WPA2-Personal on Cisco1811w

Answered Question
Dec 18th, 2011

Try and try, we have been unable to use WPA2 (Pre-shared Key aka Personal) to connect to a Cisco1811w.

This works fine if we turn off encryption.

What we see in the debug messages (debug dot11 station connection failure) is:

*Dec 18 21:17:05.041 CST: Client c417.fed5.8522 failed: Dot1x MIC mismatch
*Dec 18 21:17:05.137 CST: Client c417.fed5.8522 failed: Dot1x MIC mismatch
*Dec 18 21:17:05.237 CST: Client c417.fed5.8522 failed: Dot1x MIC mismatch
*Dec 18 21:17:05.337 CST: %DOT11-7-AUTH_FAILED: Station c417.fed5.8522 Authentication failed

We have tried an 8-character and an 11-character pre-shared key. Same results. Why are we getting Dot1x MIC mismatch?

Can someone please help us find what is wrong?

Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T3

! config parts
aaa new-model
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
dot11 ssid ACDinternet
   vlan 98
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 010013165D0E141F205E5A10
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 98 mode ciphers aes-ccm tkip
 !
 ssid ACDinternet
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.98
 encapsulation dot1Q 98
 no cdp enable
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 spanning-disabled
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
!
bridge irb
bridge 98 protocol ieee
bridge 98 route ip
!
interface BVI98
 ip address 192.168.98.1 255.255.255.0
 ip access-group 198 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
end

Thanks for any support you can provide!

Correct Answer by Scott Fella about 2 years 4 months ago

I understand it's a Cisco router, but the commands are the same for the AP. Try to manually configure the client for wpa/tkip and see if your client connects. If it does, then the configuration is not for WPA2. Usually if that is not an option, it means the radio/ios doesn't support wpa2.

Thanks,

Scott Fella

Sent from my iPhone

Scott Fella Sun, 12/18/2011 - 19:26

Looks like your setup is for wpa/tkip. Have you tried that to see if it works? It also depends if your hardware supports wpa2.

Example:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface dot11radio 0
1240AG (config-if)# encryption vlan 30 mode ciphers aes-ccm
1240AG (config-if)# ssid Admin
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# authentication key-management wpa version 2
1240AG (config-if-ssid)# wpa-psk ascii your-key-here

http://networking-newbie.blogspot.com/2008/11/configuring-wpa-and-wpa2-on-cisco.html

Kris Thompson Mon, 12/19/2011 - 07:44

This is not Aironet hardware, but a Cisco router with Dot11Radio interfaces. It appears the configuration model has changed: SSID parameters are NOT set under the interface; the SSID configuration is put under "dot11 ssid" mode.

This can be seen here. There are no commands under the interface SSID.

  aus-hym-rtr01(config-if-ssid)#vlan ?
  % Unrecognized command

  aus-hym-rtr01(config-if-ssid)#?
  ssid configuration commands:

  aus-hym-rtr01(config-if-ssid)#

Under SSID configuration, "version 2" is not an option. I believe it is the default.

   aus-hym-rtr01(config-ssid)#authen key-management wpa ?
     optional  allow legacy clients

The configuration seems correct for WPA2 and AES (although, we also added TKIP to the ciphers in case that made a difference, but it did not). The wireless client we were testing from was showing WPA2 and AES.

The configuration looks correct after a LOT of research. However, we continue to get the Dot1x MIC Mismatch.

Perhaps this is a known defect?


blakekrone Mon, 12/19/2011 - 08:03

Your configuration, like Scott has pointed out, is for WPA, not WPA2. What you have configured is WPA-PSK with AES, which some clients might have issues with. I would recommend changing the encryption to simply be TKIP and set up your client to do WPA-PSK/TKIP.

In order to get WPA2-PSK/AES you need to change the following:

dot11 ssid ACDinternet
   vlan 98
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 010013165D0E141F205E5A10
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 98 mode ciphers aes-ccm

If it won't take the command "authentication key-management wpa version 2", then that means you can't do WPAv2 on that unit with the current code.

Kris Thompson Mon, 12/19/2011 - 19:02

Slight typo above. Should be:

   int dot11radio
      encrypt vlan 98 mode ciphers tkip
blakekrone Mon, 12/19/2011 - 19:05

Yes, that is true for WPA/TKIP. The config I was showing was for WPA2/AES if it was supported.
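As an added illustration (not code from any poster in this thread), a small Python audit that reads the "dot11 ssid" and "encryption ... mode ciphers" stanzas and reports, per SSID, the key-management flavour, the ciphers and a few findings. It uses the same reading as the answers above, which is an assumption taken from the thread rather than from IOS documentation: "authentication key-management wpa" without "version 2" is WPA (v1), with "version 2" it is WPA2. The two sample configs are constructed from the original poster's stanza and the WPA2/AES variant blakekrone suggested.

```python
import re

# Constructed sample: the original poster's stanzas (type-7 key string copied
# from the page) and the WPA2/AES variant suggested later in the thread.
ORIGINAL_CFG = """\
dot11 ssid ACDinternet
   vlan 98
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 010013165D0E141F205E5A10
!
interface Dot11Radio0
 no ip address
 encryption vlan 98 mode ciphers aes-ccm tkip
 ssid ACDinternet
"""
WPA2_CFG = (ORIGINAL_CFG.replace("key-management wpa\n", "key-management wpa version 2\n")
            .replace("aes-ccm tkip", "aes-ccm"))

SSID_RE = re.compile(r"^dot11 ssid (\S+)\n((?:[ \t]+.*\n)*)", re.M)   # stanza = indented lines
ENC_RE = re.compile(r"^[ \t]*encryption(?: vlan (\d+))? mode ciphers (.+)$", re.M)


def audit_dot11_psk(cfg):
    """Map each SSID to its key-management flavour, ciphers and audit findings."""
    ciphers_by_vlan = {m.group(1): m.group(2).split() for m in ENC_RE.finditer(cfg)}
    report = {}
    for name, body in SSID_RE.findall(cfg):
        vlan = re.search(r"^\s*vlan (\d+)", body, re.M)
        vlan = vlan.group(1) if vlan else None
        km = re.search(r"^\s*authentication key-management wpa(.*)$", body, re.M)
        # Assumption (as the thread's answerers read it): no "version 2" means WPA (v1).
        flavour = "none" if km is None else ("WPA2" if "version 2" in km.group(1) else "WPA")
        ciphers = ciphers_by_vlan.get(vlan, [])
        findings = []
        if flavour == "WPA" and "aes-ccm" in ciphers:
            findings.append("WPA (v1) key management with AES-CCMP: a client set to WPA2 will fail the handshake")
        if flavour == "WPA2" and "tkip" in ciphers:
            findings.append("TKIP allowed under WPA2: deprecated cipher, drop it unless legacy clients need it")
        if re.search(r"^\s*wpa-psk ascii 7 ", body, re.M):
            findings.append("PSK stored as type 7: reversible obfuscation, treat the config file as a secret")
        report[name] = {"vlan": vlan, "key_mgmt": flavour, "ciphers": ciphers, "findings": findings}
    return report


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("wpa2", WPA2_CFG)):
        print(label, audit_dot11_psk(cfg))
```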

Scott Fella Mon, 12/19/2011 - 07:59

Kris,

I have an 871w that doesn't support wpa2 and a 1941w that does support wpa2.

Sent from Cisco Technical Support iPhone App

blakekrone Mon, 12/19/2011 - 11:07

Glad you got it working somewhat. Please do rate the posts if you find them helpful.

As for the WPAv2, if you have Smartnet I would advise opening a TAC case, this might be a case of simply needing the correct IOS level to enable WPAv2.
