Problems with 11n and WPA2-Key

Frank Lindner · ‎10-24-2011

Hi,

i have a problem with Cisco WLC 2106 (SW: 7.0.98.0) and LAP1262.

The client roams to new AP, associates with the new AP and authentication (WPA2 with EAP-TLS) runs fine until WPA2 key exchange.

The first WPA2-Key-paket from AP (1 / 4) is sent twice. On a closer look at those pakets with Wireshark, i've found out the first is encapsulated into a 11n-frame (A-MSDU). The resent frame isn't.

This figure shows the first WPA-Key-paket:

The next figure shows the 2nd key-paket, without 11n-encapsulation:

The problem, that occurs a very long roaming-time with about 5 seconds. As you can see on second figure, the second wpa-key is sent 5 seconds after the first.

Does Anyone know this problem? Or is it well knows at Cisco?

Some details:

Client: Tablet PC with Intel 6230 agn

Controller: Cisco WLC 2106

AP: LAP 1262

Controller SW: 7.0.98.0

Encryption: WPA2-AES

Authentication: EAP-TLS

This problem occurs just on 5-GHz interface with 40 MHz channel bandwidth.

Thanks in advance for any reply!!!

Kind regards!

George Stefanick · ‎10-24-2011

Im curious, do you have CCKM enabled?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Frank Lindner · ‎10-24-2011

No, CCKM isn't enabled. And I don't want it enabled, special reasons. should also work this way.

George Stefanick · ‎10-24-2011

It makes me wonder if your client is actually using RSN with PKI cache, thus why I asked. Did you capture to see if a PKI-ID was renewed or a new one was created during the roam process?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Frank Lindner · ‎10-24-2011

Well, actually i don't know.

But it also doesn't seem to be the problem. The contents of those two frames I've posted above are the same, just one is encapsulated.