New Member

I need help to configure Access point

Here is my config. It is not working due to a key mismatch, but I am using the right key.

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)

no aaa new-model

!

dot11 ssid Test

   vlan 25

   authentication open

   guest-mode

   wpa-psk ascii 7 13544345535956737D7778

!

dot11 ssid TestGuest

   vlan 24

   authentication open

   guest-mode

!

!

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 25 key 1 size 40bit 7 8600516C6527 transmit-key

encryption vlan 25 mode wep mandatory

!

ssid Test

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root access-point

rts threshold 2312

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.25

encapsulation dot1Q 25

no ip route-cache

bridge-group 25

bridge-group 25 subscriber-loop-control

bridge-group 25 block-unknown-source

no bridge-group 25 source-learning

no bridge-group 25 unicast-flooding

bridge-group 25 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

hold-queue 160 in

!

interface FastEthernet0.25

encapsulation dot1Q 25

no ip route-cache

bridge-group 25

no bridge-group 25 source-learning

bridge-group 25 spanning-disabled

!

interface BVI1

ip address 172.x.x.x 255.255.255.0

no ip route-cache

!

ip default-gateway 172.x.x.1

Log:

*Feb 28 16:33:24.892 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  c0f8.da90.dxxx Associated KEY_MGMT[NONE]

*Feb 28 16:34:24.892 PST: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station c0f8.da90.dxxx

Thanks in advance for your support.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: I need help to configure Access point

Hi Elango,

OK, the problem is likely a VLAN mismatch: the AP is tagging packets with dot1q VLAN 25; instead, it needs to be the native VLAN. Try the following:

*****EDIT******

It looks like you want the AP and users to be in native vlan 25. In order for this to work, you also would want to put the vlan 25 subinterfaces in bridge-group 1, so that they are tied into the BVI1 interface.

Also, mark the native flag as below:

interface Dot11Radio0.25

encapsulation dot1Q 25

and

interface FastEthernet0.25

encapsulation dot1Q 25

Become:

interface Dot11Radio0.25

encapsulation dot1Q 25 native

and

interface FastEthernet0.25

encapsulation dot1Q 25 native

-Pat

Message was edited by: Patrick Croak
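
Added example (not part of the original thread, and not Cisco tooling): a small Python check for the native VLAN mismatch described in the accepted solution, run over constructed excerpts of the AP subinterfaces and the switch trunk port posted in this thread. The function names are hypothetical.

```python
import re

# Constructed excerpts of the configs posted in this thread.
AP_BEFORE = """\
interface Dot11Radio0.25
 encapsulation dot1Q 25
 bridge-group 25
interface FastEthernet0.25
 encapsulation dot1Q 25
 bridge-group 25
"""
SWITCH_PORT = """\
interface GigabitEthernet3/38
 switchport trunk native vlan 25
 switchport mode trunk
"""


def ap_subinterfaces(config):
    """Map each AP subinterface to its dot1Q VLAN, native flag and bridge group."""
    subs, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+\.\d+)\s*$", line):
            cur = subs.setdefault(
                m.group(1), {"vlan": None, "native": False, "bridge_group": None})
        elif not line.startswith(" "):
            cur = None  # any other top-level line closes the subinterface block
        elif cur is not None:
            if m := re.match(r"\s+encapsulation dot1Q (\d+)( native)?\s*$", line):
                cur["vlan"], cur["native"] = m.group(1), bool(m.group(2))
            elif m := re.match(r"\s+bridge-group (\d+)\s*$", line):
                cur["bridge_group"] = m.group(1)
    return subs


def native_vlan_findings(ap_config, switch_config):
    """Compare the switch trunk's native VLAN with the AP's subinterface settings."""
    m = re.search(r"switchport trunk native vlan (\d+)", switch_config)
    native = m.group(1) if m else "1"  # trunk native VLAN defaults to 1 when unset
    out = []
    for name, s in ap_subinterfaces(ap_config).items():
        if s["vlan"] == native and not s["native"]:
            out.append(f"{name}: VLAN {native} is untagged on the switch trunk but tagged on the AP")
        if s["native"] and s["bridge_group"] != "1":
            out.append(f"{name}: native subinterface is in bridge-group "
                       f"{s['bridge_group']}, not bridge-group 1 (BVI1)")
    return out
```
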

10 REPLIES
Cisco Employee

I need help to configure Access point

Hello Elango,

Your current configuration is mixing WPA with WEP. Your SSID configuration is specifying the WPA pre-shared key, but your radio interface is using a WEP encryption scheme.

You will need to decide if you want to use WEP or WPA. If you want to use WPA, under the radio you would change the encryption line to:

encryption vlan 25 mode ciphers tkip aes-ccm

(for both WPA/tkip and WPA2/AES)

If you want to use WEP, you need to remove wpa-psk from your SSID configuration. With a 40-bit WEP key, you will have 10 hex characters. With 128-bit WEP, you will have 26 hex characters.

-Pat
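
Added example (not part of the original thread, and not Cisco tooling): a small Python check for the WPA/WEP mix described in the reply above, plus the WEP key-length rule it states. The sample config is constructed from the first post with key values redacted; function names are hypothetical.

```python
import re

# Constructed sample: SSID and radio lines from the first post, key values redacted.
SAMPLE = """\
dot11 ssid Test
   vlan 25
   authentication open
   wpa-psk ascii 7 <redacted>
!
interface Dot11Radio0
 encryption vlan 25 key 1 size 40bit 7 <redacted> transmit-key
 encryption vlan 25 mode wep mandatory
 ssid Test
"""
WEP_HEX_LEN = {"40bit": 10, "128bit": 26}  # hex characters per key size, per the reply


def parse(config):
    """Return ({ssid: {"vlan", "wpa_psk"}}, {vlan: encryption mode}) for an AP config."""
    ssids, modes, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)", line):
            cur = ssids.setdefault(m.group(1), {"vlan": None, "wpa_psk": False})
        elif not raw.startswith(" "):
            cur = None  # any other top-level line closes the SSID block
        elif cur is not None and (m := re.match(r"vlan (\d+)", line)):
            cur["vlan"] = m.group(1)
        elif cur is not None and line.startswith("wpa-psk"):
            cur["wpa_psk"] = True
        if m := re.match(r"encryption vlan (\d+) mode (.+)", line):
            modes[m.group(1)] = m.group(2)
    return ssids, modes


def findings(config):
    """Flag SSIDs that carry a WPA pre-shared key while their VLAN is not in cipher mode."""
    ssids, modes = parse(config)
    out = []
    for name, s in ssids.items():
        mode = modes.get(s["vlan"], "")
        if s["wpa_psk"] and not mode.startswith("ciphers"):
            out.append(f"{name}: wpa-psk set but VLAN {s['vlan']} mode is '{mode or 'none'}'")
    return out


def wep_key_ok(size, client_key):
    """True if a client-entered hex WEP key has the length the AP key size expects."""
    return (len(client_key) == WEP_HEX_LEN.get(size)
            and re.fullmatch(r"[0-9A-Fa-f]+", client_key) is not None)
```
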

New Member

I need help to configure Access point

Hi Pat,

Thanks for the information. Here is the new config, but the client is still not connecting to the network; it gets a 169.x.x.x IP address and simply says connected but no access.

dot11 ssid Test 

vlan 25

   authentication open

   guest-mode

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 25 key 1 size 40bit 7 CD321255CC52 transmit-key

encryption vlan 25 mode wep optional

!

ssid Test

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

rts threshold 2312

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

LOG:-

*Feb 28 17:57:33.720 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  c0f8.da90.dxxx Associated KEY_MGMT[NONE]

Cisco Employee

I need help to configure Access point

Hi Elango,

OK, so you want to use WEP. Right now it is set up for 40-bit, which means you have 10 hexadecimal characters for your key. Please confirm that this same key is configured on your device.

I would suggest making the encryption to be:

encryption vlan 25 mode wep mandatory (instead of optional)

Then, connect your device, and from the AP command line, issue a "show dot11 assoc all" after the device is connected. I would like to look at the client statistics.

-Pat

New Member

I need help to configure Access point

Hello Pat,

I changed WEP to mandatory, and here is the output.

MVCLAWL01#show dot11 assoc all
Address           : c0f8.da90.d779     Name             : NONE
IP Address        : 169.254.216.155    Interface        : Dot11Radio 0
Device            : 4500-radio         Software Version : NONE
CCX Version       : 4

State             : Assoc              Parent           : self
SSID              : Test                VLAN             : 25
Hops to Infra     : 1                  Association Id   : 37
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 6.0 9.0 12.0 48.0
Signal Strength   : -61  dBm           Connected for    : 42 seconds
Signal Quality    : N/A                Activity Timeout : 19 seconds
Power-save        : Off                Last Activity    : 1 seconds ago

Packets Input     : 190                Packets Output   : 4
Bytes Input       : 26659              Bytes Output     : 435
Duplicates Rcvd   : 0                  Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

client laptop side security config

Operating system :- Windows 7 64 bit

Security type :- No authentication (Open)

Encryption Type:- WEP

Network Security Key: 1478529630

Cisco Employee

I need help to configure Access point

Hi Elango,

I think your client is connecting now with the proper WEP key. Now the issue appears to be with DHCP and your wired network. How do you have the switchport configured where the AP is connected?

-pat

New Member

I need help to configure Access point

Hi Pat,

Here is the switch config.

Primary switch:

interface Vlan25

description WIRELESS-ACCESS

ip address 172.30.25.2 255.255.255.0

ip helper-address 172.30.2.9

standby 30 ip 172.30.25.1

standby 30 priority 120

standby 30 preempt delay minimum 15

Secondary switch:

interface Vlan25

description WIRELESS-ACCESS

ip address 172.30.25.3 255.255.255.0

ip helper-address 172.30.2.9

standby 30 ip 172.30.25.1

end

Access point connected interface:-

interface GigabitEthernet3/38

description WIRELESS ACC POINT

switchport trunk native vlan 25

switchport mode trunk

no cdp enable

spanning-tree portfast

end

New Member

I need help to configure Access point

Awesome, it's working now. Thank you very much, Pat.

Quick question: if I want to do MAC-address-based auth

dot11 ssid Test 

vlan 25

   authentication open(authentication open mac-address mac_methods)

   guest-mode

and add the mac address to MAC Addresses Authenticated by: Local list only.

Cisco Employee

I need help to configure Access point

It appears like that would be correct -- if you have problems with it once you configure it, post the new config and we can take a look.

-Pat

New Member

I need help to configure Access point

Please review the below link:

https://supportforums.cisco.com/docs/DOC-20629
