Re: Issues connecting Android 10 to Cisco ME - Page 3

dovla091 · ‎01-10-2020

Hi, I had one problem which I found bypass solution, but I would like to share with someone, as I don't want that someone is wasting time as I did troubleshooting the issue.

My case was that I have 15 APs AP1832i set to Cisco ME, so 1 acts as a call it a "controller", while others are getting the instruction. I have set latest version of firmware for APs - 8.10.105.0

Now I have Nokia 7.1 running Android 10 December 2019 patch, and what I found out that after upgrading Android to version 10 and patching Cisco AP1832i from 8.5 to 8.10, android phone cannot connect anymore.

After 1 hour of troubleshooting I found a bypass. By enabling WPA3 (along with WPA2), android 10 started to connect again.

My guess is either Google completely ditched support for WPA2 (for some reason), in favor for WPA3 or there is some mismatch between Cisco 8.10.105.0 for ME and Google Android 10. By enabling WPA3, phone can successfully connect to our network.

I hope I helped someone, and saved him/her some time in dealing with tedious troubleshooting

Best regards

Cheng · ‎05-17-2020

I’ve tried disabling Aironet IE and Client Exclusion but no luck. The issue still happens.

JPavonM · ‎05-20-2020

Posting Cheng's test discussion, "disabling SHA1 an enabling only SHA256 on the SSID do the trick".
Unfortunately that way we are missing legacy devices not supporting WPA2-SHA256.

These are the commands needed:

## WPA2-PERSONAL SSID
config wlan security wpa akm psk disable
config wlan security wpa akm pmf psk enable <wlan_id>config wlan security wpa akm psk set-key ascii <psk> <wlan_id>
config wlan security ft disable <wlan_id>  <== must be disabled when removing previous security features if adaptive is selected
!## WPA2-ENTERPRISE SSIDconfig wlan security wpa akm 802.1x disable <wlan_id>
config wlan security wpa akm pmf 802.1x enable <wlan_id>
config wlan security ft disable <wlan_id>  <== must be disabled when removing previous security features if adaptive is selected

dovla091 · ‎05-16-2020

So unfortunately I cannot remember exact setup as it was long time ago set. I only remember that I have tried every possible option on the Cisco ME to set and test, without success. Also as it was a production system I had to immediately revert new patch to an old version as it made an impact on out whole laboratory.

Sorry that I could not help you more then that. I have reverted to 8.5 and it is working properly again. Until this new patch is properly tested I won't be installing it again.

Brgds

thuy.hoang · ‎05-20-2020

Hi Buddy,

I have a exactly same issue with WLC 3504 and AP 3802e, some users have Xiaomi phone (Android 10) can not connect.

I have 2 work around:

1. Change Layer 2 Security to None (Open ssid).

2. Change PSK to PSK-SHA2.

I can not deploy my customer's network with solution 1.

With solution 2, some old generation laptop can not connect.

Could anyone share better solution with us ?

JPavonM · ‎05-20-2020

Unfortunatelly, at this time, there's no beter solution.

I'm working with some Cisco engineers who are talking to Google in order to find out what's happenning there.

As soon as I have some news I will share with you.

-HTH

Jesus

thuy.hoang · ‎05-21-2020

Hi @JPavonM ,

Thanks for you quick reply.

As someone mentioned, I am planning to downgrade the OS firmware version 8.10.x down to 8.8 or 8.5 then let see if it can resolved the issue with Android 10.

Thanks.

JPavonM · ‎05-21-2020

Sure, I can confirm everything is working properly running AireOS 8.8 and 8.5.

This is something related with Cisco and WPA3 supporting codes.

-HTH

Jesus

ditti.tech · ‎05-21-2020

Hi

I can confirm it works on 5520 with AireOS 8.5.161.0

but not with Cat9k8 16.12.3

Robert

patoberli · ‎05-21-2020

Also running fine here with 8.5.161.0 and 8.8.130.0 (tested with a Xiaomi Mi 9T Pro). Pretty sure it's a bug in the 8.10 train.

thuy.hoang · ‎05-22-2020

Hi Buddy,

I just downgraded the WLC 3504 from 8.10.x to 8.8.x and I confirmed that it works normally in my customer.

This bug is on version 8.10.x

Thanks all for your suggestion guys.

patoberli · ‎05-22-2020

There definitively are many open WPA3 bugs:

https://bst.cloudapps.cisco.com/bugsearch/search?kw=wpa3&pf=prdNm&sb=anfr

Some are fixed in 8.10.121.0, but by far not all. I suggest to open a TAC if you can, so that this issue gets more priority.

JPavonM · ‎06-03-2020

Hi community,

I have some good news. The issue is due to a firmware bug in some Qualcomm chipsets, and devices from Nokia/Sony/Xiaomi triggering that bug when processing newly added Cisco IE Att 44 in the beacons.

Qaulcomm is fixing it per device model with new security patches (Mi10 received it with April 2020 security Patch).

And from Cisco side, after many tests and troubleshooting sessions with engineers, there is a workaround to avoid this issue.

They all are covered under CSCvu24770.

These are the tests I've done previously.

Xiaomi Mi8 + Cisco AP3800/4800
PMF (disabled/optional/required)	dot11r adaptive	dot11r enabled	dot11r disabled	dot11r adaptive + overDS	dot11r enabled + overDS
SHA1	No	Yes	No	No	Yes
SHA256	Invalid	Yes	Yes	Invalid	Yes
SHA1+SHA256	No	Yes	No	No	Yes

HTH
-Jesus
*** Please Rate Helpful Responses ***

thuy.hoang · ‎06-03-2020

Hi @JPavonM ,

Cool, thank you so much for your information, it is very useful.

Thanks.

patoberli · ‎06-03-2020

Hi Jesus

Thanks for the update. Based on the bug description, only a downgrade to 8.5 helps, but based on the discussion here, a downgrade to 8.8 should also work, correct?

thuy.hoang · ‎06-03-2020

Hi @patoberli ,

I can confirm that the version 8.8.x works good. My customer is running on this version 8.8.x

Thanks.