Specifications

Troubleshooting AOS-W Environments
Chapter 27
• WPA/802.11i Key Exchange Failure: In a WPA or 802.11i network, the
dynamic key exchange process may fail. This is an error condition and
indicates either a man-in-the-middle attack or a faulty NIC driver. Examine
the “Authentication” log file in the Alcatel switch for details. Because the
WPA/802.11i key exchange is a standard and uses a four-way verified
handshake, error messages are generated when part of the process
fails. To view the Authentication log file in the Alcatel management GUI,
navigate to Monitoring > Process Logs and filter on “Authentication.” From
the CLI, enter the command “show log authmgr”.
• If multiple users on the same AP are experiencing problems, examine
statistics on the AP. It is possible that the network is extremely busy, is
experiencing interference, or is experiencing a denial of service attack.
Perform a wireless packet capture when in doubt.
Client has network connectivity, then loses wireless association
In this scenario, a client successfully associates to an AP, authenticates, and
has network connectivity. At some future time, the association is dropped.
• If the failure took place while the user was moving, it is possible that the
user roamed to an area with no radio coverage and cannot re-associate.
• If the problem repeats often, debug may be enabled for the client
experiencing the problem. If the Alcatel switch is dropping the association,
this will be indicated in the log file. To enable client debug in the Alcatel
CLI, use the command “aaa user debug mac <MAC address of client>”. Log
output from the debug process can be viewed by issuing the command
“show log intuser 30” (to display the last 30 lines of the log file).
• In a network configured to ignore broadcast probe requests, Windows
devices may spend an excessive amount of time transmitting broadcast
probe requests before finally transmitting probe requests for a specific
ESSID. Under these circumstances, roaming between APs may be
extremely slow, and the wireless association may be dropped for a long
period of time. If this is the cause of the problem, the association will
eventually be restored. A wireless packet capture will verify this situation.
To resolve, make sure the latest Windows OS patches have been applied.
Also consider enabling responses to broadcast probe requests. Ignoring
broadcast probe requests should be used only as a convenience to hide
special-purpose ESSIDs from clients and should not be considered a
security feature.
• The cause of the dropped association may have been a denial of service
attack, specifically a “deauth” or “disconnect station” attack. To see if this
is the case, view the Alcatel Wireless Management System log file by
navigating to the Events tab in the management GUI. A wireless packet
capture will also verify this situation.
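
One way to check a wireless packet capture for the “deauth” or “disconnect station” pattern described above, as an added example that is not part of the AOS-W documentation. It assumes 802.11 frames with any radiotap header already stripped; the function names, window, threshold and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

TEARDOWN = {10: "disassoc", 12: "deauth"}  # 802.11 management-frame subtypes

def parse_teardown(frame):
    """Return (kind, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in TEARDOWN:  # type 0 = management
        return None
    reason, = struct.unpack_from("<H", frame, 24)
    return (TEARDOWN[subtype], frame[4:10].hex(":"), frame[10:16].hex(":"),
            frame[16:22].hex(":"), reason)

def find_floods(capture, window=1.0, threshold=10):
    """capture: (timestamp_seconds, frame_bytes) pairs in time order.
    Returns {destination MAC: peak frames per window} for every destination
    that received >= threshold teardown frames within `window` seconds.
    Frames are grouped by destination because the source address can be forged."""
    times = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_teardown(frame)
        if parsed:
            times[parsed[1]].append(ts)
    flagged = {}
    for dst, stamps in times.items():
        start = peak = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[dst] = peak
    return flagged

def build(subtype, dst, src, bssid, reason):
    """Construct a sample management frame (test data only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<HH", subtype << 4, 0) + raw(dst) + raw(src)
            + raw(bssid) + struct.pack("<HH", 0, reason))

CLIENT, AP = "02:00:00:00:00:01", "02:00:00:00:00:aa"  # constructed addresses
# Constructed capture: one isolated deauth, a 40-frame burst at CLIENT, one other frame.
SAMPLE = [(0.0, build(12, "02:00:00:00:00:02", AP, AP, 3))]
SAMPLE += [(5.0 + i * 0.01, build(12, CLIENT, AP, AP, 7)) for i in range(40)]
SAMPLE.append((6.0, build(8, "ff:ff:ff:ff:ff:ff", AP, AP, 0)))  # not a teardown frame
print(find_floods(SAMPLE))
```

An isolated deauthentication frame is normal when a client leaves or is disconnected by the AP; a sustained burst aimed at one station is the pattern to correlate with the Events tab entries.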