
WLSE / WDS authentication problems

Unanswered Question
May 4th, 2006

Hello,


I'm currently experiencing problems with authentication between WLSE and WDS.


I have already successfully deployed the WDS on several networks. WDS is correctly authenticated:

- WLCCP credentials are correct

- the "SECURITY KEYS SETUP" message appears on the WDS APs


On some other subnets, I don't manage to get the WDS APs authenticated (it's definitely not a configuration problem).

The authentication problem concerns only the WLSE and the WDS:

- infrastructure APs (and the WDS AP itself) successfully authenticate to the WDS AP.

- Wifi clients authentication is working properly.

All those subnets have a common point: they use the same network device to reach the WLSE: it's an HP 5308XL Switch.


I have checked the logs on the switch and I haven't found anything interesting.


Does someone know how to fix the problem ?


Thank you.

dominic.caron Thu, 05/04/2006 - 06:45

How is the WLSE account set in your RADIUS server? Are the NAR ok?

genghiskhan Mon, 05/08/2006 - 12:30

Did you get it fixed?


I know how you feel! I have been fighting with wlse and wds authentication off and on for a couple of weeks.


I believe I finally got it working. I disabled cdp on the radio interface, though I doubt this had much to do with it. Just make sure cdp is still running on fast ethernet interface.


On the AP I removed and re-entered all the lines pertaining to radius and wlccp with passwords.


I re-entered the password for wlse-wds authentication in wlse at 'Devices>Discover>Device Credentials>WLCCP Credentials'.


This fixed the problem. No more faults in wlse, and the AP shows 'Security Keys Setup' on the 'Wireless Services>WDS' page in 'Authentication Status' field.


Hope this helps in the battle!


Roger

simon-hautier Mon, 05/08/2006 - 23:13

Yes, re-entering WLCCP passwords and credentials helped to fix the problem on a few APs.

But there were still some APs which couldn't be authenticated.

To fix the problem, I upgraded the software of these APs: 12.3(4)JA => 12.3(7)JA3

I didn't upgrade all APs yet, but those which have the 12.3(7)JA3 version don't have authentication problems anymore.


Thanks for your help anyway.


o-ziltener Tue, 05/09/2006 - 06:59

Hello


Do you use an ACS for the authentication of the infrastructure? If yes, what version do you have?

There is a bug, beginning with 3.3.


best regards

Oliver

simon-hautier Wed, 05/10/2006 - 00:00

Hello,


We don't use Cisco Access Control Server; anyway, it's interesting to know about this issue.

l.dennis Fri, 05/26/2006 - 10:51

We are using this version of 3.3... what is the bug?

rham.editco Wed, 05/10/2006 - 03:46

Are there any specific debug methods that helped solve this issue?


I have a WLSE running 2.12FCS, 44 1231G's and one subnet out of 4 is not authenticating. I have beat my head against the wall for about a week now. The specific message I am seeing that is unique to the misbehaving subnet is "WNM MAC yet unknown" - I have tried "ip proxy-arp" and putting in static arp entries, upgrading to 12.3(7)JA3 and so on, but zero success. I have copied the config from a working WDS master that successfully auths to the misbehaving WDS master but still no authentication of the WLSE/WNM. Incidentally, I never see the WLSE try to authenticate against the local radius server... The debug available to tell me what's going on seems to be very limited.


Anyone have any more ideas?


Thanks,


Richard

simon-hautier Wed, 05/10/2006 - 07:00

Hello,


The debug method I used is the following:


- I tried those commands on the WLSE:

Dumptcp port 2887 host [WDS IP Address] log

Dumptcp proto udp host [WDS IP Address] log

Then I downloaded the dumptcp.cal file and opened it (with Ethereal, for example).

This log showed that only SNMP packets were received by the WLSE.


- Then I tried to use debug commands on the WDS AP having an issue:

I opened 2 telnet sessions on the same WDS AP.

In the first one, I used the following commands:

debug wlccp packet

debug wlccp wds

terminal monitor


In the second one, I stopped and re-activated the WDS by typing:

no wlccp wnm ip address

wlccp wnm ip address [WLSE IP Address]


Then I looked at the result in the first session and didn't see ANYTHING which could have had a link with WLSE authentication.


That's why I supposed that the WDS AP was the origin of the problem and I tried to upgrade its software.


Hope this helps.

rham.editco Wed, 05/10/2006 - 23:13

Simon,


Thanks for your help - I have *finally* been able to resolve this issue. As per your suggestion, I enabled only the two debugs on the WDS AP. I usually enabled a large number more.... The debug read like this when enabling "wlccp wnm":


Mar 2 01:15:40.866: %WLCCP_NM-6-RESET: Resetting WLCCP_NM because WNM IP address has changed

*Mar 2 01:15:40.908: %WLCCP_NM-6-WNM_LINK_UP: Link to WNM is up

*Mar 2 01:15:40.910: WLCCP WDS Rx: Lateral AAA Request

*Mar 2 01:15:40.910: Org=10-00c0.9fb4.e9c8 Rsp=08-0016.47ea.2b68

*Mar 2 01:15:40.910: Len=42 ID=29 Hops=0 Flags=0000

*Mar 2 01:15:40.911: Requester=10-00c0.9fb4.e9c8 Type=0/4/0 Stat=00

*Mar 2 01:15:40.911: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = 00c0.9fb4.e9c8, Rsp = 0016.47ea.2b68, Req 00c0.9fb4.e9c8, id 29 auth 4 key 0

*Mar 2 01:15:40.912: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 10.20.10.221, Org = 0016.47ea.2b68, Rsp = 00c0.9fb4.e9c8, Req 00c0.9fb4.e9c8, auth 4,

****SNIP****

*Mar 2 01:15:40.982: WDS: DOT11_AAA_FAILURE ...


which pretty much indicated the user/pass on WLSE didn't match the local details on the AP. I must have messed this up while I was struggling with the bug in 12.3(4)JA and never fixed it :(


Anyway, many many thanks!


Richard
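
The two outcomes reported in this thread (no WLCCP AAA traffic at all on the WDS AP, versus an AAA START followed by DOT11_AAA_FAILURE, which the poster above read as a WLSE/AP credential mismatch) can be told apart mechanically from a saved debug capture. The script below is an added example, not part of the original posts; the function name `triage` and the verdict strings are assumptions, and the second sample is constructed.

```python
import re

# Lines copied from the debug output quoted in the post above
# (the gap before the failure line is the poster's own "SNIP").
SAMPLE_FAILURE = """\
Mar 2 01:15:40.866: %WLCCP_NM-6-RESET: Resetting WLCCP_NM because WNM IP address has changed
*Mar 2 01:15:40.908: %WLCCP_NM-6-WNM_LINK_UP: Link to WNM is up
*Mar 2 01:15:40.910: WLCCP WDS Rx: Lateral AAA Request
*Mar 2 01:15:40.911: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = 00c0.9fb4.e9c8, Rsp = 0016.47ea.2b68, Req 00c0.9fb4.e9c8, id 29 auth 4 key 0
*Mar 2 01:15:40.982: WDS: DOT11_AAA_FAILURE ...
"""

# Constructed sample: the WNM address is re-entered but no AAA request arrives.
SAMPLE_SILENT = """\
*Mar 2 01:15:40.866: %WLCCP_NM-6-RESET: Resetting WLCCP_NM because WNM IP address has changed
"""

START_RE = re.compile(
    r"WLCCP_TYPE_AAA \(START\) rcvd, Org = (?P<org>[0-9a-f.]+), "
    r"Rsp = (?P<rsp>[0-9a-f.]+), Req (?P<req>[0-9a-f.]+), id (?P<id>\d+)"
)


def triage(debug_text):
    """Classify one capture of 'debug wlccp packet' + 'debug wlccp wds' output."""
    link_up = False
    requests = []  # one entry per AAA START seen, in order
    for line in debug_text.splitlines():
        if "%WLCCP_NM-6-WNM_LINK_UP" in line:
            link_up = True
        m = START_RE.search(line)
        if m:
            requests.append({"requester": m["req"], "id": int(m["id"]), "failed": False})
        elif "DOT11_AAA_FAILURE" in line and requests:
            # Attribute the failure to the most recent AAA START.
            requests[-1]["failed"] = True
    if not requests:
        verdict = "no_aaa_request"      # WDS never saw the WNM try to authenticate
    elif requests[-1]["failed"]:
        verdict = "aaa_failure"         # check WLCCP credentials on both sides
    else:
        verdict = "aaa_started_no_failure_seen"
    return {"link_up": link_up, "requests": requests, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("failure", SAMPLE_FAILURE), ("silent", SAMPLE_SILENT)):
        print(name, triage(text))
```
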

gdoezie Thu, 05/11/2006 - 11:20

I too have had this, and after making sure my passwords are correct I had to reboot my WLSE for some reason and all my WDS servers became authenticated. I think there might be a process that, if I had looked earlier, may have needed to be restarted or stopped then started. Sorry, no details, but this is what I have run into. Be interesting to see if it fixes yours, then maybe Cisco can research it further.

simon-hautier Sun, 05/14/2006 - 23:50

Hello,


Upgrading APs to 12.3(7)JA solved a lot of problems. Anyway, I still have one WDS AP which can't be authenticated.


I tried several debug commands to identify the problem and I didn't find anything: the "debug wlccp wds nm packet" command displayed 0 packets.


On the WLSE, I used the dumptcp command: the WLSE receives packets from the WDS AP but doesn't send any response to it.


I also tried to reboot the WLSE ... nothing changed.


Any idea?


Thanks

rham.editco Fri, 05/26/2006 - 13:05

Simon,


I'm out of ideas on this one. The debugging for the WLSE part of WDS is very short and needs serious work by Cisco IMHO.


Hmm one idea - can you return the access point to defaults and start config from scratch? This worked for a prob I had this week....


Regards,


Richard
