WT4090 won't associate with Cisco AP with WPA2/PEAP

I have a customer with EWLAN infrastructure of Cisco (AP AIR-AP1220-IOS-UPGRD, IOS: 12.3(8)JEC2-CRYPTO) and when they attempt to associate with our WT4090 terminal with WPA2-Enterprise network authentication, they just see "connection timeout" on the terminal.

Data Encryption is: AES

Authentication Type is: PEAP

Authentication Protocol: MS-CHAP-V2

Certificates are not in use.

SSID is hidden.

However, with WPA/TKIP it works fine.

They have the latest Fusion driver installed on WT4090, latest OS, Long Preamble is enabled in Cisco AP. Also it does not work when SSID is not hidden.

Has anyone seen such an issue recently?
cheers, Roland

Afshin Mansoorieh

it would be a good data point to know if they have tried to attach a laptop to their CISCO infrastructure and if it worked.


Marcus Kurath

This could be a password issue.

Depending on the RADIUS server and how it is interfaced to the LDAP database, it may be necessary to configure the password for reversible encryption in the user database. Once this parameter is changed, it is necessary to re-input the password into the user database.


Art Gabriellini

Based on the Fusion failure message (connection timeout), which is vague in & of itself, this tells me there's something other than an EAP PW causing this error.

The problem description is much too vague here...

TKIP works, but when EAP (PEAP) is applied, it fails; if it were a PW mismatch, you'd see an "invalid credentials" message in the Fusion log...
That said, make sure they're not inputting entry into the PEAP domain field as a common rule, as this field auto-appends (see attached guide).
Please also have them check the EAP setting @ the AP config per the attached (i.e. need to set as "open EAP"; not shared).

If all else fails, run Netlog on a failing device & we 'should' be able to see where the failure happens, however, if it turns out to be a de-authentication failure (sent via 802.11 from either end), then only a wireless capture will show this...

What's the support case # for this issue?




David Meyer

"Connection Timeout" indicates that you could not even associate to the AP.  There is probably a setting on the AP that the MU doesn't recognize, or vice-versa.  Customer support should be able to help you through this, as many customers have Cisco APs with WPA2-PEAP working.


Anonymous (not verified)

I had a similar problem with a WT4090 customer, but they were going the other direction.  They were using WPA2/PEAP and switched to WPA PSK.  They had the same association issues you described on the WPA PSK network.  Laptops connected fine, but the WT4090 had issues.  To fix the problem, their network folks had to click an additional checkbox on the controller.  I've attached a screen shot of what they changed.


Sukhdeep Singh Johar

Try increasing the EAP timeout value on the Cisco AP.
The default value may be too aggressive for some of the slower devices like the handhelds.


Roland Rozsa

Thank you all for your prompt feedback! The case# is: 2090959. I attached the WT4090 settings, just received from customer. Also attached a Wireshark trace log. Actually it is not a real wireless trace because there is no terminal visible, only the handshake between Cisco AP and Intel card successful (according to EmeaTech).

With HP laptop it works fine.
I will check your inputs and advice with the customer and let you know!

cheers, Roland



Mark Mann

Also make sure your date and time on the terminal is set as this could also be an issue.

Cheers,

Mark


Roland Rozsa

Actually the issue was that in WT4090 in Profile Entry at "Encryption" window "Allow WPA2 Mixed Mode" was not checked. By checking this box, terminal associated promptly with Cisco AP without any issue.
regards, Roland


Art Gabriellini

Good find, but this check-box is checked by default, so I wonder why it was un-checked/disabled in the first place...