Re: Medical Devices and iPSK

craiglebutt · ‎02-24-2022

Hi

Currently migrating devices from PSK & MAC to iPSK & MAC.

Loads of medical scanners migrating no problem, but have some GE Logiq S8 that don't want to work with the iPSK.

Work fine with PSK and MAC.

Only thing can think of as lots of medical devices still running Windows 7 and drivers having trouble with iPSK with Radius possibly need upgrading,

Just wondering if anyone else has a work around?

Anyone

Scott Fella · ‎02-24-2022

I have played around and still have iPSK in my test environment, and it was not as easy to get it working. Now, I don't think you have an issue with your radius server, because you have all other devices working, so I will assume that the version you are using is supported.

What controller, version, radius server and version are you running? You might be able to just create a catch-all policy with the default psk and override the vlan id.

-Scott
*** Please rate helpful posts ***

craiglebutt · ‎02-25-2022

WLC 5520 in HA, running 8.5.182 and ISE 2.7

Haydn Andrews · ‎02-24-2022

what happens if have these devices hit the default PSK for the iPSK SSID? Do they work.

I suspect its more to do with a timeout thing as with iPSK the auth now needs to wait for the RADIUS server to return to the WLC the correct PSK for that device.

Do a debug on the client whilst it tries to authenticate and post the result.

Ideally if you can get an OTA packet capture it would also help identify if any packets being sent that causing the issues.

As always try getting one of them upgraded to latest wireless drivers

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

craiglebutt · ‎02-25-2022

I did change the timeout to 8 seconds as was at the default of 2. Checked he WLC to see if any other devices are connected to the same Radiology Policy and there was, also added a iphone to test the policy, this all worked.

When the scanner is going via ipsk it keeps getting excluded on the WC, no log attempts on the ISE.

I've attached client debug, not tried the OTA as not something ever had to do before, so I'll look at that.

Unfortunately as it is a medical device, we are limited to what we can do, it's lucky we have access to Network Config, so like normal, we need to prove 100% it's not a config issue on the wireless and it points to a driver issue specialty when it it running on a hacked version of what looks to be windows 7.

Cheers

marce1000 · ‎02-25-2022

- Below you find when your debugging file is parsed by : https://cway.cisco.com/wireless-debug-analyzer/ , you may want to run yourself and or toggle with available flags.

imeTaskTranslated

Feb 24 13:29:56.745	*apfMsConnTask_5	Client made new Association to AP/BSSID BSSID 6c:8b:d3:a1:a8:b9 AP
Feb 24 13:29:56.746	*apfMsConnTask_5	The WLC/AP has found from client association request Information Element that claims PMKID Caching support
Feb 24 13:29:56.746	*apfMsConnTask_5	The Reassociation Request from the client comes with 0 PMKID
Feb 24 13:29:56.746	*apfMsConnTask_5	Client expiration timer code set for 10 seconds. The reason: No response from radius server for mac filtering request
Feb 24 13:29:56.746	*apfReceiveTask	WLC/AP is sending an Association Response to the client with status code 1 = Unspecified failure. For example, when there is no ssid specified in the association request
Feb 24 13:29:56.746	*apfReceiveTask	Client expiration timer code set for 10 seconds. The reason: Delete request due to authentication error

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎02-27-2022

2 possibilities I can think of in addition to other suggestions above:

1. Are your APs in flexconnect mode - if not try enabling flex? That changes the AP behaviour which can fix some of these types of problems if they're timer related (as I've mentioned on previous posts recommended by TAC and worked for us).

2. Is the new PSK something the devices can't handle - eg. too long or special characters they don't handle correctly? Try a simpler PSK?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs