Wi Fi Troubleshooting Performance Monitoring Case Study Troubleshooting

Wi. Fi Troubleshooting & Performance Monitoring Case Study : Troubleshooting wireless issues via Mojo Aware - Asvin

Case studies In this session, we will cover how Mojo Aware helped system administrators to identify following issues in corporate environment: • Scenerio 1: Wireless connection is lost when the wireless session times out in Windows 7 or Windows Server 2008 R 2 • Scenerio 2: Issues with clients staying connected to an Access Point that has bad signal (Sticky Clients) 2 © Mojo Networks. Confidential Information.

Case Study: Window 7 Clients loses Wi. Fi connectivity Vertical: SME branch office Problem Wireless connection is lost when the wireless session times out in Windows 7 or Windows Server 2008 R 2 Flag Mojo Aware flagged Invalid MIC failure on dashboard Cause Win 7 clients randomly introduce invalid MIC causing Mojo AP’s to reject M 2 messages 3 © Mojo Networks. Confidential Information.

Learning Objectives • User impact of random client disconnection • Problem Statement • Detailed description of EAPOL 4 -Way handshake functionality • Symptoms • Cause • How Mojo Aware quickly identifies Invalid MIC failures and promptly alerts administrator 4 © Mojo Networks. Confidential Information.

User Impact of the Problem • Few minutes disruption of Wi. Fi during office hours • Issue occurs randomly on Windows 7 laptop • Takes nearly 1 to 2 mins for the laptop to reconnect to wireless network 5 © Mojo Networks. Confidential Information.

Debugging “Invalid MIC failure” • Problem Statement • Few minutes random disruption of Wi. Fi • Windows 7 clients connecting to wireless networks configured with WPA 2 and session timeout may get disconnected during the key exchange after reauthentication • Over the air, M 1 and M 2 packet retried several times causing delay in reconnection • AP logs during problem: 6 © Mojo Networks. Confidential Information.

EAPOL 4 -way Message in detail (M 1) • Apply display filter EAPOL-Key messages using “eapol. keydes. type == 2” wireshark display filter. Message 1 (M 1) • Authenticator sends EAPOL-Key frame containing an ANonce(Authenticator nonce) to supplicant. • With this information, supplicant have all necessary input to generate PTK using pseudo-random function(PRF) 7 © Mojo Networks. Confidential Information.

EAPOL 4 -way Message in detail (M 2) Message 2 (M 2) ➢Supplicant sends an EAPOLKey frame containing SNonce to the Authenticator. ➢Now authenticator has all the inputs to create PTK. ➢Supplicant also sent RSN IE capabilities to Authenticator & MIC ➢Authenticator derive PTK & validate the MIC as well. 8 © Mojo Networks. Confidential Information.

EAPOL 4 -way Message in detail (M 3) Message 3 (M 3) ➢If necessary, Authenticator will derive GTK from GMK. ➢Authenticator sends EAPOLKey frame containing ANonce, RSN-IE & a MIC. ➢GTK will be delivered (encrypted with PTK) to supplicant. ➢Message to supplicant to install temporal keys. 9 © Mojo Networks. Confidential Information.

EAPOL 4 -way Message in detail (M 4) Message 4 (M 4) ➢Supplicant sends final EAPOL -Key frame to authenticator to confirm temporal keys have been installed. ➢From this point onwards data frame will be encrypted using PTK or GTK (depending upon unicast or multicast/broadcast frame) 10 © Mojo Networks. Confidential Information.

Symptoms This issue occurs when a Windows 7 -based computer is connected to a wireless network by using the Wi. Fi- WPA 2 protocol and the wireless access point (AP) starts a new exchange of WPA 2 keys. In the four-way handshake, the Windows 7 -based computer sends a Message 2 (M 2) with an invalid message integrity check (MIC) Note This issue may occur every 12 hours or more frequently, and it takes one minute to regain the network connectivity. 11 © Mojo Networks. Confidential Information.

Cause This issue occurs because the WPA 2 key context is not set correctly before the four-way handshake rekeys. Certain variables are not reset after the previous four-way handshake. This causes the secure bit to be set incorrectly and the stale Pairwise Transient Key (PTK) to be used to calculate the MIC in the M 2 key messages. APs reject the M 2 messages because of these errors. 12 © Mojo Networks. Confidential Information.

Root cause analysis Microsoft confirmed this bug and fixed in Hotfix Win 7 release. https: //support. microsoft. com/en-in/kb/3094412 Win 7 laptop required above hotfix upgrade. 13 © Mojo Networks. Confidential Information.

How Mojo-aware quickly identifies Invalid MIC failures and promptly alerts administrator Mojo Aware pinpoint exact cause of failure and saves administrator time and effort for debugging Wireless capture is saved here! 14 © Mojo Networks. Confidential Information.

Aware: Capture for corresponding failure Mojo Aware display exact packet capture during problem statement without applying any display filters! 15 © Mojo Networks. Confidential Information.

Mojo Aware advantages • Promotes actual cause of issue, not just client connectivity failure • Administrator identifies complex EAPOL issues in single glance • Save time and debugging effort without using real time wireless sniffer • Wireless client failure logs preserved in cloud and can be looked and accessed any time. 16 © Mojo Networks. Confidential Information.

Case Study 2: Bad signal(Sticky clients) causing network slowness Vertical: SME branch office Problem Issues with clients staying connected to an Access Point that has bad signal (Sticky Clients) Flag Mojo Aware flagged sticky clients on dashboard Cause Clients still have good signal strength to far away AP so do not disassociate 17 © Mojo Networks. Confidential Information.

Learning Objectives • User impact of bad signal and sticky client • Problem statement • What is sticky client • Symptoms • Cause • Resolution • How Mojo-Aware quickly identifies sticky clients and promptly alerts administrators 18 © Mojo Networks. Confidential Information.

User Impact of the Problem • Far away clients contend with rising error rates due to the lower signals • Overall wireless efficiency of the cell is reduced as clients wait longer than they should for a slower speed client to send its data • Key to high performance Wi. Fi network is airtime efficiency • Even a small number of sticky clients, using suboptimal speeds, can very quickly drag down the performance of Wi-Fi network 19 © Mojo Networks. Confidential Information.

Debugging “Bad signal and network slowness” • Problem Statement • Customer reported “Overall network slowness ” • Basic file copy operation within the network takes long time to transfer. 20 © Mojo Networks. Confidential Information.

Sticky clients and roaming decision o Wireless clients tend to hang on to the original access point they associated with, rather than moving to a nearby AP that would generally be a better choice for them. o Roaming Decision is a client decision, not a network decision o AP don’t tell client when to roam – the network has to respect the wishes and behavior of client devices. 21 © Mojo Networks. Confidential Information.

Symptoms Identifying Sticky clients - behavior • Do not probe on other channels • Probe infrequently • Remain associated to an AP even through better Aps are available • Transmit on low PHY rate consuming more air 22 © Mojo Networks. Confidential Information.

Sticky client end user impact 23 © Mojo Networks. Confidential Information.

Sniff capture with sticky client in network Low Data rate 24 © Mojo Networks. Confidential Information. Low RSSI

Mojo Aware • Mojo Aware quickly identifies sticky clients and promptly alerts administrators to take appropriate action. 25 © Mojo Networks. Confidential Information.

Resolution • Enable Smart Steering • Disassociate “Sticky clients” • Prevent them from re-associating to the AP • Encourage/Force roam to better AP • Configured per SSID (Enable/Disable) • Enable Min Association RSSI • RSSI Threshold • Reduce the number of probe/assoc response • Prevent clients with RSSI below the threshold from associating • Configured per SSID (Enable/Disable) 26 © Mojo Networks. Confidential Information.

Sniff Capture-After Enabling smart steering Deauth after enabling smart steering 27 © Mojo Networks. Confidential Information.

Mojo Aware - After Enabling Smart steering 28 © Mojo Networks. Confidential Information.

Mojo Aware Advantages • Warns the administrator about network slowness (eg. Sticky client) • Ability to quickly identify the WLAN issues • Ability to quickly detect total no of sticky or bad clients in the network • Ability to isolate problematic clients with complete details include packet captures and system logs for further analysis. 29 © Mojo Networks. Confidential Information.

Thank You 30 © Mojo Networks, Inc. All Rights Reserved.

Backup slides 31 © Mojo Networks, Inc. All Rights Reserved.

EAPOL 4 -Way Handshake functionality Process: 32 1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK. 2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC). 3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection. 4. The STA sends a confirmation to the AP. © Mojo Networks. Confidential Information.

What is session timeout? Session timeout means that authenticated user session expires in 1800 seconds based on implementation, it is not an activity or idle timeout. So depending on authentication method, this could cause client to disconnect. 33 © Mojo Networks. Confidential Information.

Root cause analysis Microsoft confirmed this bug and fixed in Hotfix Win 7 release. https: //support. microsoft. com/en-in/kb/3094412 Win 7 laptop required above hotfix upgrade. Per Microsoft, this issue can also be mitigated by reducing the EAPOL key retransmission timeout. The issue was first seen with timeout value of 3 ms. When reducing this value to 1 msec the issue was fixed. Note: Do be aware that reducing this value might negatively impact key negotiations with some very old and slow clients. 34 © Mojo Networks. Confidential Information.

How Mojo-aware quickly identifies Invalid MIC failures and promptly alerts administrator Mojo-aware pinpoint exact cause of failure and saves administrator time and effort for debugging 35 © Mojo Networks. Confidential Information.