AP Join Issue

deyster94
Level 5

I have a client that is adding 18 new AP's to their network.  After getting them configured in the correct vlan, only 5 of them join the WLC (5508).  When I look at the AP join statistics, it shows the following:

RADIUS authorization is pending for the AP

However, under the AP Policies, the 'Authorize MIC APs against auth-list or AAA' option is disabled.  

I am stumped on this one.

TIA for any ideas.  Also, I do not have console access to the AP's as the client already had them mounted above the ceiling tiles somewhere.

 

Edit:  Here is the output of show auth-list from the WLC:

 

(Cisco Controller) >show auth-list

Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no


Leo Laohoo
Hall of Fame

Post the following command outputs from an AP that won't join: 

 

1.  WLC:  sh sysinfo; 

2.  WLC:  sh time; 

3.  AP:  sh version; 

4.  AP:  sh ip interface brief; and 

5.  AP:  sh inventory

WLC Show sysinfo:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.100.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS

System Name...................................... PTS-LIB-SRVR-WLC5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.203.200.6
Last Reset....................................... Power on reset
System Up Time................................... 30 days 16 hrs 23 mins 34 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)

--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +22 C
Fan Status....................................... OK

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 7
Number of Active Clients......................... 67

Burned-in MAC Address............................ A4:93:4C:FB:E7:A0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100

WLC show time:

(Cisco Controller) >show time

Time............................................. Fri Aug  1 10:01:44 2014

Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)

NTP Servers
    NTP Polling Interval.........................     36000

     Index     NTP Key Index                  NTP Server                  NTP Msg Auth Status
    -------  ----------------------------------------------------------------------------------
       1              0                                 172.16.50.1       AUTH DISABLED
       2              0                                 172.16.50.2       AUTH DISABLED

I do not have console access to any of the AP's that are having the issue, but I know they are all 3602i AP's.

So I figured something else out.  The 'Base Radio MAC' and 'Ethernet MAC' on the Join AP stats page is the same on the AP's that have not joined and different for the AP's that have joined.  So I looked at the MAC address the switch the AP's are connected to shows and it's different.  I added the different MAC address to the 'Authorized AP' list under the AP Policies page to see what would happen.  Wouldn't you know, the AP joined the WLC.  

Now, this seems odd to me since the 'Authorize MIC AP's against auth-list or AAA' is disabled.  Anyone know why this is happening?  I have a TAC case open as well.

Well, here's the solution.  These AP's were sent out with the mesh image, so I have to add their MAC address to the Authorized AP list.  I did confirm this with TAC as well.  Learn something new every day.

Yep... That was the problem. Just get them back to local mode.

I hope the information was useful, and if you have no more questions remember to close the topic by selecting the answer as "Correct answer"
**Please rate the answer if this information was useful**
**Please mark this answer as correct if the information was useful**
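
The finding above (mesh-image APs must be in the Authorized AP list even when MIC authorization is disabled), as an added Python example that is not code from any poster or from Cisco. It parses the `show auth-list` text posted in the thread; the MAC table layout, the sample MAC addresses and the `runs_mesh_image` flag are constructed assumptions.

```python
import re

# `show auth-list` output as posted in the thread, followed by a CONSTRUCTED
# MAC table (the thread shows none; this layout and the MACs are assumptions).
SHOW_AUTH_LIST = """\
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------
00:00:5e:00:53:01         MIC
"""

KV_RE = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(\S.*)$")          # "Key ..... value"
MAC_RE = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_auth_list(text):
    """Return (settings dict, set of authorized MACs) from the CLI text."""
    settings, macs = {}, set()
    for line in text.splitlines():
        mac = MAC_RE.match(line)
        kv = KV_RE.match(line)
        if mac:
            macs.add(mac.group(1).lower())
        elif kv:
            settings[kv.group(1)] = kv.group(2).strip()
    return settings, macs

def pending_authorization(aps, settings, macs):
    """aps: iterable of (ethernet_mac, runs_mesh_image) from your inventory.

    Models the thread's finding: a mesh-image AP needs an auth-list entry
    regardless of the MIC policy; other APs need one only when the MIC
    policy is enabled (authorization via AAA is not modeled here).
    """
    mic_policy = settings.get("Authorize MIC APs against Auth-list or AAA")
    need_all = mic_policy == "enabled"
    return [mac for mac, mesh in aps
            if (mesh or need_all) and mac.lower() not in macs]

if __name__ == "__main__":
    settings, macs = parse_auth_list(SHOW_AUTH_LIST)
    inventory = [("00:00:5E:00:53:01", True), ("00:00:5e:00:53:02", True),
                 ("00:00:5e:00:53:03", False)]          # constructed sample
    print(pending_authorization(inventory, settings, macs))
```
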

Matteo Comisso
Level 1

Hi,

As you may know, an AP can find the controller in many different ways. My favourite is the DNS one:

- connect the APs to a network with a DHCP server

- create an A record in the DNS server with "cisco-capwap-controller." pointing to your WLC

- ensure that there are no ACLs and routing is ok

When you have done that, APs should be able to find the WLC.

If this is already ok, then we should investigate more. Are the APs new or have they been converted from "Autonomous" to "Lightweight"? If so, you have to do some more configuration on the WLC because they might not have a MIC but an SSC, so you will have to add MAC addresses and SSC SHA keys manually. Please refer to this guide and search for SSC (http://goo.gl/EpSz35).

Best regards,

Matteo

All except one of the new AP's is connected to the same switch.  Of the 18 connected to this switch, 5 can join without any issue.  All are fresh out of the box 3602i AP's.

mohanak
Cisco Employee
cli/gui discrepancy Authorize MIC APs against auth-list or AAA
CSCuc45044
Symptom:
cli should have "Authorize MIC APs against auth-list or AAA" similar to GUI instead of "Authorize MIC APs against AAA".

Conditions:
when using "Authorize MIC APs against auth-list or AAA" feature cli doesn't descript the same.

Workaround:
none or cosmetic issue

Minor issue.
 
Last Modified: Feb 15, 2014
Status: Fixed
Severity: 3 Moderate
Product: Cisco 5500 Series Wireless Controllers
Known Fixed Releases (2): 7.4(1.38), 7.4(100.0)
Known Affected Releases (1): 7.2(110.0)