dovla091
Beginner

Issues connecting Android 10 to Cisco ME

Hi, I had a problem for which I found a bypass solution, and I would like to share it, as I don't want anyone else to waste time troubleshooting the issue as I did.

In my case I have 15 AP1832i APs set to Cisco ME, so one acts as, call it, a "controller", while the others get their instructions from it. I have installed the latest firmware version on the APs: 8.10.105.0.

Now I have a Nokia 7.1 running Android 10 with the December 2019 patch, and what I found out is that after upgrading Android to version 10 and patching the Cisco AP1832i from 8.5 to 8.10, the Android phone cannot connect anymore.

After 1 hour of troubleshooting I found a bypass. By enabling WPA3 (along with WPA2), Android 10 started to connect again.

My guess is that either Google completely ditched support for WPA2 (for some reason) in favor of WPA3, or there is some mismatch between Cisco 8.10.105.0 for ME and Google Android 10. By enabling WPA3, the phone can successfully connect to our network.

 

I hope I helped someone and saved him/her some time in dealing with tedious troubleshooting.

 

Best regards

63 REPLIES 63
Cheng
Cisco Employee

I’ve tried disabling Aironet IE and Client Exclusion but no luck. The issue still happens.

Posting Cheng's test discussion, "disabling SHA1 and enabling only SHA256 on the SSID does the trick".
Unfortunately, that way we are missing legacy devices not supporting WPA2-SHA256.

 

These are the commands needed:

 

## WPA2-PERSONAL SSID
config wlan security wpa akm psk disable <wlan_id>
config wlan security wpa akm pmf psk enable <wlan_id>
config wlan security wpa akm psk set-key ascii <psk> <wlan_id>
config wlan security ft disable <wlan_id>  <== must be disabled when removing previous security features if adaptive is selected
!
## WPA2-ENTERPRISE SSID
config wlan security wpa akm 802.1x disable <wlan_id>
config wlan security wpa akm pmf 802.1x enable <wlan_id>
config wlan security ft disable <wlan_id>  <== must be disabled when removing previous security features if adaptive is selected

 

So unfortunately I cannot remember the exact setup, as it was set a long time ago. I only remember that I tried every possible option on the Cisco ME, without success. Also, as it was a production system, I had to immediately revert the new patch to an old version, as it had an impact on our whole laboratory.

 

Sorry that I could not help you more than that. I have reverted to 8.5 and it is working properly again. Until this new patch is properly tested I won't be installing it again.

 

 

Brgds

Hi Buddy,

I have exactly the same issue with WLC 3504 and AP 3802e; some users with Xiaomi phones (Android 10) cannot connect.

I have 2 workarounds:

 1. Change Layer 2 Security to None (Open ssid).

 2. Change PSK to PSK-SHA2.

I cannot deploy my customer's network with solution 1.

With solution 2, some old-generation laptops cannot connect.

Could anyone share a better solution with us?

Unfortunately, at this time, there's no better solution.

I'm working with some Cisco engineers who are talking to Google in order to find out what's happening there.

As soon as I have some news I will share with you.

 

-HTH

Jesus

Hi @Jesus Pavon ,

Thanks for your quick reply.

As someone mentioned, I am planning to downgrade the OS firmware from version 8.10.x down to 8.8 or 8.5, then see if that resolves the issue with Android 10.

Thanks.

Sure, I can confirm everything is working properly running AireOS 8.8 and 8.5.

This is something related to Cisco and the WPA3 supporting code.

-HTH

Jesus

Hi

I can confirm it works on 5520 with AireOS 8.5.161.0

but not with Cat9k8 16.12.3

Robert

Also running fine here with 8.5.161.0 and 8.8.130.0 (tested with a Xiaomi Mi 9T Pro). Pretty sure it's a bug in the 8.10 train.

Hi Buddy,

I just downgraded the WLC 3504 from 8.10.x to 8.8.x and I can confirm that it works normally for my customer.

This bug is in version 8.10.x.

Thanks all for your suggestions, guys.

 

There definitely are many open WPA3 bugs:

https://bst.cloudapps.cisco.com/bugsearch/search?kw=wpa3&pf=prdNm&sb=anfr

Some are fixed in 8.10.121.0, but by far not all. I suggest opening a TAC case if you can, so that this issue gets more priority.


Hi community,

I have some good news. The issue is due to a firmware bug in some Qualcomm chipsets, and devices from Nokia/Sony/Xiaomi trigger that bug when processing the newly added Cisco IE Att 44 in the beacons.

Qualcomm is fixing it per device model with new security patches (the Mi10 received it with the April 2020 security patch).

And from the Cisco side, after many tests and troubleshooting sessions with engineers, there is a workaround to avoid this issue.

They all are covered under CSCvu24770.

These are the tests I've done previously.

Xiaomi Mi8 + Cisco AP3800/4800

| PMF (disabled/optional/required) | dot11r adaptive | dot11r enabled | dot11r disabled | dot11r adaptive + overDS | dot11r enabled + overDS |
|---|---|---|---|---|---|
| SHA1 | No | Yes | No | No | Yes |
| SHA256 | Invalid | Yes | Yes | Invalid | Yes |
| SHA1+SHA256 | No | Yes | No | No | Yes |

 

HTH
-Jesus
*** Please Rate Helpful Responses ***
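
Added example, not part of any post in this thread and not Cisco code: the workarounds discussed here (PSK vs. PSK-SHA2, WPA2+WPA3, PMF settings) all change what the SSID advertises in the RSN element of its beacons, so this sketch parses an RSN element and reports the AKM suites and PMF bits, plus whether a client limited to SHA1 AKMs without PMF could still associate. The sample elements are constructed, and `build_rsn` and `legacy_clients_can_join` are hypothetical helper names.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")          # IEEE 802.11 suite selector OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
LEGACY_AKMS = {"802.1X", "PSK"}            # what the thread calls "SHA1"

def parse_rsn(ie: bytes) -> dict:
    """Parse one RSN element (ID 48); assumes fields up to RSN capabilities are present."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                            # group data cipher suite
    take(4 * struct.unpack("<H", take(2))[0])          # pairwise cipher suite list
    akms = []
    for _ in range(struct.unpack("<H", take(2))[0]):   # AKM suite list
        suite = take(4)
        akms.append(AKM_NAMES.get(suite[3], f"unknown-{suite[3]}")
                    if suite[:3] == RSN_OUI else "vendor-" + suite.hex())
    caps = struct.unpack("<H", take(2))[0]
    return {"akms": akms,
            "pmf_capable": bool(caps & 0x0080),        # MFPC, bit 7
            "pmf_required": bool(caps & 0x0040)}       # MFPR, bit 6

def legacy_clients_can_join(rsn: dict) -> bool:
    """True if a client limited to SHA1 AKMs and without PMF support can associate."""
    return bool(LEGACY_AKMS & set(rsn["akms"])) and not rsn["pmf_required"]

def build_rsn(akm_types, caps: int) -> bytes:
    """Build a constructed sample RSN element (CCMP group and pairwise ciphers)."""
    body = struct.pack("<H", 1) + RSN_OUI + b"\x04" + struct.pack("<H", 1) + RSN_OUI + b"\x04"
    body += struct.pack("<H", len(akm_types)) + b"".join(RSN_OUI + bytes([t]) for t in akm_types)
    return bytes([48, len(body) + 2]) + body + struct.pack("<H", caps)

# Constructed samples, not captures from the networks in this thread.
SAMPLES = {"PSK only": build_rsn([2], 0x0000),
           "PSK-SHA256 only, PMF required": build_rsn([6], 0x00C0),
           "PSK + SAE, PMF optional": build_rsn([2, 8], 0x0080)}

if __name__ == "__main__":
    for label, ie in SAMPLES.items():
        rsn = parse_rsn(ie)
        print(label, rsn, "legacy clients OK:", legacy_clients_can_join(rsn))
```

To check a real SSID, pass in the raw bytes of the RSN element (tag 48) copied from a beacon in a packet capture.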

Hi @Jesus Pavon ,

Cool, thank you so much for your information, it is very useful.

Thanks.

Hi Jesus



Thanks for the update. Based on the bug description, only a downgrade to 8.5 helps, but based on the discussion here, a downgrade to 8.8 should also work, correct?


Hi @patoberli ,

I can confirm that version 8.8.x works well. My customer is running on this version, 8.8.x.

Thanks.
