Symptom
An older client device attempts to associate, using WPA2, to a WPA2/AES-only WLAN. Client debugs show a mismatch between the RSN IE in the association frame and the RSN IE in the EAPOL-M2 frame (length), as shown in the example below:
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Compare RSN IE in association and EAPOL-M2 frame(rsnie_len :20, and grpMgmtCipherLen:0)
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 rsnieCapabilty = 0 rsnie_len =20
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 EAPOL-key M2 with invalid RSN IE received from mobile 00:40:17:6b:4d:90 rxed IE len :20, rxed IE length in association:22 rsnie_len to compare = 20
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Dumping RSNIE received in Association request(len = 22):
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000000: 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0...............
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000010: 00 0f ac 02 28 00 ....(.
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00:40:17:6b:4d:90 Dumping RSNIE received in EAPOL M2 (len = 20):
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000000: 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ................
*Dot1x_NW_MsgTask_0: Apr 03 17:49:07.862: 00000010: ac 02 00 00 ....
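The controller check logged above compares the RSN IE body from the association request with the RSN IE carried in the EAPOL-M2 key data. The following Python script is an added example, not Cisco code, that parses both IEs using the hex bytes from the dumps above (the element ID 0x30 and the length byte are stripped from the association copy) and reports which fields differ. Suite and capability-bit names follow the IEEE 802.11 RSN element layout and are the script's own labels. Run against the page's bytes, it shows that both bodies are 20 bytes long and that the remaining difference is the RSN Capabilities field (0x0028 in the association request, 0x0000 in M2), the field that the rsn-capability-validation CLI in the workaround refers to.

```python
import struct

# Constructed from the hex dumps in the client debug output above.
ASSOC_RSN_IE = bytes.fromhex(
    "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 28 00")
EAPOL_M2_RSN_IE = bytes.fromhex(
    "01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00")

RSN_ELEMENT_ID = 0x30
OUI_IEEE = b"\x00\x0f\xac"
# Suite selector names for the 00-0f-ac OUI (IEEE 802.11 Table 9-131 / 9-133).
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}


def _suite_name(suite, table):
    """Map a 4-byte suite selector (OUI + type) to a readable label."""
    oui, kind = suite[:3], suite[3]
    if oui != OUI_IEEE:
        return "vendor-%s-%d" % (oui.hex(), kind)
    return table.get(kind, "unknown-%d" % kind)


def strip_element_header(ie):
    """Return the RSN IE body. Accepts a full element (ID 0x30, length, body),
    as carried in the association request, or a bare body, as the controller
    logs it from the EAPOL-M2 key data."""
    if len(ie) >= 2 and ie[0] == RSN_ELEMENT_ID and ie[1] == len(ie) - 2:
        return ie[2:]
    return ie


def parse_rsn_body(body):
    """Parse an RSN IE body: version, group cipher, pairwise cipher list,
    AKM list and (optional) RSN capabilities. Missing trailing fields are
    reported as None / empty; a truncated suite list raises ValueError."""
    fields = {"version": None, "group_cipher": None, "pairwise_ciphers": [],
              "akm_suites": [], "rsn_capabilities": None}
    off = 0
    if len(body) < off + 2:
        return fields
    fields["version"] = struct.unpack_from("<H", body, off)[0]
    off += 2
    if len(body) < off + 4:
        return fields
    fields["group_cipher"] = _suite_name(body[off:off + 4], CIPHER_SUITES)
    off += 4
    for key, table in (("pairwise_ciphers", CIPHER_SUITES),
                       ("akm_suites", AKM_SUITES)):
        if len(body) < off + 2:
            return fields
        count = struct.unpack_from("<H", body, off)[0]
        off += 2
        if len(body) < off + 4 * count:
            raise ValueError("truncated %s list" % key)
        fields[key] = [_suite_name(body[off + 4 * i:off + 4 * i + 4], table)
                       for i in range(count)]
        off += 4 * count
    if len(body) >= off + 2:
        fields["rsn_capabilities"] = struct.unpack_from("<H", body, off)[0]
    return fields


def describe_capabilities(cap):
    """Decode the RSN Capabilities bit field (IEEE 802.11 Figure 9-257)."""
    return {
        "preauth": bool(cap & 0x0001),
        "no_pairwise": bool(cap & 0x0002),
        "ptksa_replay_counters": 1 << ((cap >> 2) & 0x3),
        "gtksa_replay_counters": 1 << ((cap >> 4) & 0x3),
        "mfpr": bool(cap & 0x0040),
        "mfpc": bool(cap & 0x0080),
    }


def compare_rsn_ies(assoc_ie, m2_ie):
    """Return the names of RSN IE fields that differ between the association
    request copy and the EAPOL-M2 copy (the comparison the controller makes)."""
    a = parse_rsn_body(strip_element_header(assoc_ie))
    m = parse_rsn_body(strip_element_header(m2_ie))
    return [k for k in a if a[k] != m[k]]


if __name__ == "__main__":
    for label, ie in (("association", ASSOC_RSN_IE), ("EAPOL-M2", EAPOL_M2_RSN_IE)):
        body = strip_element_header(ie)
        parsed = parse_rsn_body(body)
        print("%s body (%d bytes): %s" % (label, len(body), parsed))
        if parsed["rsn_capabilities"] is not None:
            print("  capabilities:", describe_capabilities(parsed["rsn_capabilities"]))
    print("differing fields:", compare_rsn_ies(ASSOC_RSN_IE, EAPOL_M2_RSN_IE))
```

On real captures, feed compare_rsn_ies the raw RSN element from the association request and the RSN IE from the M2 key data; a non-empty result is the condition under which a controller running 8.5.140.0 with RSN Capability validation enabled rejects the M2 as logged above.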
Conditions
An older client device attempting to associate, using WPA2, to a WPA2/AES-only WLAN on 8.5.140.0 code.
Workaround
Use older code such as 8.2.170.2, which works fine, or configure the device to be WPA only and modify the WLAN to be WPA/TKIP + WPA2/AES.
We have introduced a new CLI command to enable or disable RSN Capability validation. By default it is enabled.
(Cisco Controller) >config advanced eap rsn-capability-validation
    enable     Enables RSN Capability validation
    disable    Disables RSN Capability validation
Further Problem Description
The same device with the same configuration works on 8.2.170.2 but does not work on 8.5.140.0.