1121g Issues

Unanswered Question
Jan 21st, 2009

I have 14 Cisco 1121G's set up. When walking around with my laptop I am ok. I will lose one ping as I transition from one to another but with data that is fine. The problem is that I need these for voice. I am using Spectralinks for voice and have followed both their and Cisco's doc's in configuration but still get gaps in conversation. Has anyone set these up for voice? I have tried several different configurations with no change. All keys match. I do not have a Wireless LAN controller. I am using one AP as the WDS. The state always shows as "Administratively Standalone - ACTIVE". All the AP's show the following error, "AP timed out in authenticating to the WDS." They are all using the same AP Username and Password. They all point to the AP acting as the WDS Server. When viewing the WDS Status some show AUTHORIZED. The number authorized varies every time I view the screen.


Again, roaming works with the laptop - a missed ping here and there, but works.


Ideas and thoughts PLEASE.....

Thank you


SJessulat_2 Thu, 01/22/2009 - 22:43

Hi,


I wouldn't consider "a missed ping here and there" as working roaming. This happens e.g. when clients do not roam at all but deauthenticate from one cell and reauthenticate to another one. This behavior is very bad for voice.

Could you provide the config of the WDS-Master-AP, or at least the part with the wlccp commands? This would ease troubleshooting.

When you enter "show wlccp wds" and "show wlccp wds ap" on the WDS-Master, what is the output?

And how do you authenticate the WDS-Usernames and passwords, on a radius-server?


Greets,

Sebastian

brasicot22 Fri, 01/23/2009 - 06:27

Sebastian - thank you for the input.


Here is the output from the show commands and the config from the WDS-Master. I do not think the roaming is working properly at all.

This exceeds the maximum characters for this post so I will cut the config in half - sorry.


C_MAP20_Ref1#show wlccp wds

MAC: 0011.20da.4dc6, IP-ADDR: 10.69.130.20 , Priority: 1

Interface BVI1, State: BACKUP

Currently ACTIVE WDS - MAC: 0011.5cfa.1b60, Priority: 3

C_MAP20_Ref1#show wlccp wds ap

MAC-ADDR IP-ADDR STATE LIFETIME

C_MAP20_Ref1#wr t

Building configuration...


Current configuration : 4078 bytes

!

! Last configuration change at 09:08:56 R Fri Jan 23 2009

! NVRAM config last updated at 09:08:56 R Fri Jan 23 2009

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname C_MAP20_Ref1

!

enable secret xxx

!

username ParaAdmin privilege 15 password xxx

username Admin privilege 15 password xxx

clock timezone R -5

clock summer-time R recurring

ip subnet-zero

!

aaa new-model

!

!

aaa group server radius rad_eap

server 10.69.130.20 auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

server 10.69.130.20 auth-port 1645 acct-port 1646

!

aaa group server radius rad_admin

server 10.69.130.20 auth-port 1645 acct-port 1646

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius 10.69.130.20

server 10.69.130.20 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_10.69.130.20 group 10.69.130.20

aaa authorization exec default local

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

dot11 network-map

dot11 arp-cache optional

!

class-map match-all _class_WirelessPhones0

match ip protocol 119

!

!

policy-map WirelessPhones

class _class_WirelessPhones0

set cos 6

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

(Config continued on next post)

brasicot22 Fri, 01/23/2009 - 06:28

Below is the rest of my config. I think it is probably something stupid on my part and I appreciate your help - thanks guys.



!

encryption mode ciphers tkip

!

ssid Swordfish

authentication open

authentication network-eap eap_methods

authentication key-management wpa cckm

guest-mode

wpa-psk ascii xxx

!

traffic-class 7 cw-min 0 cw-max 0 fixed-slot 2

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0

rts threshold 2312

no preamble-short

channel 2412

station-role root

no dot11 extension aironet

service-policy input WirelessPhones

service-policy output WirelessPhones

dot1x reauth-period 30

dot1x client-timeout 60

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

ntp broadcast client

service-policy output WirelessPhones

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.69.130.20 255.255.255.0

no ip route-cache

!

ip default-gateway 10.69.130.1

ip http server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100

ip radius source-interface BVI1

radius-server local

nas 10.69.130.20 key xxx

nas 10.69.130.22 key xxx

nas 10.69.130.23 key xxx

nas 10.69.130.24 key xxx

nas 10.69.130.25 key xxx

nas 10.69.130.26 key xxx

nas 10.69.130.27 key xxx

nas 10.69.130.28 key xxx

nas 10.69.130.29 key xxx

nas 10.69.130.30 key xxx

nas 10.69.130.31 key xxx

nas 10.69.130.32 key xxx

nas 10.69.130.33 key xxx

nas 10.69.130.34 key xxx

group ParaTest

ssid Swordfish

block count 1000 time infinite

!

user ROLAND nthash xxx1465B5501 group ParaTest

!

radius-server host 10.69.130.20 auth-port 1645 acct-port 1646 key 7 014457285E06070132

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

bridge 1 route ip

!

wlccp authentication-server infrastructure method_10.69.130.20

wlccp wds priority 1 interface BVI1

wlccp wnm ip address 10.69.130.20

wlccp ap username ParaAdmin password xxx

!

line con 0

line vty 5 15

!

ntp authenticate

ntp server 10.69.130.20

end


C_MAP20_Ref1#



SJessulat_2 Fri, 01/23/2009 - 07:06

Hmm, this looks like the AP you entered the show commands on is not the WDS-Master. It says "State: BACKUP" because it has a lower priority (1) than the actual WDS-Master with the MAC address 0011.5cfa.1b60 (3).


I would suggest you raise the "wlccp wds priority 1 interface BVI1" to a higher number on the AP you wish to be the WDS-Master.


Another problem is: You have entered "wlccp ap username ParaAdmin password xxx". This username and password have to be entered in your radius-server (which seems to be local on this AP). If you have the same username entered on the other APs, too, then your WDS should be working if you add this username in your Radius-Server.

brasicot22 Fri, 01/23/2009 - 09:54

Ok - frustration is getting through the roof..... lol

I went back in and set the priorities straight - the Master is 10, client is 3.

ParaAdmin is gone. I simply used Admin. It is on the Radius Server (the master AP) and on the clients, passwords match. The master now shows:




User Access Verification


Username: Admin

Password:


C_MAP20_Ref1#sho wlccp ap

WDS = 0011.20da.4dc6, 10.69.130.20

state = wlccp_ap_st_leap_auth

IN Authenticator = 10.69.130.20

C_MAP20_Ref1#sho wlccp wds

MAC: 0011.20da.4dc6, IP-ADDR: 10.69.130.20 , Priority: 10

Interface BVI1, State: Administratively StandAlone - ACTIVE

AP Count: 5 , MN Count: 0

C_MAP20_Ref1#sho wlccp wnm st

WNM IP Address : 10.69.130.20 Status : NOT AUTHENTICATED

C_MAP20_Ref1#


This looks as though he can not even authenticate to himself


The client shows:




User Access Verification


Username: Admin

Password:


C_AP26_WH1a#sho wlccp ap

WDS = 0011.20da.4dc6, 10.69.130.20

state = wlccp_ap_st_leap_auth

IN Authenticator = 10.69.130.20

C_AP26_WH1a#sho wlccp wds

MAC: 0011.20cd.b830, IP-ADDR: 10.69.130.26 , Priority: 3

Interface BVI1, State: BACKUP

Currently ACTIVE WDS - MAC: 0011.20da.4dc6, Priority: 10

C_AP26_WH1a#sho wlccp wnm st

WNM IP Address : 10.69.130.20 Status : NOT AUTHENTICATED

C_AP26_WH1a#


This is really killing me as I don't think it should be difficult....


Do you have any working configs I could change IP's, User names, and PW's on?

ARRRGGGGGHHHHHHH !!!!!


Thank you

SJessulat_2 Sun, 01/25/2009 - 23:09

No, no, this seems right. A WNM is something different. You don't even need a WNM, so you can delete the "wlccp wnm ip address 10.69.130.20" command.


If you see all the APs as "Registered" when you enter "show wlccp wds ap" (Not "show wlccp ap") including the WDS-Master, then your WDS works.

If only some of the APs show up as "Registered", then it's probably a username/password problem.


If it's still not working, then tell me and I will post a working config.


Greets,

Sebastian

brasicot22 Mon, 01/26/2009 - 12:54

Sebastian, Still not working,


Please do send me a working config.


Thank you - Brian

SJessulat_2 Mon, 01/26/2009 - 23:16

This is the config of the WDS-Master:


...


aaa new-model

!

!

aaa group server radius rad_eap

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server tacacs+ tac_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius Infra

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa group server radius Clients

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa authentication login default local

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_Infra group Infra

aaa authentication login method_Clients group Clients

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa cache profile admin_cache

all

!

!

aaa session-id common

!


...



!

interface BVI1

ip address 10.1.1.1 255.255.0.0

no ip route-cache

!

ip default-gateway 10.1.0.1


...


ip radius source-interface BVI1



...



radius-server local

no authentication mac

nas 10.1.1.1 key passwordradius

nas 10.1.1.2 key passwordradius1

nas 10.1.1.3 key passwordradius2

!

user WDS-Master password passwordwds

user WDS-Client1 password passwordwds1

user WDS-Client2 password passwordwds2

user Client password passwordclient

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key passwordradius

radius-server vsa send accounting

bridge 1 route ip

!

!

wlccp ap username WDS-Master password passwordwds

wlccp authentication-server infrastructure method_Infra

wlccp authentication-server client mac mac_methods

wlccp authentication-server client eap method_Clients

wlccp authentication-server client leap method_Clients

wlccp wds priority 200 interface BVI1


...



This is the config of a WDS-Client:




!

aaa new-model

!

!

aaa group server radius rad_eap

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa group server radius rad_acct

server 10.1.1.1 auth-port 1812 acct-port 1813

!

aaa group server radius rad_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server tacacs+ tac_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius Infra

!

aaa group server radius Client

!

aaa authentication login default local

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_Infra group Infra

aaa authentication login method_Client group Client

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common


...



!

interface BVI1

ip address 10.1.1.2 255.255.0.0

no ip route-cache

!

ip default-gateway 10.1.0.1


...



ip radius source-interface BVI1

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key passwordradius1

radius-server vsa send accounting

bridge 1 route ip

!

!

wlccp ap username WDS-Client1 password passwordwds1

wlccp ap wds ip address 10.1.1.1

!


...

brasicot22 Tue, 01/27/2009 - 09:11

Thank you. Here is what I did. I defaulted an AP, shut off all other AP's on the net.


I then pasted your config into the master. You show no SSID so I created one and used my IP scheme. When I look at the master now, I get the following errors:


Mar 1 00:11:14.172 Warning Unknown authenticator: 10.69.130.20

2 Mar 1 00:11:09.166 Warning RADIUS server 10.69.130.20:1812,1813 has returned.

3 Mar 1 00:11:09.166 Warning RADIUS server 10.69.130.20:1812,1813 is not responding.

4 Mar 1 00:10:36.162 Warning Unknown authenticator: 10.69.130.20

5 Mar 1 00:10:14.682 Error AP Authentication to the WDS failed

6 Mar 1 00:10:03.354 Warning Unknown authenticator: 10.69.130.20

7 Mar 1 00:10:03.353 Warning RADIUS server 10.69.130.20:1812,1813 has returned.

8 Mar 1 00:10:03.353 Warning RADIUS server 10.69.130.20:1812,1813 is not responding.

9 Mar 1 00:09:30.777 Warning Unknown authenticator: 10.69.130.20


The following post will have the config as it stands.



brasicot22 Tue, 01/27/2009 - 09:12

Here is the config as it stands right now:




User Access Verification


Username: Cisco

Password:


ap#en

ap#wr t

Building configuration...


Current configuration : 3487 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

no logging console

enable secret 5 $1$tcvD$a6kzdqwhFd.nLiTAfCGNG.

!

ip subnet-zero

!

!

aaa new-model

!

!

aaa group server radius rad_eap

server 10.69.130.20 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server tacacs+ tac_admin

cache expiry 1

cache authorization profile admin_cache

cache authentication profile admin_cache

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius Infra

server 10.69.130.20 auth-port 1812 acct-port 1813

!

aaa group server radius Clients

server 10.69.130.20 auth-port 1812 acct-port 1813

!

aaa authentication login default local

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_Infra group Infra

aaa authentication login method_Clients group Clients

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

aaa cache profile admin_cache

all

!

aaa session-id common

!

dot11 ssid ParaSpec

authentication open

guest-mode

!

!

!

username Cisco privilege 15 password 7 112A1016141D

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

ssid ParaSpec

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

no dot11 extension aironet

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

hold-queue 80 in

!

interface BVI1

ip address 10.69.130.20 255.255.255.0

no ip route-cache

!

ip default-gateway 10.69.130.1

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

!

radius-server local

no authentication mac

nas 10.69.130.22 key 7 111918160405041E00382A20212626

nas 10.69.130.23 key 7 01030717481C091D255E4F0D10100443

nas 10.69.130.24 key 7 00141215174C04140B334D4A000C1645

user WDS-Master nthash 7 00504B5E570A5C512B726E6F5A415433425A5C5779720070646500415441205905

user WDS-Client1 nthash 7 047A59542A056F6C5D4C5741342F5E540F7C7C7D6367704323465B2401010F0604

user WDS-Client2 nthash 7 096E1B2F4E2646312F5F25727C7370116D744655435327060B0F72755B2239347B

user Client nthash 7 115A4A5540422E2856797F75701717753557402550030C7C03045D214F430C7971

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.69.130.20 auth-port 1812 acct-port 1813 key 7 044B0A151C36435C0D0B04131B1E1F44

radius-server vsa send accounting

!

control-plane

!

bridge 1 route ip

!

!

wlccp ap username WDS-Master password 7 06160E325F59060B010016184C

wlccp authentication-server infrastructure method_Infra

wlccp authentication-server client mac mac_methods

wlccp authentication-server client eap method_Clients

wlccp authentication-server client leap method_Clients

wlccp wds priority 200 interface BVI1

!

line con 0

line vty 0 4

!

end


ap#


If this can not authenticate to itself????


SW Version is 12.3(8)JEA
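
An offline check for the two WDS points raised in this thread, added here as an example (not code from either poster or from Cisco): the `wlccp ap username` has to exist as a user on the local RADIUS server, and a WDS master that points `radius-server host` at its own BVI1 address needs a `nas` line for that address, which the working config has (`nas 10.1.1.1`) and the last posted config does not. The function name `check_wds_master` and the sample text are assumptions made for illustration.

```python
import re

# Constructed sample: WDS-relevant lines modelled on the last config posted in
# the thread, with every key and hash replaced by the placeholder "xxx".
SAMPLE_MASTER = """
interface BVI1
ip address 10.69.130.20 255.255.255.0
radius-server local
nas 10.69.130.22 key xxx
nas 10.69.130.23 key xxx
nas 10.69.130.24 key xxx
user WDS-Master nthash xxx
user WDS-Client1 nthash xxx
radius-server host 10.69.130.20 auth-port 1812 acct-port 1813 key xxx
aaa group server radius Infra
server 10.69.130.20 auth-port 1812 acct-port 1813
aaa authentication login method_Infra group Infra
wlccp ap username WDS-Master password xxx
wlccp authentication-server infrastructure method_Infra
wlccp wds priority 200 interface BVI1
"""

def check_wds_master(config):
    """Lint a WDS master that authenticates APs against its own local RADIUS server."""
    # Forum pastes lose indentation, so match on stripped lines only.
    text = "\n".join(line.strip() for line in config.splitlines())
    def grab(pattern):
        return re.findall(pattern, text, re.M)
    own_ip = grab(r"^interface BVI1\n(?:(?!interface ).*\n)*?ip address (\S+)")
    nas = set(grab(r"^nas (\S+) key"))
    users = set(grab(r"^user (\S+) (?:nthash|password)"))
    hosts = set(grab(r"^radius-server host (\S+)"))
    ap_user = grab(r"^wlccp ap username (\S+)")
    method = grab(r"^wlccp authentication-server infrastructure (\S+)")
    findings = []
    if not grab(r"^wlccp wds priority \d+ interface"):
        findings.append("no 'wlccp wds priority' line: this AP is not a WDS candidate")
    if not ap_user:
        findings.append("no 'wlccp ap username' line: AP cannot register with the WDS")
    elif ap_user[0] not in users:
        findings.append(f"'{ap_user[0]}' is not a user of the local RADIUS server")
    if not method or not grab(rf"^aaa authentication login {re.escape(method[0])} group "):
        findings.append("infrastructure method list is missing or undefined")
    # When the AP points RADIUS at its own address it is its own NAS client.
    if own_ip and own_ip[0] in hosts and own_ip[0] not in nas:
        findings.append(f"own address {own_ip[0]} has no 'nas' entry in radius-server local")
    return findings
```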
