Cisco Support Community
New Member

AP Won't join Cisco 2500 WLC

Hello,

I have a Cisco 2500 WLC and 3 AIR-CAP3602I-A-K9.

One of them joined my controller and works perfect, no issues.

The other 2 won't join, YET, on all 3 it states that "Radius authorization of the AP has failed"

What can I do to have the other 2 join the controller?

I get this from all 3 of the APs, but 1 works fine:

Last AP Message Decryption Failure
Last AP Connection Failure
Last AP Disconnect Reason
Last Error Occurred
Last Error Occurred Reason
Last Join Error Timestamp

Base Mac             AP EthernetMac       AP Name                 IP Address                 Status

4c:00:82:77:32:70    4c:00:82:77:32:70    AP4c00.8277.327e        10.2.20.65                 Not Joined

7c:69:f6:ef:6f:c0    7c:69:f6:ef:6f:c0    AP7c69.f6ef.6fca        10.2.20.64                 Not Joined

f8:4f:57:66:d3:a0    4c:00:82:77:32:7b    AP4c00.8277.327b        10.2.20.53                 Joined

show sysinfo

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.5.102.0
Bootloader Version............................... 1.0.18
Field Recovery Image Version..................... 1.0.0
Firmware Version................................. PIC 16.0


Build Type....................................... DATA + WPS

System Name...................................... PTIC-WLC
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 10.2.20.47
Last Reset....................................... Reset Button
System Up Time................................... 14 days 4 hrs 34 mins 59 secs
System Timezone Location.........................
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180


Configured Country............................... US  - United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +27 C
External Temperature............................. +33 C
Fan Status....................................... 4200 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
Number of Active Clients......................... 10

Burned-in MAC Address............................ DC:A5:F4:01:B8:00
Maximum number of APs supported.................. 5

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

Re: AP Won't join Cisco 2500 WLC

Let's make it simple... Make sure your AP Policies look like the one I have posted.

Place the AP on the same subnet as the management of the WLC and then console into the AP and attach the output on a text file, from when you have rebooted the AP.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
VIP Purple

AP Won't join Cisco 2500 WLC

Hi,

From WLC GUI>>Security>>AAA>AP policies, can you verify you have not checked "Authorize MIC APs against auth-list or AAA"? If checked, uncheck this and try.

On the logs ": RADIUS authorization is pending for the AP  " means that this needs the MAC addr to be in the mac filter or ap policies.

So, from WLC GUI>>Security>>AAA>AP policies>>Add> ????? (AP mac addr) and check if it joins.

Regards

7 REPLIES
VIP Purple

Re: AP Won't join Cisco 2500 WLC

Have you configured AP policies (Security -> AP Policies)? If so you need to add the Eth MAC address of these APs to that list (show auth-list CLI output should confirm that)

Pls check that

HTH

Rasika

**** Pls rate all useful responses ****

New Member

Re: AP Won't join Cisco 2500 WLC

Yes I have added all the APs with their MAC addresses...

Here is what I get from output debug capwap errors enable:

*spamApTask5: Dec 09 20:24:23.488: 7c:69:f6:ef:6f:c0 State machine handler: Failed to process  msg type = 3 state = 0 from 10.2.20.64:63229

*spamApTask5: Dec 09 20:24:23.489: 7c:69:f6:ef:6f:c0 Failed to parse CAPWAP packet from 10.2.20.64:63229

*spamApTask1: Dec 09 20:24:31.838: 4c:00:82:77:32:70 Discarding non-ClientHello Handshake OR DTLS encrypted packet from  10.2.20.65:29480)since DTLS session is not established

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: called to evaluate

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCertFromCID: called to get cert for CID 166daa6e

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.097: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCertFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: called to evaluate

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetSshPrivateKeyFromCID: called to get key for CID 166daa6e

*spamApTask1: Dec 09 20:24:42.098: sshpmGetSshPrivateKeyFromCID: comparing to row 0, certname >bsnOldDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetSshPrivateKeyFromCID: comparing to row 1, certname >bsnDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetSshPrivateKeyFromCID: comparing to row 2, certname >cscoDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.098: sshpmGetSshPrivateKeyFromCID: match in row 2

*spamApTask1: Dec 09 20:24:42.402: sshpmGetIssuerHandles: locking ca cert table

*spamApTask1: Dec 09 20:24:42.402: sshpmGetIssuerHandles: calling x509_alloc() for user cert

*spamApTask1: Dec 09 20:24:42.402: sshpmGetIssuerHandles: calling x509_decode()

*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles: C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AP3G2-4c008277327e, MAILTO=support@cisco.com

*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles:   O=Cisco Systems, CN=Cisco Manufacturing CA

*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles: Mac Address in subject is 4c:00:82:77:32:7e

*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles: Cert Name in subject is AP3G2-4c008277327e

*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles: Cert is issued by Cisco Systems.

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: called to evaluate

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: called to get cert for CID 2535f131

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 0, certname >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 1, certname >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 2, certname >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 3, certname >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 4, certname >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.406: sshpmGetCertFromCID: comparing to row 5, certname >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.406: ssphmUserCertVerify: calling x509_decode()

*spamApTask1: Dec 09 20:24:42.414: ssphmUserCertVerify: user cert verfied using >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetIssuerHandles: ValidityString (current): 2013/12/09/20:24:42

*spamApTask1: Dec 09 20:24:42.414: sshpmGetIssuerHandles: ValidityString (NotBefore): 2013/07/05/06:34:21

*spamApTask1: Dec 09 20:24:42.414: sshpmGetIssuerHandles: ValidityString (NotAfter): 2023/07/05/06:44:21

*spamApTask1: Dec 09 20:24:42.414: sshpmGetIssuerHandles: getting cisco ID cert handle...

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: called to evaluate

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 1, CA cert >bsnDefaultRootCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 2, CA cert >bsnDefaultCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 3, CA cert >bsnDefaultBuildCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 4, CA cert >cscoDefaultNewRootCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 5, CA cert >cscoDefaultMfgCaCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 0, ID cert >bsnOldDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 1, ID cert >bsnDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.414: sshpmGetCID: comparing to row 2, ID cert >cscoDefaultIdCert<

*spamApTask1: Dec 09 20:24:42.423: sshpmFreePublicKeyHandle: called with 0x2bd2d2ac

*spamApTask1: Dec 09 20:24:42.423: sshpmFreePublicKeyHandle: freeing public key

*spamApTask0: Dec 09 20:24:42.570: L
*spamApTask1: Dec 09 20:24:42.577: 4c:00:82:77:32:70 State machine handler: Failed to process  msg type = 3 state = 0 from 10.2.20.65:29480

*spamApTask1: Dec 09 20:24:42.578: 4c:00:82:77:32:70 Failed to parse CAPWAP packet from 10.2.20.65:29480
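
Added example, not part of the original thread and not Cisco tooling: a small Python check that pairs each failed join in a `debug capwap errors enable` capture with the MAC address found in the AP certificate subject and tests it against an AP authorization list. The `AUTH_LIST` contents are constructed, and treating the certificate subject MAC as the value the list must hold is an assumption based on the advice above to enter the Ethernet MAC.

```python
import re

# Lines copied from the debug output in the post above.
DEBUG = """\
*spamApTask5: Dec 09 20:24:23.488: 7c:69:f6:ef:6f:c0 State machine handler: Failed to process  msg type = 3 state = 0 from 10.2.20.64:63229
*spamApTask1: Dec 09 20:24:42.406: sshpmGetIssuerHandles: Mac Address in subject is 4c:00:82:77:32:7e
*spamApTask1: Dec 09 20:24:42.577: 4c:00:82:77:32:70 State machine handler: Failed to process  msg type = 3 state = 0 from 10.2.20.65:29480
"""
# Constructed list (assumption: filled from the "Base Mac" column, mixed notations).
AUTH_LIST = ["4c00.8277.3270", "7C:69:F6:EF:6F:C0"]

LINE = re.compile(r"^\*(\w+): \w{3} \d{2} [\d:.]+: (.*)$")
SUBJECT = re.compile(r"Mac Address in subject is ([0-9a-fA-F:]{17})")
FAILED = re.compile(r"^([0-9a-fA-F:]{17}) State machine handler: Failed to process.* from ([\d.]+):\d+")

def norm_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff from colon, dash, dotted or bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def join_failures(text):
    """Pair each failed join with the certificate MAC last seen in the same task."""
    cert_mac, out = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        task, msg = m.groups()
        if (s := SUBJECT.search(msg)):
            cert_mac[task] = norm_mac(s.group(1))
        elif (f := FAILED.match(msg)):
            out.append((f.group(2), norm_mac(f.group(1)), cert_mac.get(task)))
    return out

def audit(text, auth_list):
    """Say, per failed join, whether the certificate MAC is authorized."""
    allowed = {norm_mac(m) for m in auth_list}
    report = []
    for ap_ip, session_mac, cert in join_failures(text):
        if cert is None:
            verdict = "no certificate seen in this capture"
        elif cert in allowed:
            verdict = "certificate MAC is listed"
        else:
            verdict = f"certificate MAC {cert} is not listed"
        report.append((ap_ip, session_mac, verdict))
    return report

print(audit(DEBUG, AUTH_LIST))
```

In this capture the join attempt from 10.2.20.65 is logged under 4c:00:82:77:32:70 while the certificate subject carries 4c:00:82:77:32:7e, so a list built from the first value does not contain the second.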

VIP Purple

AP Won't join Cisco 2500 WLC

Adding to Rasika...

The self-signed certificate (SSC) of the AP was not correct on the controller. The controller always checks its local database before it forwards the request to a defined RADIUS server. Due to this, the "RADIUS authorization is pending for AP" error appears when the controller does not find the SSC locally.

Also check this link: http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

Hope it helps.

Regards

New Member

Re: AP Won't join Cisco 2500 WLC

I read up on this, I just don't know how to fix it.

How can I fix this issue?

Thanks....

New Member

Re: AP Won't join Cisco 2500 WLC

Thank you guys. That did the trick. I had all those options checked in the Security. As soon as I un-checked them, BAM, the AP joined.

You guys rock.


THANK YOU THANK YOU THANK YOU....
