Friday, December 7, 2018

IPv6 and WPA gtk-randomize

I am not a wireless network expert; in fact, I know less about wireless than some of the subject matter experts forget in a single day. But I've been playing with various wireless solutions for my home/lab network for some time, and for the past few years I've been running Cisco lightweight access points in Flex mode.

While troubleshooting IPv6 connectivity in my home lab, I came across a 'feature' that may be obvious to IPv6 and wireless experts, but took some time for me to figure out.

I am running multiple SSIDs. They have similar, but slightly different, configurations. One of my SSIDs has been having issues with IPv6. DHCPv6 would work and Windows endpoints would get IPv6 addresses, but over time they would lose IPv6 connectivity. In SLAAC mode with RAs, the endpoints on that specific SSID would not get IPv6 addresses at all.

After spending some quality time with Wireshark, comparing IPv6 traffic on that VLAN over a wired connection vs. a wireless connection, I came to the conclusion that there was a wireless-specific configuration issue that was preventing SLAAC IPv6 from working and causing DHCPv6 leases to expire without proper renewal.

After comparing the settings between the SSID with functional IPv6 and the broken SSID, I found that enabling the 'WPA gtk-randomize' setting was breaking IPv6 RAs. I don't remember specifically enabling this setting. I may have enabled it when I was configuring 802.11r, or it may have been accidentally enabled due to CSCtx48271, but according to my testing, it was definitely affecting RAs. The Cisco WLC SSID configuration page clearly states that 'Enabling gtk-randomize will prevent clients from decrypting broadcast and multicast packets.', but it does not mention IPv6. The Cisco IPv6 Deployment Guide also does not mention this setting.

While it was not obvious (to me), it does make sense that preventing clients from decrypting broadcast and multicast traffic breaks IPv6 RAs: a router advertisement is sent to the all-nodes multicast address ff02::1, so it reaches the wireless client as a group-addressed frame that the client can only decrypt with the group key (GTK). Hopefully this post saves other people some troubleshooting time when they hit IPv6 issues with this setting enabled.
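To make the "group-addressed vs. unicast" distinction concrete, here is an added example (not code from the original post) that builds a handful of IPv6 frames from constructed, made-up addresses, parses them, and reports which ones a client would lose if it cannot decrypt GTK-protected traffic. It goes slightly beyond the post: besides the RA, it also flags the router's Neighbor Solicitation to the client's solicited-node multicast group, while the client's own Router Solicitation and a unicast frame from the router are unaffected. The MAC addresses, link-local addresses and the `downstream_group_frames` helper are assumptions for the example.

```python
"""Which IPv6 frames on a WLAN travel under the group key (GTK)?

Added example for this post, not code from the original. Frames are constructed
inline (constructed sample data, not a capture from the author's lab) and the
MAC and IPv6 addresses are made up.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NAMES = {
    128: "Echo Request",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


def multicast_mac(dst):
    """RFC 2464 sec. 7: ff02::1 -> 33:33:00:00:00:01 (low 32 bits of the group)."""
    return b"\x33\x33" + dst.packed[-4:]


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, body):
    """Ethernet II + IPv6 + ICMPv6 frame with a valid checksum (no extension headers)."""
    src, dst = ipaddress.IPv6Address(src_ip), ipaddress.IPv6Address(dst_ip)
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src.packed + dst.packed
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + icmp


def classify(frame):
    """Return (message kind, IPv6 destination, group-addressed?) or None for non-IPv6."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    nxt = frame[20]
    dst = str(ipaddress.IPv6Address(frame[38:54]))
    kind = "IPv6 next-header %d" % nxt
    if nxt == IPPROTO_ICMPV6:
        kind = ICMPV6_NAMES.get(frame[54], "ICMPv6 type %d" % frame[54])
    # The I/G bit of the destination MAC marks broadcast/multicast. The AP encrypts
    # such downstream frames with the GTK and unicast frames with the client's PTK.
    return kind, dst, bool(frame[0] & 0x01)


def downstream_group_frames(frames, client_macs):
    """Frames a client loses if it cannot decrypt GTK-protected traffic: group-addressed
    and not sent by a client itself (client-originated multicast reaches the AP as a
    unicast 802.11 frame under the PTK, so it is unaffected)."""
    lost = []
    for f in frames:
        info = classify(f)
        if info and info[2] and f[6:12] not in client_macs:
            lost.append(info[:2])
    return lost


def checksum_ok(frame):
    """Recomputing the checksum over a correctly checksummed message yields zero."""
    src, dst = ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[38:54])
    return icmpv6_checksum(src, dst, frame[54:]) == 0


# Constructed sample: a router on the wired side and one wireless client (made-up addresses).
ROUTER_MAC = bytes.fromhex("021122334455")
CLIENT_MAC = bytes.fromhex("02aabbccddee")
CLIENT_LL = "fe80::c0ff:ee00:1234:5678"
ALL_NODES, ALL_ROUTERS = ipaddress.IPv6Address("ff02::1"), ipaddress.IPv6Address("ff02::2")
SOLICITED = ipaddress.IPv6Address("ff02::1:ff34:5678")  # solicited-node group of CLIENT_LL

SAMPLE_FRAMES = [
    # RA: hop limit 64, M/O flags clear, router lifetime 1800 s (prefix options omitted)
    build_icmpv6_frame(ROUTER_MAC, multicast_mac(ALL_NODES), "fe80::1", str(ALL_NODES), 134,
                       struct.pack("!BBHII", 64, 0x00, 1800, 0, 0)),
    # NS from the router resolving the client's link-local address
    build_icmpv6_frame(ROUTER_MAC, multicast_mac(SOLICITED), "fe80::1", str(SOLICITED), 135,
                       b"\x00" * 4 + ipaddress.IPv6Address(CLIENT_LL).packed),
    # RS from the client to all-routers: multicast, but client-originated
    build_icmpv6_frame(CLIENT_MAC, multicast_mac(ALL_ROUTERS), CLIENT_LL, str(ALL_ROUTERS), 133, b"\x00" * 4),
    # Unicast echo request router -> client: protected by the PTK, unaffected
    build_icmpv6_frame(ROUTER_MAC, CLIENT_MAC, "fe80::1", CLIENT_LL, 128, struct.pack("!HH", 1, 1)),
]

if __name__ == "__main__":
    for info in map(classify, SAMPLE_FRAMES):
        print("%-22s -> %-22s %s" % (info[0], info[1], "GTK (group)" if info[2] else "PTK (unicast)"))
    print("lost with gtk-randomize:", downstream_group_frames(SAMPLE_FRAMES, {CLIENT_MAC}))
```

The same `classify` logic applies to frames pulled from a real capture: anything whose destination MAC has the I/G bit set and that originates on the wired side is what a gtk-randomize client never sees, which covers both the RAs the post describes and the router's multicast Neighbor Solicitations.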
