1131's and 1250's won't associate with a 2100 controller

May 5th, 2009

I have some demo gear that I am trying to get going for a POC and I'm having one heck of a time getting it working. The AP's and WLAN controller are on the same subnet and VLAN, as is the DHCP server. I have a trunk going to port 1 on the controller, and I have tried the internal DHCP server, a Windows 2003 server with option 43, and an IOS DHCP server using option 60 and 43. The AP's get IP addresses fine; however, they will not associate. Now I know the 2100's are layer 3 only, but they should be able to do a layer 3 broadcast, if that doesn't work use the DHCP option, and then use DNS. None of these appears to work. Just wondering if there is something special about these controllers I am missing. I can ping the AP's from the controller and also have a DNS entry for the controllers. I don't have any history on the equipment. They all appear to be LWAPP since I can console in but cannot do anything on the console. Really weird.

gamccall Tue, 05/05/2009 - 11:27

What messages show up during the boot/discovery process on the AP console?

Try manually configuring a controller address on the AP using this command (don't do config t, just type it in):

lwapp ap controller ip address x.x.x.x

miwitte Tue, 05/05/2009 - 11:43

I can't enter anything on the console. I thought once it was associated to a controller the console wouldn't work. Trust me, I tried that one already. Since it's on the same subnet it should just do a unicast broadcast and be done with it.

gamccall Tue, 05/05/2009 - 12:11

Try entering "clear lwapp private-config". That should allow you to then do "lwapp ap controller ip address x.x.x.x"

If it doesn't allow you to clear, you can return to factory defaults by rebooting while holding the mode button. Then try assigning the controller address as above.

miwitte Tue, 05/05/2009 - 14:58

It would appear I am stuck in some kind of weird mode since those commands are disabled. They are disabled when an AP is in LWAPP mode and joined to a controller; however, it's not joined. I had to use PuTTY to console in; HyperTerm and SecureCRT wouldn't let me type but PuTTY did. Go figure. In any case it appears I need to convert back to autonomous and then back to LWAPP. We'll see how that works. What a PITA!

Leo Laohoo Tue, 05/05/2009 - 14:08

I'm suspecting the AP's you're using have already been associated to a different controller. I agree with the previous post that you need to clear all LWAPP configuration before you can prime them on a different network.

miwitte Tue, 05/05/2009 - 16:55

You can't clear them as those commands are disabled because it thinks it's associated to a controller. I tried setting the AP back to autonomous mode. I then converted it back to LWAPP, it saw the controller and started downloading fine. After the reboot, I keep getting the same messages about authorization, which I don't have turned on anywhere. In any case I see this under the controller:

>show ap join stats detailed 00:21:55:4e:f6:b0

Last AP disconnect details

- Reason for last AP connection failure.................... Aes HMAC decryption of LWAPP message from AP has failed

And on the controller logs

May 05 20:44:24.675: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0

*May 05 20:44:22.973: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0

*May 05 20:44:21.269: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0

I was able to convert the 1250 over fine; it's just these 1131's I am having issues with.

gamccall Wed, 05/06/2009 - 06:23

That sounds like a problem with the AP Authorization list. Have you added all the appropriate MAC addresses and hashes to the list? If your APs don't have MICs do you have "allow SSCs" enabled?

miwitte Thu, 05/07/2009 - 08:35

The AP's are MIC based, not SSC, and yes, I had the MIC and SSC enabled under AP authorization. I cannot get TAC support since they are demo gear. I have tried converting back to autonomous and back to LWAPP; they join, download and reload, then they won't join again. It also appears that the recovery image 12.3.11x might not support the 2106 controller, and the 12.4 image from the site makes the upgrade tool complain it's not a valid upgrade image. What a PITA.

gamccall Thu, 05/07/2009 - 09:21

From the Cisco Wireless LAN Controller System Message Guide:



Error Message %LWAPP-3-RADIUS_ERR: Could not send join reply, AP authorization failed; AP:[hex]:[hex]:[hex]:[hex]:[hex]:[hex]

Explanation Join reply was not sent to the AP as AP authentication failed.

Recommended Action Check the AP credentials on the RADIUS server, or the local MAC filtering table - if it was configured. Also check if RADIUS servers are configured and are reachable.


Is it possible you have RADIUS authentication set up for your APs? Is anything interesting showing up in your RADIUS logs?
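
The log lines and the System Message Guide entry quoted above suggest a simple triage, shown here as an added example that is not part of the original thread: group the %LWAPP-3-RADIUS_ERR join failures per AP, flag APs stuck in a retry loop, and say whether to look first at the local AP authorization list or at RADIUS. The sample log is constructed in the format quoted in the thread; the `authorized` set (a hypothetical export of the controller's AP authorization list), the year default and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the controller log lines quoted in the thread.
# 00:21:55:4e:f6:b0 is the AP from the thread; 00:00:5e:00:53:01 is a made-up MAC.
SAMPLE_LOG = """\
*May 05 20:44:21.269: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0
*May 05 20:44:22.973: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0
May 05 20:44:24.675: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:21:55:4e:f6:b0
*May 05 20:51:02.100: %LWAPP-3-RADIUS_ERR: spam_radius.c:108 Could not send join reply, AP authorization failed; AP:00:00:5e:00:53:01
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): %LWAPP-3-RADIUS_ERR: "
    r".*AP authorization failed; AP:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.MULTILINE | re.IGNORECASE,
)

def parse_join_failures(text, year=2009):
    """Return sorted (timestamp, mac) pairs. The log omits the year, so it is passed in."""
    events = []
    for m in LINE_RE.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["mac"].lower()))
    return sorted(events)

def triage(events, authorized, threshold=3, window=timedelta(seconds=10)):
    """Per AP: failure count, whether it is retrying in a loop, and what to check first."""
    by_mac = defaultdict(list)
    for ts, mac in events:
        by_mac[mac].append(ts)
    report = {}
    for mac, times in by_mac.items():
        # Sliding window: do any `threshold` consecutive failures fall inside `window`?
        looping = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        # Listed locally but still rejected: look at RADIUS. Not listed: fix the list first.
        check = "radius" if mac in authorized else "local-list"
        report[mac] = {"failures": len(times), "looping": looping, "check": check}
    return report

if __name__ == "__main__":
    events = parse_join_failures(SAMPLE_LOG)
    for mac, row in triage(events, authorized={"00:21:55:4e:f6:b0"}).items():
        print(mac, row)
```
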

miwitte Thu, 05/07/2009 - 15:19

So it looks like it was an issue with the 12.3.11x LWAPP upgrade image and the 2106 controller. There is a 12.4 upgrade image but the LWAPP upgrade tool wasn't happy with it. Here were the steps to fix this really bizarre issue:

1) Convert AP's back to autonomous

2) Upgrade AP using command line to 12.4 recovery image "archive download-sw /overwrite tftp://"

3) AP then downloads and joins fine.

This was a really weird one.

