01-10-2020 12:11 AM - edited 07-05-2021 11:31 AM
Hi, I had one problem for which I found a bypass solution, but I would like to share it with someone, as I don't want someone to waste time troubleshooting the issue as I did.
My case was that I have 15 AP1832i APs set to Cisco ME, so 1 acts as, call it, a "controller", while the others are getting the instructions. I have set the latest version of firmware for the APs - 8.10.105.0
Now I have a Nokia 7.1 running Android 10 with the December 2019 patch, and what I found out is that after upgrading Android to version 10 and patching the Cisco AP1832i from 8.5 to 8.10, the Android phone cannot connect anymore.
After 1 hour of troubleshooting I found a bypass. By enabling WPA3 (along with WPA2), Android 10 started to connect again.
My guess is either Google completely ditched support for WPA2 (for some reason) in favor of WPA3, or there is some mismatch between Cisco 8.10.105.0 for ME and Google Android 10. By enabling WPA3, the phone can successfully connect to our network.
I hope I helped someone, and saved him/her some time in dealing with tedious troubleshooting.
Best regards
05-17-2020 12:43 AM
05-20-2020 03:37 AM
Posting Cheng's test discussion, "disabling SHA1 and enabling only SHA256 on the SSID do the trick".
Unfortunately that way we are missing legacy devices not supporting WPA2-SHA256.
These are the commands needed:
## WPA2-PERSONAL SSID
config wlan security wpa akm psk disable <wlan_id>
config wlan security wpa akm pmf psk enable <wlan_id>
config wlan security wpa akm psk set-key ascii <psk> <wlan_id>
config wlan security ft disable <wlan_id> <== must be disabled when removing previous security features if adaptive is selected
!
## WPA2-ENTERPRISE SSID
config wlan security wpa akm 802.1x disable <wlan_id>
config wlan security wpa akm pmf 802.1x enable <wlan_id>
config wlan security ft disable <wlan_id> <== must be disabled when removing previous security features if adaptive is selected
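An added example, not part of the original post: a Python check that reads the RSN element from captured beacon tags and reports which AKMs (SHA1-based or SHA256-based) and which PMF state a WLAN actually advertises, useful for confirming the effect of changes like the commands above. The two byte strings are constructed samples, and the names `find_rsn`, `audit`, `BEFORE` and `AFTER` are hypothetical.

```python
import struct

# AKM suite types under the IEEE OUI 00-0F-AC (802.11 RSN element, id 48).
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
IEEE_OUI = bytes.fromhex("000fac")

def find_rsn(ies: bytes):
    """Walk the tagged elements (id, length, body); return the RSN body or None."""
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated element")
        if eid == 48:
            return body
        off += 2 + elen
    return None

def audit(ies: bytes) -> dict:
    """Report the AKM suites and PMF state advertised in a beacon's tags."""
    body = find_rsn(ies)
    if body is None:  # no RSN element: open or pre-RSN network
        return {"akms": [], "pmf": "disabled", "sha1_akm": False, "ft_akm": False}
    try:
        (n_pair,) = struct.unpack_from("<H", body, 6)  # after version + group cipher
        akm_off = 8 + 4 * n_pair                       # skip the pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", body, akm_off)
    except struct.error:
        raise ValueError("truncated RSN element") from None
    sels = [body[akm_off + 2 + 4 * i:akm_off + 6 + 4 * i] for i in range(n_akm)]
    if any(len(s) != 4 for s in sels):
        raise ValueError("truncated AKM list")
    akms = [AKM_NAMES.get(s[3], s.hex()) if s[:3] == IEEE_OUI else s.hex() for s in sels]
    end = akm_off + 2 + 4 * n_akm
    caps = struct.unpack_from("<H", body, end)[0] if len(body) >= end + 2 else 0
    # RSN capabilities: bit 6 = PMF required (MFPR), bit 7 = PMF capable (MFPC).
    pmf = "required" if caps & 0x40 else "optional" if caps & 0x80 else "disabled"
    return {"akms": akms, "pmf": pmf,
            "sha1_akm": any(a in ("PSK", "802.1X") for a in akms),  # legacy AKMs present
            "ft_akm": any(a.startswith("FT-") for a in akms)}

# Constructed samples: SSID "lab-psk" followed by one RSN element (CCMP ciphers).
_HEAD = bytes.fromhex("00076c61622d70736b" "3014" "0100000fac04" "0100000fac04")
BEFORE = _HEAD + bytes.fromhex("0100000fac02" "0000")  # PSK only, PMF off
AFTER = _HEAD + bytes.fromhex("0100000fac06" "8000")   # PSK-SHA256 only, PMF capable

if __name__ == "__main__":
    print(audit(BEFORE)); print(audit(AFTER))
```

A result with `sha1_akm` false means clients that only support the SHA1-based AKMs will not be able to join that WLAN.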
05-16-2020 03:35 AM
So unfortunately I cannot remember the exact setup as it was set a long time ago. I only remember that I have tried every possible option on the Cisco ME to set and test, without success. Also, as it was a production system, I had to immediately revert the new patch to an old version as it made an impact on our whole laboratory.
Sorry that I could not help you more than that. I have reverted to 8.5 and it is working properly again. Until this new patch is properly tested I won't be installing it again.
Brgds
05-20-2020 09:36 PM
Hi Buddy,
I have exactly the same issue with WLC 3504 and AP 3802e; some users who have a Xiaomi phone (Android 10) cannot connect.
I have 2 workarounds:
1. Change Layer 2 Security to None (Open SSID).
2. Change PSK to PSK-SHA2.
I cannot deploy my customer's network with solution 1.
With solution 2, some old generation laptops cannot connect.
Could anyone share a better solution with us?
05-20-2020 10:36 PM
Unfortunately, at this time, there's no better solution.
I'm working with some Cisco engineers who are talking to Google in order to find out what's happening there.
As soon as I have some news I will share with you.
-HTH
Jesus
05-21-2020 12:33 AM
Hi @JPavonM ,
Thanks for your quick reply.
As someone mentioned, I am planning to downgrade the OS firmware version 8.10.x down to 8.8 or 8.5, then let's see if it can resolve the issue with Android 10.
Thanks.
05-21-2020 05:02 AM
Sure, I can confirm everything is working properly running AireOS 8.8 and 8.5.
This is something related to Cisco and WPA3 supporting codes.
-HTH
Jesus
05-21-2020 07:47 AM
Hi
I can confirm it works on 5520 with AireOS 8.5.161.0
but not with Cat9k8 16.12.3
Robert
05-21-2020 11:17 PM
05-22-2020 12:29 AM
Hi Buddy,
I just downgraded the WLC 3504 from 8.10.x to 8.8.x and I confirmed that it works normally at my customer.
This bug is on version 8.10.x
Thanks all for your suggestions, guys.
05-22-2020 01:20 AM
06-03-2020 08:40 AM
Hi community,
I have some good news. The issue is due to a firmware bug in some Qualcomm chipsets, with devices from Nokia/Sony/Xiaomi triggering that bug when processing the newly added Cisco IE Att 44 in the beacons.
Qualcomm is fixing it per device model with new security patches (Mi10 received it with the April 2020 security patch).
And from the Cisco side, after many tests and troubleshooting sessions with engineers, there is a workaround to avoid this issue.
They all are covered under CSCvu24770.
These are the tests I've done previously.
Xiaomi Mi8 + Cisco AP3800/4800

| PMF (disabled/optional/required) | dot11r adaptive | dot11r enabled | dot11r disabled | dot11r adaptive + overDS | dot11r enabled + overDS |
| --- | --- | --- | --- | --- | --- |
| SHA1 | No | Yes | No | No | Yes |
| SHA256 | Invalid | Yes | Yes | Invalid | Yes |
| SHA1+SHA256 | No | Yes | No | No | Yes |
HTH
-Jesus
*** Please Rate Helpful Responses ***
06-03-2020 09:46 AM
06-03-2020 11:52 PM
06-03-2020 11:59 PM
Hi @patoberli ,
I can confirm that version 8.8.x works well. My customer is running on this version 8.8.x
Thanks.