
802.1x and static-wep-key conflict

When we enable Dynamic 802.1x in our WCS, we get a wep key prompt on devices connecting to the Access Points. This occurs without us setting a static wep key entry.

We think that this is caused by this config line appearing on the controllers:

wlan security static-wep-key encryption 5 104 <mode unknown> <passwd hidden> 1

If we then get clients to specify the SSID and 802.1x authentication, along with the requisite username/password credentials for the radius server, then a full authenticated 802.1x session can be successfully established.

If we try to remove it via the console, the terminal doesn't return anything except a new line, and as soon as the interface is enabled again, the above line reappears in show running-config.

Nuking the config on the WCS - the SSID template, the Accounting server, the Authentication server, removing the entries from the access points then adding them back under a different name returns the same result.

Creating an entirely new set of templates, and applying it to an entirely untouched access point also returns the same result.

This occurs on all devices I've got my hands on, which so far is:

iPhone, iPod touch gen 1 and gen 2, OS X 10.6, Win XP SP3, Win Vista, Win 7, Ubuntu 9.10 and finally a Nokia N900.

Has anyone come across this and fixed this before?

Other background information that might help:

Versions/Configuration:

Wireless Control System
Version 5.0.56.2
Type:   Basic
Licensed APs:   250
Quantity of APs:        151


WLCs (4 of them - 2 in each WiSM)
1 WiSM is in a Catalyst 6506
1 WiSM is in a Catalyst 6509
Software Version of WiSM:    5.0.148.0

LAPs
Software Version         5.0.148.0
Boot Version    12.3.8.0
Inventory Information
AP Type         LWAPP
AP Model        AIR-LAP1131AG-N-K9
IOS Version     12.4(13d)JA
AP Certificate Type     Manufacture Installed
Unique Device Identifier(UDI)
Name    Cisco AP
Description     Cisco Wireless Access Point
Product Id      AIR-LAP1131AG-N-K9
Version Id      V01

APs converted to LAPs
Software Version         5.0.148.0
Boot Version    12.3.8.0
Inventory Information
AP Type         LWAPP
AP Model        AIR-AP1131AG-A-K9
IOS Version     12.4(13d)JA
AP Certificate Type     Manufacture Installed

This is the debug output of a failed attempt to connect to the wep key:

Thu Apr 29 12:31:09 2010: 00:1e:c2:b2:4e:17 802.1x 'txWhen' Timer expired for station 00:1e:c2:b2:4e:17

Thu Apr 29 12:31:09 2010: 00:1e:c2:b2:4e:17 dot1x - moving mobile 00:1e:c2:b2:4e:17 into Connecting state

Thu Apr 29 12:31:09 2010: 00:1e:c2:b2:4e:17 Sending EAP-Request/Identity to mobile 00:1e:c2:b2:4e:17 (EAP Id 19)

Thu Apr 29 12:31:09 2010: 00:1e:c2:b2:4e:17 Sending 802.11 EAPOL message  to mobile 00:1e:c2:b2:4e:17

Thu Apr 29 12:31:09 2010: 00000000: 01 00 00 2d 01 13 00 2d  01 00 6e 65 74 77 6f 72  ...-...-..networ

Thu Apr 29 12:31:09 2010: 00000010: 6b 69 64 3d 77 63 65 6c  2c 6e 61 73 69 64 3d 47  kid=wcel,nasid=G

Thu Apr 29 12:31:09 2010: 00000020: 47 2d 57 4c 43 2d 32 2c  70 6f 72 74 69 64 3d 32  G-WLC-2,portid=2

Thu Apr 29 12:31:09 2010: 00000030: 39                                                9

Thu Apr 29 12:31:11 2010: 00:1e:c2:b2:4e:17 Reached Max EAP-Identity Request retries (21) for STA 00:1e:c2:b2:4e:17

Thu Apr 29 12:31:11 2010: 00:1e:c2:b2:4e:17 dot1x - moving mobile 00:1e:c2:b2:4e:17 into Disconnected state

Thu Apr 29 12:31:11 2010: 00:1e:c2:b2:4e:17 Not sending EAP-Failure for STA 00:1e:c2:b2:4e:17

This, I understand, is the standard behavior for a failed static-wep-connection.

This is the output of show running-config for the wireless lan (snipped for bits relating to this ssid)

wlan create 5 wcel wcel

wlan interface 5 vlan 32

wlan aaa-override enable 5

wlan mfp infrastructure protection disable 5

wlan session-timeout 5 1800

wlan security wpa disable 5

wlan security 802.1X enable 5

wlan radius_server auth add 5 1

wlan radius_server acct add 5 1

wlan security static-wep-key encryption 5 104 <mode unknown> <passwd hidden> 1

wlan security wpa akm ft reassociation-time 20 5

wlan security wpa akm ft over-the-air enable 5

wlan security wpa akm ft over-the-ds enable 5

wlan dhcp_server 5 0.0.0.0 required required

wlan enable 5
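
Decoding the hex dump from the debug output above, as an added example (not part of the original post and not Cisco code): the four dump lines form the EAPOL frame that carries the EAP-Request/Identity the log reports sending. The function names are this example's own; the field layouts follow IEEE 802.1X and RFC 3748.

```python
import re
import struct

# The four hex-dump lines from the debug output in the post above.
DEBUG_LINES = [
    "Thu Apr 29 12:31:09 2010: 00000000: 01 00 00 2d 01 13 00 2d  01 00 6e 65 74 77 6f 72  ...-...-..networ",
    "Thu Apr 29 12:31:09 2010: 00000010: 6b 69 64 3d 77 63 65 6c  2c 6e 61 73 69 64 3d 47  kid=wcel,nasid=G",
    "Thu Apr 29 12:31:09 2010: 00000020: 47 2d 57 4c 43 2d 32 2c  70 6f 72 74 69 64 3d 32  G-WLC-2,portid=2",
    "Thu Apr 29 12:31:09 2010: 00000030: 39                                                9",
]
# Offset column, then at most 16 hex bytes; the ASCII column is ignored.
DUMP_RE = re.compile(r": [0-9a-f]{8}: ((?:[0-9a-f]{2} {1,2}){1,16})", re.I)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def dump_to_bytes(lines):
    """Reassemble the frame from the hex column of each dump line."""
    return b"".join(bytes.fromhex(m.group(1))
                    for m in map(DUMP_RE.search, lines) if m)

def parse_eapol(frame):
    """Decode the EAPOL header and, for EAP-Packet frames, the EAP header."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body shorter than its length field")
    info = {"eapol_version": version, "eapol_type": ptype}
    if ptype != 0:  # only type 0 (EAP-Packet) carries an EAP message
        return info
    if body_len < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= body_len:
        raise ValueError("EAP length field inconsistent with EAPOL length")
    info.update(eap_code=EAP_CODES.get(code, code), eap_id=ident)
    if code in (1, 2) and eap_len > 4:  # Request/Response carry a Type octet
        info["eap_type"] = body[4]      # 1 = Identity
        info["type_data"] = body[5:eap_len]
    return info

def identity_hints(type_data):
    """Parse the key=value hints that follow the NUL in an Identity Request."""
    _, _, opts = type_data.partition(b"\x00")
    fields = opts.decode("ascii", "replace").split(",")
    return dict(f.split("=", 1) for f in fields if "=" in f)

if __name__ == "__main__":
    info = parse_eapol(dump_to_bytes(DEBUG_LINES))
    print(info, identity_hints(info.get("type_data", b"")))
```

The decoded EAP Id (19) matches the "Sending EAP-Request/Identity" log line, and the networkid hint names the same SSID, wcel, that the WLAN 5 configuration creates.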
