Cisco Support Community
New Member

OEAP 600 cannot join WLC with auth-list enable

I've got a strange problem here. In the office, my OEAP 600 can join the WLC if there is no MAC authentication. When I enable MAC authentication at the WLC, the AP fails to register. However, when I try it at home it works with MAC authentication either enabled or disabled. I suspect it is because of the firewall in my office, but there shouldn't be any difference in the discovery and joining procedure for an AP with MAC authentication enabled or disabled. I'm confused here. Please help.

18 REPLIES

Re: OEAP 600 cannot join WLC with auth-list enable

Alex,

What do your AP Join Statistics tell you about this AP? Do you see any failure reasons? (WLC: Monitor -- Statistics -- AP Join)

Justin

New Member

Re: OEAP 600 cannot join WLC with auth-list enable

Justin,

Below is error summary from WLC:

Last Error Summary

Last AP Message Decryption Failure  ---------  
Last AP Connection Failure          ---------  Timed out while waiting for ECHO repsonse from the AP
Last Error Occurred                 ---------  Lwapp join request rejected
Last Error Occurred Reason          ---------  RADIUS authorization is pending for the AP

The error reason is probably because I haven't added the AP MAC address to ACS. With the same AP, at home using an ADSL link, I have no problem.

Thanks.

Re: OEAP 600 cannot join WLC with auth-list enable

I add both the AP and Ethernet MACs of the OEAP to the AP authorization list. Do you have your MAC address on your ACS or on your WLC?

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: OEAP 600 cannot join WLC with auth-list enable

I have the AP Ethernet MAC address in both the WLC authorization list and ACS. When checking the ACS log, I can see authentication is successful. What confuses me is that with the same AP, with MAC authentication enabled, it can join the WLC from outside my office (e.g. home ADSL), but fails only in my office. It doesn't look like the office firewall is the cause, since without MAC authentication the AP can join the WLC from my office.

Re: OEAP 600 cannot join WLC with auth-list enable

Sorry, a little confused. So you are saying when you are at the office it doesn't join, but when you are home it does, correct?

New Member

Re: OEAP 600 cannot join WLC with auth-list enable

With MAC authentication enabled, that's correct. With MAC authentication disabled, it's working both in my office and at home.

Silver

Re: OEAP 600 cannot join WLC with auth-list enable

If the OEAP600 is configured to join a public address, it won't join when attempting to from behind your firewalls inside. The WLC will respond back with the public address configured and the AP will not know how to join properly.

Re: OEAP 600 cannot join WLC with auth-list enable

Blake, I have an outside IP address on my WLC and my 600's join on the inside.

A little odd, so this looks like a MAC address authorization issue. That doesn't make much sense.

New Member

Re: OEAP 600 cannot join WLC with auth-list enable

You can see from the log that MAC authorization is OK. The AP is authenticated with ACS and I can see the access-accept in the debug output. Only when the DTLS negotiation happens does it fail.

Re: OEAP 600 cannot join WLC with auth-list enable

Wish I could help, Alex... I'm a little stumped on this one. Did you open a TAC case?

New Member

Re: OEAP 600 cannot join WLC with auth-list enable

I'm going to open a TAC case for this. But I'm just wondering if there is any difference in the DTLS negotiation between MAC authentication enabled and MAC authentication disabled.

Silver

Re: OEAP 600 cannot join WLC with auth-list enable

There could be. I personally never use MAC auth for anything, seeing as it can be spoofed, albeit that is hard to do at the AP level.

The MAC authentication could be hampering the DTLS connection from being set up in a timely manner. Have you tried not doing it on ACS but just using the AP authorization list on the WLC directly?

Re: OEAP 600 cannot join WLC with auth-list enable

I am not aware of any difference. I am using AP authorization on my OE and I don't have any issues.

Silver

Re: OEAP 600 cannot join WLC with auth-list enable

AP authorization and MAC authentication are two different things, though. The delay in the call to the ACS server for MAC authentication could be causing the DTLS tunnel session to expire before it can be created.

Re: OEAP 600 cannot join WLC with auth-list enable

Alex,

Can you debug DTLS on the WLC and AP to capture the negotiation details?

Justin

... typd on tny kybrd.

Silver

Re: OEAP 600 cannot join WLC with auth-list enable

I thought about that after I sent it, and I think with the newer code they changed that a little bit so it responds with both IPs.

Looking at the limited debugs, it seems more like it is failing on the DTLS tunnel setup from inside than on MAC auth.

New Member

OEAP 600 cannot join WLC with auth-list enable

The issue has been resolved. The miracle happened when we used an ISE server as the second RADIUS server. Actually, I don't know why it suddenly works, but this will probably help if someone encounters the same issue.

Re: OEAP 600 cannot join WLC with auth-list enable

Hello,

For more information on the OEAP-600, please watch the "Community Tech-Talk Series" Cisco Office Extend Access Point OEAP-600:

https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2012/02/24/cisco-office-extend-access-point-oeap-600

Thanks,

Vinay Sharma

Community Manager - Wireless
