WPA2-PSK

Unanswered Question
Feb 23rd, 2007

Greetings -

I currently have a Cisco AIR-AP1231G-A-K9 that is running IOS version 12.3(8)JEA1. I am trying to set up WPA2 "Personal" (WPA2-PSK) with a client running Windows XP SP2. The WLAN NIC is a Cisco a/b/g PCMCIA, driver version 2.5.0.22. I have configured the PSK on both the AP and the client and verified that I did not make a typing mistake. I have installed the Microsoft WPA2 hotfix to see if that was causing the problem, but it is not. The actual problem is that the client says it's "Authenticated" but will not allow any traffic to pass through. Whenever I create an SSID NOT using WPA2-PSK, the client can get an IP address and things function normally. Here is the current AP configuration:

sh run

Building configuration...

Current configuration : 4170 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
enable secret ****
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name Joes-VLANofFUN vlan 237
dot11 vlan-name Joes-VLANofFUN-PartII vlan 238
!
dot11 ssid -=b0Gg$=-
   vlan 237
   authentication open
   authentication key-management wpa
   wpa-psk ascii ****
!
username Cisco password ****
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 237 mode ciphers aes-ccm
 !
 ssid -=b0Gg$=-
 !
 speed basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no power client local
 power client 50
 power local cck 50
 power local ofdm 30
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.237
 encapsulation dot1Q 237
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 237
 bridge-group 237 subscriber-loop-control
 bridge-group 237 block-unknown-source
 no bridge-group 237 source-learning
 no bridge-group 237 unicast-flooding
 bridge-group 237 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 speed 100
 full-duplex
 hold-queue 160 in
!
interface FastEthernet0.237
 encapsulation dot1Q 237
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 237
 bridge-group 237 subscriber-loop-control
 bridge-group 237 block-unknown-source
 no bridge-group 237 source-learning
 no bridge-group 237 unicast-flooding
 bridge-group 237 spanning-disabled
!
interface FastEthernet0.238
 encapsulation dot1Q 238 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.238.1.100 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 10.238.1.10
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 privilege level 15
 logging synchronous
line vty 0 4
 login local
!
end

I have tried upgrading the WLAN NIC drivers to the latest version (3.5 I believe) but it does not help. If I run the troubleshooting task of the Aironet Desktop Utility, it says that the Authentication tests failed, even though the status shows me as "Authenticated". Perhaps there is something in the above config that I am missing.

Any help would be greatly appreciated.

Joe

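A configuration consistency check, added here as an example and not part of the original thread or any Cisco tool: it parses an IOS AP running-config like the one posted above and confirms that every SSID using WPA key-management is attached to a radio whose VLAN carries an aes-ccm cipher, which is the ssid -> vlan -> encryption chain WPA2-PSK depends on. The embedded sample is a constructed, trimmed copy of the posted config; the posted config passes this check.

```python
import re
# Constructed sample, trimmed from the AP running-config posted in the question above.
SAMPLE_CONFIG = """dot11 ssid -=b0Gg$=-
 vlan 237
 authentication open
 authentication key-management wpa
 wpa-psk ascii ****
!
interface Dot11Radio0
 encryption vlan 237 mode ciphers aes-ccm
 ssid -=b0Gg$=-
!
"""

def parse_blocks(config):
    """Split IOS config into (header, [subcommands]); indented lines follow a header, '!' closes it."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if line.startswith(" ") and header:
            body.append(line.strip())      # indented '!' separators land here harmlessly
            continue
        if header:
            blocks.append((header, body))
        header, body = (line.strip() if line.strip() not in ("!", "") else None), []
    return blocks + ([(header, body)] if header else [])

def check_wpa_ssids(config):
    """List SSIDs using WPA key-management that are bound to a radio whose VLAN
    has no aes-ccm cipher (needed for WPA2): the ssid -> vlan -> encryption chain."""
    blocks = parse_blocks(config)
    ssids = {}                             # name -> (vlan or None, uses wpa key-management)
    for header, body in blocks:
        if header.startswith("dot11 ssid "):
            vlan = next((l.split()[1] for l in body if l.startswith("vlan ")), None)
            wpa = any(l.startswith("authentication key-management wpa") for l in body)
            ssids[header[len("dot11 ssid "):]] = (vlan, wpa)
    findings = []
    for header, body in blocks:
        if header.startswith("interface Dot11Radio"):
            ciphers = {}                   # vlan (None = global) -> cipher names
            for l in body:
                if m := re.match(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", l):
                    ciphers[m.group(1)] = m.group(2).split()
            for l in body:
                name = l[5:] if l.startswith("ssid ") else None
                if name in ssids and ssids[name][1]:
                    vlan, cs = ssids[name][0], ciphers.get(ssids[name][0], [])
                    if "aes-ccm" not in cs:
                        findings.append(f"{header}: ssid {name} (vlan {vlan}) ciphers {cs or 'none'}; aes-ccm missing")
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means the SSID/VLAN/cipher references line up, and a finding points at the radio and SSID that do not.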
scottmac Fri, 02/23/2007 - 16:39

Check the hardware version of your AP radio(s).

Earlier versions (ending in "20") do not support AES (used for WPA2 / 802.11i).

You should have at least a "Radio AIR-MP31G" for your 802.11G and "Radio AIR-RM21A" for your 802.11a radio.

The (probably) easiest way to check this is the Web GUI ... go to Interfaces, select each band, then the "Detailed Status" tab.

If your radios are older than this, the CLI and GUI will accept your configuration for WPA2/802.11i, but will not operate in that mode (and usually fail).

Either radio is independently upgradeable for ~US$100.00 through someplace like www.cdw.com.

Good Luck

Scott
