Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
237 Views

Intel AX200 fails to connect using SHA1+SHA256

Hi community,

We are suffering lack of connectivity when configuring WPA/WPA2 or WPA2/WPA3 WLAN profile with PMF optional plus 802.1X-SHA1 plus 802.1X-SHA256 simultaneously.

Packet captures shows EAPOL failing on sending 4-way handshake M3 packet from client to AP.

However, with that same config, AC8265 chipset are sucessfully connecting. This is the output.

GBRDCWLCD001#sh wirele clie mac-address 74e5.f9f4.64ec detail | i IPv4 Address|Client State|Current Rate|Policy Manage|Policy Type|Encryption Cipher|Authenticatio$
Client IPv4 Address : 10.7.97.150
Client State : Associated
Channel : 36
Current Rate : m9 ss2
Client State Servers : None
Policy Manager State: Run
Last Policy Manager State : IP Learn Complete
Policy Type : WPA3
Encryption Cipher : CCMP (AES)
Authentication Key Management : 802.1x-SHA256
Protected Management Frame - 802.11w : Yes
DNS Snooped IPv4 Addresses : None
Channel Agility : Not implemented
Fast BSS Transition Details :
11v BSS Transition : Implemented
11v DMS Capable : No
Radio Signal Strength Indicator : -51 dBm
Signal to Noise Ratio : 56 dB
GBRDCWLCD001#

There is also a strange thing, as from above output, AC8265 is conecting using SHA256 but for some reason, configuring WLAN profile only with WPA/WPA2 or WPA2/WPA3 plus 802.1X-SHA256 is not working.

0 Kudos
11 Replies
Highlighted
222 Views

jepavon, Thank you for posting in the Intel® Communities Support.


In order for us to provide the most accurate assistance, we just wanted to confirm a few details about your system:

What is the model of the motherboard?

If this is a laptop, what is the model of it?

What is the model of the Router?

Is this a new computer?

Was it working fine before?

Did you make any recent hardware/software changes?

The wireless card, did you purchased it separately or did it came installed in the computer?

When did the issue start?

Which Windows* version are you using?

Does the problem happen at home or work environment?


Any questions, please let me know.


Regards,

Albert R.


Intel Customer Support Technician

A Contingent Worker at Intel


0 Kudos
Highlighted
Beginner
208 Views

Requested information answers:

What is the model of the motherboard? Not applicable

If this is a laptop, what is the model of it? Not applicable

What is the model of the Router? This is a Cisco WLAN Infrastructure: Catalyst 9800 running IOS-XE 17.3.1 and different AP Models (AP3700, AP3800, AP4800, C9120, C9130). The issue is reproducible with Cisco's latest code because in the previous ones there were many defects affecting the use of SHA256. This is also reproducible with all of them AP models listed before.

Is this a new computer? Not applicable

Was it working fine before? We have never tested it before as we are upgrading WLAN L2 security features now.

Did you make any recent hardware/software changes? Only upgrading to Intel PROSet Wireless 21.110

The wireless card, did you purchased it separately or did it came installed in the computer? I purchased it separately and replace it by myself

When did the issue start? It always happened after the start of the tests with SHA256 enabled in the WLAN security features.

Which Windows* version are you using? Windows 10 version 2004 (OS Build 19041.264)

Does the problem happen at home or work environment? Home and Work environment. I have reproduce it the issue at home with commented infrastructure above, but also at hoome using Cisco Mobility Express Controller embedded into AP3800 running AireOS 8.10.130 which integrates same AP code, and also features and caveats.

Below you can find more information about the issue.

This is the output on the failure in the controller debug that shows MIC validation failed:

2020/08/18 09:41:03.306370 {wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (info): MAC: aabb.ccdd.eeff Deleting the client, reason: 91, CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION, Client state S_CO_L2_AUTH_IN_PROGRESS
2020/08/18 09:41:03.306374 {wncd_x_R0-0}{1}: [tdllib] [25343]: (debug): ewlc/client/client_orch/_gen_lib_tpp_x86_64_cge7/client_orch_stats.c:2184:5: ewlc_client_orch_libctxt->client_orch_stats_rec->field_st_client_orch_stats_ptr->client_del_reason.co_client_delete_reason_key_mgmt_mic_validation_ctr++: db=WNCD_DB, tid=0, obj_ptr=0x808098fe48, write_ptr=0x808098ffc0, size=4
2020/08/18 09:41:03.306378 {wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (debug): Search wlan client stats record exists for given wlan id: 39
2020/08/18 09:41:03.306379 {wncd_x_R0-0}{1}: [tdllib] [25343]: (debug): ewlc/client/client_orch/_gen_lib_tpp_x86_64_cge7/client_orch_wlan_client_stats.c:2942:5: rec->field_wlan_client_stats_ptr->client_del_reason.co_client_delete_reason_key_mgmt_mic_validation_ctr++: db=WNCD_DB, tid=0, obj_ptr=0x8080e84718, write_ptr=0x8080e84890, size=4
2020/08/18 09:41:03.306383 {wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (debug): MAC: aabb.ccdd.eeff local ipv6 deletemmif_role_status: 0, Success, client role: Unassoc
2020/08/18 09:41:03.306396 {wncd_x_R0-0}{1}: [client-ipv6-client] [25343]: (debug): MAC: aabb.ccdd.eeff Failed to find client in mgid table
2020/08/18 09:41:03.306407 {wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (debug): transition buffer: written 96 position 5
2020/08/18 09:41:03.306408 {wncd_x_R0-0}{1}: [client-orch-sm] [25343]: (note): MAC: aabb.ccdd.eeff Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_KEY_MGMT_MIC_VALIDATION, fsm-state transition 00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|00|01|07|13|1a|23|

