07-31-2014 01:54 PM - edited 07-05-2021 01:18 AM
I have a client that is adding 18 new APs to their network. After getting them configured in the correct VLAN, only 5 of them join the WLC (5508). When I look at the AP join statistics, it shows the following:
RADIUS authorization is pending for the AP
However, under the AP Policies, the 'Authorize MIC APs against auth-list or AAA' option is disabled.
I am stumped on this one.
TIA for any ideas. Also, I do not have console access to the APs as the client already had them mounted above the ceiling tiles somewhere.
Edit: Here is the output of show auth-list from the WLC:
(Cisco Controller) >show auth-list
Authorize MIC APs against Auth-list or AAA ...... disabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
AP with Manufacturing Installed Certificate.... yes
AP with Self-Signed Certificate................ no
AP with Locally Significant Certificate........ no
07-31-2014 03:23 PM
Post the following command outputs from an AP that won't join:
1. WLC: sh sysinfo;
2. WLC: sh time;
3. AP: sh version;
4. AP: sh ip interface brief; and
5. AP: sh inventory
08-01-2014 07:02 AM
WLC Show sysinfo:
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.6.100.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... PTS-LIB-SRVR-WLC5508
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
Redundancy Mode.................................. Disabled
IP Address....................................... 10.203.200.6
Last Reset....................................... Power on reset
System Up Time................................... 30 days 16 hrs 23 mins 34 secs
System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180
Configured Country............................... US - United States
Operating Environment............................ Commercial (0 to 40 C)
--More-- or (q)uit
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +39 C
External Temperature............................. +22 C
Fan Status....................................... OK
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 7
Number of Active Clients......................... 67
Burned-in MAC Address............................ A4:93:4C:FB:E7:A0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 100
WLC show time:
(Cisco Controller) >show time
Time............................................. Fri Aug 1 10:01:44 2014
Timezone delta................................... 0:0
Timezone location................................ (GMT -5:00) Eastern Time (US and Canada)
NTP Servers
NTP Polling Interval......................... 36000
Index NTP Key Index NTP Server NTP Msg Auth Status
------- ----------------------------------------------------------------------------------
1 0 172.16.50.1 AUTH DISABLED
2 0 172.16.50.2 AUTH DISABLED
I do not have console access to any of the APs that are having the issue, but I know they are all 3602i APs.
08-01-2014 12:38 PM
So I figured something else out. The 'Base Radio MAC' and 'Ethernet MAC' on the Join AP stats page are the same on the APs that have not joined and different for the APs that have joined. So I looked at the MAC address that the switch the APs are connected to shows, and it's different. I added the different MAC address to the 'Authorized AP' list under the AP Policies page to see what would happen. Wouldn't you know, the AP joined the WLC.
Now, this seems odd to me since the 'Authorize MIC APs against auth-list or AAA' option is disabled. Anyone know why this is happening? I have a TAC case open as well.
08-01-2014 01:01 PM
Well, here's the solution. These APs were sent out with the mesh image, so I have to add their MAC address to the Authorized AP list. I did confirm this with TAC as well. Learn something new every day.
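The fix described in this post, as an added example that is not part of the original thread and not Cisco's code: it takes the MACs the access switch sees on the AP ports, drops the ones that have already joined, and emits one Authorized AP (auth-list) entry per remaining MAC. The switch table, port list and joined list are constructed sample data; the AireOS `config auth-list add mic` command and the colon-separated MAC format are not shown in the thread and are assumed here.

```python
import re

# Constructed sample of access-switch "show mac address-table" output (not from the thread).
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4401    DYNAMIC     Gi1/0/1
  20    0011.2233.4402    DYNAMIC     Gi1/0/2
  20    0011.2233.4403    DYNAMIC     Gi1/0/3
  20    aabb.ccdd.ee01    DYNAMIC     Gi1/0/24
"""
AP_PORTS = {"Gi1/0/1", "Gi1/0/2", "Gi1/0/3"}  # ports known to feed APs (constructed)
JOINED = {"00:11:22:33:44:01"}                 # Ethernet MACs already joined (constructed)

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$"
)

def to_colon(mac):
    """Normalise any common MAC notation to lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def ap_macs_on_switch(table, ap_ports):
    """Return {port: mac} for AP ports; refuse ports that show more than one MAC."""
    seen = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if not m or m.group(4) not in ap_ports:
            continue  # header, separator, or a port that is not an AP port
        port, mac = m.group(4), to_colon(m.group(2))
        if port in seen and seen[port] != mac:
            # Never authorise a MAC that cannot be tied to exactly one AP.
            raise ValueError(f"{port} shows more than one MAC; check it by hand")
        seen[port] = mac
    return seen

def auth_list_commands(table, ap_ports, joined):
    """Build auth-list entries only for AP MACs that have not joined yet."""
    joined = {to_colon(m) for m in joined}
    pending = sorted(set(ap_macs_on_switch(table, ap_ports).values()) - joined)
    return [f"config auth-list add mic {mac}" for mac in pending]

if __name__ == "__main__":
    print("\n".join(auth_list_commands(SWITCH_MAC_TABLE, AP_PORTS, JOINED)))
```

Restricting the input to known AP ports and rejecting ports with several MACs keeps unrelated devices on the same VLAN out of the authorization list.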
08-01-2014 02:05 PM
Yep... That's ahas the problem. Just get them back to local mode
08-01-2014 12:26 AM
Hi,
As you may know, an AP can find the controller in many different ways. My favourite is the DNS one:
- connect the APs to a network with a DHCP server
- create an A record in the DNS server with "cisco-capwap-controller." pointing to your WLC
- ensure that there are no ACLs and routing is ok
When you have done that, APs should be able to find the WLC.
If this is already ok, then we should investigate more. Are the APs new, or have they been converted from "Autonomous" to "Lightweight"? If so, you have to do some more configuration on the WLC because they might not have a MIC but an SSC, so you will have to add MAC addresses and SSC SHA keys manually. Please refer to this guide and search for SSC (http://goo.gl/EpSz35).
Best regards,
Matteo
08-01-2014 07:06 AM
All except one of the new APs are connected to the same switch. Of the 18 connected to this switch, 5 can join without any issue. All are fresh out of the box 3602i APs.
08-01-2014 02:18 AM