Windows Client Troubleshooting for WLAN 802.1X

Authentication Process for 802.1X

Flow chart of the authenticator.

Logs on the Client

On the client side, open Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational; this is the log to check for wireless connection and authentication issues.

Event IDs:

8000: WLAN AutoConfig service started a connection to a wireless network.

11000: Wireless network association started.

11001: Wireless network association succeeded.

11010: Wireless security started.

12011: Wireless 802.1x authentication started.

12014: Wireless 802.1x authentication was restarted.

11004: Wireless security stopped.

In the screenshot above, the wireless security process stopped (Event ID 11004) and then started again at Event ID 11010 (Wireless security started).
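As an added example (not code from the original post), the following script spots that stop-and-start pattern in an exported copy of the log: it groups events into cycles that begin with 11010 and end with 11004, counts the 12014 restarts inside each cycle, and flags every cycle that stopped only to be followed by a fresh 11010. The tab-separated sample lines are constructed to mirror the screenshot; their timestamps and message text are illustrative, and only the event IDs listed above are interpreted.

```python
"""Detect 802.1X restart loops in Microsoft-Windows-WLAN-AutoConfig/Operational events.

Added example, not code from the original post. SAMPLE_LOG is constructed in the
shape 'TIME<TAB>EVENTID<TAB>MESSAGE', the columns you get when exporting the log
as text; only the event IDs listed in the post are interpreted, every other event
is simply carried along in the cycle's event list.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Event IDs from the WLAN-AutoConfig/Operational log, as listed in the post.
CONNECTION_STARTED = 8000
ASSOCIATION_STARTED = 11000
ASSOCIATION_SUCCEEDED = 11001
SECURITY_STARTED = 11010
SECURITY_STOPPED = 11004
DOT1X_STARTED = 12011
DOT1X_RESTARTED = 12014


@dataclass
class SecurityCycle:
    """One 11010 ... 11004 span: a single attempt to complete wireless security."""
    started: str
    stopped: Optional[str] = None
    dot1x_restarts: int = 0
    events: List[int] = field(default_factory=list)


def parse_line(line: str):
    """Split 'TIME<TAB>EVENTID<TAB>MESSAGE' into (time, int event id, message)."""
    time, event_id, message = line.rstrip("\n").split("\t", 2)
    return time, int(event_id), message


def security_cycles(lines) -> List[SecurityCycle]:
    """Group events into one SecurityCycle per 11010 'Wireless security started'."""
    cycles: List[SecurityCycle] = []
    current: Optional[SecurityCycle] = None
    for line in lines:
        time, event_id, _ = parse_line(line)
        if event_id == SECURITY_STARTED:
            current = SecurityCycle(started=time)
            cycles.append(current)
        if current is None:
            continue  # 8000/11000/11001 precede the first security cycle
        current.events.append(event_id)
        if event_id == DOT1X_RESTARTED:
            current.dot1x_restarts += 1
        elif event_id == SECURITY_STOPPED:
            current.stopped = time
            current = None
    return cycles


def restart_loops(cycles: List[SecurityCycle]) -> List[SecurityCycle]:
    """Cycles that ended in 11004 and were followed by another 11010: the pattern in the post."""
    return [c for c, _nxt in zip(cycles, cycles[1:]) if c.stopped is not None]


def summarize(lines) -> dict:
    cycles = security_cycles(lines)
    return {
        "cycles": len(cycles),
        "looped": len(restart_loops(cycles)),
        "dot1x_restarts": sum(c.dot1x_restarts for c in cycles),
        "stopped": sum(1 for c in cycles if c.stopped is not None),
    }


# Constructed sample export: two security cycles, each stopped after EAP restarts.
SAMPLE_LOG = [
    "09:00:00.000\t8000\tWLAN AutoConfig service started a connection to a wireless network.",
    "09:00:00.050\t11000\tWireless network association started.",
    "09:00:00.120\t11001\tWireless network association succeeded.",
    "09:00:00.125\t11010\tWireless security started.",
    "09:00:00.130\t12011\tWireless 802.1x authentication started.",
    "09:00:05.130\t12014\tWireless 802.1x authentication was restarted.",
    "09:00:10.130\t12014\tWireless 802.1x authentication was restarted.",
    "09:00:15.200\t11004\tWireless security stopped.",
    "09:00:15.300\t11010\tWireless security started.",
    "09:00:15.310\t12011\tWireless 802.1x authentication started.",
    "09:00:20.310\t12014\tWireless 802.1x authentication was restarted.",
    "09:00:30.400\t11004\tWireless security stopped.",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A "looped" count above zero with no cycle ever reaching an authentication success event is the client-side signature of the RADIUS-side timeout discussed in the next section; the report from netsh (below) or a text export of the Operational log can be fed to summarize() line by line.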

 

 

ClearPass Access Tracker

The RADIUS server gives more information. ClearPass Access Tracker shows the request with status “TIMEOUT”.

More details for the request are shown below. The request uses WPA3-AES-CCM-128.

Radius:IETF:WLAN-AKM-Suite 1027084

  • Attribute: WLAN-AKM-Suite specifies the Authentication and Key Management (AKM) suite. This defines the method used to generate the Pairwise Master Key (PMK) during the 802.1X authentication process.
  • Value 1027084 (hex):
    • 10: This is the vendor-specific attribute (VSA) ID for the Wi-Fi Alliance.
    • 27084 corresponds to 00-0F-AC:04. This value indicates a WPA2 handshake using 802.1X for key exchange. 

Radius:IETF:WLAN-Group-Cipher 1027081

  • Attribute: WLAN-Group-Cipher specifies the cipher used to encrypt broadcast and multicast traffic. The key used for this is the Group Transient Key (GTK), which is securely distributed to all authenticated clients.
  • Value 1027081 (hex):
    • 10: Wi-Fi Alliance VSA ID.
    • 27081 corresponds to 00-0F-AC:01. This value indicates Advanced Encryption Standard (AES) in Cipher-Block Chaining Message Authentication Code (CBC-MAC), also known as CCMP, which is a mandatory part of WPA2 and WPA3 security standards. 

Radius:IETF:WLAN-Group-Mgmt-Cipher 1027084

  • Attribute: WLAN-Group-Mgmt-Cipher specifies the cipher suite used to protect critical management frames within the wireless network. This prevents an attacker from forging or tampering with management frames, which could be used to deauthenticate legitimate clients. This feature is part of Protected Management Frames (PMF), which is mandatory in WPA3 and optional in WPA2.
  • Value 1027084 (hex):
    • 10: Wi-Fi Alliance VSA ID.
    • 27084 corresponds to 00-0F-AC:04. This value indicates that management frames are protected using AES-128-CMAC, a standard requirement for PMF. 

Radius:IETF:WLAN-Pairwise-Cipher 1027081

  • Attribute: WLAN-Pairwise-Cipher specifies the cipher suite used for encrypting and decrypting unicast traffic (one-to-one communication between a client and the access point).
  • Value 1027081 (hex):
    • 10: Wi-Fi Alliance VSA ID.
    • 27081 corresponds to 00-0F-AC:01. This value indicates that AES-CCMP is used for pairwise unicast traffic, which is a required security mechanism for WPA2 and WPA3.

The screenshot above shows that ClearPass processed the request and sent a RADIUS response with “Radius:Aruba:Aruba-Named-User-Vlan = SparkCorp_AKMDR”.

Here, ClearPass accepts the client request because both the client and ClearPass support WPA3-AES-CCM-128.

But in the middle sits an AP that only allows WPA3-CNSA (WPA3 with AES 192-bit, GCMP-256), so this negotiation is not acceptable to the AP.

To specify WPA3 Enterprise 192-bit mode (also known as the Commercial National Security Algorithm Suite, or CNSA) with GCMP-256 in RADIUS attributes, you need to use specific hexadecimal values defined by the Wi-Fi Alliance.

The key management suite uses the suite selector 00-0F-AC:12, while the pairwise, group and group management ciphers use GCMP-256, corresponding to 00-0F-AC:08.

Here are the required RADIUS attribute values for WPA3 Enterprise 192-bit mode with GCMP-256:

  • Radius:IETF:WLAN-AKM-Suite, hexadecimal value 10270812. Decoded meaning: Authentication and Key Management (AKM). Indicates the use of WPA3 192-bit mode, which relies on a more robust 802.1X/EAP authentication with SHA-384 and elliptic curve cryptography (ECC).
  • Radius:IETF:WLAN-Pairwise-Cipher, hexadecimal value 10270808. Decoded meaning: Pairwise Cipher. Specifies GCMP-256 (Galois/Counter Mode Protocol) for unicast traffic (traffic between a client and the access point). This provides robust confidentiality and integrity for user data.
  • Radius:IETF:WLAN-Group-Cipher, hexadecimal value 10270808. Decoded meaning: Group Cipher. Specifies GCMP-256 for broadcast and multicast traffic. The group key is protected using the same strong cryptographic standards.
  • Radius:IETF:WLAN-Group-Mgmt-Cipher, hexadecimal value 10270808. Decoded meaning: Group Management Cipher. Specifies GCMP-256 for protecting management frames. In 192-bit mode, this is required and enforced for all management traffic to prevent spoofing and denial-of-service attacks.

The components of these values are:

  • 10 (Vendor ID): Represents the Wi-Fi Alliance as the vendor for the attribute.
  • 2708 (OUI): Represents the Organizationally Unique Identifier (OUI) 00-0F-AC, which is the identifier for the Wi-Fi Alliance.
  • 12 (AKM-Suite Selector): 00-0F-AC:12 designates the WPA3 Enterprise 192-bit Authentication and Key Management suite.
  • 08 (Cipher Suite Selector): 00-0F-AC:08 designates the GCMP-256 cipher for data and management frame protection.
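A small decoder for these four attributes, as an added example that is not code from the original post or from Aruba ClearPass, serving both the Access Tracker values decoded earlier and the 192-bit selectors listed above. Per RFC 7268 each attribute is a 4-octet value, a 3-octet OUI followed by a 1-octet suite selector, and Access Tracker displays that value as a decimal integer, so the decoder converts the displayed number to its 4-octet big-endian form before splitting it; the selector names come from the IEEE 802.11 cipher suite and AKM suite selector tables. SAMPLE_REQUEST holds the values from the Access Tracker screenshot; mismatches() compares a request against whatever suites the AP is configured to enforce, which you supply in the same integer form.

```python
"""Decode RFC 7268 WLAN suite attributes as displayed by ClearPass Access Tracker.

Added example, not code from the original post or from Aruba ClearPass.
WLAN-AKM-Suite, WLAN-Pairwise-Cipher, WLAN-Group-Cipher and WLAN-Group-Mgmt-Cipher
are each a 4-octet integer: a 3-octet OUI followed by a 1-octet suite selector.
Access Tracker prints that integer in decimal (for example 1027084).
"""
from typing import Dict, Tuple

WIFI_ALLIANCE_OUI = "00-0F-AC"

# Selector names from the IEEE 802.11 cipher suite and AKM suite selector tables.
CIPHER_SUITES: Dict[int, str] = {
    1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 6: "BIP-CMAC-128",
    8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256", 11: "BIP-GMAC-128",
    12: "BIP-GMAC-256", 13: "BIP-CMAC-256",
}
AKM_SUITES: Dict[int, str] = {
    1: "802.1X (SHA-1)", 2: "PSK", 3: "FT over 802.1X", 4: "FT using PSK",
    5: "802.1X (SHA-256)", 6: "PSK (SHA-256)", 8: "SAE", 9: "FT over SAE",
    11: "802.1X Suite B (SHA-256)", 12: "802.1X Suite B 192-bit (SHA-384)",
    13: "FT over 802.1X (SHA-384)",
}


def decode_suite(value: int, kind: str) -> Tuple[str, int, str]:
    """Split a decimal attribute value into (OUI, selector, name).

    kind is 'akm' for WLAN-AKM-Suite and 'cipher' for the three cipher
    attributes; it chooses which name table the selector octet is looked up in.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("suite attribute must fit in 4 octets")
    if kind not in ("akm", "cipher"):
        raise ValueError("kind must be 'akm' or 'cipher'")
    raw = value.to_bytes(4, "big")          # OUI in raw[0:3], selector in raw[3]
    oui = "-".join(f"{b:02X}" for b in raw[:3])
    selector = raw[3]
    if oui != WIFI_ALLIANCE_OUI:
        return oui, selector, "vendor-specific"
    table = AKM_SUITES if kind == "akm" else CIPHER_SUITES
    return oui, selector, table.get(selector, "reserved/unknown")


def encode_suite(oui: str, selector: int) -> int:
    """Inverse of decode_suite: the decimal value for an 'XX-XX-XX' OUI and a selector."""
    if not 0 <= selector <= 0xFF:
        raise ValueError("selector must be one octet")
    octets = bytes(int(part, 16) for part in oui.split("-")) + bytes([selector])
    if len(octets) != 4:
        raise ValueError("OUI must be three octets")
    return int.from_bytes(octets, "big")


def decode_request(attributes: Dict[str, int]) -> Dict[str, str]:
    """Render the suite attributes of one request as 'OUI:selector (selector n: name)'."""
    out = {}
    for attr, value in attributes.items():
        kind = "akm" if attr.endswith("AKM-Suite") else "cipher"
        oui, selector, name = decode_suite(value, kind)
        out[attr] = f"{oui}:{selector:02X} (selector {selector}: {name})"
    return out


def mismatches(request: Dict[str, int], ap_policy: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Attributes whose suite in the request differs from the suite the AP enforces.

    ap_policy maps the same attribute names to the integer values the AP requires.
    A non-empty result is the kind of disagreement described in the post between
    what the RADIUS server accepted and what the AP will actually allow.
    """
    return {
        attr: (request[attr], ap_policy[attr])
        for attr in ap_policy
        if attr in request and request[attr] != ap_policy[attr]
    }


# Values taken from the Access Tracker screenshot in the post.
SAMPLE_REQUEST = {
    "Radius:IETF:WLAN-AKM-Suite": 1027084,
    "Radius:IETF:WLAN-Group-Cipher": 1027081,
    "Radius:IETF:WLAN-Group-Mgmt-Cipher": 1027084,
    "Radius:IETF:WLAN-Pairwise-Cipher": 1027081,
}

if __name__ == "__main__":
    for attr, text in decode_request(SAMPLE_REQUEST).items():
        print(f"{attr:40s} {text}")
```

Run it directly to print the decoded request, or call encode_suite(WIFI_ALLIANCE_OUI, n) for any selector n to obtain the integer form, so that the value Access Tracker shows and the value the AP enforces are compared in the same representation rather than by eye.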

 

You can also run "netsh wlan show wlanreport duration=3" from the Command Prompt and investigate the result; the report is thorough. The duration parameter is the number of days the report covers.

The command generates an HTML file containing the wireless network report and prints its path in the Command Prompt, typically C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html
