Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
GautSikk
Staff
Staff

Created on ‎01-16-2024 01:18 AM

Article Id 294351

Troubleshooting Tip: After updating to v7.2.x, there is an issue where WiFi devices randomly fail to connect to an SSID enabled with MPSK

Description This article describes how to verify the cause of failure when WiFi devices experience random connection issues to an SSID enabled with MPSK.
Scope Validation of the Authentication Issue with the SSID mapped to the MPSK Profile.
Solution

If WiFi devices are experiencing authentication issues with the SSID using the MPSK profile after an upgrade, and the devices fail during the 4-way handshake at step 2 of the WPA handshake (specifically, due to an invalid MIC in the 2/4 message of the 4-way handshake), it is necessary to check if the MPSK keys are fully loaded in the wpad daemon after applying a VAP with the MPSK-profile selected on a FortiAP.


In the problematic state, it becomes apparent that the MPSK keys are not completely loaded in the wpad daemon, leading to authentication issues.


To confirm the completeness of the loaded MPSK keys, log in to the CLI of the FortiGate:


SWAT-ETAC-Wi-Fi # diagnose wireless-controller wlac -c mpsk-prof

MPSK_PROF (001/001) vdom,name: root, snbrca-wh
refcnt : 2 own(1) wlan(1)
deleted : no
group cnt : 2
key cnt : 101
client limit : 0
wlan cnt : 1
vap 001 : 0 snbrca-wh


SWAT-ETAC-Wi-Fi # diagnose wpa wpad mpsk-info


SSID config (001/002): SSID(CovenantTransport) VAP(Covenant Transp) refcnt(19)
MPSK is disabled on this SSID.
SSID config (002/002): SSID(snbrca-wh) VAP(snbrca-wh) refcnt(38)
Password name (001/080): Scanners2, snbr00079
mac-binding: 00:00:00:00:00:00
sta cnt(0) type (1) max sta cnt(unlimited)
vlan_type(1) vlan_id(3) schedule_cnt(1)
schedules :SMTWTFS 00:00->00:00,
PMK: 2bd732600642e82e4f73c3e1a73a305a50d137ea409c48026dfa84e6b7251955
Password name (002/080): Scanners2, snbr00078
mac-binding: 00:00:00:00:00:00
sta cnt(0) type (1) max sta cnt(unlimited)
vlan_type(1) vlan_id(3) schedule_cnt(1)
schedules :SMTWTFS 00:00->00:00,
PMK: ab25db80cbf3aa6c3056d9fdeb7add20066d71c4b1da609624f64022795fe10c
Password name (003/080): Scanners2, snbr00077
mac-binding: 00:00:00:00:00:00
sta cnt(0) type (1) max sta cnt(unlimited)
vlan_type(1) vlan_id(3) schedule_cnt(1)
schedules :SMTWTFS 00:00->00:00,
PMK: 3af9b5d9d437dbf92432be07aa637da391a34a36f5102f2b81dc431a00cfdbbd
Password name (004/080): Scanners2, snbr00001


Complete List of Keys:

In the above scenario,  only 80 Keys are visible instead of the 101 Keys in wpad daemon debug. It is then necessary to recreate the MPSK profile or upgrade the FortiGate Firewall to version v7.4.1 or v7.2.7.

 

446
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.