Unable to connect One Plus Pro Phone to the BYOD network

AnilKumar95946 · ‎03-16-2022

We are facing enterprise wide issue in connecting One Plus Pro Phone Android v11 to the BYOD network. No descriptive errors on phone. No entries on the Wireless LAN Controller for the phones MAC address during these attempts so it seems to fail prior to negotiation. Can join the guest network on this AP which is an Open SSID with a captive guest portal. Other Android 11 phones can connect to our Enterprise network

We came across a forum link from One plus support page suggesting enabling 802.1x and 802.1x-SHA256. If we enable both what type of operation it will be? AND or OR. Means both will be enable simultaneously or One of the Auth Method will work. Also what could be the implication this workaround would have on other wireless clients.

https://forums.oneplus.com/threads/unable-to-join-wpa2-enterprise-network.1441160/

We are using Cisco 9800 WLC version 17.3.4

Scott Fella · ‎03-16-2022

Open SSID and 802.1x is very different. My suggestion is to create a new TEST SSID that is just open and see if the device connects. Then try a PSK and see if the device connects. This way you can at least figure out what is working and what is not. Make sure that your test SSID is open and don't start to enable features. If the device connects, then look at adding features one at a time.

-Scott
*** Please rate helpful posts ***

AnilKumar95946 · ‎03-16-2022

Hi Scott,

Users are able to connect using Guest SSID without any issue

Scott Fella · ‎03-16-2022

Okay... well I think you need to take the suggestion that was provided on the other forum. Make sure you test and make sure it doesn't break other devices.

-Scott
*** Please rate helpful posts ***

AnilKumar95946 · ‎03-16-2022

What could happen if i enable both 802.1x and 802.1x SHA256 together. Other devices may face issue?

Scott Fella · ‎03-16-2022

Anytime you make changes, that can affect how devices react. Every device is different and that is why you need to be able to test before making changes in production.

-Scott
*** Please rate helpful posts ***

Flavio Miranda · ‎03-16-2022

Similar thread discussed here:

https://community.cisco.com/t5/wireless/intel-ax200-unable-to-connect-using-802-1x-sha256/td-p/4137954

SHA1 means WPA whilst SHA-256 is WPA2. You can try that on the WLAN Security option.

Arshad Safrulla · ‎03-16-2022

Hi Anil,

Android 11 devices connecting to SSID's configured with WPA2-Enterprise PEAP authentication (username/password) fails because the option to bypass the security certificate has been removed from Android. Clients that do not have the certificate installed and validated will not be able to comply with PEAP authentication and their connection attempt will fail. So the only workaround is to install the Enterprise CA root certificate in end device or install public CA signed certificate in your Radius server.

Moving forward in MS Windows also depreciate the support for EAP-PEAP due to the Windows Credential Guard behavior. So I would strongly recommend that if you are using EAP-PEAP, plan your migration to EAP-TLS.

Thanks,

Arshad

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla