Wireless Station Deauth Issues Windows 8.1

Please follow & like us :)

Wireless Station Deauth Issues

This week i’ve been troubleshooting a very bizarre Wireless Station Deauth issue on an Aruba 6000 Controller along with some HP and Dell Laptops running Windows 8 and Windows 8.1

The issue came about after upgrading the Laptops from Windows 7 to Windows 8.1 over the Christmas break. Since these laptops are used in a school, many of them get powered on at once. What was identified was that some of the laptops were connecting and other weren’t. The ones that weren’t connecting were in a state of searching for wireless networks.

This was total intermittent, meaning that the laptop that didn’t work 5 minutes ago, could suddenly associate and then jump onto the network and work perfectly. So with any intermittent issue this was going to take time to troubleshoot.

Wireless Station Deauth Troubleshooting

Firstly the way that a Laptop successfully authenticates via 802.1x onto the network is via the following:

  • Laptop Powers on and Associates to SSID
  • Authentication Process is WPA2 AES through to a Microsoft Windows 2008 R2 Radius (or in Microsoft world Network Policy Server)
  • Laptop presents its Computer Certificate for Authentication
  • Authentication Succeeds
  • DHCP Request from Client
  • DHCP Offer from DHCP Server
  • Laptop is on the Wireless Network

If you are not sure on how 802.1x works between Supplicant, Authenticator and Authentication Server you can click here for an excellent explanation on Wikipedia

The first step was to install the latest Intel Windows 8.1 Wireless card drivers for the adapters within the laptops. These consisted of 2 different types of Intel cards:

  • Intel Centrino Advanced-N 6205
  • Intel Centrino Advanced-N 6300

Both cards now had the latest drivers and still the same problem persisted. I played around with changing the following settings within the adapter to see if it made any difference:

  • Disable N Mode
  • Change Aggressive Roaming Settings: Low – Medium – High
  • Change Power Mode of Card: – Low – Medium – High
  • Change Preference of 2.4GHz over 5Ghz and vice versa

Still the same problem. After searching on the Intel Communities for known problems with the above cards and Windows 8.1, I found that plenty of people are experiencing very similar issues. They explain that everything was working fine and then as soon as upgrading to Windows 8.1, they experienced very weird connectivity problems. A few Intel mods replied saying that the issue had been fixed in newer drivers however from the responses that followed, it appears this was not the case.

I then installed Microsoft Network Monitor 3.4 on the laptops so I could see from the Laptops point of view what it was trying to do. You can use any packet tracing software for this. Another good alternative is Wireshark

It was the time to turn on debugging in the Aruba 6000 wireless switch so I could see what was going on in this area. The commands I used to turn on the debugging are:

  • logging level debugging network process authmgr
  • logging level debugging network process dhcpd subcat dhcp
  • logging level debugging network process dhcpd subcat packet-dump
  • logging level debugging security process authmgr subcat dot1x
  • logging level debugging security process authmgr subcat packet-trace
  • logging level debugging user process aaa
  • logging level debugging user process authmgr subcat dot1x
  • logging level debugging user process authmgr subcat radius
  • logging level debugging wireless process authmgr
  • logging level debugging ap-debug AP10_Level2
  • logging level debugging user-debug 00:24:d7:c2:a1:34 (This is the Intel 6300 Card – HP Laptop)
  • logging level debugging user-debug 8c:70:5a:85:ef:44 (This is the Intel 6205 Card – Dell Laptop)

Sometimes during my tests I would also clear the MAC address from the user-table. The command I used to do this was:

  • aaa user delete mac 00:24:d7:c2:a1:34

If you need to look into the authentication packets being sent and receive via the Switch (Authenticator) you can use this command:

  • show auth-tracebuf (with options failures or the mac address)

I had the 2 laptops with me, HP and Dell, as I powered off the wireless adapter on both computers and then powered on the HP one so that I can see the debug logs in action within the wireless switch. I issued the following command on the Aruba 6000 wireless switch:

  • show log user-debug 100 (The 100 shows the last 100 messages, you can type any number here or you can type all)

This is what I noticed:

