I cannot configure PPSK for iPhone users on AP 230

I installed 2 new AP 230s at a customer's site last week.
For PCs the guest network is operational with use of private PSKs.

iPhone users cannot connect:
1226D995 AH-26d980 BASIC (1924)Sta(at if=wifi0.2) is de-authenticated because of notification of driver

Jan De Smet

Posted 4 years ago

Gary Smith, Official Rep

Hi Jan,

Could you show us the running config for this SSID please?

Thanks,
Gary

Jan De Smet

Hi Gary,

Could you please inform me how to do this?  Can this be achieved via HMOL?

many thanks

Jan

Gary Smith, Official Rep

Hi Jan,

If you have CLI access to the AP you could run a "show run | include {ssid name}"

You could also capture the Client Monitor logs showing the sequence of authentication. This might help us understand what is breaking down and where.

Thanks,
Gary

Jan De Smet

Gary,

Please find attached the screenshot of the Client Monitor.

I will try to log in through VPN and SSH into an AP.

Hopefully this is already sufficient.


thx

Jan De Smet

Gary,

Another alarm I receive:


thanks

Gary Smith, Official Rep

Hi Jan,

I would like to know more about the PPSK setup and see the running config from the AP if possible.

  1. Are you using IDM for PPSK?
  2. Are the PPSKs auto or manual?
  3. Does the attribute number for the PPSK group match the user profile attribute number?

Screenshots of the config are useful if you have problems getting to the CLI of the AP.

Thanks,
Gary

Jan De Smet

Gary,

this should be the running config of one AP:

login as: admin
admin@192.168.0.87's password:
Last login: Wed Aug  6 16:39:39 2014 from 192.168.0.23

Aerohive Networks Inc.
Copyright (C) 2006-2014
AH-26d980#sh ru

2014-08-06 16:40:34 alert   ah_dcd: lwtest ctrl->cfg.suite.method=1, wpa_aes_psk=8, wpa_tkip_psk=9

security mac-filter powerclimber default permit
security mac-filter Powerclimber default permit
security mac-filter "Powerclimber Hotspot" default permit
schedule PowerclimberGuest recurrent time-range 05:00 to 23:00
security-object Powerclimber
security-object Powerclimber security protocol-suite wpa2-aes-psk ascii-key ***
security-object Powerclimber default-user-profile-attr 1
security-object "Powerclimber Hotspot"
security-object "Powerclimber Hotspot" security protocol-suite wpa2-aes-psk ascii-key ***
security-object "Powerclimber Hotspot" security additional-auth-method captive-web-portal reg-user-profile-attr 9
security-object "Powerclimber Hotspot" security private-psk
security-object "Powerclimber Hotspot" user-profile-sequence ssid-cwp-mac
no security-object "Powerclimber Hotspot" security private-psk self-reg-enable
security-object "Powerclimber Hotspot" security private-psk default-psk-disabled
security-object "Powerclimber Hotspot" default-user-profile-attr 9
security-object "Powerclimber Hotspot" security additional-auth-method captive-web-portal default-language english
security-object "Powerclimber Hotspot" security additional-auth-method captive-web-portal success-redirect external-page http://www.powerclimberwind.com
security-object "Powerclimber Hotspot" web-server web-page mandatory-field 0 optional-field 0
security-object "Powerclimber Hotspot" web-server index-file eula.html
security-object "Powerclimber Hotspot" web-directory Powerclimber-Hotspot
ssid Powerclimber
ssid Powerclimber security-object Powerclimber
ssid Powerclimber security mac-filter Powerclimber
ssid "Powerclimber Hotspot"
ssid "Powerclimber Hotspot" security-object "Powerclimber Hotspot"
ssid "Powerclimber Hotspot" security mac-filter "Powerclimber Hotspot"
no ssid "Powerclimber Hotspot" wmm
ssid "Powerclimber Hotspot" schedule PowerclimberGuest
hive powerclimber
hive powerclimber security mac-filter powerclimber
hive powerclimber password ***
interface wifi1 mode access
interface mgt0 hive powerclimber
interface wifi0 ssid Powerclimber
interface wifi0 ssid "Powerclimber Hotspot"
interface wifi1 ssid Powerclimber
interface wifi1 ssid "Powerclimber Hotspot"
lldp
access-console security protocol-suite wpa-auto-psk ascii-key ***
report statistic alarm-threshold interface tx-retry-rate 60
admin root-admin admin password ***
dns server-ip 168.143.87.77
dns server-ip 209.128.124.9 second
ntp server ntp1.aerohive.com
clock time-zone 1
clock time-zone daylight-saving-time 03-30 01:59:59 10-26 02:59:59
config version 22
config rollback enable
track powerclimber default-gateway
track powerclimber action enable-access-console
track powerclimber multi-dst-logic and
ssid "Powerclimber Hotspot" user-group PowerclimberGuestNew
capwap client server name hm-emea-034.aerohive.com
capwap client dtls hm-defined-passphrase *** key-id 1
capwap client vhm-name powerclimber
no capwap client dtls negotiation enable
qos classifier-map service dns qos 4 action permit
qos classifier-map service dhcp-server qos 4 action permit
qos classifier-map service dhcp-client qos 4 action permit
qos classifier-map service tftp qos 2 action permit
qos classifier-map service pcoip-media qos 3 action permit
qos classifier-map service pcoip-control qos 3 action permit
qos classifier-map service ica qos 3 action permit
service HTTP-8080 protocol tcp port 8080
service SMB protocol tcp port 139 timeout 1800
qos classifier-profile eth0 service
qos classifier-profile eth1 service
qos classifier-profile red0 service
qos classifier-profile agg0 service
qos classifier-profile Powerclimber service
qos classifier-profile PowerclimberGuest service
interface eth1 qos-classifier eth1
interface eth0 qos-classifier eth0
ssid Powerclimber qos-classifier Powerclimber
ssid "Powerclimber Hotspot" qos-classifier PowerclimberGuest
user-profile Powerclimber qos-policy def-user-qos vlan-id 1 attribute 1
user-profile Powerclimber performance-sentinel enable
user-profile Powerclimber performance-sentinel guaranteed-bandwidth 5000
user-profile Powerclimberguestuserprofile qos-policy def-user-qos vlan-id 1 attribute 9
ip-policy Guest-Internet-Access-Only
ip-policy Guest-Internet-Access-Only id 1 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service DHCP-Server action permit
ip-policy Guest-Internet-Access-Only id 2 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service DNS action permit
ip-policy Guest-Internet-Access-Only id 3 from 0.0.0.0 0.0.0.0 to 10.0.0.0 255.0.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 4 from 0.0.0.0 0.0.0.0 to 172.16.0.0 255.240.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 5 from 0.0.0.0 0.0.0.0 to 192.168.0.0 255.255.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 6 from 0.0.0.0 0.0.0.0 to 0.0.0.0 0.0.0.0 service any action permit
user-profile Powerclimberguestuserprofile security ip-policy from-access Guest-Internet-Access-Only to-access Guest-Internet-Access-Only
alg ftp enable
alg tftp enable
alg sip enable
roaming neighbor include ip 192.168.0.88 255.255.255.0
no bonjour-gateway enable
application reporting auto
AH-26d980#

AH-26d980#

AH-26d980#


thanks

Jan De Smet

I am not using IDM, we use auto PPSK.

Do the attribute numbers need to match? One attribute is 8, and the other is 9.


Many thanks.

Gary Smith, Official Rep

From the Client monitor information (fails at 3/4 of the 4-way handshake) and from the config I would suggest that you use the same attribute number for both the user and for the PPSK. I believe that the DHCP is failing because of an attribute mismatch.

Some info below from the Help Guide, which explains a little more.

http://www.aerohive.com/330000/docs/help/english/6.1r5/hm/full/help.htm#cshid=tools/clientMon.htm
"If a problem occurs during the third stage, IP assignment, again begin by checking the log and also consider checking the following common causes of IP assignment failures:

Does the client have DHCP enabled on its wireless interface, and if so, did it receive network settings through DHCP?

If the client uses DHCP to obtain its network settings, is there a network connection between the AP and a DHCP server or DHCP relay agent?

If a static IP address is configured on the client, are the IP address, netmask, and default gateway settings valid?"



http://www.aerohive.com/330000/docs/help/english/6.1r5/hm/full/help.htm#config/auth/localUserGrpD.htm

User Profile Attribute

"To link the users in the user group to a user profile, enter the same attribute number as that of the user profile. The Aerohive device can then apply the QoS (Quality of Service) settings, firewall policies, and mobility policies defined for the user profile to the users belonging to the local user group with the same attribute number. If you do not assign an attribute to the user group—or if you assign an attribute that does not match that of a user profile—the device applies the user group members with QoS settings, firewall policies, and mobility policies for the default user group of the SSID through which the user associates with the Aerohive device. The user group attribute can be between 0 and 4095."

Jan De Smet

Gary,

I will try to change the attributes today.

One other question: could this be the reason why only iPhone users are not able to connect?

My Windows 8 PC does connect without issues to the guest SSID.

It is only iPhone users (4s, 5 and 5s) who are not able to connect.

thanks

Jan

Crowdie, Champ

I have been having issues getting Linux users authenticated with PPSKs.

What I have been able to find out is that Linux users will not authenticate when auto generated PPSKs are used but will when manually configured PPSKs are utilised.

Are you able to test if you are having the same issue with your iPhone users?

Jan De Smet

I will try and test this later today.

At this moment I am at another customer site.

Many thanks for your feedback.

Michael K

Having similar issues with an AP230.

Have 2 SSIDs. One is set up as internal (WPA2-PSK) and one is set up as guest (WPA2-PSK).

Any client can join internal network.

Guest network - Windows machines can join fine but Android and iDevices fail. Error messages are the same as yours. If Guest network uses open or WEP encryption then the devices can join.

Crowdie, Champ

You need to packet capture a wireless client authenticating using the PPSK for analysis.

Jan De Smet

I enabled WMM under advanced settings. This setting resolved the issue for me.
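
An added example, not part of the thread and not Aerohive code: a small Python audit of a pasted running config for the two things raised above, attribute numbers that match no user-profile and a private-PSK SSID with WMM turned off. The sample lines are constructed in the posted format; `audit` and `group_attrs` are hypothetical names, and the user-group attribute 8 is an assumption.

```python
import re

# Constructed sample in the format of the running config posted in the thread,
# with the pager prompts a pasted terminal session carries.
SAMPLE = """\
security-object "Powerclimber Hotspot" security private-psk
 --More--           security-object "Powerclimber Hotspot" default-user-profile-attr 9
 --More--           ssid "Powerclimber Hotspot" security-object "Powerclimber Hotspot"
 --More--           no ssid "Powerclimber Hotspot" wmm
 --More--           ssid "Powerclimber Hotspot" user-group PowerclimberGuestNew
 --More--           user-profile Powerclimberguestuserprofile qos-policy def-user-qos vlan-id 1 attr --More--           ibute 9
"""

def audit(config, group_attrs=None):
    """Return findings: attributes matching no user-profile, and private-PSK
    SSIDs with WMM off. group_attrs maps user-group name -> attribute; it is
    passed in because the posted running config does not list it."""
    text = re.sub(r" ?--More--[ \t]*", "", config)  # drop pager prompts, rejoin split words
    profiles, obj_attrs, ppsk, no_wmm = set(), {}, set(), set()
    ssid_refs = {"security-object": {}, "user-group": {}}
    for line in text.splitlines():
        t = [m.strip('"') for m in re.findall(r'"[^"]*"|\S+', line)]
        if len(t) < 3:
            continue
        if t[0] == "user-profile" and "attribute" in t[:-1]:
            profiles.add(int(t[t.index("attribute") + 1]))
        elif t[0] == "security-object":
            for key in ("default-user-profile-attr", "reg-user-profile-attr"):
                if key in t[:-1]:
                    obj_attrs.setdefault(t[1], set()).add(int(t[t.index(key) + 1]))
            if t[2:4] == ["security", "private-psk"]:
                ppsk.add(t[1])
        elif t[0] == "ssid" and len(t) >= 4 and t[2] in ssid_refs:
            ssid_refs[t[2]][t[1]] = t[3]
        elif t[:2] == ["no", "ssid"] and t[-1] == "wmm":
            no_wmm.add(t[2])
    findings = []
    for obj, attrs in obj_attrs.items():
        findings += [f"security-object {obj!r}: attribute {a} matches no user-profile" for a in attrs - profiles]
    for ssid, group in ssid_refs["user-group"].items():
        attr = (group_attrs or {}).get(group)
        if attr is not None and attr not in profiles:
            findings.append(f"ssid {ssid!r}: user-group {group!r} attribute {attr} matches no user-profile")
    findings += [f"ssid {s!r}: WMM disabled on a private-PSK SSID"
                 for s in no_wmm if ssid_refs["security-object"].get(s) in ppsk]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {"PowerclimberGuestNew": 8})))  # 8 is an assumed group attribute
```
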