Background: I am a self-employed Network Engineer / Systems Administrator for multiple local businesses. I primarily handle medical offices as well as several SMEs.
Client switched retail merchants and received a new Flex POS. Their old device was the original (I believe) 1st Gen Flex. I'll refer to the 1st-gen Flex as "Flex A" and the new 2nd-gen Clover as "Flex B".
The wireless access point used in this environment is a NETGEAR R7960P running the latest Netgear firmware (V18.104.22.168_1.3.28). The wireless network is (was) broadcasting on 2.4GHz b/g/n as well as 5GHz a/n/ac with strict WPA2-PSK AES encryption and is located less than 15 feet from the Clover device(s). This wireless network is also secured by a captive portal using LDAP authentication and numerous firewall rules via a latest-stable-release pfSense edge device. Flex A had zero issues working with this network configuration, with authentication being handled via a MAC & IP-based ACL on the firewall via the captive portal.
Upon receiving the new Flex (Flex B), configuring the firewall to allow the device on the network should have been as easy as adjusting the MAC/IP ACL. However, this proved not to be as easy.
After several hours of troubleshooting, stripping down my wireless firewall(s), numerous Clover Support remote sessions, a factory reset, a new device overnighted, and more hours of further frustration, I just so happened to stumble upon the problem by chance: I reconfigured the wireless access point encryption to accept WPA-PSK TKIP - an older and less secure method of wireless encryption - and voilà.
As an advocate for privacy and security online, I find this discovery to be a bit disconcerting, especially so when dealing with sensitive customer data and PCI (and HIPAA in some cases) compliance. I highly encourage developers of the 2nd-gen Flex to allow only AES-encrypted (or better) connection methods. I have yet to confirm whether the device is strictly using TKIP encryption. Could this be a specific wireless access point hardware/software issue? Possibly. I have yet to test other hardware with the 2nd-gen device. This is next on my list, as I cannot allow my client to use hardware and methods that have known vulnerabilities such as TKIP encryption.
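One way to settle the open question above (is TKIP actually on offer after the AP change, or did the mode switch only change something else?) is to decode the RSN and WPA information elements the access point advertises in its beacons, which any packet capture of the SSID will contain. The following is an added example, not code from the post or from Clover or NETGEAR; the IE byte strings are constructed to mirror an AES-only AP and an AP switched to mixed TKIP+AES mode, not captured from this network.

```python
import struct

# Cipher and AKM suite selector types. RSN uses OUI 00-0F-AC (IEEE 802.11-2016,
# Table 9-131); the pre-standard WPA vendor IE uses OUI 00-50-F2 with the same numbers.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"

def _suite_list(buf, pos, oui, names):
    """Read a 2-byte little-endian count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    suites = []
    for _ in range(count):
        sel_oui, sel_type = buf[pos:pos + 3], buf[pos + 3]
        # A selector under a foreign OUI is vendor-specific; keep it visible, don't drop it.
        suites.append(names.get(sel_type, f"type-{sel_type}") if sel_oui == oui
                      else f"vendor-{sel_oui.hex()}-{sel_type}")
        pos += 4
    return suites, pos

def parse_security_ie(element_id, payload):
    """Decode an RSN IE (ID 48) or WPA vendor IE (ID 221, OUI 00-50-F2 type 1) taken
    from a beacon or probe response, returning the ciphers and AKMs the AP advertises."""
    if element_id == 48:
        kind, oui, pos = "RSN", RSN_OUI, 0
    elif element_id == 221 and payload[:4] == WPA_OUI + b"\x01":
        kind, oui, pos = "WPA", WPA_OUI, 4
    else:
        raise ValueError("not an RSN or WPA information element")
    (version,) = struct.unpack_from("<H", payload, pos)
    group = payload[pos + 5] if payload[pos + 2:pos + 5] == oui else None
    pairwise, pos = _suite_list(payload, pos + 6, oui, CIPHERS)
    akms, _ = _suite_list(payload, pos, oui, AKMS)  # RSN capabilities field not needed here
    return {"kind": kind, "version": version, "group": CIPHERS.get(group, "unknown"),
            "pairwise": pairwise, "akm": akms}

def permits_tkip(info):
    """True if a client could negotiate TKIP (as pairwise or group cipher) with this AP."""
    return info["group"] == "TKIP" or "TKIP" in info["pairwise"]

# Constructed sample IEs (not captured from the post's equipment).
# WPA2-PSK, AES only: group CCMP, pairwise CCMP, AKM PSK, capabilities 0.
AES_ONLY_RSN = (b"\x01\x00" + RSN_OUI + b"\x04" + b"\x01\x00" + RSN_OUI + b"\x04"
                + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00")
# Mixed "TKIP+AES" mode: group cipher drops to TKIP and TKIP is offered pairwise too.
MIXED_RSN = (b"\x01\x00" + RSN_OUI + b"\x02" + b"\x02\x00" + RSN_OUI + b"\x04"
             + RSN_OUI + b"\x02" + b"\x01\x00" + RSN_OUI + b"\x02" + b"\x00\x00")
MIXED_WPA = (WPA_OUI + b"\x01" + b"\x01\x00" + WPA_OUI + b"\x02" + b"\x01\x00"
             + WPA_OUI + b"\x02" + b"\x01\x00" + WPA_OUI + b"\x02")
```

Run `parse_security_ie` on the element ID and body of each RSN/WPA element pulled from a beacon (for example via Wireshark's export of the tagged parameters); a mixed-mode AP shows TKIP as the group cipher even when the client itself picks CCMP.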