  • <NOTI> [stm] Assoc request @ 15:05:30.322819: 00:24:d7:c3:0d:c8 (SN1): AP
  • <NOTI> [stm] Assoc success @ 15:05:30.325271: 00:24:d7:c3:0d:c8: AP
  • <DBUG> |stm|  Sending STA 00:24:d7:c3:0d:c8 message to Auth and Mobility Unicast Encr WPA2 8021X AES Multicast Encr WPA2 8021X AES VLAN 0x1, wmm:1, rsn_cap:3c
  • <DBUG> |mobileip|  Station 00:24:d7:c3:0d:c8, Received association on ESSID: CORPSSID Mobility service ON, HA Discovery on Association Off, Fastroaming Disabled, AP: Name AP10_Level2 Group Library BSSID 6c:f3:7f:23:53:2d, phy g, VLAN 1
  • <NOTI> |mobileip|  Station 00:24:d7:c3:0d:c8, Mobility trail, on switch, VLAN 2, AP AP10_Level2, CORPSSID/6c:f3:7f:23:53:2d/g
  • <INFO> |authmgr|  MAC=00:24:d7:c3:0d:c8 Station UP: BSSID=6c:f3:7f:23:53:2d ESSID=CORPSSID VLAN=2 AP-name=AP10_Level2
  • <DBUG> |authmgr|  dot1x_supplicant_up(): MAC:00:24:d7:c3:0d:c8, pmkid_present:False, pmkid:N/A
  • <INFO> |authmgr|  MAC=00:24:d7:c3:0d:c8 Station authenticate(start): method=802.1x, role=Permit_All_User_Role/Permit_All_User_Role//Permit_All_User_Role, VLAN=2/1/0/0/0/0, Derivation=1/0, Value Pair=0
  • <INFO> |authmgr|  MAC=00:24:d7:c3:0d:c8,IP=N/A User role updated, existing Role=Permit_All_User_Role/none, new Role=Permit_All_User_Role/none, reason=Station Authenticated with auth type: 4
  • <INFO> |authmgr|  MAC=00:24:d7:c3:0d:c8,IP=N/A User data downloaded to datapath, new Role=Permit_All_User_Role/56, bw Contract=0/0,reason=Download driven by user role setting
  • <INFO> |authmgr|  MAC=00:24:d7:c3:0d:c8 Station authenticate: method=802.1x, role=Permit_All_User_Role/Permit_All_User_Role//Permit_All_User_Role, VLAN=2/1/0/0/0/0, Derivation=1/0, Value Pair=0

This is all good up to here but then the problem packet comes where the wireless station wants to deauth for some reason and I see 1 of the 2 messages below in the debug log:

  • <NOTI> |stm|  Deauth from sta: 00:24:d7:c3:0d:c8: AP Reason Unspecified Failure
  • <NOTI> |stm|  Deauth from sta: 00:24:d7:c3:0d:c8: AP Reason 255

The first line I cannot find or figure out what Unspecified Failure means, and Reason 255 according to this post on Aruba Airheads, means that the client sent a Deauth but did not give a reason.

From the Wireless Station point of view with the Packet Capture I see the following:

  • Many AP Probes with Signal Strength and SSID for the Laptop to connect to
  • The Laptop associates
  • EAPOL packets sent and received followed by Authentication success
  • DHCP request from the client
  • DHCP offer from the server
  • Then I see many AP Probe requests again. Meaning that the laptop has left the current association and is looking to associate again

All this diagnostics points straight back to the client. Intel have Windows 8.1 drivers for the integrated cards so it looks like the operating system is supported.

The Solution

My final step was to try and find the oldest driver that would work on Windows 8.1 and slowly step up from that, testing each time.

Our tests were pretty simple, turn the wireless switch off, wait, and on again on the laptop. Maybe after 1 time I would see the problem, then again maybe after 20 times I would see that problem.

In the end, we ended up running a Windows 7 driver that was able to install into Windows 8.1 and after a full afternoon of testing and roaming around to different IP’s we did not see the error.

[ad name=”sysadmintutorialsSquareLargeBottom”]

Be the first to comment

Leave a Reply

Your email address will not be published.



This site uses Akismet to reduce spam. Learn how your comment data is processed.