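At a site in Shandong, Apple clients connected to a WX3510E wireless controller keep dropping offline.
The configuration is as follows: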
#
port-security enable
#
wlan auto-ap enable
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
group-attribute allow-guest
#
wlan rrm
dot11a mandatory-rate 6 12 24
dot11a supported-rate 9 18 36 48 54
dot11b mandatory-rate 1 2
dot11b supported-rate 5.5 11
dot11g mandatory-rate 1 2 5.5 11
dot11g supported-rate 6 9 12 18 24 36 48 54
band-navigation enable
#
wlan service-template 1 crypto
ssid dyjy
bind WLAN-ESS 0
cipher-suite ccmp
security-ie rsn
service-template enable
#
interface WLAN-ESS0
port link-type hybrid
port hybrid vlan 1 109 untagged
port hybrid pvid vlan 109
mac-vlan enable
port-security port-mode psk
port-security tx-key-type 11key
port-security preshared-key pass-phrase cipher $c$3$MovZkD7yPGTop5FWGZw8I6XthTC7WQM9QZ/M
#
wlan ap bei1-1 model WA4320i-ACN id 21
serial-id 210235A1GQC162001853
radio 1
service-template 1 vlan-id 109
radio enable
radio 2
service-template 1 vlan-id 109
radio enable
………
#
The output of debug wlan mac all shows:
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake message resend timer expired for client a45e-60dc-deab
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake FSM state is changed, ptkstart -> idle to resend message1 for client a45e-60dc-deab
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : Sent 4-way handshake message1 to station a45e-60dc-deab successfully
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake FSM changes state, idle -> ptkstart for client a45e-60dc-deab
*Nov 18 14:43:31:693 2016 ac WMAC/7/ERROR : Received invalid 4-way handshake message2 frame from client a45e-60dc-deab, wrong replay counter
*Nov 18 14:43:31:693 2016 ac WMAC/7/ERROR : Received invalid EAPOL-KEY frame from client a45e-60dc-deab, discard it
The key negotiation is failing: the AC considers the key sent by the client to be wrong.
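To find every client hitting this failure instead of reading the debug output line by line, the following added example (not part of the original case, and not H3C code) counts the handshake events per client MAC and flags clients whose message2 was rejected after message1 had to be resent. The function names and the second client MAC are assumptions made for illustration; the message formats are the ones shown in the log above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the six debug lines quoted above, plus two lines for a
# made-up client (0011-2233-4455) that reuse the same message formats.
SAMPLE_LOG = """\
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake message resend timer expired for client a45e-60dc-deab
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake FSM state is changed, ptkstart -> idle to resend message1 for client a45e-60dc-deab
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : Sent 4-way handshake message1 to station a45e-60dc-deab successfully
*Nov 18 14:43:31:691 2016 ac WMAC/7/EVENT : 4-way handshake FSM changes state, idle -> ptkstart for client a45e-60dc-deab
*Nov 18 14:43:31:693 2016 ac WMAC/7/ERROR : Received invalid 4-way handshake message2 frame from client a45e-60dc-deab, wrong replay counter
*Nov 18 14:43:31:693 2016 ac WMAC/7/ERROR : Received invalid EAPOL-KEY frame from client a45e-60dc-deab, discard it
*Nov 18 14:43:32:101 2016 ac WMAC/7/EVENT : Sent 4-way handshake message1 to station 0011-2233-4455 successfully
*Nov 18 14:43:32:101 2016 ac WMAC/7/EVENT : 4-way handshake FSM changes state, idle -> ptkstart for client 0011-2233-4455
"""

LINE_RE = re.compile(r"WMAC/7/(?P<level>EVENT|ERROR) : (?P<msg>.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}\b")

# Event name -> substring that identifies it (taken from the log above).
EVENTS = [
    ("resend_timeout", "resend timer expired"),
    ("msg1_sent", "Sent 4-way handshake message1"),
    ("replay_mismatch", "wrong replay counter"),
    ("eapol_discard", "invalid EAPOL-KEY frame"),
]

def summarize(log_text):
    """Return {client_mac: Counter(event_name -> count)} for WMAC debug lines."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        mac = MAC_RE.search(m.group("msg")) if m else None
        if not mac:
            continue  # not a WMAC line, or no client MAC in the message
        for name, needle in EVENTS:
            if needle in m.group("msg"):
                stats[mac.group(0)][name] += 1
                break  # FSM state-change lines match nothing and are skipped
    return dict(stats)

def failing_clients(log_text):
    """Clients whose message2 was rejected after message1 had to be resent."""
    return sorted(mac for mac, c in summarize(log_text).items()
                  if c["resend_timeout"] and c["replay_mismatch"])

if __name__ == "__main__":
    print(failing_clients(SAMPLE_LOG))
```
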
The original configuration was modified as follows:
wlan service-template 1 crypto
ssid dyjy
bind WLAN-ESS 0
cipher-suite tkip
cipher-suite ccmp
security-ie rsn
security-ie WPA
service-template enable
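The customer was also advised to do the following on the client:
1. Check whether the encryption mode was set manually on the client and whether it differs from the encryption algorithm configured on the device;
2. Check that the key on the client is correct;
3. Change the key negotiation parameters to see whether the client supports only the older algorithms.
After modifying the configuration on the device and adjusting the encryption mode on the client, the problem was resolved.
Problems of this kind require adjusting both the device side and the client so that the encryption modes match.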