This is the output for the wNIC properties connected to 802.1X-SHA1 SSID:

C:\WINDOWS\system32>netsh wlan show interfaces
There is 1 interface on the system:
Name : WiFi 4
Description : Intel(R) Wi-Fi 6 AX200 160MHz
GUID : 9e707412-1074-48a8-9747-94f344ed892c
Physical address : aa:bb:cc:dd:ee:ff
State : connected
SSID : MySSID
BSSID : 00:11:22:33:44:55
Network type : Infrastructure
Radio type : 802.11ac
Authentication : WPA2-Enterprise
Cipher : CCMP
Connection mode : Profile
Channel : 136
Receive rate (Mbps) : 400
Transmit rate (Mbps) : 400
Signal : 87%
Profile : MySSID
Hosted network status : Not available
C:\WINDOWS\system32>netsh wlan show drivers
Interface name: WiFi 4
Driver : Intel(R) Wi-Fi 6 AX200 160MHz
Vendor : Intel Corporation
Provider : Intel
Date : 01/07/2020
Version : 21.110.1.1
INF file : oem15.inf
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n 802.11a 802.11ac 802.11ax
FIPS 140-2 mode supported : Yes
802.11w Management Frame Protection supported : Yes
Hosted network supported : No
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP-40bit
Open WEP-104bit
Open WEP
WPA-Enterprise TKIP
WPA-Enterprise CCMP
WPA-Personal TKIP
WPA-Personal CCMP
WPA2-Enterprise TKIP
WPA2-Enterprise CCMP
WPA2-Personal TKIP
WPA2-Personal CCMP
Open Vendor defined
WPA3-Personal CCMP
Vendor defined Vendor defined
WPA3-Enterprise GCMP-256
OWE CCMP

Regards.

0 Kudos
Highlighted
Beginner
206 Views

This is the output of the OTA packet capture during association process.

Here you can see client nevers sends M3 key and the connection times out.

captureSHA256.png

0 Kudos
Highlighted
192 Views

jepavon, Thank you very much for providing that information.


We will do further research on this matter, as soon as I get any updates I will post all the details on this thread.


Regards,

Albert R.


Intel Customer Support Technician

A Contingent Worker at Intel


0 Kudos
Highlighted
Beginner
186 Views

I've full OTA packet captures and WLC association debugs from AX200 and AC8265 for you to compare if you need it. Just DM me requesting them.

0 Kudos
Highlighted
Beginner
158 Views

Hi Alberto,

Hi have some more information in regards of this issue.

Doing debug on the AP itself when configured SHA1+SHA256, this is the output I can see when trying to connect with AX200 chipset.

[*08/21/2020 05:28:06.1454] wl0: turn sta MFP setting on with sha256
[*08/21/2020 05:28:06.1464] chatter: client_ip_table :: ClientIPTable no client entry found, dropping packet AA:BB:CC:DD:EE:FF
[*08/21/2020 05:28:06.1464] chatter: client_ip_table :: ClientIPTable no client entry found, dropping packet AA:BB:CC:DD:EE:FF
[*08/21/2020 05:28:06.1464] chatter: client_ip_table :: ClientIPTable no client entry found, dropping packet AA:BB:CC:DD:EE:FF
[*08/21/2020 05:28:06.1464] chatter: client_ip_table :: ClientIPTable no client entry found, dropping packet AA:BB:CC:DD:EE:FF
[*08/21/2020 05:28:11.2144] Received an unproctected deauth frame during PMF association.

 

0 Kudos
Highlighted
154 Views

jepavon, I just received an update on this matter.


Just to confirm, did you upgrade the firmware on the Wireless Controller? Please try to do that. 

Additionally, did you open a case with Cisco on this? 

If no, we would suggest to do so, as this scenario seems to be more related to the Cisco infrastructure.


Regards,

Albert R.


Intel Customer Support Technician

A Contingent Worker at Intel


0 Kudos
Highlighted
Beginner
138 Views

Hi Alberto,

Yes I have upgraded to latest Cisco code (17.3.1) and latest Intel driver (21.110) but same results.

I've a Cisco TAC case open about this and they are escalating this to developers to talk with Intel They see the same thing, station send unencrypted response on Key M3 to AP so closing connection. this is not happening with Intel AC8265 chipset with same config, code and driver, but it's happenign with AC3165 as well.

Regards

0 Kudos
Highlighted
124 Views

Hi jepavon, thank you very much for sharing those details.


We will continue with our research on this matter, as soon as I get more information I will post all the details on this thread.


Regards,

Albert R.


Intel Customer Support Technician

A Contingent Worker at Intel


0 Kudos
Highlighted
Beginner
102 Views

I have the problem that I upgraded from Windows 1909 to Windows 2004 and since then the WiFi connection has stopped working.

The report shows that it aborts after 6 seconds with the message: No connection to this network possible.

PMF is required.

is the PMF on enable then I can connect.

Wi-Fi 6 AX200 160MHz, driver version is 21.90.3.2 All other notebooks still have Windows 1909 installed and it works quite normally.

0 Kudos
Highlighted
79 Views

Hello jepavon, I just received an update on this matter.


I sent you an email requesting private information, please verify your inbox.


RA, Thank you for posting in the Intel® Communities Support.


Please submit your inquiry on a new thread, the reason for this is that every scenario is different even if the same product is being used, so for us to better assist you and in order to try to fix the problem, please submit a new thread:

https://communities.intel.com/community/tech


Let me apologize for any inconvenience.

 

Regards,

Albert R.


Intel Customer Support Technician

A Contingent Worker at Intel


0 Kudos