WPA3-Enterprise 6 GHz SuiteB only SSID and roaming

patoberli
VIP Alumni

Hi All

I'm currently troubleshooting a 6 GHz only SSID on a 9800 WLC with 17.9.5 and 9166 APs. The SSID is set up with WPA3-Enterprise and SuiteB, as per the guide here:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220712-configure-and-verify-wi-fi-6e-wlan-layer.html#toc-hId--2092915632

I have now discovered that this variant doesn't support Fast Transition (802.11r). The RADIUS server is an ISE cluster with EAP-TLS as computer authentication.

I now have issues with roaming: a roam takes > 3 seconds. Is this normal and to be expected when using WPA3-Enterprise + GCMP256 cipher + SUITEB192-1X?

The SSID is solely on 6 GHz, but there are other SSIDs distributed on the same AP. A PCAP of the client shows that it's doing full authentications. 

When checking the radioactive trace, I can see exactly 3,00x seconds between the following two states:

Mobility Announce
Mobility HandOff

Also the following errors are shown when the client tries to roam, after which it will start a fresh and successful authentication:

2024/06/05 11:13:46.024  client-orch-sm  Client started layer 2 authentication (either dot1X or PSK)
2024/06/05 11:13:46.029  client-keymgmt  Sent M1 for EAPOL 4-Way Handshake
2024/06/05 11:13:47.029  client-keymgmt  Controller did not receive response for M1, sending retransmission
2024/06/05 11:13:48.029  client-keymgmt  Controller did not receive response for M1, sending retransmission
2024/06/05 11:13:49.030  client-keymgmt  Reached maximum retries for M1
2024/06/05 11:14:37.151  client-orch-sm  Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION. Explanation: if WLAN is PSK, possible invalid password. For 802.1x, this is client side supplicant issue. Actions: For PSK, check password on WLAN and client side. For 802.1x, contact client manufacturer
2024/06/05 11:14:37.153  dot11           Disassociation packet sent with code status: 15

Those heavily point to a driver issue, but we tried Intel drivers 23.40 and also the newest 23.50 with the same result.

Do you think it's indeed the client?

Thanks
Patrick
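
The timing in the trace lines quoted in the post above can be measured rather than read by eye. The following is an added example, not part of the original post and not Cisco tooling: it parses the quoted lines and reports how long the controller waited on an unanswered M1. The function names and the list of component names are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Trace lines quoted in the post; the long deletion message is cut after the reason code.
TRACE = """\
2024/06/05 11:13:46.024 client-orch-sm Client started layer 2 authentication (either dot1X or PSK)
2024/06/05 11:13:46.029 client-keymgmt Sent M1 for EAPOL 4-Way Handshake
2024/06/05 11:13:47.029 client-keymgmt Controller did not receive response for M1, sending retransmission
2024/06/05 11:13:48.029 client-keymgmt Controller did not receive response for M1, sending retransmission
2024/06/05 11:13:49.030 client-keymgmt Reached maximum retries for M1
2024/06/05 11:14:37.151 client-orch-sm Controller initiated client deletion with code: CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION.
2024/06/05 11:14:37.153 dot11 Disassociation packet sent with code status: 15
"""

# Component names are limited to the three seen in the post (assumption). The
# separator is optional so lines pasted with fused columns also parse.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})\s*"
                  r"(client-orch-sm|client-keymgmt|dot11)\s*(.*)$")

def parse(trace):
    """Turn trace text into (timestamp, component, message) tuples."""
    events = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def m1_stalls(events):
    """Return one record per 4-way handshake in which M1 was never answered."""
    stalls, current = [], None
    for ts, comp, msg in events:
        if comp == "client-keymgmt" and msg.startswith("Sent M1"):
            current = {"m1_sent": ts, "retransmissions": 0}
        elif current and "did not receive response for M1" in msg:
            current["retransmissions"] += 1
        elif current and msg.startswith("Reached maximum retries for M1"):
            current["stall_s"] = (ts - current["m1_sent"]).total_seconds()
            stalls.append(current)
            current = None
        elif stalls and "CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION" in msg:
            # Time from the first M1 until the controller finally deletes the client.
            delta = (ts - stalls[-1]["m1_sent"]).total_seconds()
            stalls[-1].setdefault("deleted_after_s", delta)
    return stalls

if __name__ == "__main__":
    for s in m1_stalls(parse(TRACE)):
        print(s["m1_sent"], s["retransmissions"], s["stall_s"], s.get("deleted_after_s"))
```

On the quoted lines this reports two retransmissions, 3.001 s between the first M1 and the retry limit, and 51.122 s until the client deletion is logged.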

1 Accepted Solution


patoberli
VIP Alumni

Hi all 

The final solution was simpler than thought: WLC upgraded to 17.12.3 and now it works as it should. Not sure if the customer switched back to normal WPA3-Enterprise without NSA ciphers or not.


marce1000
VIP

 

- We see a similar error (CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION) being reported in: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy55746
  Known Fixed Releases (0)....

 M.




JPavonM
VIP

FT over SuiteB is a known missing feature that would be added in a next code iteration, but why are you testing SuiteB and not standard WPA3-128bit? Unless your clients are Win11 (no Win10 support for SuiteB, and 6 GHz of course) and your environment requires the use of such NSA-grade security, it makes little sense.

Actually, I'm fairly sure that two days ago, my Windows 11 didn't offer WPA3-Enterprise with AES as an option, or I was blind. In any case, today it's available and am currently doing tests. 

JPavonM
VIP

That's the same for me too, maybe Microsoft have received a care reminder to provide both WPA3 flavours and not just the NS grade one.
