Cisco Aironet 1200 Mac access-list removed automatically

Unanswered Question
Mar 1st, 2012

Hi,

I am facing a very strange issue.

I have created an access list 710 for MAC-based authentication.

Today all the access lists disappeared from the access point. I have faced this issue 2 times.

Note:

1. The AP was not rebooted.

2. I executed the wr command after configuration.

What could be the possible reason?

airframes Thu, 03/01/2012 - 10:38

Prashant,

What version of IOS are you running on the AP?

Justin

prashantrecon Thu, 03/01/2012 - 19:47

Hi,

Thanks for the reply.

Below is the IOS.

c1200-k9w7-mx.123-8.JA2

Regards,

Prashant

airframes Fri, 03/02/2012 - 00:40

Prashant,

That code is about 5 years old. Can you upgrade to recent code and see if the issue persists?

Justin

prashantrecon Mon, 03/19/2012 - 21:56

Hi Justin,

I updated it to the mentioned version, but the issue is still not fixed.

C1200 Software (C1200-K9W7-M), Version 12.3(8)JEC3,

airframes Tue, 03/20/2012 - 08:23

Prashant,

This is a strange issue. Have you tried putting the configuration on a different access point to eliminate hardware as a cause?

Does anyone else have access to the AP besides you and are you sure no one (or nothing) else has logged in besides you? (You can check logs for this)

If you've eliminated hardware and software, and you're sure someone else isn't logging into the AP (or something else, like an SNMP management box of some kind), then your next step would be to contact TAC as I think at that point this behavior falls outside any kind of configuration or environmental problem and sounds more like a bug.

Feel free to post your config and I'll look it over to see if anything looks out of order.

Justin

prashantrecon Tue, 03/20/2012 - 21:32

Hi,

I have 5 APs with the same issue. No, only I have access to all the access points.

Please find the configuration:

NTNW0247#sh running-config

Building configuration...

Current configuration : 7597 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname NTNW0247

!

enable secret 5 $1$qCC.$4BtdaOdZP2vt.8770TZYn/

!

ip subnet-zero

!

!

no aaa new-model

dot11 association mac-list 710

!

dot11 ssid NTwifi

   authentication open

!

!

!

username Cisco password 7 05280F00xxxx

username xxxxxx privilege 15 password xxxxxxxxxx

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxx transmit-key

encryption mode wep mandatory

!

ssid Yahoo

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2442

station-role root

antenna receive right

antenna transmit right

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

description "in server room"

ip address x.x.x.x 255.255.255.0

no ip route-cache

!

ip default-gateway x.x.x.x

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

!

access-list 710 permit 001c.bf65.29a9   0000.0000.0000

access-list 710 permit 001b.7744.b602   0000.0000.0000

access-list 710 permit 0050.8825.6111   0000.0000.0000

access-list 710 permit 001c.bf65.20b7   0000.0000.0000

access-list 710 permit 001a.7308.37ab   0000.0000.0000

access-list 710 permit 001a.7308.3795   0000.0000.0000

access-list 710 permit 001b.7744.cb50   0000.0000.0000

access-list 710 permit 001f.3ce6.1ae6   0000.0000.0000

access-list 710 permit 001b.7744.b621   0000.0000.0000

access-list 710 permit 001f.3ce6.0f07   0000.0000.0000

access-list 710 permit 001b.7744.b43d   0000.0000.0000

access-list 710 permit 001b.7744.c727   0000.0000.0000

access-list 710 permit 001b.7744.afa5   0000.0000.0000

access-list 710 permit 001b.7744.d407   0000.0000.0000

access-list 710 permit 001b.7744.b600   0000.0000.0000

access-list 710 permit 001c.bf64.ffe7   0000.0000.0000

access-list 710 permit 001c.bf65.1bec   0000.0000.0000

access-list 710 permit 001c.bf65.18c1   0000.0000.0000

access-list 710 permit 001c.bf65.162b   0000.0000.0000

access-list 710 permit 001c.bf65.15d0   0000.0000.0000

access-list 710 permit 001c.bf65.1de3   0000.0000.0000

access-list 710 permit 001f.3ce6.106b   0000.0000.0000

access-list 710 permit 0024.d659.8944   0000.0000.0000

access-list 710 permit 0024.d659.84f8   0000.0000.0000

access-list 710 permit 0024.d659.84f6   0000.0000.0000

access-list 710 permit 0024.d659.8622   0000.0000.0000

access-list 710 permit 0024.d658.b310   0000.0000.0000

access-list 710 permit 0024.d656.ec8c   0000.0000.0000

access-list 710 permit 0024.d658.bbd4   0000.0000.0000

access-list 710 permit 0024.d658.d8d6   0000.0000.0000

access-list 710 permit 0024.d659.90dc   0000.0000.0000

access-list 710 permit 5894.6b1e.f1a0   0000.0000.0000

access-list 710 permit 5894.6b1e.eb5c   0000.0000.0000

access-list 710 permit 5894.6b1e.6f10   0000.0000.0000

access-list 710 permit 5894.6b1d.3ae8   0000.0000.0000

access-list 710 permit 5894.6b1e.dfc0   0000.0000.0000

access-list 710 permit 74de.2bcd.263e   0000.0000.0000

access-list 710 permit 74de.2bcd.30ac   0000.0000.0000

access-list 710 permit 74de.2bd4.4576   0000.0000.0000

access-list 710 permit 74de.2bd4.4875   0000.0000.0000

access-list 710 permit 74de.2bd1.3490   0000.0000.0000

access-list 710 permit 0000.0000.0000   0000.0000.0000

access-list 710 permit 74de.2bd1.34f4   0000.0000.0000

access-list 710 permit 0014.a5ef.cde3   0000.0000.0000

access-list 710 permit 0014.a5ef.d02f   0000.0000.0000

access-list 710 permit 58b0.3582.da63   0000.0000.0000

access-list 710 permit d8a2.5e42.fd38   0000.0000.0000

access-list 710 permit 74de.2bd4.486d   0000.0000.0000

access-list 710 permit 0024.d659.8525   0000.0000.0000

access-list 710 permit 0024.d659.8524   0000.0000.0000

access-list 710 permit 001c.bf65.175d   0000.0000.0000

access-list 710 permit 0418.0f39.7bfb   0000.0000.0000

access-list 710 permit 001c.bf64.ff8d   0000.0000.0000

access-list 710 permit 74de.2bd4.48f8   0000.0000.0000

access-list 710 permit 001f.3ce6.10cd   0000.0000.0000

access-list 710 permit 001c.bf65.1e26   0000.0000.0000

access-list 710 permit 001c.2305.f2fd   0000.0000.0000

access-list 710 permit 0014.a5ef.d060   0000.0000.0000

access-list 710 permit e0b9.ba3b.7122   0000.0000.0000

access-list 710 permit 001b.7744.d6ba   0000.0000.0000

access-list 710 permit 5894.6b1d.59bc   0000.0000.0000

access-list 710 permit 0024.d658.b2f2   0000.0000.0000

access-list 710 permit 5894.6b1e.dfcc   0000.0000.0000

access-list 710 permit 74de.2bcd.2ff9   0000.0000.0000

access-list 710 permit 001c.bf65.0eff   0000.0000.0000

access-list 710 permit 001b.7771.1178   0000.0000.0000

access-list 710 permit 5894.6b1e.9e7c   0000.0000.0000

access-list 710 permit 001c.bf65.27b2   0000.0000.0000

access-list 710 permit 001b.7744.b5c3   0000.0000.0000

access-list 710 permit 001f.bc89.5909   0000.0000.0000

access-list 710 permit 001a.a0bd.fad9   0000.0000.0000

access-list 710 permit 001f.3c89.5909   0000.0000.0000

access-list 710 permit 4cde.de1c.329d   0000.0000.0000

access-list 710 permit 001b.7744.b611   0000.0000.0000

access-list 710 permit 0021.6a7c.972c   0000.0000.0000

access-list 710 permit 001b.7771.117b   0000.0000.0000

access-list 710 permit 74de.2bd4.48cb   0000.0000.0000

access-list 710 permit 74de.2bd4.4924   0000.0000.0000

access-list 710 permit 5894.6b1d.6708   0000.0000.0000

access-list 710 permit 0024.d658.d8e6   0000.0000.0000

access-list 710 permit 0024.d659.84fc   0000.0000.0000

access-list 710 permit 001c.bf65.1680   0000.0000.0000

access-list 710 permit 74de.2bd4.4e4c   0000.0000.0000

access-list 710 permit 001b.7744.ccb7   0000.0000.0000

access-list 710 permit 74de.2bcd.28f8   0000.0000.0000

access-list 710 permit 001b.7744.b839   0000.0000.0000

access-list 710 permit 001b.7744.b7e6   0000.0000.0000

access-list 710 permit 001f.3ce5.8051   0000.0000.0000

access-list 710 permit 001b.7744.b626   0000.0000.0000

access-list 710 permit 001a.dce8.e8f1   0000.0000.0000

access-list 710 permit 70d4.f26e.729f   0000.0000.0000

access-list 710 permit 4030.0489.c4c2   0000.0000.0000

access-list 710 permit 0024.d68d.114e   0000.0000.0000

access-list 710 permit 4ced.de1c.329d   0000.0000.0000

access-list 710 permit 5894.6b1e.ed28   0000.0000.0000

access-list 710 permit 74de.2bcd.27dc   0000.0000.0000

access-list 710 permit 001c.bf65.1e16   0000.0000.0000

access-list 710 permit 0019.7964.7346   0000.0000.0000

access-list 710 permit 001e.3a03.377d   0000.0000.0000

access-list 710 permit 4030.04a8.d0c3   0000.0000.0000

access-list 710 permit 0014.a5ef.d05a   0000.0000.0000

access-list 710 permit d8a2.5e6a.4abc   0000.0000.0000

access-list 710 permit 74de.2bd4.4e47   0000.0000.0000

access-list 710 permit 0024.d658.b302   0000.0000.0000

access-list 710 permit 001b.7744.af0e   0000.0000.0000

access-list 710 permit 0024.d658.ba64   0000.0000.0000

access-list 710 permit 5894.6b1e.7c58   0000.0000.0000

access-list 710 permit 0024.d658.9e88   0000.0000.0000

access-list 710 permit 0024.d680.c192   0000.0000.0000

access-list 710 permit 0025.5643.40d1   0000.0000.0000

snmp-server community xxxxxxxxx

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

login local

!

end

airframes Tue, 03/20/2012 - 22:01

Prashant,

When I saw your ACL list, I thought, whoa, that's a long ACL (over 100 entries). I wonder if you are bumping into upper resource limits on the AP. An ACL that long is undoubtedly running up the CPU utilization every time a client associates.

Given the size of this ACL, have you considered offloading MAC address checking to a RADIUS server? At least this way you'll tax the CPU of your AP a lot less, and it will eliminate the need to replicate your ACLs across 5 APs. You would only have to add each client MAC address once to your RADIUS server. You can do this with Windows IAS or NPS (included with Windows server), ACS, ISE, and most other RADIUS servers.

Justin

prashantrecon Wed, 03/28/2012 - 01:46

I found the reason.

When I want to remove one of the MAC clients, I use

in config mode:

no access-list 710 permit 5894.6b1e.7c58   0000.0000.0000

It is supposed to remove only this client, but it is removing all of access list 710.

It is a bug.

airframes Wed, 03/28/2012 - 10:50

Prashant,

I don't think that's a bug. In my experience, I've found that a no access-list [parameters] just removes the whole access list. I.e., with that particular command, you can't selectively remove lines from ACLs by specifying the whole ACL line. The parser stops at no access-list and just deletes it entirely.

I just tried it on a 3560 switch and had the above described result. (Anyone feel free to jump in here and clarify if what I'm saying isn't true on other IOS platforms.)

I haven't played much with extended access-lists, but I believe with xACLs you can selectively remove and reorder entries.

Justin

prashantrecon Wed, 03/28/2012 - 21:43

Yes, you are correct.

Do you have any idea how to delete an entry in the numbered access list case?

airframes Thu, 03/29/2012 - 21:32

Prashant,

You can do it through the AP's web GUI. On the CLI, I think you're stuck with modifying the ACL in a text file and replacing it each time you make a change.

I'll say it again, but I think this would be a lot cleaner if you just pointed all your APs at a RADIUS server and managed your MAC addresses just like you would users. No more ACLs on the APs necessary.

Justin
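The edit-in-a-text-file workaround described in the last reply can be scripted. The following is an added example, not code from any poster in this thread: it parses a numbered MAC ACL out of a saved running-config and emits the full replacement (delete the list, then re-add every entry except the one being removed), so nobody has to type a `no access-list 710 permit ...` line by hand. The function names are hypothetical, and the sample input is constructed from three entries of the configuration posted above.

```python
import re

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# Numbered MAC ACL line as it appears in the running-config posted above.
ACL_LINE = re.compile(rf"^access-list\s+(\d+)\s+(permit|deny)\s+{MAC}\s+{MAC}\s*$", re.I)

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_acl(config_text, acl_id):
    """Return [(action, mac, mask), ...] for one numbered ACL, in config order."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and int(m.group(1)) == acl_id:
            entries.append((m.group(2).lower(), m.group(3).lower(), m.group(4).lower()))
    return entries

def rebuild_without(config_text, acl_id, mac_to_remove):
    """Build the config-mode lines that replace the whole ACL minus one MAC."""
    target = normalize_mac(mac_to_remove)
    entries = parse_acl(config_text, acl_id)
    kept = [e for e in entries if e[1] != target]
    if len(kept) == len(entries):
        raise LookupError(f"{target} is not in access-list {acl_id}")
    if not kept:
        raise ValueError("refusing to generate an empty ACL")
    lines = [f"no access-list {acl_id}"]
    lines += [f"access-list {acl_id} {a} {mac} {mask}" for a, mac, mask in kept]
    return lines

# Constructed sample: three entries copied from the posted config.
SAMPLE = """\
dot11 association mac-list 710
access-list 710 permit 0024.d658.ba64   0000.0000.0000
access-list 710 permit 5894.6b1e.7c58   0000.0000.0000
access-list 710 permit 0024.d658.9e88   0000.0000.0000
"""

if __name__ == "__main__":
    print("\n".join(rebuild_without(SAMPLE, 710, "58:94:6B:1E:7C:58")))
```

Review the generated lines before pasting them in config mode, and compare the entry count afterwards against the saved copy.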


This Discussion

Posted March 1, 2012 at 7:31 AM