Failed to connect to WPA3-Enterprise GCM256/CNSA
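I tried connecting an iPhone SE/iOS 13.5.1 to WPA3-Enterprise GCM256 and CNSA with EAP-TLS, but both failed. The cause is unknown. EAP-PEAP did not work either. Below are the logs from when EAP-TLS was used.
- When connecting to GCM256
The log shows the AP retransmitting Key1 of the 4-way handshake, but the iPhone does not return Key2.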
AP505# show ap debug auth-trace-buf
Auth Trace Buffer
-----------------
Jul 4 15:52:05 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
Jul 4 15:52:07 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
- When connecting to CNSA
We can see up to wpa3-cnsa-key4, but an IP address has not been obtained via DHCP.
AP505# show ap debug auth-trace-buf
Auth Trace Buffer
-----------------
Jul 5 16:30:29 wpa3-cnsa-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 125
Jul 5 16:30:29 wpa3-cnsa-key2 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 147
Jul 5 16:30:29 wpa3-cnsa-key3 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 231
Jul 5 16:30:29 wpa3-cnsa-key4 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 103
AP505# show clients debug
Client List
-----------
Name Host Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps) *Reauth Age *Reauth Interval *Reauth ESSID Auth Type *Authenticated DEL Age Vlan *ESSID *Private role info Accouting Session Name BSSID Idle Timeout csum *mcast groups *Acct Interval *Class Attribute *Dhcp-Opt Vlan *Dhcp-Opt role Intercept *Offline *FB Token *FB RxBytes *FB TxBytes *SLAAC IP Address *Link Local IP Address *DHCP Status *DHCP v6 Status
---- --------- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------ ----------- ---------------- ------------- --------- -------------- --- --- ---- ------ ------------------ ---------------------- ----- ------------ ---- ------------- -------------- ---------------- -------------- -------------- --------- -------- --------- ----------- ----------- ----------------- ---------------------- ------------ ---------------
0.0.0.0 84:ab:1a:11:d2:f6 NOFP bin4-wpa3-enterprise-cnsa AP505 108 a-HE bin4-wpa3-enterprise-cnsa -- 58(good) 8(poor) 18 0 bin4-wpa3-enterprise-cnsa 802.1x/TLS yes no 6 0(NONE) bin4-wpa3-enterprise-cnsa(EAP-TLS) 155(RADIUS-7fff) b8:3a:5a:8b:36:d2 1000 b4944a0d (0) 0 a3cbd30cf4d346e0beea50959a4419e8b90b0000000000005230303030303434392d30312d35663031383139350000000000000000000000 0,NONE ,,0-0 no no null null null 0.0.0.0 0.0.0.0 None None
AP505#
I will continue investigating.
[English Version]
I tried to connect an iPhone SE/iOS 13.5.1 to Aruba AP505/Instant OS 8.7.0.0 WPA3-Enterprise GCM256 and CNSA with EAP-TLS, but could not. I am not sure what I missed. I also tried EAP-PEAP, but that failed too. Below is the output when using EAP-TLS.
- Connecting to GCM256
We can see that the AP sent 4-way handshake Key1, but the STA did not send Key2.
AP505# show ap debug auth-trace-buf
Auth Trace Buffer
-----------------
Jul 4 15:52:05 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
Jul 4 15:52:07 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
- Connecting to CNSA
We can see wpa3-cnsa-key4, but the iPhone could not get an IP address from the DHCP server.
AP505# show ap debug auth-trace-buf
Auth Trace Buffer
-----------------
Jul 5 16:30:29 wpa3-cnsa-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 125
Jul 5 16:30:29 wpa3-cnsa-key2 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 147
Jul 5 16:30:29 wpa3-cnsa-key3 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 231
Jul 5 16:30:29 wpa3-cnsa-key4 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 103
AP505# show clients debug
Client List
-----------
Name Host Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps) *Reauth Age *Reauth Interval *Reauth ESSID Auth Type *Authenticated DEL Age Vlan *ESSID *Private role info Accouting Session Name BSSID Idle Timeout csum *mcast groups *Acct Interval *Class Attribute *Dhcp-Opt Vlan *Dhcp-Opt role Intercept *Offline *FB Token *FB RxBytes *FB TxBytes *SLAAC IP Address *Link Local IP Address *DHCP Status *DHCP v6 Status
---- --------- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------ ----------- ---------------- ------------- --------- -------------- --- --- ---- ------ ------------------ ---------------------- ----- ------------ ---- ------------- -------------- ---------------- -------------- -------------- --------- -------- --------- ----------- ----------- ----------------- ---------------------- ------------ ---------------
0.0.0.0 84:ab:1a:11:d2:f6 NOFP bin4-wpa3-enterprise-cnsa AP505 108 a-HE bin4-wpa3-enterprise-cnsa -- 58(good) 8(poor) 18 0 bin4-wpa3-enterprise-cnsa 802.1x/TLS yes no 6 0(NONE) bin4-wpa3-enterprise-cnsa(EAP-TLS) 155(RADIUS-7fff) b8:3a:5a:8b:36:d2 1000 b4944a0d (0) 0 a3cbd30cf4d346e0beea50959a4419e8b90b0000000000005230303030303434392d30312d35663031383139350000000000000000000000 0,NONE ,,0-0 no no null null null 0.0.0.0 0.0.0.0 None None
AP505#
I will try and update later.
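The reading of the two auth-trace-buf outputs above (Key1 repeated with no Key2, versus a run through key4) can be automated. This is an added example, not part of the original post or Aruba tooling; the line layout is inferred from the traces quoted here, the trailing number is left uninterpreted, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the traces in this post (an assumption):
#   <Mon> <day> <hh:mm:ss> <event>-key<N> <dir> <client MAC> <BSSID> - <number>
LINE = re.compile(r"(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)-key([1-4])\s+(<-|->)\s+"
                  r"([0-9a-f:]{17})\s+([0-9a-f:]{17})\s+-\s+\d+")

# The two auth-trace-buf outputs quoted in the post.
GCM256_TRACE = """\
Jul 4 15:52:05 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
Jul 4 15:52:07 wpa2-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d1 - 117
"""
CNSA_TRACE = """\
Jul 5 16:30:29 wpa3-cnsa-key1 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 125
Jul 5 16:30:29 wpa3-cnsa-key2 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 147
Jul 5 16:30:29 wpa3-cnsa-key3 <- 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 231
Jul 5 16:30:29 wpa3-cnsa-key4 -> 84:ab:1a:11:d2:f6 b8:3a:5a:8b:36:d2 - 103
"""

def handshakes(trace):
    """Return {(client, bssid): [4-way message numbers in log order]}."""
    seen = defaultdict(list)
    for line in trace.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:  # prompt, title and separator lines do not match
            seen[(m.group(5), m.group(6))].append(int(m.group(3)))
    return dict(seen)

def summarize(trace):
    """Classify each client/BSSID pair as complete or stalled."""
    report = {}
    for pair, msgs in handshakes(trace).items():
        last = max(msgs)
        report[pair] = {
            "state": "complete" if last == 4 else "stalled",
            "last_msg": last,
            # extra copies of the last message seen are retransmissions
            "retransmits": msgs.count(last) - 1,
        }
    return report

if __name__ == "__main__":
    for name, trace in (("GCM256", GCM256_TRACE), ("CNSA", CNSA_TRACE)):
        for (sta, bssid), result in summarize(trace).items():
            print(name, sta, bssid, result)
```

The summary covers the whole buffer per client/BSSID pair and does not separate repeated connection attempts. A "complete" result only says the 4-way handshake finished, so a client still showing 0.0.0.0 has to be investigated at the DHCP stage.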