Open SSID configured but clients are seeing WPA

Answered Question

There are about 30 autonomous access points in this building. They are all configured with two SSIDs, each on its own VLAN. For some reason, clients started seeing the public SSID as WPA protected. It is an intermittent problem so I'm not sure what's happening. I sniffed around with AirMagnet Spectrum Analyzer and all the public SSIDs are showing as open (without WEP, WPA, etc.). I matched all the radio interfaces from AirMagnet with the AP radios so I know there isn't some rogue around. The APs are running 12.3.8. Here is the config:


!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP20
!
enable secret
!
username Cisco password 7 062506324F41
ip subnet-zero
!
no aaa new-model
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers tkip wep128
 !
 ssid GUEST
    vlan 3
    authentication open
    guest-mode
 !
 ssid LSD
    vlan 2
    authentication open
    authentication key-management wpa optional
    wpa-psk ascii 7
 !
 short-slot-time
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 channel 2462
 station-role root
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 172.x.x.x 255.255.0.0
 no ip route-cache
!
ip default-gateway 172.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
access-list 111 permit tcp any any neq telnet
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 login local
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 login
 transport preferred all
 transport input all
 transport output all
!
end


I've tried my iphone and it connects just fine but an Intel 3945 and Dell card don't always see the SSID as open. Since this is a guest network, clients should be able to bring in any kind of client. I think this is a combo client/AP problem.


Correct Answer by Johannes Luther, Tue, 04/14/2009 - 12:34

I guess this is what happens:

The AP is broadcasting the guest SSID. But it also sends beacons with the WPA SSID (non-broadcasting). Both SSIDs use the same BSSID (AP MAC address).


So the client sees the following:

- Beacon: SSID "guest" with no encryption (BSSID: 00:11:22:33:44:55)

- Beacon: SSID "" with WPA (RSN) (BSSID: 00:11:22:33:44:55)

- Beacon: SSID "guest" with no encryption (BSSID: 00:11:22:33:44:55)

- Beacon: SSID "" with WPA (RSN) (BSSID: 00:11:22:33:44:55)

[...]


I guess this is confusing some clients. The same BSSID is sending different beacon frames.

A workaround would be to use MBSSIDs. So each SSID is using its unique BSSID. So each SSID has its own virtual AP.


See this link for mbssids:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap7-mbssid.html#wp1050170
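The beacon pattern Johannes describes can be checked mechanically from a sniffer export: group every beacon by its BSSID and flag any BSSID that advertises more than one security mode. The script below is an added example, not part of the thread or of any Cisco tool; the beacon records and MAC addresses in it are constructed placeholders, and the field names (`privacy`, `rsn_or_wpa`) are this example's own simplification of the capability field and the RSN/WPA information elements.

```python
"""Added example (not from the forum thread): detect a single BSSID whose
beacons advertise conflicting security settings, the situation described in
the answer above.

The beacon records below are constructed sample data, not captures from the
thread's APs; the MAC addresses are placeholders."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """Minimal view of an 802.11 beacon: transmitter BSSID, SSID element,
    the Privacy bit from the capability field, and whether an RSN (WPA2) or
    vendor WPA information element is present."""
    bssid: str
    ssid: str          # "" when the SSID element is hidden / zero-length
    privacy: bool
    rsn_or_wpa: bool

    def security(self) -> str:
        """Classify the beacon the way a client's network list would."""
        if self.rsn_or_wpa:
            return "WPA/RSN"
        if self.privacy:
            return "WEP"
        return "open"


def security_profiles(beacons):
    """Map each BSSID to the set of (ssid, security) pairs seen in its beacons."""
    seen = defaultdict(set)
    for b in beacons:
        seen[b.bssid.lower()].add((b.ssid, b.security()))
    return dict(seen)


def conflicting_bssids(beacons):
    """Return the BSSIDs that advertise more than one security mode, i.e. the
    same radio MAC sending both open and WPA/RSN beacons."""
    return sorted(
        bssid for bssid, profiles in security_profiles(beacons).items()
        if len({sec for _, sec in profiles}) > 1
    )


# Constructed sample: before MBSSID, one radio MAC carries both SSIDs, and the
# WPA SSID is non-broadcast (empty SSID element), as in the answer above.
BEFORE_MBSSID = [
    Beacon("00:11:22:33:44:55", "GUEST", privacy=False, rsn_or_wpa=False),
    Beacon("00:11:22:33:44:55", "", privacy=True, rsn_or_wpa=True),
    Beacon("00:11:22:33:44:55", "GUEST", privacy=False, rsn_or_wpa=False),
    Beacon("00:11:22:33:44:55", "", privacy=True, rsn_or_wpa=True),
]

# Constructed sample: after MBSSID, each SSID beacons from its own virtual-AP
# BSSID, so no single BSSID mixes security modes.
AFTER_MBSSID = [
    Beacon("00:11:22:33:44:55", "GUEST", privacy=False, rsn_or_wpa=False),
    Beacon("00:11:22:33:44:56", "", privacy=True, rsn_or_wpa=True),
]

if __name__ == "__main__":
    for label, sample in (("before mbssid", BEFORE_MBSSID), ("after mbssid", AFTER_MBSSID)):
        print(label, conflicting_bssids(sample) or "no conflicts")
```

To use this on real data, export beacons from the sniffer with BSSID, SSID, the Privacy capability bit and the presence of an RSN or WPA element, and build `Beacon` records from those columns; any BSSID returned by `conflicting_bssids` is a radio still beaconing both SSIDs under one MAC.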


Thanks for the prompt reply. I tried enabling mbssid and verified through "show dot11 bssid" that I now had unique identifiers:


Interface      BSSID            Guest  SSID
Dot11Radio0    0012.80ed.6980   Yes    GUEST
Dot11Radio0    0012.80ed.6981   No     LSD


However, the problem still shows up. I have a TAC case open but they are having trouble with this too. Any other help would be appreciated.


Thanks again!

Tony

Enabling mbssid did solve the issue. I had to enable it on both SSIDs. Here are the changes made from the original config:


dot11 ssid GUEST
   vlan 3
   authentication open
   mbssid guest-mode
!
dot11 ssid LSD
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid dtim-period 2
   wpa-psk ascii 7 (hidden)

interface dot11radio 0
 mbssid


Also, removing the WEP128 and optional security was a recommendation.


Thanks again!
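With 30 autonomous APs, it is worth checking all of them for the same three things Tony changed: `mbssid` on the radio interface, an `mbssid` line under each `dot11 ssid` block, and no leftover `wep128` cipher or `wpa optional` key management. The lint below is an added example and not Cisco's tooling or code from this thread; it understands only the small subset of IOS syntax shown in the thread (global `dot11 ssid` blocks and `interface Dot11RadioN`), and the two config texts in it are constructed from the fragments above with a placeholder PSK, not full device configs.

```python
"""Added example (not from the thread): lint a Cisco IOS autonomous-AP config
for the MBSSID changes reported above. Handles only global `dot11 ssid` blocks
and `interface Dot11RadioN` blocks; the configs below are constructed."""
import re


def parse_blocks(config: str):
    """Split an IOS config into top-level blocks keyed by their header line.
    Sub-commands are the following lines that start with whitespace; `!`
    separator lines are ignored."""
    blocks = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if header is not None:
                blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks


def lint_mbssid(config: str):
    """Return human-readable findings; an empty list means the config has the
    MBSSID fix applied and none of the settings the TAC advice said to remove."""
    findings = []
    for header, body in parse_blocks(config).items():
        if header.startswith("dot11 ssid "):
            name = header.split()[2]
            if not any(line.startswith("mbssid") for line in body):
                findings.append(f"ssid {name}: no mbssid line")
            if "authentication key-management wpa optional" in body:
                findings.append(f"ssid {name}: wpa optional still configured")
        elif re.match(r"interface dot11radio\s*\d+$", header, re.IGNORECASE):
            if "mbssid" not in body:
                findings.append(f"{header}: mbssid not enabled on radio")
            for line in body:
                if line.startswith("encryption") and "wep128" in line:
                    findings.append(f"{header}: wep128 still enabled ({line})")
    return findings


# Constructed "before" config: same settings as the original post, written with
# the global dot11 ssid syntax this lint understands. PLACEHOLDER is not a real key.
BEFORE = """\
dot11 ssid GUEST
   vlan 3
   authentication open
   guest-mode
!
dot11 ssid LSD
   vlan 2
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers tkip wep128
 station-role root
!
"""

# Constructed "after" config: Tony's reported changes plus the wep128 / optional removal.
AFTER = """\
dot11 ssid GUEST
   vlan 3
   authentication open
   mbssid guest-mode
!
dot11 ssid LSD
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid dtim-period 2
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio0
 no ip address
 encryption vlan 2 mode ciphers tkip
 mbssid
 station-role root
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_mbssid(cfg) or "clean")
```

Run it over each AP's `show running-config` output (saved to a file and passed to `lint_mbssid`) to find the units that still beacon both SSIDs from one BSSID.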

Johannes Luther Tue, 04/21/2009 - 10:21

I'm glad that helped. Sorry - I couldn't follow up on your first reply.... this one sneaked through my fingers :-)

