Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vorsoth100
New Contributor II

Can't connect to WiFi after Windows 10 May 2020 update (v.2004) - WPA-invalid-2/4-key-msg

After our laptops update to Windows 10 v2004, they will no longer connect to our WPA2-Enterprise FortiAP WiFi network. We have troubleshooted and checked our RADIUS/NPS settings, and they are correct. The users get authenticated, but the connection fails with this message in the FortiGate Logs:

 

WPA-invalid-2/4-key-msg

Probably wrong password entered, invalid MIC in 2/4 message of 4-way handshake from client 

 

The laptop's event logs report "Dynamic Key exchange did not succeed withing configured time"

 

Other laptops still on Windows 10 1909 can connect just fine. And if we roll back the Windows 10 update to 1909, it will connect again. If we take the laptop to our other office with Aruba AP's they connect just fine. So it's something to do with the Windows 10 2004 update and the FortiAP 221E Access Points. We just can't figure out how to fix it.

 

Any ideas or suggestions would be greatly appreciated! Thanks!

1 Solution
vorsoth100
New Contributor II

I believe we have figured out the solution. After running a network monitor capture, I noticed the KeyData in Message 1 of the 4-way handshake was PMKID KDE. After researching PMKID, I found this article on Protected Management Frames: https://docs.fortinet.com/document/fortiap/6.2.0/fortiwifi-and-fortiap-configuration-guide/980459/pr.... I set PMF to "Optional" on the VAP and the laptops that have been updated to Windows 10 v2004 are now connecting to our RADIUS authenticated WiFi network.

View solution in original post

7 REPLIES 7
Dave_Hall
Honored Contributor

Just a quick question - have you deleted the WPA2-Enterprise FortiAP WiFi from a laptop then recreate/set it up again?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi
Esteemed Contributor II

Looks like wifi issue after updating windows 10 is quite common. I found multiple troubleshooting articles on the internet like below. I suspect driver compatibility issue is the likely cause since it doesn't happen when you roll back.

https://pureinfotech.com/fix-wifi-problems-windows-10-2004/

 

vorsoth100
New Contributor II

I believe we have figured out the solution. After running a network monitor capture, I noticed the KeyData in Message 1 of the 4-way handshake was PMKID KDE. After researching PMKID, I found this article on Protected Management Frames: https://docs.fortinet.com/document/fortiap/6.2.0/fortiwifi-and-fortiap-configuration-guide/980459/pr.... I set PMF to "Optional" on the VAP and the laptops that have been updated to Windows 10 v2004 are now connecting to our RADIUS authenticated WiFi network.

Toshi_Esumi
Esteemed Contributor II

Was PMF enabled before, or disabled?

vorsoth100

Looking at our backups, PMF was previously set to "enabled" when we were having the connection issues. Once I set it to "optional" the updated laptops were then able to connect.

Toshi_Esumi
Esteemed Contributor II

I was guessing opposite based on some discussions like below. I need to research more about Win10 2004's 802.11w implementation.

https://www.reddit.com/r/...r_some_people_who_are/

cacsci

vorsoth100 wrote:

I believe we have figured out the solution. After running a network monitor capture, I noticed the KeyData in Message 1 of the 4-way handshake was PMKID KDE. After researching PMKID, I found this article on Protected Management Frames: https://docs.fortinet.com/document/fortiap/6.2.0/fortiwifi-and-fortiap-configuration-guide/980459/pr.... I set PMF to "Optional" on the VAP and the laptops that have been updated to Windows 10 v2004 are now connecting to our RADIUS authenticated WiFi network.

Spent hours trying to figure this out before finding this post. Set PMF to optional fixed it. Thank you for sharing this solution!