AP250 PSKs not working

  • Question
  • Updated 5 months ago
We have recently purchased and installed about 5-6 AP250s in our school and are having some PSK issues with them. We have about 2000 PSKs that we upload into the config of each of our APs (split between a Staff SSID and a Student SSID) and we are having no issues with staff connecting, but most of the student PSKs are not working: when a student inputs their password it comes back as incorrect for that network, but when we try it with the older AP next door it jumps on with no issues. I've checked all the settings between our AP250s and older devices (AP330s mostly) and all settings appear to be the same. Configs upload from HiveManager with no issues, and it doesn't appear to be anything to do with our switches (as an older AP will function when plugged into the same port), so I'm wondering if it might have to do with the amount of PSKs we are trying to upload into the AP250s? They aren't complaining but I can't find an actual limit anywhere. I'd love some assistance here, thanks for reading.

Dan

Posted 5 months ago

Crowdie, Champ
The PPSK database size for the higher capacity models (i.e. not the AP121) is, if memory serves me correctly, just under 10,000.

What is the Client Monitor advising when a student fails to authenticate?  

Are the student PPSKs recurring? (this is possible with HiveManager Classic/HMOL but not NG).  If so, ensure that NTP is working correctly and the access point timezone is correct.

Crowdie, Champ
The Client Monitor lines you are looking for are:

Sending 1/4 msg of 4-Way Handshake
Received 2/4 msg of 4-Way Handshake
Sending 3/4 msg of 4-Way Handshake
Received 4/4 msg of 4-Way Handshake
PTK is set

These lines mean the key on both the access point and the wireless client is the same.

The next lines should be DHCP requests, etc.

Dan
Excellent, I'll check for those asap.

Crowdie, Champ
If you SSH into the access point and execute a "sh ntp" command you should see:

BC-DC1 (Active)

The important part is the "(Active)" after the hostname.  This indicates that the access point is getting active NTP updates.

Crowdie, Champ
You can also get SSH access to an access point via HiveManager:

Monitor -> [Place a tick in the checkbox to the left of the access point name] -> Utilities [button] -> SSH Client.

Dan
Yup, I'm getting active beside our DC server IP (.67, pictured)

Crowdie, Champ
The "PPSK Validity Period" field in your screenshot is "Always" so the PPSK is not date/time limited.  Therefore the timezone is not going to be the issue.

Crowdie, Champ
Can you post a copy of your network policy settings screen?

Dan
Sure, the BC BYOD SSID is the one we're having issues with. Is this pic what you're after?

Crowdie, Champ
Tomorrow can you upload the Client Monitor results?

Dan
For sure, I get in at 8 so I'll do it then.

Dan
When running the Client Monitor and attempting to connect an iPad to our BYOD network I got this log message. It looks like part 4/4 of the handshake is failing.

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (0)Rx auth <open> (frame 1, rssi -74dB)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (1)Tx auth <open> (frame 2, status 0, pwr 13dBm)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (2)Rx assoc req (rssi -74dB)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (3)Tx assoc resp <accept> (status 0, pwr 13dBm)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (4)WPA-PSK auth is starting (at if=wifi1.1)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (5)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.1)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (6)Received 2/4 msg of 4-Way Handshake (at if=wifi1.1)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (7)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.1)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (8)Rx deauth (reason 17 <n/a>, rssi -72dB)

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (9)Sta(at if=wifi1.1) is de-authenticated because of notification of driver

22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   BASIC   (10)Sta(at if=wifi1.1) is de-authenticated because of notification of driver

Crowdie, Champ
Deauthentication reason code 17 is:

Information element in 4-Way Handshake different from (Re)Association Request/Probe Response/Beacon frame

What was the wireless client that was attempting to authenticate when the Client Monitor capture was taken? iPhone, Windows 7 laptop, etc.

Are you running the 8.2r1 firmware on the AP250 access points?
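
Added example (not part of any poster's reply, and not Aerohive code): a small Python parser for Client Monitor lines in the format pasted above. It reports, per pair of MAC columns, the last 4-way handshake message seen and any deauth reason code. The field layout is inferred from the pasted log, only reason 17 is mapped because it is the only code quoted in the thread, and the second session in the sample is constructed.

```python
import re

# Five lines from the log pasted in this thread, then two constructed lines.
SAMPLE = """\
22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (4)WPA-PSK auth is starting (at if=wifi1.1)
22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (5)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.1)
22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (6)Received 2/4 msg of 4-Way Handshake (at if=wifi1.1)
22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (7)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.1)
22/02/2018 08:12:54 AM  4C3275719C27  C413E29F8964  R209-AP250   INFO    (8)Rx deauth (reason 17 <n/a>, rssi -72dB)
22/02/2018 08:13:10 AM  AABBCCDDEEFF  C413E29F8964  R209-AP250   INFO    (8)Received 4/4 msg of 4-Way Handshake (at if=wifi1.1)
22/02/2018 08:13:10 AM  AABBCCDDEEFF  C413E29F8964  R209-AP250   INFO    (9)PTK is set
"""

LINE = re.compile(r"^\S+ \S+ [AP]M\s+([0-9A-F]{12})\s+([0-9A-F]{12})"
                  r"\s+\S+\s+\w+\s+\(\d+\)(.*)$")
STEP = re.compile(r"(?:Sending|Received) ([1-4])/4 msg of 4-Way Handshake")
DEAUTH = re.compile(r"Rx deauth \(reason (\d+)")
# Only the reason code quoted in the thread is mapped; others print as numbers.
REASONS = {17: "Information element in 4-Way Handshake different from "
               "(Re)Association Request/Probe Response/Beacon frame"}
NEW = dict(last_step=0, ptk_set=False, deauth_reason=None)

def summarize(log_text):
    """Map (mac_a, mac_b) -> state of the latest handshake attempt.
    Assumed columns: date, time, AM/PM, two MACs, AP name, level, (n)message."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in this format
        mac_a, mac_b, msg = m.groups()
        s = sessions.setdefault((mac_a, mac_b), dict(NEW))
        if "WPA-PSK auth is starting" in msg:  # new attempt: reset state
            s.update(NEW)
        elif step := STEP.search(msg):
            s["last_step"] = int(step.group(1))
        elif "PTK is set" in msg:
            s["ptk_set"] = True
        elif (d := DEAUTH.search(msg)) and not s["ptk_set"]:
            s["deauth_reason"] = int(d.group(1))  # deauth before keys were set
    return sessions

def diagnose(s):
    if s["ptk_set"]:
        return "completed: PTK set"
    code = s["deauth_reason"]
    why = f", deauth reason {code}: {REASONS.get(code, 'not mapped here')}" if code else ""
    return f"stopped after message {s['last_step']}/4{why}"

if __name__ == "__main__":
    print({k: diagnose(v) for k, v in summarize(SAMPLE).items()})
```

For the thread's failing session this reports a stop after message 3/4 with reason 17; in the standard 4-way handshake the access point sends message 3 only after it has verified message 2, so a stall at that point is not the signature of a mistyped key.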

Dan
Hey Crowdie, turns out the issue was the 'Enable WMM' option seemed to need to be ticked. As soon as I ticked this and uploaded the config the BYOD network immediately started working on these AP250s. We noticed also that it seemed to mostly be Apple devices that were having the issues (we mostly use Apple devices on our BYOD network so it was harder to notice) and we had this option ticked on all our other SSIDs which were fine. Without this option ticked the SSID was still working on all our other (older) APs so pretty confusing to me!

Nick Lowe, Official Rep
Hey Dan,

Good find. Apple document this requirement here: https://support.apple.com/en-gb/HT202068

Cheers,

Nick

Crowdie, Champ
The "Enable WMM" should always be enabled as without it you are limited to data rates of 54 Mbps and less.

I am glad you found the problem.  Now if you could just fix this rain problem it would be great :-)

Dan
Hey, helpful article! I'll check through this and make other adjustments if necessary :)

Dan
Come to TGA mate! Nice and sunny here and I'll shout you a beer :)