Cisco 1142 AP as WGB

Unanswered Question
Dec 19th, 2011

Hi


I'm trying to connect a full-IOS Cisco 1142 access point as WGB to our WLAN infrastructure.

I have these settings configured on our WLC:


wlc.JPG

There is a Win2k8 R2 NPS (Network Policy Server) RADIUS server in the background for handling the authentications against the active directory. I can see passed authentication in the event log.


The WGB is configured like this:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 $1$YnK.$37j/OyuZDBr4DSnAEHWFT1
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid InternalSSID
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management cckm
   dot1x credentials ADCred
   dot1x eap profile EAPProfile
   infrastructure-ssid
!
eap profile EAPProfile
 method mschapv2
!
!
!
dot1x credentials ADCred
 username ADUsername
 password ADPassword
!
username Cisco password 7 01300F175804
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid InternalSSID
 !
 antenna gain 0
 station-role workgroup-bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end


I'm able to get an association to an AP but I'm not able to authenticate.


ap#sh dot11 associations all-client
Address           : 0026.994f.xxxx     Name             : APName
IP Address        : xx.xx.xx.xx.       Interface        : Dot11Radio 1
Device            : LWAPP-Parent      Software Version : NONE
CCX Version       : 5                  Client MFP       : On

State             : EAP-Assoc          Parent           : -
SSID              : InternalSSID
VLAN              : 0
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : CCKM               Encryption       : AES-CCMP
Current Rate      : m15.               Capability       : WMM
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates       : disabled           Bandwidth        : 40 MHz
Signal Strength   : -54  dBm           Connected for    : 0 seconds
Signal to Noise   : 45  dB            Activity Timeout : 15 seconds
Power-save        : Off                Last Activity    : 0 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 2287               Packets Output   : 225
Bytes Input       : 553482             Bytes Output     : 26055
Duplicates Rcvd   : 45                 Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

Protocol                    Status            Auth     Port     WGB


Can somebody help me? Do I have to post more information?


Thank you!

Scott Fella Tue, 12/20/2011 - 00:47
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

Well, as a WGB, you would connect that to a single SSID and everything should pass right through. So all you need is for the WGB to associate to your WLAN SSID.


Simple sample config


http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration...



Sent from Cisco Technical Support iPhone App

dominikhug Tue, 12/20/2011 - 00:58

I've added guest-mode because this is the only difference between the sample config and my config but it still doesn't work.

On console I can see this message:


%DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: Too many retries


And I think the WGB is flapping between different reachable APs propagating the same SSID. Is it possible to change this behaviour?

Scott Fella Tue, 12/20/2011 - 01:00

I believe in the WGB you can define the AP you want to associate to.


Thanks,


Scott Fella


Sent from my iPhone

Scott Fella Tue, 12/20/2011 - 01:04

Make sure you have passive mode enabled on the WLAN SSID. I believe this was supported on the 7.x.


You can run a debug on the wlc also to see if you see anything.


Sent from Cisco Technical Support iPhone App

dominikhug Tue, 12/20/2011 - 01:16

We're using Cisco WiSMv1. Passive mode is only available on 5500 and 2100 I think.


I was able to tie the WGB to only one AP but it still doesn't work.


I've found a new log-message on WLC:


*dot1xMsgTask: Dec 20 10:16:02.230: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 44:d3:ca:62:91:8e

Scott Fella Tue, 12/20/2011 - 04:50

If it's radius related, you would see a failed authentication on the wlc and on the log in the radius you would see the same.


I see you posted on the other forum and tried wpa and that failed. Try to start from basic and use an open connection and get that to work first. The hard part that you will face is the WGB authenticating 802.1x. So start with the basic and get that working first.


Sent from Cisco Technical Support iPhone App

George Stefanick Tue, 12/20/2011 - 06:41
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Best Publication, October 2015


I recently spent an hour t/s a wgb and my issue was that I didn't have aironet extensions enabled on the wlc/WLAN. Is yours enabled?




Sent from Cisco Technical Support iPad App

Scott Fella Tue, 12/20/2011 - 01:19

So that Mac address is the WGB or a wired client?


Sent from Cisco Technical Support iPhone App

dominikhug Tue, 12/20/2011 - 01:22

It's from the WGB D1 interface:


ap#sh int d1
Dot11Radio1 is up, line protocol is up
  Hardware is 802.11N 5GHz Radio, address is 44d3.ca62.918e (bia 64ae.0c5c.5be0)
  MTU 1500 bytes, BW 54000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/1677/3/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/30 (size/max)
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     2953 packets input, 540325 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     6319 packets output, 558439 bytes, 0 underruns
     144 output errors, 0 collisions, 6 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
ap#
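
Added example, not part of any post in this thread: the WLC log writes the client MAC with colons while IOS prints it in dotted form, so the check made above (is the failing client the WGB radio or a wired device?) can be scripted by normalizing both. The two sample inputs are copied from the log line and the `sh int d1` output quoted in the thread; the function names are hypothetical.

```python
import re

# Sample inputs copied from the thread (WLC log line, first lines of "sh int d1").
WLC_LOG = ("*dot1xMsgTask: Dec 20 10:16:02.230: %DOT1X-3-MAX_EAPOL_KEY_RETRANS: "
           "1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 44:d3:ca:62:91:8e")
IOS_SHOW_INT = """Dot11Radio1 is up, line protocol is up
  Hardware is 802.11N 5GHz Radio, address is 44d3.ca62.918e (bia 64ae.0c5c.5be0)
"""

def normalize_mac(text):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def wlc_eapol_timeouts(log_text):
    """Return (key message, client MAC) for each EAPOL-key retransmission failure."""
    pat = re.compile(r"%DOT1X-\d-MAX_EAPOL_KEY_RETRANS:.*?EAPOL-key (M\d) retransmissions "
                     r"exceeded for client ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")
    return [(m.group(1), normalize_mac(m.group(2))) for m in pat.finditer(log_text)]

def ios_interface_macs(show_int_text):
    """Map interface name -> {'address': active MAC, 'bia': burned-in MAC}."""
    result, current = {}, None
    for line in show_int_text.splitlines():
        head = re.match(r"^(\S+) is (?:administratively )?(?:up|down)", line)
        if head:
            current = head.group(1)
            continue
        m = re.search(r"address is ([0-9a-fA-F.]{14}) \(bia ([0-9a-fA-F.]{14})\)", line)
        if m and current:
            result[current] = {"address": normalize_mac(m.group(1)),
                               "bia": normalize_mac(m.group(2))}
    return result

def attribute_client(log_text, show_int_text):
    """For each failing client MAC, name the local interface and MAC kind it matches."""
    macs = ios_interface_macs(show_int_text)
    out = []
    for key_msg, client in wlc_eapol_timeouts(log_text):
        owner = next(((ifname, kind) for ifname, pair in macs.items()
                      for kind, mac in pair.items() if mac == client), None)
        out.append((client, key_msg, owner))  # owner is None for a non-local MAC
    return out

if __name__ == "__main__":
    for client, key_msg, owner in attribute_client(WLC_LOG, IOS_SHOW_INT):
        print(client, key_msg, owner or "no local interface matches")
```

The match is reported against the interface's active `address`, which on this radio differs from the burned-in `bia` value.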

dominikhug Fri, 12/23/2011 - 02:00

Hi


I made some additional attempts to get it working but I failed. So I changed the security settings to WPA-PSK to check if using a WGB is the right way. Now I'm testing.


Thanks for your help and Merry Christmas.

Dominik
