02-10-2010 11:20 AM - edited 07-03-2021 06:30 PM
This is my setup:
1. Cisco Autonomous AP - 1131AG-A-K9, configured with 3 VLANs and 3 SSIDs, one SSID for each VLAN.
2. Running code version: c1130-k9w7-mx.124-10b.JDA3
3. First SSID - faculty-1, VLAN 201, configured with ciphers TKIP and WPA, and a passphrase.
4. Secondary SSID - faculty-2, VLAN 202, configured with WEP.
5. Third SSID - guest, VLAN 203, no encryption.
6. Using a Windows Vista laptop with the Windows wireless client, I could connect to both the secondary and third SSIDs, but the connection to the first SSID with WPA keeps failing.
Any ideas? Thanks for the advice.
02-10-2010 05:09 PM
In order to help in troubleshooting, can you make all of the SSIDs use OPEN or no authentication? If it still doesn't work, can you post your config?
02-11-2010 08:12 PM
All the SSIDs were configured with Open authentication. WEP and no authentication work, but WPA does not. Attached please find the configuration. Thanks
+++++++++++++
DFx-WL-AP002#
hostname IDFx-WL-AP002
!
enable secret 5 $1$x2cF$CowZYf0R5M3yf14ZP695z/
!
no aaa new-model
!
!
!
dot11 ssid faculty-1
wpa-psk ascii babb1122babb
vlan 201
authentication open
authentication key-management wpa
mobility network-id 201
wpa-psk ascii babb1122babb
!
dot11 ssid faculty-2
vlan 202
authentication open
!
dot11 ssid guest
vlan 203
authentication open
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 05280F1C2243
!
bridge irb
!
!
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
no ip address
no ip route-cache
!
encryption vlan 200 mode ciphers wep128
!
encryption vlan 202 key 1 size 40bit 7 397CB7630AE1 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers aes-ccm
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
mbssid
station-role root
!
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 40bit 7 76A8B820E4B6 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio1.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio1.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
!
interface FastEthernet0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
no bridge-group 202 source-learning
bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
no bridge-group 203 source-learning
bridge-group 203 spanning-disabled
!
interface BVI1
ip address 10.128.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.128.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
Message was edited by: rawsonfang
02-11-2010 08:29 PM
Can you also remove the encryption to VLAN 202 and 203?
02-12-2010 06:40 AM
VLAN 203 - SSID guest - works fine without encryption. Not sure if this was due to an issue with my laptop, because of a Windows Vista bug with WPA compatibility?
Thanks
02-12-2010 12:47 PM
rawsonfang....
I may be missing something, but I think I'm seeing 2 "interface Dot11Radio1" in your configuration. Is this a typo? Also, under the first Dot11Radio1 you are using AES and TKIP....as a best practice you should stick to TKIP with WPA and AES with WPA2. Let me know if this helps.
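The two points raised in the reply above (a repeated `interface Dot11Radio1` stanza, and both TKIP and AES-CCM set for VLAN 201 under one radio) can be checked mechanically before a configuration is pushed to an AP. The Python below is an added example, not part of the original thread or of any Cisco tool; the names `stanzas` and `audit`, the check labels, and the extra `wpa-without-cipher` check are assumptions of this example, and the sample is a constructed, trimmed excerpt of the configuration posted earlier.

```python
import re

ENC = r"encryption (?:vlan (\d+) )?mode (.+)"
# Constructed sample, trimmed from the first configuration posted in this thread.
SAMPLE = """dot11 ssid faculty-1
vlan 201
authentication key-management wpa
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
encryption vlan 201 mode ciphers aes-ccm
ssid faculty-1
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
"""

def stanzas(config):  # group lines under the 'dot11 ssid' / 'interface' header before them
    out = []
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("dot11 ssid ", "interface ")):
            out.append((line, []))
        elif out and line and line != "!":
            out[-1][1].append(line)
    return out

def audit(config):
    """Return (check, detail) findings for the radio stanzas of an autonomous-AP config."""
    findings, seen, wpa_vlan = [], set(), {}
    parsed = stanzas(config)
    for head, body in parsed:  # pass 1: VLAN of every SSID that uses WPA key management
        if head.startswith("dot11 ssid ") and any(
                l.startswith("authentication key-management wpa") for l in body):
            wpa_vlan[head.split()[2]] = next(
                (l.split()[1] for l in body if l.startswith("vlan ")), None)
    for head, body in parsed:  # pass 2: radio interfaces (subinterfaces are skipped)
        if not re.fullmatch(r"interface Dot11Radio\d+", head):
            continue
        if head in seen:
            findings.append(("duplicate-interface", head))
        seen.add(head)
        modes = {}  # VLAN (None = no VLAN) -> set of 'encryption ... mode' values
        for m in filter(None, (re.match(ENC, l) for l in body)):
            modes.setdefault(m.group(1), set()).add(m.group(2))
        findings += [("conflicting-encryption", f"{head} vlan {v}")
                     for v, found in modes.items() if len(found) > 1]
        for s in (l.split()[1] for l in body if l.startswith("ssid ")):
            if s in wpa_vlan and not any(
                    m.startswith("ciphers") for m in modes.get(wpa_vlan[s], ())):
                findings.append(("wpa-without-cipher", f"{head} ssid {s}"))
    return findings
```

Calling `audit(SAMPLE)` reports the conflicting encryption modes on VLAN 201 and the duplicate radio stanza; a configuration with one cipher line per VLAN and distinct radio stanzas returns an empty list.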
02-13-2010 10:16 AM
Hi,
This is latest config:
IDFx-WL-AP002#sh run
Building configuration...
Current configuration : 4456 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDFx-WL-AP002
!
enable secret 5 $1$x2cF$CowZYf0R5M3yf14ZP695z/
!
no aaa new-model
!
!
!
dot11 ssid faculty-1
vlan 201
authentication open
authentication key-management wpa
mobility network-id 201
wpa-psk ascii 7 00251125005E0D272E006D6F28382436330A0E072E2E2209311626
no ids mfp client
!
dot11 ssid faculty-2
vlan 202
authentication open
!
dot11 ssid guest
vlan 203
authentication open
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 05280F1C2243
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 128bit 7 5C8396957C974FD578D183FB82F3 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
!
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 128bit 7 8EC1CAB5D9AFBDB688B9CEDE6DC1 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio1.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio1.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
!
interface FastEthernet0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
no bridge-group 202 source-learning
bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
no bridge-group 203 source-learning
bridge-group 203 spanning-disabled
!
interface BVI1
ip address 10.128.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.128.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
IDFx-WL-AP002#$
02-15-2010 05:39 AM
Do you have a WLSM? I assume no, since you didn't mention it in the first place. If you don't, remove the mobility network-id 201 from faculty-1 and see if that helps.