11-23-2011 11:07 AM - edited 07-03-2021 09:07 PM
Here is my config. It is not working due to a key mismatch, but I am using the right key.
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)
no aaa new-model
!
dot11 ssid Test
vlan 25
authentication open
guest-mode
wpa-psk ascii 7 13544345535956737D7778
!
dot11 ssid TestGuest
vlan 24
authentication open
guest-mode
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 25 key 1 size 40bit 7 8600516C6527 transmit-key
encryption vlan 25 mode wep mandatory
!
ssid Test
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.25
encapsulation dot1Q 25
no ip route-cache
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
bridge-group 25 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface FastEthernet0.25
encapsulation dot1Q 25
no ip route-cache
bridge-group 25
no bridge-group 25 source-learning
bridge-group 25 spanning-disabled
!
interface BVI1
ip address 172.x.x.x 255.255.255.0
no ip route-cache
!
ip default-gateway 172.x.x.1
log :-
*Feb 28 16:33:24.892 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station c0f8.da90.dxxx Associated KEY_MGMT[NONE]
*Feb 28 16:34:24.892 PST: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station c0f8.da90.dxxx
Thanks in advance for your support.
11-23-2011 12:02 PM
Hello Elango,
Your current configuration is mixing WPA with WEP. Your SSID configuration is specifying the WPA pre-shared key, but your radio interface is using a WEP encryption scheme.
You will need to decide if you want to use WEP or WPA. If you want to use WPA, under the radio you would change the encryption line to:
encryption vlan 25 mode ciphers tkip aes-ccm
(for both WPA/tkip and WPA2/AES)
If you want to use WEP, you need to remove wpa-psk from your SSID configuration. With a 40-bit WEP key, you will have 10 hex characters. With 128-bit WEP, you will have 26 hex characters.
-Pat
11-23-2011 12:15 PM
Hi Pat,
Thanks for the information. Here is the new config, but the client is still not connecting to the network: it gets a 169.x.x.x IP address and simply says connected but no access.
dot11 ssid Test
vlan 25
authentication open
guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 25 key 1 size 40bit 7 CD321255CC52 transmit-key
encryption vlan 25 mode wep optional
!
ssid Test
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
LOG:-
*Feb 28 17:57:33.720 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station c0f8.da90.dxxx Associated KEY_MGMT[NONE]
11-23-2011 12:24 PM
Hi Elango,
Ok, so you are wanting to use WEP -- right now it is setup for 40-bit, which means you have 10 hexadecimal characters for your key. Please confirm that this same key is configured on your device.
I would suggest making the encryption to be:
encryption vlan 25 mode wep mandatory (instead of optional)
Then, connect your device, and from the AP command line, issue a "show dot11 assoc all" after the device is connected. I would like to look at the client statistics.
-Pat
11-23-2011 12:39 PM
Hello Pat,
I changed WEP to mandatory and here is the output.
MVCLAWL01#show dot11 assoc all
Address : c0f8.da90.d779 Name : NONE
IP Address : 169.254.216.155 Interface : Dot11Radio 0
Device : 4500-radio Software Version : NONE
CCX Version : 4
State : Assoc Parent : self
SSID : Test VLAN : 25
Hops to Infra : 1 Association Id : 37
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE Encryption : WEP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 6.0 9.0 12.0 48.0
Signal Strength : -61 dBm Connected for : 42 seconds
Signal Quality : N/A Activity Timeout : 19 seconds
Power-save : Off Last Activity : 1 seconds ago
Packets Input : 190 Packets Output : 4
Bytes Input : 26659 Bytes Output : 435
Duplicates Rcvd : 0 Data Retries : 0
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
client laptop side security config
Operating system :- Windows 7 64 bit
Security type :- No authentication (Open)
Encryption Type:- WEP
Network Security Key: 1478529630
11-23-2011 01:02 PM
Hi Elango,
I think your client is connecting now with the proper WEP key. Now the issue appears to be with DHCP and your wired network. How do you have the switchport configured where the AP is connected?
-pat
11-23-2011 01:07 PM
Hi Pat,
Here is the switch config.
Switch primary:-
interface Vlan25
description WIRELESS-ACCESS
ip address 172.30.25.2 255.255.255.0
ip helper-address 172.30.2.9
standby 30 ip 172.30.25.1
standby 30 priority 120
standby 30 preempt delay minimum 15
Sec switch :-
interface Vlan25
description WIRELESS-ACCESS
ip address 172.30.25.3 255.255.255.0
ip helper-address 172.30.2.9
standby 30 ip 172.30.25.1
end
Access point connected interface:-
interface GigabitEthernet3/38
description WIRELESS ACC POINT
switchport trunk native vlan 25
switchport mode trunk
no cdp enable
spanning-tree portfast
end
11-23-2011 01:16 PM
Hi Elango,
Ok, the problem is likely a VLAN mismatch: the AP is tagging packets with dot1q vlan 25; instead it needs to be the native vlan. Try the following:
*****EDIT******
It looks like you want the AP and users to be in native vlan 25. In order for this to work, you also would want to put the vlan 25 subinterfaces in bridge-group 1, so that they are tied into the BVI1 interface.
Also, mark the native flag as below:
interface Dot11Radio0.25
encapsulation dot1Q 25
and
interface FastEthernet0.25
encapsulation dot1Q 25
Become:
interface Dot11Radio0.25
encapsulation dot1Q 25 native
and
interface FastEthernet0.25
encapsulation dot1Q 25 native
-Pat
Message was edited by: Patrick Croak
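The two mismatches diagnosed in this thread (a WPA pre-shared key on an SSID whose VLAN uses WEP on the radio, and AP subinterfaces that tag a VLAN the switch trunk treats as native) can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the function names `sections` and `audit` are hypothetical, the sample configs are constructed from the ones posted above with keys elided, and the switch's native VLAN is passed in as an assumption.

```python
import re

def sections(config):
    """Group config lines under their 'dot11 ssid ...' or 'interface ...' header."""
    out, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if re.match(r"(dot11 ssid|interface) \S", line):
            cur = line
            out[cur] = []
        elif cur and line and line != "!":
            out[cur].append(line)
    return out

def audit(ap_config, trunk_native_vlan):
    findings = []
    # VLAN -> mode keyword from the radio's "encryption vlan N mode ..." lines
    modes = dict(re.findall(r"encryption vlan (\d+) mode (\w+)", ap_config))
    for head, body in sections(ap_config).items():
        if head.startswith("dot11 ssid "):
            vlan = next((b.split()[1] for b in body if b.startswith("vlan ")), None)
            if any(b.startswith("wpa-psk") for b in body) and modes.get(vlan) == "wep":
                findings.append(f"{head}: wpa-psk set but vlan {vlan} mode is wep")
        sub = re.match(r"interface \S+\.(\d+)$", head)
        if sub and int(sub.group(1)) == trunk_native_vlan:
            if f"encapsulation dot1Q {sub.group(1)} native" not in body:
                findings.append(f"{head}: encapsulation not marked native")
            if "bridge-group 1" not in body:
                findings.append(f"{head}: not in bridge-group 1 (BVI1)")
    return findings

# Constructed samples, trimmed from the configs posted in the thread (keys elided).
BEFORE = """\
dot11 ssid Test
 vlan 25
 wpa-psk ascii 7 <elided>
interface Dot11Radio0
 encryption vlan 25 mode wep mandatory
interface Dot11Radio0.25
 encapsulation dot1Q 25
 bridge-group 25
interface FastEthernet0.25
 encapsulation dot1Q 25
 bridge-group 25
"""
AFTER = (BEFORE.replace(" wpa-psk ascii 7 <elided>\n", "")
               .replace("dot1Q 25\n", "dot1Q 25 native\n")
               .replace("bridge-group 25", "bridge-group 1"))

if __name__ == "__main__":
    print(audit(BEFORE, 25), audit(AFTER, 25), sep="\n")
```

The second argument is the value from `switchport trunk native vlan` on the switch port facing the AP; only subinterfaces for that VLAN are checked for the `native` keyword and bridge-group 1 membership.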
11-23-2011 01:31 PM
Awesome, it's working now. Thank you very much, Pat.
Quick question: if I want to do MAC address based auth
dot11 ssid Test
vlan 25
authentication open(authentication open mac-address mac_methods)
guest-mode
and add the mac address to MAC Addresses Authenticated by: Local list only.
11-23-2011 01:33 PM
It appears like that would be correct -- if you have problems with it once you configure it, post the new config and we can take a look.
-Pat
04-29-2013 11:13 PM
Please review the below link: