vorsoth100
New Member
July 14, 2020
Solved

Can't connect to WiFi after Windows 10 May 2020 update (v.2004) - WPA-invalid-2/4-key-msg


After our laptops update to Windows 10 v2004, they will no longer connect to our WPA2-Enterprise FortiAP WiFi network. We have troubleshot and checked our RADIUS/NPS settings, and they are correct. The users get authenticated, but the connection fails with this message in the FortiGate logs:

WPA-invalid-2/4-key-msg

Probably wrong password entered, invalid MIC in 2/4 message of 4-way handshake from client

The laptop's event logs report "Dynamic Key exchange did not succeed within configured time"

Other laptops still on Windows 10 1909 can connect just fine. And if we roll back the Windows 10 update to 1909, it will connect again. If we take the laptop to our other office with Aruba APs, they connect just fine. So it's something to do with the Windows 10 2004 update and the FortiAP 221E Access Points. We just can't figure out how to fix it.

Any ideas or suggestions would be greatly appreciated! Thanks!

2 replies

Dave_Hall
New Member
July 14, 2020

Just a quick question - have you deleted the WPA2-Enterprise FortiAP WiFi from a laptop, then recreated/set it up again?

Toshi_Esumi
SuperUser
July 14, 2020

Looks like WiFi issues after updating Windows 10 are quite common. I found multiple troubleshooting articles on the internet like the one below. I suspect a driver compatibility issue is the likely cause since it doesn't happen when you roll back.

https://pureinfotech.com/fix-wifi-problems-windows-10-2004/

vorsoth100 (Author, Answer)
New Member
August 11, 2020

I believe we have figured out the solution. After running a network monitor capture, I noticed the KeyData in Message 1 of the 4-way handshake was PMKID KDE. After researching PMKID, I found this article on Protected Management Frames: https://docs.fortinet.com/document/fortiap/6.2.0/fortiwifi-and-fortiap-configuration-guide/980459/protected-management-frames-and-opportunistic-key-caching-support. I set PMF to "Optional" on the VAP and the laptops that have been updated to Windows 10 v2004 are now connecting to our RADIUS authenticated WiFi network.

Toshi_Esumi
SuperUser
August 12, 2020

Was PMF enabled before, or disabled?

vorsoth100
New Member
August 12, 2020

Looking at our backups, PMF was previously set to "enabled" when we were having the connection issues. Once I set it to "optional" the updated laptops were then able to connect.
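
The check described in the accepted answer (inspecting the Key Data of Message 1 of the 4-way handshake for a PMKID KDE), as an added example that is not part of the original thread: a Python parser for an RSN EAPOL-Key frame with a 16-byte MIC field, as you would apply to bytes exported from a capture. The function names are hypothetical, and the sample frame and PMKID value are constructed.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
KDE_NAMES = {1: "GTK", 3: "MAC address", 4: "PMKID", 6: "IGTK"}  # IEEE 802.11 KDE data types

def parse_kdes(key_data: bytes) -> list:
    """Walk Key Data as type/length elements; return (name, value) pairs."""
    out, i = [], 0
    while i + 2 <= len(key_data):
        etype, elen = key_data[i], key_data[i + 1]
        if etype == 0xDD and elen == 0:          # padding marker, nothing follows
            break
        body = key_data[i + 2:i + 2 + elen]
        if len(body) < elen:
            raise ValueError("element overruns Key Data")
        if etype == 0xDD and elen >= 4 and body[:3] == RSN_OUI:
            out.append((KDE_NAMES.get(body[3], f"KDE type {body[3]}"), body[4:]))
        else:                                    # e.g. an RSN element (0x30)
            out.append((f"element 0x{etype:02x}", body))
        i += 2 + elen
    return out

def parse_eapol_key(frame: bytes) -> dict:
    """Parse 802.1X header + RSN key descriptor; classify the handshake message."""
    if len(frame) < 99:
        raise ValueError("truncated EAPOL-Key frame")
    ptype, desc, info = frame[1], frame[4], struct.unpack_from("!H", frame, 5)[0]
    if ptype != 3 or desc != 2:
        raise ValueError("not an RSN EAPOL-Key frame")
    (kd_len,) = struct.unpack_from("!H", frame, 97)
    key_data = frame[99:99 + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("Key Data Length exceeds frame")
    install, ack, mic, secure = (bool(info & m) for m in (0x40, 0x80, 0x100, 0x200))
    msg = 1 if ack and not mic else 3 if ack and install else \
        (4 if secure else 2) if mic and not ack else None
    kdes = [] if info & 0x1000 else parse_kdes(key_data)  # skip encrypted Key Data
    return {"message": msg, "mic": frame[81:97], "kdes": kdes}

def build_message1(pmkid: bytes) -> bytes:
    """Constructed sample: Message 1 (Key Info 0x008a) carrying one PMKID KDE."""
    kde = bytes([0xDD, 4 + len(pmkid)]) + RSN_OUI + b"\x04" + pmkid
    body = (struct.pack("!BHH", 2, 0x008A, 16) + (1).to_bytes(8, "big")
            + bytes(range(32)) + bytes(16 + 8 + 8 + 16)
            + struct.pack("!H", len(kde)) + kde)
    return struct.pack("!BBH", 2, 3, len(body)) + body

SAMPLE_PMKID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value

if __name__ == "__main__":
    print(parse_eapol_key(build_message1(SAMPLE_PMKID)))
```

Message 1 carries an all-zero MIC field; the MIC the FortiGate log complains about is the one the client computes for Message 2.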