cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
84876
Views
107
Helpful
64
Replies

Issues connecting Android 10 to Cisco ME

dovla091
Level 1
Level 1

Hi, I had one problem which I found bypass solution, but I would like to share with someone, as I don't want that someone is wasting time as I did troubleshooting the issue.

My case was that I have 15 APs AP1832i set to Cisco ME, so 1 acts as a call it a  "controller", while others are getting the instruction. I have set latest version of firmware for APs - 8.10.105.0

Now I have Nokia 7.1 running Android 10 December 2019 patch, and what I found out that after upgrading Android to version 10 and patching Cisco AP1832i from 8.5 to 8.10, android phone cannot connect anymore.

After 1 hour of troubleshooting I found a bypass. By enabling WPA3 (along with WPA2), android 10 started to connect again.

My guess is either Google completely ditched support for WPA2 (for some reason), in favor for WPA3 or there is some mismatch between Cisco 8.10.105.0 for ME and Google Android 10. By enabling WPA3, phone can successfully connect to our network.

 

I hope I helped someone, and saved him/her some time in dealing with tedious troubleshooting

 

Best regards

64 Replies 64

patoberli
VIP Alumni
VIP Alumni
That's really weird. Android 10 still supports WPA2 (and also the older protocols).
I suspect a bug in the AireOS, or in the specific Nokia Android 10 implementation on your mobile phone.

If it is still supporting, then it might be Cisco firmware. Anyway, I found a potential bypass which works, so people can use it until bugs are resolved. 

 

Brgds

greg.paschall
Level 1
Level 1

Android 10 turns on MAC address randomization by default, apparently. We had to get users to disable that when doing MAC address filtering for a couple of our WLANs. That may or may not be impacting you.

 

https://source.android.com/devices/tech/connect/wifi-mac-randomization

Sento
Level 1
Level 1

Same problem on a Xiaomi Mi8 with Android 10 but WPA3 activation is not the solution.

Running 8.8.125.0 with WLC here and a Xiaomi Mi9T Pro, no issues with Android 10.

Using 8.10.xxx (tested with the 3 currently available releases) I can say that definitely this is not a Cisco issue but something due to Android 10 vendor's implementation.

 

Doing the the test with multiple devices (Windwos 10, iOS 13, Android 10) they all conclude that some Android 10 devices running Android 10 security patch 2020-01-01 are having issues when only using WPA2-Personal (mine is Xiaomi Mi8 as well). Same problem when using WPA2-Enterprise.

 

Running OTA packet captures I see Android devices are not initiating the connection after receiving probe response, so this is something to do absolutely with operating system (and maybe only to some vendors flavors as another Galaxy S9 is able to connect).

 

I've not been able to debug network connectivity on Android to see what's happening there, and whatever reason it is, I'm sure that vendors are not going to open a bug or defect (trust me, I tried a few months ago for 802.11u support).

 

Here is the comparison between Beacon/AssociationResponse capture from the AP, where the only difference in the packets between WORKING (left) and NOT WORKING SSID (right) is enabling hybrid WPA2/WPA3-Personal (unfortunately there is no WPA3-Enterprise configuration available).

 

Annotation 2020-04-10 110338.png

Now doing some test to compare same packets between 8.8.xxx and 8.10.xxx to see if there is any difference.

 

HTH
-Jesus

*** Rate All Helpful Responses ***

Same issue found using WPA2-Enterprise with Intel 8265 wNIC on Windows 10 if using automatic RSN detection. You need to configure credentials manually.

 

Same workaround does not work in Android 10 devices with connectivity issues when using WPA2-Enterprise (Xiaomi Mi8).

Interesting, at least while using 8.8.130.0 (and previous releases) with a Xiaomi Mi9T Pro I don't have any issues. Tested with 2802i APs.

When I use another AP (old Linksys E2000) with WPA2-personal configured, the Android devices connect without issue.
It seems to be a specific issue between android 10 with recent security fixes and the 1800 series APs with ME.

Hi community,

 

After opening a TAC case, the engineer pointed me to this URL.

https://source.android.com/devices/tech/connect/wifi-wpa3-owe

 

In this URL for Android developers, it clearly says that Android 10 devices must support WPA2/WPA3. Unless not told there, maybe is up to the vendor's implementation to support previous WPA/WPA2 configurations and discard or not the beacon in order to send association request. That could give some light on why some devices are only working when WPA2-only SSID is been configured. If the vendor is strict, only WPA2/WPA3-ready SSID's should be working.

 

I've doing some debugs using adb in an Android 10 ready Xiaomi Mi8 device. I've found that the "wpa_supplicant" is not sending any association request when only enabling WPA2. But the supplicant sent that association request packet along with the rest of the EAP stuff when enabling WPA2+WPA3. After sucessfull association, the device reports been associated using WPA3.

 

The problem now is, why AireOS 8.10 ME does not support WPA3-Enterprise configuration to select WPA2/WP3 with dot1X?

For WPAx-Personal SSID everything works properly when enabling WPA3, but there seems to be no option in AireOS ME to configure WPA3-Enterprise though GUI.

 

I'm investigating on that configuration on CLI.

 

HTH
-Jesus

*** Always Rate Helpful Responses ***

Can you check if PMF has any influence on the WPA2 only SSID?


Update.

There is no luck after configuring the SSID manually to support WPA2/WPA3-Enterprise (there is no option to do it through the GUI).

Enabling hybrid mode with 802.1X config for SHA1 and SHA256 with PMF optional and disabling FT is not working (recommended settings from Cisco AireOS Config Guide 8.10).

Neither using WPA2-Personal only and disabling PMF and FT works. It has to be enabled WPA3 along with WPA2-Personal.

 

Attached WLAN summary for 802.1X with 8.5 and 8.10 if anybody from Cisco consider it could help.

Can you test with PMF on required?
For WPA3 this must be set to required (or it automatically is).

Btw. have a look at this very informative video in regards to what is new with WPA3:
https://www.ciscolive.com/global/on-demand-library.html?search=BRKEWN-2006#/session/1564528249591001ejys

 

If I remember the video correct, the only difference from WPA2-Enterprise to WPA3-Enterprise is the requirement of PMF needing to be set to required. I think new certificates are suggested, but not required (check the video to be sure).

Choose allow from options available while you reconfigure Wlan WMM from default disable. 


@JPavonM wrote:

Update.

There is no luck after configuring the SSID manually to support WPA2/WPA3-Enterprise (there is no option to do it through the GUI).

Enabling hybrid mode with 802.1X config for SHA1 and SHA256 with PMF optional and disabling FT is not working (recommended settings from Cisco AireOS Config Guide 8.10).

Neither using WPA2-Personal only and disabling PMF and FT works. It has to be enabled WPA3 along with WPA2-Personal.

 

Attached WLAN summary for 802.1X with 8.5 and 8.10 if anybody from Cisco consider it could help.


 

Review Cisco Networking for a $25 gift card