file/d/17oG-coSZ0PsoC8Nb0OJQ-rDSDn6F7FLy/view?usp=sharing

user2022 · ‎08-10-2021

File shared again

marce1000 · ‎08-10-2021

- Look for the authentication-attempts from the particular client (or MAC) in the radius-server logs , check if you can find it and or look for anomalies.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

patoberli · ‎08-10-2021

This is the result of https://cway.cisco.com/wireless-debug-analyzer/

2021/06/28 00:32:06.492	client-orch-sm	Client made a new Association to an AP/BSSID: BSSID 488b.0a93.150f, WLAN CWN, Slot 1 AP 488b.0a93.1500, AP70F0.960C.6294
2021/06/28 00:32:06.493	dot11	Association success for client, assigned AID is: 1
2021/06/28 00:33:36.535	errmsg	Client failed EAP authentication with following reason: Timeout
2021/06/28 00:33:50.001	client-orch-sm	Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_MN_AP_AUTH_STOP. Code means: Client deletion triggered by the AP due to authentication stop

Without diving to deep into the debug file, is this a WPA3-Enterprise or WPA3-PSK SSID?

Based on the word EAP I tend to say it's WPA3-Enterprise at the moment. If yes, what does the Radius Server logs?

After digging a bit, I also found those error messages:

021/07/03 11:57:47.882573 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [8352]: (note): Authentication Success. Resolved Policy bitmap:11 for client 6c6a.7752.68a9 
2021/07/03 11:58:08.369403 {wncd_x_R0-0}{1}: [radius] [8352]: (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2021/07/03 11:58:08.369409 {wncd_x_R0-0}{1}: [radius] [8352]: (ERR): RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2021/07/03 11:58:08.369533 {wncd_x_R0-0}{1}: [caaa-authen] [8352]: (ERR): [CAAA:AUTHEN] Authen ctx not found. Authen response freed.
2021/07/03 11:58:26.370853 {wncd_x_R0-0}{1}: [radius] [8352]: (ERR): RADIUS/DECODE: No response from radius-server; parse response; FAIL
2021/07/03 11:58:26.370858 {wncd_x_R0-0}{1}: [radius] [8352]: (ERR): RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
2021/07/03 11:58:26.372123 {wncd_x_R0-0}{1}: [errmsg] [8352]: (note): %DOT1X-5-FAIL: Authentication failed for client (6c6a.7752.68a9) with reason (AAA Server Down) on Interface capwap_90000005 AuditSessionID 2901A8C0000000396C3B5DE8 Username: student1
2021/07/03 11:58:26.372326 {wncd_x_R0-0}{1}: [wncd_0] [8352]: (debug): 
CLIENT msg logging has not started
2021/07/03 11:58:26.372635 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [8352]: (ERR): SANET_AUTHC_FAILURE - AAA Server Down username student1, audit session id 2901A8C0000000396C3B5DE8, 
2021/07/03 11:58:26.380464 {wncd_x_R0-0}{1}: [errmsg] [8352]: (note): %SESSION_MGR-5-FAIL: Authorization failed or unapplied for client (6c6a.7752.68a9) on Interface capwap_90000005 AuditSessionID 2901A8C0000000396C3B5DE8. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
2021/07/03 11:58:26.380591 {wncd_x_R0-0}{1}: [wncd_0] [8352]: (debug): 
CLIENT msg logging has not started

It sounds as if you have Radius servers configured for this SSID, correct?

user2022 · ‎08-10-2021

I am using Pfsense with Freeradius. The freeradius work flawlessly with WAP2- enterprise. But when I change to WPA3-enterprise I am not able to connect to the network and there are no logs being generated by freeradius

marce1000 · ‎08-10-2021

- You may want to for instance review this document : (and check your radius-server-settings and configuration accordingly)

https://itigic.com/configure-freeradius-server-in-pfsense-and-use-wpa2-wpa3-enterprise/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

user2022 · ‎08-10-2021

Thank you. I have used this guide only for configuration and it works for WAP2- enterprise but not for WPA3-enterprise

patoberli · ‎08-11-2021

I found this little information on another place:
But the largest improvement is the requirement of server certificate validation if a RADIUS server is in use. In the past, organizations may omit using server certificate validation, or they could lack onboarding software and end users could misconfigure it. WPA3-Enterprise avoids this potential issue because without server certificate validation, end users are at high risk for over-the-air credential theft.
Is the client trusting the Radius certificate (a valid externally signed one) before the connection? Or did you try to manually add it to the trusted root certificate store of the client? If not, then the client might throw away the encrypted packets. You should get a certificate prompt when connecting (at least on Windows), if the client trusts the certificate. Looking similar to this (I hope the image works):
[Certificate issues with RADIUS connection on W10 clients]

