Cannot join guest network from iPad/Android but works fine from Windows laptop (AP230)

  • 1
  • Question
  • Updated 3 years ago
  • Answered
I have a single AP230 device.

Single internal SSID is setup with WPA2-PSK (works fine on all devices) (set to VLAN 1)

Setup a second SSID and set it as a guest network.  Also operating on VLAN 1.
-If I set the guest SSID to use WPA2-PSK password I can join the guest network from a Windows 7 laptop, however any attempt to join the network from an iPad or Android tablet results in either "incorrect password" messages or just a failed join attempt.
-If I set the guest SSID to use WEP encryption then all devices join
-If I set the guest SSDI to use no encryption all devices join

This has been tested on both 2.4 and 5 GHz radios.

Anyone have any ideas?

*I know that I should use separate VLANs but I had not gotten around to setting that up yet.  Open or WEP encryption on the guest network still lets everything work so I didn't think that was the root problem here.
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Photo of Hans Matthé

Hans Matthé

  • 131 Posts
  • 28 Reply Likes
The best tool to see what happens during the authentication proces is the client monitor (tools -> client monitor). Get the MAC adres of an Ipad or Android tablet, start the monitoring en do the authentication proces. If anything is wrong you get more information in this tool.
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Used the client monitor tool and this is what I see when the client tries to join

02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (201)Rx auth <open> (frame 1, rssi -61dB)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (202)Tx auth <open> (frame 2, status 0, pwr 19dBm)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (203)Rx assoc req (rssi -61dB)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (204)Tx assoc resp <accept> (status 0, pwr 19dBm)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    INFO    (205)WPA-PSK auth is starting (at if=wifi1.1)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    INFO    (206)Sending 1/4 msg of 4-Way Handshake (at if=wifi1.1)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    INFO    (207)Received 2/4 msg of 4-Way Handshake (at if=wifi1.1)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    INFO    (208)Sending 3/4 msg of 4-Way Handshake (at if=wifi1.1)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    INFO    (209)Rx deauth (reason 17 <n/a>, rssi -62dB)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (210)Sta(at if=wifi1.1) is de-authenticated because of notification of driver
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    DETAIL  (211)Rx <broadcast> probe req (rssi -57dB)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (212)Tx probe resp (pwr 19dBm)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D264  AH-12d240    BASIC   (213)Tx probe resp (pwr 19dBm)
02/14/2015 11:54:22 PM  609217D8B25C  9C5D1212D265  AH-12d240    DETAIL  (214)Rx <broadcast> probe req (rssi -57dB)
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Found another post with similar symptoms - https://community.aerohive.com/aerohive/topics/wpa-authentication-issue

In my case I can use WPA fine as long as I'm not setting the network as guest.  As soon as I use guest I have to do open or WEP in order for the Apple and Android devices to join.

bug in the firmware?
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Are you able to complete a packet capture of a wireless client failing to associate to the wireless network?  This would enable Aerohive Support to take a deeper look.
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Any suggestions for the packet capture?  PC's will join just fine.  The only thing that fails are tablets.  Is there a good way to packet capture from the wired side of the network?
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
You can use a product like Wireshark to capture 802.3 packets but it doesn't natively support 802.11 captures (unless you are using Linux).  Windows users can purchase the Riverbed AirPcap USB adapters but I would capture the 802.11 frames using Aerohive's Remote Sniffer functionality with Wireshark running on the a Windows laptop.
(Edited)
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Found that WMM was not enabled on the guest network.  Turned on WMM and now iPads can join the guest network.

Can anyone explain what WMM did?

Thanks
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Apple do document this:

Wi-Fi: Unable to connect to an 802.11n Wi-Fi network
http://support.apple.com/en-us/TS3727

WMM is, by spec, required for 802.11n and 802.11ac data rates to be used.
Where it is disabled on an AP, if it can/will associate at all, a client will often be limited to 802.11g and 802.11a data rates.
(Edited)
Photo of Hans Matthé

Hans Matthé

  • 131 Posts
  • 28 Reply Likes
WMM stands for Wifi Multimedia. With WMM you can prioritize traffic generated by time-sensitive appliactions as voice and video. It is mandatory for the use of IoS devices.
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
I tested this on a new AP230 running HiveOS 6.4r1a.2103 with a Kit Kat android smartphone and an iPhone 6 using an HMOL.  I just created a basic SSID with the only change being that the low data rates were disabled.  By default WMM is enabled in the SSID configuration:



Both the android smartphone and iPhone 6 connected without an issue.  Therefore, you should be able to authenticate these wireless clients with automatically generated PPSKs out of the box.

I cannot think off the top of my head of a good reason to disable WMM as it will have a severely adverse affect on the performance of your wireless network.
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Yeah, I am wondering why people are disabling WMM.  There seems to be a rash of these cases on the community lately.

Michael K?  Any reason you (or someone there) disabled it in the first place?
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
I did not disable WMM. I will test it when I get back but it seems that WMM is disabled when I switched it to a guest network.
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Are you running a HiveManager in "Express" mode?
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
I am
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Tested a new SSID and WMM was enabled. I do not know how WMM was disabled on the guest network but it happened twice on new SSIDs that I created.
Photo of Andrew Garcia

Andrew Garcia, Official Rep

  • 368 Posts
  • 120 Reply Likes
Yeah, it looks like we have a bug in Express mode, and I was able to duplicate the problem.  If you create a network of type "Guest", the WMM button unselects itself as soon as you save the SSID for the first time.  This does not seem to happen with Internal Access networks.

The good news is that if you manually go back to edit the Guest SSID, re-enable WMM, and save, the setting seems to stick.

So, if you are using Guest Networks in Express mode, please double check the WMM setting before pushing to an AP.

I will file a bug for this.
Photo of Michael K

Michael K

  • 10 Posts
  • 0 Reply Likes
Excellent.  Thank you.