01-21-2009 07:46 AM - edited 07-03-2021 05:01 PM
I have 14 Cisco 1121Gs set up. When walking around with my laptop I am OK. I will lose one ping as I transition from one to another, but with data that is fine. The problem is that I need these for voice. I am using Spectralinks for voice and have followed both their and Cisco's docs in configuration but still get gaps in conversation. Has anyone set these up for voice? I have tried several different configurations with no change. All keys match. I do not have a Wireless LAN controller. I am using one AP as the WDS. The state always shows as "Administratively Standalone - ACTIVE". All the APs show the following error: "AP timed out in authenticating to the WDS." They are all using the same AP username and password. They all point to the AP acting as the WDS server. When viewing the WDS Status some show AUTHORIZED. The number authorized varies every time I view the screen.
Again, roaming works with the laptop - a missed ping here and there, but works.
Ideas and thoughts PLEASE.....
Thank you
01-22-2009 10:43 PM
Hi,
I wouldn't consider "a missed ping here and there" as working roaming. This happens e.g. when clients do not roam at all but deauthenticate from one cell and reauthenticate to another one. This behavior is very bad for voice.
Could you provide the config of the WDS-Master-AP, or at least the part with the wlccp commands? This would ease troubleshooting.
When you enter "show wlccp wds" and "show wlccp wds ap" on the WDS-Master, what is the output?
And how do you authenticate the WDS-Usernames and passwords, on a radius-server?
Greets,
Sebastian
01-23-2009 06:27 AM
Sebastian - thank you for the input.
Here is the output from the show commands and the config from the WDS-Master. I do not think the roaming is working properly at all.
This exceeds the maximum characters for this post so I will cut the config in half - sorry.
C_MAP20_Ref1#show wlccp wds
MAC: 0011.20da.4dc6, IP-ADDR: 10.69.130.20 , Priority: 1
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 0011.5cfa.1b60, Priority: 3
C_MAP20_Ref1#show wlccp wds ap
MAC-ADDR IP-ADDR STATE LIFETIME
C_MAP20_Ref1#wr t
Building configuration...
Current configuration : 4078 bytes
!
! Last configuration change at 09:08:56 R Fri Jan 23 2009
! NVRAM config last updated at 09:08:56 R Fri Jan 23 2009
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C_MAP20_Ref1
!
enable secret xxx
!
username ParaAdmin privilege 15 password xxx
username Admin privilege 15 password xxx
clock timezone R -5
clock summer-time R recurring
ip subnet-zero
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.69.130.20 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 10.69.130.20 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.69.130.20 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius 10.69.130.20
server 10.69.130.20 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_10.69.130.20 group 10.69.130.20
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
dot11 arp-cache optional
!
class-map match-all _class_WirelessPhones0
match ip protocol 119
!
!
policy-map WirelessPhones
class _class_WirelessPhones0
set cos 6
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
(Config continued on next post)
01-23-2009 06:28 AM
Below is the rest of my config. I think it is probably something stupid on my part and I appreciate your help - thanks guys.
!
encryption mode ciphers tkip
!
ssid Swordfish
authentication open
authentication network-eap eap_methods
authentication key-management wpa cckm
guest-mode
wpa-psk ascii xxx
!
traffic-class 7 cw-min 0 cw-max 0 fixed-slot 2
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
no preamble-short
channel 2412
station-role root
no dot11 extension aironet
service-policy input WirelessPhones
service-policy output WirelessPhones
dot1x reauth-period 30
dot1x client-timeout 60
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
service-policy output WirelessPhones
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.69.130.20 255.255.255.0
no ip route-cache
!
ip default-gateway 10.69.130.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server local
nas 10.69.130.20 key xxx
nas 10.69.130.22 key xxx
nas 10.69.130.23 key xxx
nas 10.69.130.24 key xxx
nas 10.69.130.25 key xxx
nas 10.69.130.26 key xxx
nas 10.69.130.27 key xxx
nas 10.69.130.28 key xxx
nas 10.69.130.29 key xxx
nas 10.69.130.30 key xxx
nas 10.69.130.31 key xxx
nas 10.69.130.32 key xxx
nas 10.69.130.33 key xxx
nas 10.69.130.34 key xxx
group ParaTest
ssid Swordfish
block count 1000 time infinite
!
user ROLAND nthash xxx1465B5501 group ParaTest
!
radius-server host 10.69.130.20 auth-port 1645 acct-port 1646 key 7 014457285E06070132
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
wlccp authentication-server infrastructure method_10.69.130.20
wlccp wds priority 1 interface BVI1
wlccp wnm ip address 10.69.130.20
wlccp ap username ParaAdmin password xxx
!
line con 0
line vty 5 15
!
ntp authenticate
ntp server 10.69.130.20
end
C_MAP20_Ref1#
01-23-2009 07:06 AM
Hmm, this looks like the AP you entered the show commands on is not the WDS-Master. It says "State: BACKUP" because it has a lower priority (1) than the actual WDS-Master with the MAC address 0011.5cfa.1b60 (3).
I would suggest you raise the "wlccp wds priority 1 interface BVI1" to a higher number on the AP you wish to be the WDS-Master.
Another problem is: You have entered "wlccp ap username ParaAdmin password xxx". This username and password have to be entered in your radius-server (which seems to be local on this AP). If you have the same username entered on the other APs, too, then your WDS should be working if you add this username in your Radius-Server.
01-23-2009 09:54 AM
Ok - frustration is getting through the roof..... lol
I went back in and set the priorities straight - the Master is 10, client is 3.
ParaAdmin is gone. I simply used Admin. It is on the Radius Server (the master AP) and on the clients, passwords match. The master now shows:
User Access Verification
Username: Admin
Password:
C_MAP20_Ref1#sho wlccp ap
WDS = 0011.20da.4dc6, 10.69.130.20
state = wlccp_ap_st_leap_auth
IN Authenticator = 10.69.130.20
C_MAP20_Ref1#sho wlccp wds
MAC: 0011.20da.4dc6, IP-ADDR: 10.69.130.20 , Priority: 10
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 5 , MN Count: 0
C_MAP20_Ref1#sho wlccp wnm st
WNM IP Address : 10.69.130.20 Status : NOT AUTHENTICATED
C_MAP20_Ref1#
This looks as though he can not even authenticate to himself.
The client shows:
User Access Verification
Username: Admin
Password:
C_AP26_WH1a#sho wlccp ap
WDS = 0011.20da.4dc6, 10.69.130.20
state = wlccp_ap_st_leap_auth
IN Authenticator = 10.69.130.20
C_AP26_WH1a#sho wlccp wds
MAC: 0011.20cd.b830, IP-ADDR: 10.69.130.26 , Priority: 3
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 0011.20da.4dc6, Priority: 10
C_AP26_WH1a#sho wlccp wnm st
WNM IP Address : 10.69.130.20 Status : NOT AUTHENTICATED
C_AP26_WH1a#
This is really killing me as I don't think it should be difficult....
Do you have any working configs I could change IP's, User names, and PW's on?
ARRRGGGGGHHHHHHH !!!!!
Thank you
01-25-2009 11:09 PM
No, no, this seems right. A WNM is something different. You don't even need a WNM, so you can delete the "wlccp wnm ip address 10.69.130.20" command.
If you see all the APs as "Registered" when you enter "show wlccp wds ap" (not "show wlccp ap"), including the WDS-Master, then your WDS works.
If only some of the APs show up as "Registered", then it's probably a username/password problem.
If it's still not working, then tell me and I will post a working config.
Greets,
Sebastian
01-26-2009 12:54 PM
Sebastian, Still not working,
Please do send me a working config.
Thank you - Brian
01-26-2009 11:16 PM
This is the config of the WDS-Master:
...
aaa new-model
!
!
aaa group server radius rad_eap
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infra
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa group server radius Clients
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infra group Infra
aaa authentication login method_Clients group Clients
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
!
aaa session-id common
!
...
!
interface BVI1
ip address 10.1.1.1 255.255.0.0
no ip route-cache
!
ip default-gateway 10.1.0.1
...
ip radius source-interface BVI1
...
radius-server local
no authentication mac
nas 10.1.1.1 key passwordradius
nas 10.1.1.2 key passwordradius1
nas 10.1.1.3 key passwordradius2
!
user WDS-Master password passwordwds
user WDS-Client1 password passwordwds1
user WDS-Client2 password passwordwds2
user Client password passwordclient
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key passwordradius
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username WDS-Master password passwordwds
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client mac mac_methods
wlccp authentication-server client eap method_Clients
wlccp authentication-server client leap method_Clients
wlccp wds priority 200 interface BVI1
...
This is the config of a WDS-Client:
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
server 10.1.1.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infra
!
aaa group server radius Client
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infra group Infra
aaa authentication login method_Client group Client
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
...
!
interface BVI1
ip address 10.1.1.2 255.255.0.0
no ip route-cache
!
ip default-gateway 10.1.0.1
...
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.1.1 auth-port 1812 acct-port 1813 key passwordradius1
radius-server vsa send accounting
bridge 1 route ip
!
!
wlccp ap username WDS-Client1 password passwordwds1
wlccp ap wds ip address 10.1.1.1
!
...
01-27-2009 09:11 AM
Thank you. Here is what I did. I defaulted an AP, shut off all other APs on the net.
I then pasted your config into the master. You show no SSID so I created one and used my IP scheme. When I look at the master now, I get the following errors:
Mar 1 00:11:14.172 Warning Unknown authenticator: 10.69.130.20
2 Mar 1 00:11:09.166 Warning RADIUS server 10.69.130.20:1812,1813 has returned.
3 Mar 1 00:11:09.166 Warning RADIUS server 10.69.130.20:1812,1813 is not responding.
4 Mar 1 00:10:36.162 Warning Unknown authenticator: 10.69.130.20
5 Mar 1 00:10:14.682 Error AP Authentication to the WDS failed
6 Mar 1 00:10:03.354 Warning Unknown authenticator: 10.69.130.20
7 Mar 1 00:10:03.353 Warning RADIUS server 10.69.130.20:1812,1813 has returned.
8 Mar 1 00:10:03.353 Warning RADIUS server 10.69.130.20:1812,1813 is not responding.
9 Mar 1 00:09:30.777 Warning Unknown authenticator: 10.69.130.20
The following post will have the config as it stands.
01-27-2009 09:12 AM
Here is the config as it stands right now:
User Access Verification
Username: Cisco
Password:
ap#en
ap#wr t
Building configuration...
Current configuration : 3487 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
no logging console
enable secret 5 $1$tcvD$a6kzdqwhFd.nLiTAfCGNG.
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.69.130.20 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius Infra
server 10.69.130.20 auth-port 1812 acct-port 1813
!
aaa group server radius Clients
server 10.69.130.20 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_Infra group Infra
aaa authentication login method_Clients group Clients
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
!
dot11 ssid ParaSpec
authentication open
guest-mode
!
!
!
username Cisco privilege 15 password 7 112A1016141D
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid ParaSpec
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 80 in
!
interface BVI1
ip address 10.69.130.20 255.255.255.0
no ip route-cache
!
ip default-gateway 10.69.130.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
no authentication mac
nas 10.69.130.22 key 7 111918160405041E00382A20212626
nas 10.69.130.23 key 7 01030717481C091D255E4F0D10100443
nas 10.69.130.24 key 7 00141215174C04140B334D4A000C1645
user WDS-Master nthash 7 00504B5E570A5C512B726E6F5A415433425A5C5779720070646500415441205905
user WDS-Client1 nthash 7 047A59542A056F6C5D4C5741342F5E540F7C7C7D6367704323465B2401010F0604
user WDS-Client2 nthash 7 096E1B2F4E2646312F5F25727C7370116D744655435327060B0F72755B2239347B
user Client nthash 7 115A4A5540422E2856797F75701717753557402550030C7C03045D214F430C7971
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.69.130.20 auth-port 1812 acct-port 1813 key 7 044B0A151C36435C0D0B04131B1E1F44
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
wlccp ap username WDS-Master password 7 06160E325F59060B010016184C
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client mac mac_methods
wlccp authentication-server client eap method_Clients
wlccp authentication-server client leap method_Clients
wlccp wds priority 200 interface BVI1
!
line con 0
line vty 0 4
!
end
ap#
If this can not authenticate to itself????
SW Version is 12.3(8)JEA
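An added example (not part of any post in this thread, and not Cisco tooling): a Python check of the chain the configs above set up by hand, from `wlccp authentication-server infrastructure` through the AAA method list and server group to the `nas` and `user` entries under `radius-server local`. The sample is a constructed excerpt of the last config posted, with secrets replaced by `xxx`; the function name `audit_wds` and the finding strings are assumptions of this example. Run on the sample, it reports that 10.69.130.20, the address named in the "Unknown authenticator" warnings, has no `nas` entry, whereas the reference config from 01-26-2009 lists the WDS master's own address as a `nas`.

```python
# SAMPLE: constructed excerpt of the last config posted above, secrets replaced by xxx.
SAMPLE = """\
aaa group server radius Infra
 server 10.69.130.20 auth-port 1812 acct-port 1813
aaa authentication login method_Infra group Infra
radius-server local
 nas 10.69.130.22 key xxx
 nas 10.69.130.23 key xxx
 user WDS-Master nthash xxx
!
interface BVI1
 ip address 10.69.130.20 255.255.255.0
ip radius source-interface BVI1
wlccp ap username WDS-Master password xxx
wlccp authentication-server infrastructure method_Infra
"""

def audit_wds(config):
    """Follow WLCCP infrastructure auth to the local RADIUS server; list gaps."""
    groups, lists, addrs, local = {}, {}, {}, {"nas": set(), "user": set()}
    method = ap_user = src_if = section = None
    for w in (line.split() for line in config.splitlines()):
        if not w or w == ["!"]:
            section = None                      # "!" closes a sub-mode
        elif w[:4] == ["aaa", "group", "server", "radius"]:
            section = ("group", w[4]); groups[w[4]] = []
        elif w[0] == "interface":
            section = ("if", w[1])
        elif w[0] == "server" and section and section[0] == "group":
            groups[section[1]].append(w[1])
        elif w[:2] == ["ip", "address"] and section and section[0] == "if":
            addrs[section[1]] = w[2]
        elif w[0] in local:                     # nas / user lines of radius-server local
            local[w[0]].add(w[1])
        elif w[:3] == ["aaa", "authentication", "login"] and "group" in w:
            lists[w[3]] = w[w.index("group") + 1]
        elif w[:3] == ["ip", "radius", "source-interface"]:
            src_if = w[3]
        elif w[:3] == ["wlccp", "ap", "username"]:
            ap_user = w[3]
        elif w[:3] == ["wlccp", "authentication-server", "infrastructure"]:
            method = w[3]
    own, findings = addrs.get(src_if), []
    if own in groups.get(lists.get(method), []):   # this AP is its own RADIUS server
        if own not in local["nas"]:
            findings.append(f"{own} has no nas entry under radius-server local")
        if ap_user not in local["user"]:
            findings.append(f"WLCCP user {ap_user} is not a local RADIUS user")
    return findings
```

An empty list means the infrastructure-authentication chain is consistent on that AP; it says nothing about whether the keys and passwords themselves match between APs.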