If this doesn't pop up, it might be a certificate issue.
Also Windows 10 must be at least 21h1 patch for full 192-bit encryption (which you have enabled on your first screenshot). I'm not sure if your Insider Build from April already has full support, but I think yes. Nonetheless, I would upgrade the insider build or up/downgrade to the latest non-insider build.

patoberli · ‎08-11-2021

One more thing, from the WPA3 standards document:
https://www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf
WPA3-Enterprise 192-bit mode is well suited for deployments in sensitive enterprise environments to further protect Wi[1]Fi® networks with higher security requirements such as government, defense, and industrial.
When operating in WPA3-Enterprise 192-bit mode:
1. When WPA3-Enterprise 192-bit mode is used by an AP, PMF shall be set to required (MFPR bit in the RSN
Capabilities field shall be set to 1 in the RSNE transmitted by the AP).
2. When WPA3-Enterprise 192-bit mode is used by a STA, PMF shall be set to required (MFPR bit in the RSN
Capabilities field shall be set to 1 in the RSNE transmitted by the STA).
3. Permitted EAP cipher suites for use with WPA3-Enterprise 192-bit mode are:
▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE and ECDSA using the 384-bit prime modulus curve P-384
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE using the 384-bit prime modulus curve P-384
- RSA ≥ 3072-bit modulus
▪ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- RSA ≥ 3072-bit modulus
- DHE ≥ 3072-bit modulus
Sorry for the formatting. It looks like the certificate in use might need to use at least a key size of 3072-bit (if RSA) when using 192-bit mode, but I’m not entirely sure I read this correct.

user2022 · ‎08-11-2021

Thanks for the reply. I have upgraded the certificate on the radius server to key size of 3072-bit. But still I am not able to connect. Also no logs generated at radius server. The system work perfect with WPA2-enterprise where I get a pop to choose the certificate. Somehow the WLC is not sending packets to radius server

patoberli · ‎08-11-2021

Can you run a Wireshark or packet capture on the Radius to ensure that no packets are sent? Those could also be decrypted with the radius shared secret.
Are you running freeradius? If yes, can you run it in Debug mode (commands for a default Debian based distribution):
sudo systemctl stop freeradius
sudo -u freerad freeradius -X 2>&1 | tee debugfile

This will first create a lot of output (the whole configuration) and then you can do one authentication with WPA3, at least something should be sent to the Radius. This is typically sanitized enough that you could share it here (no password, but usernames are there).

user2022 · ‎08-11-2021

I have captured the packets. With WAP2-enterprise I am getting authentication packets at the freeradius server. But for WPA3 not packets are received. I am attaching the pcap file

pcap file

patoberli · ‎08-11-2021

Ok, if no packets are received it's a bad sign.
Could you please share again your full SSID Security configuration?
Did you try with 192-bit disabled?
Just found this little information in the configuration manual https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_wpa3.html#t_configuring_wpa3_enterprise_gui.xml:
A WLAN configured with WPA3 enterprise (SUITEB192-1X) is not supported on C9115/C9120 APs.
This should not affect your C9130, but who knows...

Juan Camilo Bayona Ruiz · ‎08-12-2021

In EWC only one site tag is supported and it has to be the default-site-tag. Also, in EWC there is no central site concept as EWC is a FlexConnect local switching deployment.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy53184

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy48917

“Flex does not support GCMP256. Feature planned for 17.8”

patoberli · ‎08-13-2021

Now this explains a lot. But why is this information not more publicly noted? And why is the option GCMP256 even there, if it doesn't work?