
I need help to configure Access point

Elango Murugan
Level 1

Here is my config. It is not working due to a key mismatch, but I am using the right key.

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA3, RELEASE SOFTWARE (fc1)

no aaa new-model

!

dot11 ssid Test

   vlan 25

   authentication open

   guest-mode

   wpa-psk ascii 7 13544345535956737D7778

!

dot11 ssid TestGuest

   vlan 24

   authentication open

   guest-mode

!

!

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 25 key 1 size 40bit 7 8600516C6527 transmit-key

encryption vlan 25 mode wep mandatory

!

ssid Test

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root access-point

rts threshold 2312

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.25

encapsulation dot1Q 25

no ip route-cache

bridge-group 25

bridge-group 25 subscriber-loop-control

bridge-group 25 block-unknown-source

no bridge-group 25 source-learning

no bridge-group 25 unicast-flooding

bridge-group 25 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

hold-queue 160 in

!

interface FastEthernet0.25

encapsulation dot1Q 25

no ip route-cache

bridge-group 25

no bridge-group 25 source-learning

bridge-group 25 spanning-disabled

!

interface BVI1

ip address 172.x.x.x 255.255.255.0

no ip route-cache

!

ip default-gateway 172.x.x.1

log :-

*Feb 28 16:33:24.892 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  c0f8.da90.dxxx Associated KEY_MGMT[NONE]

*Feb 28 16:34:24.892 PST: %DOT11-4-ENCRYPT_MISMATCH: Possible encryption key mismatch between interface Dot11Radio0 and station c0f8.da90.dxxx

Thanks in advance for your support.



pcroak
Cisco Employee

Hello Elango,

Your current configuration is mixing WPA with WEP. Your SSID configuration is specifying the WPA pre-shared key, but your radio interface is using a WEP encryption scheme.

You will need to decide if you want to use WEP or WPA. If you want to use WPA, under the radio you would change the encryption line to:

encryption vlan 25 mode ciphers tkip aes-ccm

(for both WPA/tkip and WPA2/AES)

If you want to use WEP, you need to remove wpa-psk from your SSID configuration. With a 40-bit WEP key, you will have 10 hex characters. With 128-bit WEP, you will have 26 hex characters.

-Pat
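The mismatch described in the reply above can be caught before deployment with a small config check. This is an added example, not code from the thread's participants or from Cisco; the function names are hypothetical and the sample config is constructed from the one in the first post, with key material replaced by a placeholder.

```python
import re

# Constructed sample modelled on the first post; keys replaced by a placeholder.
BEFORE = """\
dot11 ssid Test
   vlan 25
   authentication open
   wpa-psk ascii 7 <REDACTED>
!
interface Dot11Radio0
 encryption vlan 25 key 1 size 40bit 7 <REDACTED> transmit-key
 encryption vlan 25 mode wep mandatory
 ssid Test
"""
# The WPA option from the reply: keep wpa-psk, move the radio to ciphers.
AFTER = BEFORE.replace("mode wep mandatory", "mode ciphers tkip aes-ccm")

WEP_HEX_CHARS = {40: 10, 128: 26}  # key size in bits -> hex characters

def ssid_blocks(config):
    """Return {ssid_name: [sub-commands]} for every 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue  # tolerate blank lines inside a pasted config
        m = re.match(r"dot11 ssid (\S+)", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif current is not None and line[0].isspace():
            current.append(line.strip())
        else:
            current = None  # any other unindented line ends the block
    return ssids

def wpa_wep_mismatches(config):
    """Return (ssid, vlan) pairs where the SSID sets wpa-psk but the radio runs WEP."""
    modes = {int(v): mode for v, mode in
             re.findall(r"^\s*encryption vlan (\d+) mode (\S+)", config, re.M)}
    hits = []
    for name, cmds in ssid_blocks(config).items():
        vlan = next((int(c.split()[1]) for c in cmds if c.startswith("vlan ")), None)
        if any(c.startswith("wpa-psk ") for c in cmds) and modes.get(vlan) == "wep":
            hits.append((name, vlan))
    return hits

def wep_key_ok(key, bits):
    """True if key has exactly the hex-character count for a 40- or 128-bit WEP key."""
    return len(key) == WEP_HEX_CHARS[bits] and bool(re.fullmatch(r"[0-9A-Fa-f]+", key))
```

`wpa_wep_mismatches(BEFORE)` reports the `Test` SSID on VLAN 25, and the same call on `AFTER` reports nothing.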

Hi Pat,

Thanks for the information. Here is the new config, but the client is still not connecting to the network. It gets a 169.x.x.x IP address and simply says connected but no access.

dot11 ssid Test 

vlan 25

   authentication open

   guest-mode

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 25 key 1 size 40bit 7 CD321255CC52 transmit-key

encryption vlan 25 mode wep optional

!

ssid Test

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

rts threshold 2312

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

LOG:-

*Feb 28 17:57:33.720 PST: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  c0f8.da90.dxxx Associated KEY_MGMT[NONE]

Hi Elango,

Ok, so you are wanting to use WEP -- right now it is set up for 40-bit, which means you have 10 hexadecimal characters for your key. Please confirm that this same key is configured on your device.

I would suggest making the encryption to be:

encryption vlan 25 mode wep mandatory (instead of optional)

Then, connect your device, and from the AP command line, issue a "show dot11 assoc all" after the device is connected. I would like to look at the client statistics.

-Pat

Hello Pat,

I changed WEP to mandatory and here is the output.

MVCLAWL01#show dot11 assoc all
Address           : c0f8.da90.d779     Name             : NONE
IP Address        : 169.254.216.155    Interface        : Dot11Radio 0
Device            : 4500-radio         Software Version : NONE
CCX Version       : 4

State             : Assoc              Parent           : self
SSID              : Test                VLAN             : 25
Hops to Infra     : 1                  Association Id   : 37
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : WEP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 6.0 9.0 12.0 48.0
Signal Strength   : -61  dBm           Connected for    : 42 seconds
Signal Quality    : N/A                Activity Timeout : 19 seconds
Power-save        : Off                Last Activity    : 1 seconds ago

Packets Input     : 190                Packets Output   : 4
Bytes Input       : 26659              Bytes Output     : 435
Duplicates Rcvd   : 0                  Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

client laptop side security config

Operating system :- Windows 7 64 bit

Security type :- No authentication (Open)

Encryption Type:- WEP

Network Security Key: 1478529630

Hi Elango,

I think your client is connecting now with the proper WEP key. Now the issue appears to be with DHCP and your wired network. How do you have the switchport configured where the AP is connected?

-pat

Hi Pat,

Here is the switch config.

Switch Primary:-

interface Vlan25

description WIRELESS-ACCESS

ip address 172.30.25.2 255.255.255.0

ip helper-address 172.30.2.9

standby 30 ip 172.30.25.1

standby 30 priority 120

standby 30 preempt delay minimum 15

Sec switch :-

interface Vlan25

description WIRELESS-ACCESS

ip address 172.30.25.3 255.255.255.0

ip helper-address 172.30.2.9

standby 30 ip 172.30.25.1

end

Access point connected interface:-

interface GigabitEthernet3/38

description WIRELESS ACC POINT

switchport trunk native vlan 25

switchport mode trunk

no cdp enable

spanning-tree portfast

end

Hi Elango,

Ok, the problem is likely a VLAN mismatch: the AP is tagging packets with dot1q vlan 25; instead it needs to be the native vlan. Try the following:

*****EDIT******

It looks like you want the AP and users to be in native vlan 25. In order for this to work, you also would want to put the vlan 25 subinterfaces in bridge-group 1, so that they are tied into the BVI1 interface.

Also, mark the native flag as below:

interface Dot11Radio0.25

encapsulation dot1Q 25

and

interface FastEthernet0.25

encapsulation dot1Q 25

Become:

interface Dot11Radio0.25

encapsulation dot1Q 25 native

and

interface FastEthernet0.25

encapsulation dot1Q 25 native

-Pat

Message was edited by: Patrick Croak
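The native VLAN and bridge-group conditions from the reply above can be checked by comparing the AP sub-interfaces with the switch trunk port. This is an added example, not code from the thread's participants or from Cisco; the function names are hypothetical and the config excerpts are constructed from the ones posted in this thread.

```python
import re

# Constructed excerpts modelled on the AP and switch configs posted in this thread.
AP_BEFORE = """\
interface Dot11Radio0.25
 encapsulation dot1Q 25
 bridge-group 25
!
interface FastEthernet0.25
 encapsulation dot1Q 25
 bridge-group 25
!
interface BVI1
 ip address 172.x.x.x 255.255.255.0
"""
# The change from the reply: native flag on both sub-interfaces, bridge-group 1.
AP_AFTER = (AP_BEFORE.replace("dot1Q 25", "dot1Q 25 native")
                     .replace("bridge-group 25", "bridge-group 1"))
SWITCH = """\
interface GigabitEthernet3/38
 switchport trunk native vlan 25
 switchport mode trunk
"""

def subinterfaces(ap_config):
    """Yield (name, vlan, is_native, bridge_group) for each dot1Q sub-interface."""
    for block in re.split(r"^(?=interface )", ap_config, flags=re.M):
        name = re.match(r"interface (\S+)", block)
        encap = re.search(r"^\s*encapsulation dot1Q (\d+)( native)?\s*$", block, re.M)
        group = re.search(r"^\s*bridge-group (\d+)\s*$", block, re.M)
        if name and encap:
            yield (name.group(1), int(encap.group(1)), bool(encap.group(2)),
                   int(group.group(1)) if group else None)

def native_vlan_findings(ap_config, switch_config, bvi_group=1):
    """Compare AP sub-interfaces with the switch trunk's native VLAN."""
    m = re.search(r"switchport trunk native vlan (\d+)", switch_config)
    native = int(m.group(1)) if m else 1  # Cisco trunks default to native VLAN 1
    findings = []
    for name, vlan, is_native, group in subinterfaces(ap_config):
        if vlan == native and not is_native:
            findings.append(f"{name}: VLAN {vlan} is untagged on the switch but tagged on the AP")
        if vlan != native and is_native:
            findings.append(f"{name}: marked native, but the trunk's native VLAN is {native}")
        if vlan == native and group != bvi_group:
            findings.append(f"{name}: bridge-group {group} is not tied to BVI{bvi_group}")
    return findings
```

Run against `AP_BEFORE` it returns two findings per sub-interface; against `AP_AFTER` it returns none.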

Awesome, it's working now. Thank you very much, Pat.

Quick question: if I want to do MAC address based auth

dot11 ssid Test 

vlan 25

   authentication open(authentication open mac-address mac_methods)

   guest-mode

and add the mac address to MAC Addresses Authenticated by: Local list only.

It appears like that would be correct -- if you have problems with it once you configure it, post the new config and we can take a look.

-Pat
