Aironet 1231's that drop from the network

Unanswered Question
Mar 23rd, 2007

I have 5 1231 access points that will not work on my network. I have updated the configs on 7 other APs that work fine.

We were updating the configuration to allow web based management and tacacs+.

I have copied the correct configs from a working AP into a non working AP and only changed the internal IP address, and the AP will not work.

Example:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AMR_ORG_AP15
!
enable secret xxx
!
clock timezone GMT -5
ip subnet-zero
ip domain name xxx
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.10.1.104 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 10.10.1.104 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.10.1.104 auth-port 1645 acct-port 1646
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 server 10.10.1.104
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad
!
aaa authentication login default group tac_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group tac_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid amriwpa
 authentication open eap eap_methods
 authentication key-management wpa
!
!
crypto pki trustpoint TP-self-signed-2161964427
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2161964427
 revocation-check none
 rsakeypair TP-self-signed-2161964427
!
!
username xxx password xxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid amriwpa
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.100.14.12 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.100.2.2
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server community aromr5 RO
snmp-server host 10.10.1.2 arwmr5
snmp-server host 10.10.1.5 arwmr5
tacacs-server host 10.10.1.104 key xxx
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.1.104 auth-port 1645 acct-port 1646 key xxx
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
 login authentication local_auth
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 authorization exec admin_methods
 login authentication admin_methods
 transport preferred all
 transport input all
 transport output all
line vty 5
 authorization exec admin_methods
 login authentication admin_methods
 transport preferred all
 transport input all
 transport output all
line vty 6 15
 transport preferred all
 transport input all
 transport output all
!
sntp server 10.1.2.1
end

I have updated the IOS software to the latest edition, with no success.

Lawrence

lfranchini1 Sun, 03/25/2007 - 06:47

I cannot telnet into the item. I cannot access the device through the web interface. I can ping the device and that is about it. No wireless enabled devices even detect a radio signal.

rseiler Sun, 03/25/2007 - 11:03

Are you trying to telnet or https to these APs using the wireless network or via the Ethernet network (10.100.0.0/16)?

Be sure you are testing this from the console or using ssh via the Ethernet network, NOT WIRELESS!

If you upgraded these APs to 12.3(11)JA1 or 12.3(8)JEA1 then you may be experiencing the ssl bug that fails ssl negotiation. http would work if you enabled it. You can do a 'debug ip http ssl errors' and see the '%HTTPS: ssl negotiation failed' messages. Note that you will need a 'term mon' from an ssh or telnet session or 'logging console debugging' if using the console (NOT recommended for debugs).

Otherwise, you are just dealing with a config or implementation issue.

Note that you should remove the last 15 vty lines with the command 'no line vty 5 15'.

john.preves Sun, 03/25/2007 - 16:13

You cannot browse into the web interface because you have 'no ip http server' on.

You cannot telnet most likely because of all that crap you have under 'line vty x-x'.

Which I think the above post actually said more eloquently, but I didn't understand it the first time... sorry man, I'm working on it.

lfranchini1 Mon, 03/26/2007 - 05:31

thank you all for your insight. I will make the changes you have pointed out. I just find it weird that the other 7 access points are working fine with the configuration.

lfranchini1 Mon, 03/26/2007 - 05:54

We use the AP's to access the network for authenticated users.

I am accessing the devices through the intranet using https (10.100.0.0/16) over Ethernet, or by console cable, or by telnet over Ethernet.

I have not been testing through wireless.

We are using Version 12.3(7)JA2.

I have tried to remove the last vty lines with the listed command in enable mode and could not. It stated the following: % Can't delete last 16 VTY lines

rseiler Mon, 03/26/2007 - 10:25

You need to be running 12.3(8)JEA1, minimum, to incorporate all bug fixes. It doesn't make any sense to troubleshoot an issue that may have been fixed since Nov, 2005 (the IOS you are running, which is also deferred as of Mar 23, 2006).

The command to remove the last 10 vty lines is:

'no line vty 5 15'

If that doesn't work then you are not running recent code...

lfranchini1 Mon, 03/26/2007 - 10:51

OK,

I have flashed an access point to 12.3(8)JEA1.

I have enable access up to the point I change to my new tacacs+ server IP address in the "security - server manager" of the http webpage.

As soon as I apply the IP address it locks me out unless I am in through console at the time.

I get the following message:

The server 10.100.14.12 at level_15_or_view_access requires a username and password.

I use what I believe is the correct username/password for the access. It's the one listed in the config and shows up presently.

I can set the radius server to the new address fine. I have enable access to the device.

rseiler Mon, 03/26/2007 - 11:15

I'm not sure what you are doing or what you are trying to accomplish.

Looking at your above config, you haven't defined 'admin_methods' anywhere so you don't have access via telnet, ssh, or http.

Are you doing this through the GUI or command line?

If you have other APs that work, look at their config, I would bet they either have 'admin_methods' defined or have a different method defined under the vty lines.

lfranchini1 Mon, 03/26/2007 - 11:26

We are setting up management thru the secure http. We want to use network id's to change settings on the access point and update the tacacs+ ip address change.

I will update the IOS again.

I have tried to duplicate the settings on the devices from those that are working with no luck.

rseiler Mon, 03/26/2007 - 11:28

You don't have to upgrade the IOS again!?

Just check my above comments on the missing 'admin_methods' aaa method and compare it to other working APs...

lfranchini1 Mon, 03/26/2007 - 13:32

I took your advice and tried to add the following command to line vty 0 4:

authorization exec admin_methods

it states the following:

AAA: Warning authorization list "admin_methods" is not defined for EXEC

I am not sure what this means. I see "login authentication admin_methods" on both configurations.

though I do not see admin_methods listed under my aaa settings.
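The warning in this last post is exactly what rseiler's earlier reply predicted: the vty lines reference a method list (admin_methods) that no 'aaa authentication login' or 'aaa authorization exec' statement defines, and the console line references local_auth, which is equally undefined. The script below is an added example, not part of this thread or any Cisco tool; it scans an IOS-style running config for method-list references under line stanzas and reports the ones with no matching aaa definition. The config excerpt embedded in it is a constructed abbreviation of the one posted above, and the function names are my own.

```python
import re

# Constructed excerpt modelled on the AP config posted in the thread (not the full config).
# Sub-commands are indented by one space, as in IOS "show running-config" output.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tac_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default group tac_admin
ip http authentication aaa
line con 0
 login authentication local_auth
line vty 0 4
 authorization exec admin_methods
 login authentication admin_methods
line vty 5 15
 transport input all
"""

# A reference under a line stanza -> the (aaa type, sub-type) that must define it.
# "login authentication X" needs "aaa authentication login X";
# "authorization exec X"   needs "aaa authorization exec X".
REFERENCE_KINDS = {
    "login authentication": ("authentication", "login"),
    "authorization exec": ("authorization", "exec"),
}

AAA_DEFINITION = re.compile(r"aaa (authentication|authorization) (\w+) (\S+)")


def parse_method_lists(config):
    """Return the set of (aaa type, sub-type, list name) tuples defined in the config."""
    defined = set()
    for line in config.splitlines():
        match = AAA_DEFINITION.match(line.strip())
        if match:
            defined.add((match.group(1), match.group(2), match.group(3)))
    return defined


def find_undefined_method_lists(config):
    """Return [(stanza, reference type, list name)] for every method-list
    reference under a line/interface stanza that has no aaa definition."""
    defined = parse_method_lists(config)
    problems = []
    stanza = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            stanza = line  # top-level command such as "line vty 0 4"
            continue
        for prefix, (kind, subtype) in REFERENCE_KINDS.items():
            if line.startswith(prefix + " "):
                name = line[len(prefix):].strip()
                if (kind, subtype, name) not in defined:
                    problems.append((stanza, prefix, name))
    return problems


if __name__ == "__main__":
    for stanza, reference, name in find_undefined_method_lists(SAMPLE_CONFIG):
        print(f'{stanza}: "{reference} {name}" references an undefined method list')
```

On the constructed excerpt the check reports local_auth under line con 0 and admin_methods twice under line vty 0 4 (once for authorization exec, once for login authentication), which matches the AAA warning quoted in the post. The script is deliberately simple: it does not model the implicit default list that applies to lines with no explicit reference, so a line with no 'login authentication' command is reported as clean even though it will actually use 'aaa authentication login default'.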
