03-01-2012 07:31 AM - edited 07-03-2021 09:41 PM
Hi,
I am facing a very strange issue.
I have created an access list 710 for MAC-based authentication.
Today all of the access list disappeared from the access point. I have faced this issue 2 times.
Note:
1. The AP was not rebooted.
2. I executed the wr command after configuration.
What could be the possible reason?
03-01-2012 10:38 AM
Prashant,
What version of IOS are you running on the AP?
Justin
03-01-2012 07:47 PM
Hi,
Thanks for the reply.
Below is the IOS.
c1200-k9w7-mx.123-8.JA2
Regards,
Prashant
03-02-2012 12:40 AM
Prashant,
That code is about 5 years old. Can you upgrade to recent code and see if the issue persists?
Justin
03-19-2012 09:56 PM
Hi Justin,
I updated it to the mentioned version, but the issue is still not fixed.
C1200 Software (C1200-K9W7-M), Version 12.3(8)JEC3,
03-20-2012 08:23 AM
Prashant,
This is a strange issue. Have you tried putting the configuration on a different access point to eliminate hardware as a cause?
Does anyone else have access to the AP besides you and are you sure no one (or nothing) else has logged in besides you? (You can check logs for this)
If you've eliminated hardware and software, and you're sure someone else isn't logging into the AP (or something else, like an SNMP management box of some kind), then your next step would be to contact TAC, as I think at that point this behavior falls outside any kind of configuration or environmental problem and sounds more like a bug.
Feel free to post your config and I'll look it over to see if anything looks out of order.
Justin
03-20-2012 09:32 PM
Hi,
I have 5 APs with the same issue. No, only I have access to all of the access points.
Please find the configuration:
NTNW0247#sh running-config
Building configuration...
Current configuration : 7597 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NTNW0247
!
enable secret 5 $1$qCC.$4BtdaOdZP2vt.8770TZYn/
!
ip subnet-zero
!
!
no aaa new-model
dot11 association mac-list 710
!
dot11 ssid NTwifi
authentication open
!
!
!
username Cisco password 7 05280F00xxxx
username xxxxxx privilege 15 password xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxx transmit-key
encryption mode wep mandatory
!
ssid Yahoo
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2442
station-role root
antenna receive right
antenna transmit right
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
description "in server room"
ip address x.x.x.x 255.255.255.0
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
access-list 710 permit 001c.bf65.29a9 0000.0000.0000
access-list 710 permit 001b.7744.b602 0000.0000.0000
access-list 710 permit 0050.8825.6111 0000.0000.0000
access-list 710 permit 001c.bf65.20b7 0000.0000.0000
access-list 710 permit 001a.7308.37ab 0000.0000.0000
access-list 710 permit 001a.7308.3795 0000.0000.0000
access-list 710 permit 001b.7744.cb50 0000.0000.0000
access-list 710 permit 001f.3ce6.1ae6 0000.0000.0000
access-list 710 permit 001b.7744.b621 0000.0000.0000
access-list 710 permit 001f.3ce6.0f07 0000.0000.0000
access-list 710 permit 001b.7744.b43d 0000.0000.0000
access-list 710 permit 001b.7744.c727 0000.0000.0000
access-list 710 permit 001b.7744.afa5 0000.0000.0000
access-list 710 permit 001b.7744.d407 0000.0000.0000
access-list 710 permit 001b.7744.b600 0000.0000.0000
access-list 710 permit 001c.bf64.ffe7 0000.0000.0000
access-list 710 permit 001c.bf65.1bec 0000.0000.0000
access-list 710 permit 001c.bf65.18c1 0000.0000.0000
access-list 710 permit 001c.bf65.162b 0000.0000.0000
access-list 710 permit 001c.bf65.15d0 0000.0000.0000
access-list 710 permit 001c.bf65.1de3 0000.0000.0000
access-list 710 permit 001f.3ce6.106b 0000.0000.0000
access-list 710 permit 0024.d659.8944 0000.0000.0000
access-list 710 permit 0024.d659.84f8 0000.0000.0000
access-list 710 permit 0024.d659.84f6 0000.0000.0000
access-list 710 permit 0024.d659.8622 0000.0000.0000
access-list 710 permit 0024.d658.b310 0000.0000.0000
access-list 710 permit 0024.d656.ec8c 0000.0000.0000
access-list 710 permit 0024.d658.bbd4 0000.0000.0000
access-list 710 permit 0024.d658.d8d6 0000.0000.0000
access-list 710 permit 0024.d659.90dc 0000.0000.0000
access-list 710 permit 5894.6b1e.f1a0 0000.0000.0000
access-list 710 permit 5894.6b1e.eb5c 0000.0000.0000
access-list 710 permit 5894.6b1e.6f10 0000.0000.0000
access-list 710 permit 5894.6b1d.3ae8 0000.0000.0000
access-list 710 permit 5894.6b1e.dfc0 0000.0000.0000
access-list 710 permit 74de.2bcd.263e 0000.0000.0000
access-list 710 permit 74de.2bcd.30ac 0000.0000.0000
access-list 710 permit 74de.2bd4.4576 0000.0000.0000
access-list 710 permit 74de.2bd4.4875 0000.0000.0000
access-list 710 permit 74de.2bd1.3490 0000.0000.0000
access-list 710 permit 0000.0000.0000 0000.0000.0000
access-list 710 permit 74de.2bd1.34f4 0000.0000.0000
access-list 710 permit 0014.a5ef.cde3 0000.0000.0000
access-list 710 permit 0014.a5ef.d02f 0000.0000.0000
access-list 710 permit 58b0.3582.da63 0000.0000.0000
access-list 710 permit d8a2.5e42.fd38 0000.0000.0000
access-list 710 permit 74de.2bd4.486d 0000.0000.0000
access-list 710 permit 0024.d659.8525 0000.0000.0000
access-list 710 permit 0024.d659.8524 0000.0000.0000
access-list 710 permit 001c.bf65.175d 0000.0000.0000
access-list 710 permit 0418.0f39.7bfb 0000.0000.0000
access-list 710 permit 001c.bf64.ff8d 0000.0000.0000
access-list 710 permit 74de.2bd4.48f8 0000.0000.0000
access-list 710 permit 001f.3ce6.10cd 0000.0000.0000
access-list 710 permit 001c.bf65.1e26 0000.0000.0000
access-list 710 permit 001c.2305.f2fd 0000.0000.0000
access-list 710 permit 0014.a5ef.d060 0000.0000.0000
access-list 710 permit e0b9.ba3b.7122 0000.0000.0000
access-list 710 permit 001b.7744.d6ba 0000.0000.0000
access-list 710 permit 5894.6b1d.59bc 0000.0000.0000
access-list 710 permit 0024.d658.b2f2 0000.0000.0000
access-list 710 permit 5894.6b1e.dfcc 0000.0000.0000
access-list 710 permit 74de.2bcd.2ff9 0000.0000.0000
access-list 710 permit 001c.bf65.0eff 0000.0000.0000
access-list 710 permit 001b.7771.1178 0000.0000.0000
access-list 710 permit 5894.6b1e.9e7c 0000.0000.0000
access-list 710 permit 001c.bf65.27b2 0000.0000.0000
access-list 710 permit 001b.7744.b5c3 0000.0000.0000
access-list 710 permit 001f.bc89.5909 0000.0000.0000
access-list 710 permit 001a.a0bd.fad9 0000.0000.0000
access-list 710 permit 001f.3c89.5909 0000.0000.0000
access-list 710 permit 4cde.de1c.329d 0000.0000.0000
access-list 710 permit 001b.7744.b611 0000.0000.0000
access-list 710 permit 0021.6a7c.972c 0000.0000.0000
access-list 710 permit 001b.7771.117b 0000.0000.0000
access-list 710 permit 74de.2bd4.48cb 0000.0000.0000
access-list 710 permit 74de.2bd4.4924 0000.0000.0000
access-list 710 permit 5894.6b1d.6708 0000.0000.0000
access-list 710 permit 0024.d658.d8e6 0000.0000.0000
access-list 710 permit 0024.d659.84fc 0000.0000.0000
access-list 710 permit 001c.bf65.1680 0000.0000.0000
access-list 710 permit 74de.2bd4.4e4c 0000.0000.0000
access-list 710 permit 001b.7744.ccb7 0000.0000.0000
access-list 710 permit 74de.2bcd.28f8 0000.0000.0000
access-list 710 permit 001b.7744.b839 0000.0000.0000
access-list 710 permit 001b.7744.b7e6 0000.0000.0000
access-list 710 permit 001f.3ce5.8051 0000.0000.0000
access-list 710 permit 001b.7744.b626 0000.0000.0000
access-list 710 permit 001a.dce8.e8f1 0000.0000.0000
access-list 710 permit 70d4.f26e.729f 0000.0000.0000
access-list 710 permit 4030.0489.c4c2 0000.0000.0000
access-list 710 permit 0024.d68d.114e 0000.0000.0000
access-list 710 permit 4ced.de1c.329d 0000.0000.0000
access-list 710 permit 5894.6b1e.ed28 0000.0000.0000
access-list 710 permit 74de.2bcd.27dc 0000.0000.0000
access-list 710 permit 001c.bf65.1e16 0000.0000.0000
access-list 710 permit 0019.7964.7346 0000.0000.0000
access-list 710 permit 001e.3a03.377d 0000.0000.0000
access-list 710 permit 4030.04a8.d0c3 0000.0000.0000
access-list 710 permit 0014.a5ef.d05a 0000.0000.0000
access-list 710 permit d8a2.5e6a.4abc 0000.0000.0000
access-list 710 permit 74de.2bd4.4e47 0000.0000.0000
access-list 710 permit 0024.d658.b302 0000.0000.0000
access-list 710 permit 001b.7744.af0e 0000.0000.0000
access-list 710 permit 0024.d658.ba64 0000.0000.0000
access-list 710 permit 5894.6b1e.7c58 0000.0000.0000
access-list 710 permit 0024.d658.9e88 0000.0000.0000
access-list 710 permit 0024.d680.c192 0000.0000.0000
access-list 710 permit 0025.5643.40d1 0000.0000.0000
snmp-server community xxxxxxxxx
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
03-20-2012 10:01 PM
Prashant,
When I saw your ACL list, I thought, whoa, that's a long ACL (over 100 entries). I wonder if you are bumping into upper resource limits on the AP. An ACL that long is undoubtedly running up the CPU utilization every time a client associates.
Given the size of this ACL, have you considered offloading MAC address checking to a RADIUS server? At least this way you'll tax the CPU of your AP a lot less, and it will eliminate the need to replicate your ACLs across 5 APs. You would only have to add each client MAC address once to your RADIUS server. You can do this with Windows IAS or NPS (included with Windows server), ACS, ISE, and most other RADIUS servers.
Justin
03-28-2012 01:46 AM
I found the reason.
When I want to remove one of the MAC clients, I use this in config mode:
no access-list 710 permit 5894.6b1e.7c58 0000.0000.0000
It is supposed to remove only this client, but it is removing all of access list 710.
It is a bug.
03-28-2012 10:50 AM
Prashant,
I don't think that's a bug. In my experience, I've found that a no access-list
I just tried it on a 3560 switch and had the above described result. (Anyone feel free to jump in here and clarify if what I'm saying isn't true on other IOS platforms.)
I haven't played much with extended access-lists, but I believe with xACLs you can selectively remove and reorder entries.
Justin
03-28-2012 09:43 PM
Yes, you are correct.
Do you have any idea how to delete an entry in the numbered access list case?
03-29-2012 09:32 PM
Prashant,
You can do it through the AP's web GUI. On the CLI, I think you're stuck with modifying the ACL in a text file and replacing it each time you make a change.
I'll say it again, but I think this would be a lot cleaner if you just pointed all your APs at a RADIUS server and managed your MAC addresses just like you would users. No more ACLs on the APs necessary.
Justin
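Added example, not part of the thread: one way to script the "edit in a text file and replace" workaround described above, so that removing one MAC produces the full replacement for numbered list 710 instead of relying on `no access-list 710 permit ...`. The function names and the sample config (documentation-range MACs) are constructed for illustration.

```python
import re

# One entry of a numbered MAC ACL as it appears in "show running-config".
MAC = r"[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
ENTRY = re.compile(
    rf"^access-list\s+(\d+)\s+(permit|deny)\s+({MAC})\s+({MAC})$",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return IOS form."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def rebuild_acl(config_text, acl, remove):
    """Return CLI lines that re-create list `acl` without the MACs in `remove`."""
    drop = {normalize_mac(m) for m in remove}
    kept, found = [], set()
    for line in config_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or int(m.group(1)) != acl:
            continue  # other lists and unrelated config lines are left alone
        action, mac, mask = (g.lower() for g in m.group(2, 3, 4))
        entry = f"access-list {acl} {action} {mac} {mask}"
        if mac in drop:
            found.add(mac)
        elif entry not in kept:  # collapse exact duplicates, keep order
            kept.append(entry)
    missing = drop - found
    if missing:  # refuse to push a rebuild when the target was never listed
        raise LookupError(f"not in access-list {acl}: {sorted(missing)}")
    # Deleting the whole list first is explicit here, not a side effect.
    return [f"no access-list {acl}"] + kept

# Constructed sample config excerpt (not from the thread).
SAMPLE = """\
dot11 association mac-list 710
access-list 710 permit 0000.5e00.5301 0000.0000.0000
access-list 710 permit 0000.5e00.5302 0000.0000.0000
access-list 710 permit 0000.5e00.5303 0000.0000.0000
access-list 711 permit 0000.5e00.53ff 0000.0000.0000
"""

if __name__ == "__main__":
    print("\n".join(rebuild_acl(SAMPLE, 710, ["00:00:5E:00:53:02"])))
```

Diff the output against the saved running-config before pasting it into config mode, so an unexpected drop in entry count is caught before the list is replaced.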