We’ve had some success with this problem on our WPA2-Enterprise SSID by 
configuring the laptop to always trust the wireless certificate. This setting 
can be found in your keychain. Look for your wireless cert in Keychain Access 
and set the trust setting to “Always Trust”. This isn’t the greatest solution, 
but we’ve found it to solve the problem in some cases.


Kevin

--
Kevin Grattan
Network Engineer, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road
Evanston, IL 60208
NUIT Web Site: <http://www.it.northwestern.edu/>



From: Wang, Yu <ywan...@fsu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 24, 2014 at 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent 
SSIDs Aruba 6.3

I echo what Ryan described here. Ryan alerted me to this issue, and after 
changing the user logging level to notification on our Aruba controllers, we got 
quite a number of “Ptk Challenge Failed” in our logs. We have both OKC and 
Validate PMKID enabled and have not changed any of the settings, as I saw Aruba 
engineers gave conflicting statements.


Yu Wang
____________________________
Network Architect
Information Technology Services
The Florida State University
850-645-6810
yu.w...@fsu.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, September 24, 2014 10:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple devices dropping on WPA2-PSK and WPA2-Ent SSIDs 
Aruba 6.3

We’ve had complaints for a while that would come in sporadically, but didn’t 
pay them much mind as it was always difficult to reproduce.  The complaint was 
with Apple devices (normally OSX) that would just drop connectivity and then 
reestablish moments later.  People would complain that our secure SSID (our 
primary EAP-TLS WPA2-Ent SSID) was not stable.  It was always from Apple users. 
 Recently, however, one of our employees with an Apple running OSX (Yosemite) 
started to have the problem routinely on our PSK SSID.  When I turned on 
debugging in the logs, the following message was logged every time he dropped:

Sep 5 10:53:48 :501105:  <NOTI> |AP RB_House_016@172.28.65.99 stm|  Deauth from sta: 48:d7:05:bf:28:e5: AP 172.28.65.99-00:1a:1e:52:dd:51-RB_House_016 Reason Ptk Challenge Failed

When I googled the Ptk Challenge Failed message, it turned up an Airheads forum 
that said that since OSX devices don’t support Opportunistic Key Caching, 
having this enabled on your controllers could cause drops on these devices when 
they roam from AP to AP.  We disabled it on both our UNC-Secure and UNC-PSK 
SSIDs, and yet the user is still having disconnects, and we still see this 
message when his device drops.  We actually see a LOT of these messages in the 
logs now that I have turned on the proper notification logging, indicating that 
this error message is either a red herring, or a lot more prevalent in our 
environment than we had hoped for.

I plan on opening a case with Aruba, but before I beat my head against a wall 
for the next couple of hours with a support engineer, have any of you seen this 
problem and tackled it?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.
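
One way to check whether the "Ptk Challenge Failed" deauths come from a few clients or are spread across the environment, as an added example that is not part of any message in this thread: a Python tally per station and per AP. The regex assumes every deauth line follows the layout of the one line quoted in the thread; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Layout taken from the single deauth line quoted in the thread (assumed stable).
DEAUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+:(?P<msgid>\d+):\s+<(?P<level>\w+)>\s+"
    r"\|AP (?P<ap_name>[^@|]+)@(?P<ap_ip>[\d.]+) stm\|\s+"
    r"Deauth from sta: (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}): "
    r"AP \S+ Reason (?P<reason>.+?)\s*$",
    re.IGNORECASE,
)

def parse_deauth(line):
    """Return the fields of a station deauth line as a dict, or None."""
    m = DEAUTH_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, reason="Ptk Challenge Failed"):
    """Tally deauths with the given reason per station and per AP."""
    per_sta, per_ap, aps_by_sta = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_deauth(line)
        if rec is None or rec["reason"].lower() != reason.lower():
            continue  # unrelated line or a different deauth reason
        sta = rec["sta"].lower()
        per_sta[sta] += 1
        per_ap[rec["ap_name"]] += 1
        aps_by_sta[sta].add(rec["ap_name"])
    return {
        "total": sum(per_sta.values()),
        "per_station": dict(per_sta),
        "per_ap": dict(per_ap),
        # Stations that hit the failure on more than one AP
        "multi_ap_stations": sorted(s for s, a in aps_by_sta.items() if len(a) > 1),
    }

# Constructed sample lines: placeholder AP names, MACs and addresses, not real log data.
SAMPLE = [
    "Sep 5 10:53:48 :501105:  <NOTI> |AP AP_A@192.0.2.10 stm|  Deauth from sta: 02:00:00:00:00:01: AP 192.0.2.10-02:00:00:aa:00:01-AP_A Reason Ptk Challenge Failed",
    "Sep 5 10:58:02 :501105:  <NOTI> |AP AP_B@192.0.2.11 stm|  Deauth from sta: 02:00:00:00:00:01: AP 192.0.2.11-02:00:00:aa:00:02-AP_B Reason Ptk Challenge Failed",
    "Sep 5 11:01:17 :501105:  <NOTI> |AP AP_A@192.0.2.10 stm|  Deauth from sta: 02:00:00:00:00:02: AP 192.0.2.10-02:00:00:aa:00:01-AP_A Reason Ptk Challenge Failed",
    "Sep 5 11:02:40 :501105:  <NOTI> |AP AP_B@192.0.2.11 stm|  Deauth from sta: 02:00:00:00:00:03: AP 192.0.2.11-02:00:00:aa:00:02-AP_B Reason Placeholder Other Reason",
    "Sep 5 11:03:00 unrelated line that is not a deauth record",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```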