02-12-2007 12:34 PM - edited 07-03-2021 01:37 PM
I started having an issue last week. I have numerous 1100 series Access Points in our network. We have laptops that authenticate through one vlan (1) and wireless IP phones (7920s) that authenticate through another vlan (2). I have a WDS system configured with oen master and 7 backups. Everything was working fine until last week. Now the AP where the 7920s authenticate is now giving an authentication failure message. The 7920 will authenticate with others APs with no problem. They will also authenticate with the questionable AP if I take it out of the WDS network. Laptops have no problem authenticating with the questionable AP. I have upgraded the fireware and cannot see any problems. Any ideas? Thanks.
02-12-2007 01:23 PM
What authentication method are you using on the 7920 phones compared to wireless laptops? What happens if you use laptop authentication schme on the phones also?
Have you tried to upload successful AP configuration to the failed AP?
02-12-2007 01:32 PM
The phones and the laptops are both using LEAP. I have not actually tried uploading another configuration because this one was working fine last week. I will check another AP config and see what is different and then upload it if there is any differences. Thanks.
02-13-2007 06:09 AM
A good configuration made no difference. The 7920s will not authenticate through the AP when it is part of a WDS. They do fine when it is a standalone.
02-13-2007 03:39 PM
Can we see the "Show tech" of your main WDS AP, problem AP and working AP?
02-14-2007 06:01 AM
I would be happy to send a show tech. There will be a total of about 70 pages. What is the best way to get it to you?
02-14-2007 08:52 AM
You can attach only the configuration of 3 AP's and also mention the IOS version running on them.
Basant
02-14-2007 01:33 PM
Purchasing/IS - phones work ok through this
Product/Model Number: AIR-AP1220-IOS-UPGRD
Top Assembly Serial Number:
System Software Filename: c1200-k9w7-tar.123- 4.JA
System Software Version: 12.3(4)JA
Bootloader Version: 12.2(8)JA
ISShop - phones don't work through this
Product/Model Number: AIR-AP1120B-A-K9
Top Assembly Serial Number: FHK0806V1C5
System Software Filename: c1100-k9w7-tar.123- 8.JA2
System Software Version: 12.3(8)JA2
Bootloader Version: 12.2(8)JA
Doorscenter - Master WDS
Product/Model Number: AIR-AP1120B-A-K9
Top Assembly Serial Number: FHK0806V1C6
System Software Filename: c1100-k9w7-tar.123- 8.JA2
System Software Version: 12.3(8)JA2
Bootloader Version: 12.2(8)JA
02-15-2007 01:15 PM
VLAN 1 and VLAN 2 part of the configuration on the working and the not working AP I concentrated on looks OK to me.
Pls let me know, when you enter the WDS username and pwd in the "not working" AP, does it shows status as "registered" on the WDS status page of the main WDS AP?
If it shows "registered" then try to associate a 7920 phone to it and check its status in the WDS status page of the main WDS AP.
Does it shows "registered" or "association processing"?
02-15-2007 01:32 PM
The non-working AP does register with the WDS. There are laptops that can and do work through that AP when it is part of the WDS network. Just the 7920s don't. The 7920s are part of vlan 2. The laptops are part of vlan 1.
02-15-2007 03:47 PM
So for the DoorsCenter AP, this is configured as the highest priority WDS server (255). Can see you don't have a AAA group configured for clients to use, so it will fail. Not sure how other clients using EAP are working, so assume they are not.
If using f185560as3 or intermec SSID, then will not use WDS for authentication as they are open authentication SSIDs.
wlccp authentication-server infrastructure method_infrastructure
wlccp wds priority 255 interface BVI1
!
wlccp ap username doorscenter password xxx
On the ISSHOP AP, you have the following which would be correct, but other SSIDs using EAP wouldn't be able to authenticate if the Ap is registered to this WDS server.
Below can see the voice SSID is allowed though.
wlccp authentication-server infrastructure method_infrastructure
wlccp authentication-server client mac method_client
ssid v165ar39x0
wlccp authentication-server client eap method_client
ssid v165ar39x0
wlccp authentication-server client leap method_client
ssid v165ar39x0
wlccp wds priority 250 interface BVI1
So you nee dto add the following to the Doorscenter AP WDS config.
aaa group server radius client
server 172.30.8.190 auth-port 1812 acct-port 1813
!
aaa authentication login method_client group client
!
wlccp authentication-server client eap method_client
Also not recommended to mix match versions in the same WLAN.
Also for 7920, 3.0 or later supports EAP-FAST, which the 7920 gives precedence to in default Auto EAP mode. Can set to LEAP manually though. Will want to ensure dot11 holdoff time is not a long time if EAP-FAST is not enabled.
Also to do WPA, ensure the phone is set for AKM or set to EAP to do 802.1x + WEP128.
02-16-2007 10:57 AM
Thanks. I have made the changes in the WDS and the 7920s appear to be registering correctly. I will keep an eye on it.
02-16-2007 11:10 AM
Glad I could help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide