02-10-2010 11:20 AM - edited 07-03-2021 06:30 PM
This is my setup:
1. Cisco Autonomous AP - 1131AG-A-K9, configured with 3 VLANs and 3 SSIDs, one SSID for each VLAN.
2. Running code version: c1130-k9w7-mx.124-10b.JDA3
3. First SSID - faculty-1, VLAN201, configured with cipher TKIP and WPA, and a passphrase.
4. Secondary SSID - faculty-2, VLAN202, configured with WEP
5. Third SSID - guest, VLAN203, no encryption.
6. Using a Windows Vista laptop with the Windows wireless client, I could connect to both the secondary and third SSIDs, but the connection to the first SSID with WPA keeps failing.
Any ideas? Thanks for the advice.
02-10-2010 05:09 PM
In order to help in troubleshooting, can you make all of the SSIDs use OPEN or no authentication? If it still doesn't work, can you post your config?
02-11-2010 08:12 PM
All the SSIDs were configured with Open authentication. WEP and no authentication work, but WPA does not. Attached please find the configuration. Thanks
+++++++++++++
DFx-WL-AP002#
hostname IDFx-WL-AP002
!
enable secret 5 $1$x2cF$CowZYf0R5M3yf14ZP695z/
!
no aaa new-model
!
!
!
dot11 ssid faculty-1
wpa-psk ascii babb1122babb
vlan 201
authentication open
authentication key-management wpa
mobility network-id 201
wpa-psk ascii babb1122babb
!
dot11 ssid faculty-2
vlan 202
authentication open
!
dot11 ssid guest
vlan 203
authentication open
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 05280F1C2243
!
bridge irb
!
!
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
no ip address
no ip route-cache
!
encryption vlan 200 mode ciphers wep128
!
encryption vlan 202 key 1 size 40bit 7 397CB7630AE1 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers aes-ccm
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
mbssid
station-role root
!
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 40bit 7 76A8B820E4B6 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio1.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio1.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
!
interface FastEthernet0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
no bridge-group 202 source-learning
bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
no bridge-group 203 source-learning
bridge-group 203 spanning-disabled
!
interface BVI1
ip address 10.128.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.128.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
Message was edited by: rawsonfang
02-11-2010 08:29 PM
Can you also remove the encryption to VLAN 202 and 203?
02-12-2010 06:40 AM
VLAN203 - SSID guest works fine without encryption. Not sure if this was due to an issue with my laptop because of a Windows Vista bug with WPA compatibility?
Thanks
02-12-2010 12:47 PM
rawsonfang....
I may be missing something, but I think I'm seeing 2 "interface Dot11Radio1" in your configuration. Is this a typo? Also, under the first Dot11Radio1 you are using AES and TKIP....as a best practice you should stick to TKIP with WPA and AES with WPA2. Let me know if this helps.
02-13-2010 10:16 AM
Hi,
This is latest config:
IDFx-WL-AP002#sh run
Building configuration...
Current configuration : 4456 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IDFx-WL-AP002
!
enable secret 5 $1$x2cF$CowZYf0R5M3yf14ZP695z/
!
no aaa new-model
!
!
!
dot11 ssid faculty-1
vlan 201
authentication open
authentication key-management wpa
mobility network-id 201
wpa-psk ascii 7 00251125005E0D272E006D6F28382436330A0E072E2E2209311626
no ids mfp client
!
dot11 ssid faculty-2
vlan 202
authentication open
!
dot11 ssid guest
vlan 203
authentication open
guest-mode
!
power inline negotiation prestandard source
!
!
username Cisco password 7 05280F1C2243
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 128bit 7 5C8396957C974FD578D183FB82F3 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
!
interface Dot11Radio0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 202 key 1 size 128bit 7 8EC1CAB5D9AFBDB688B9CEDE6DC1 transmit-key
encryption vlan 202 mode wep mandatory
!
encryption vlan 201 mode ciphers tkip
!
ssid faculty-1
!
ssid faculty-2
!
ssid guest
!
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
bridge-group 201 subscriber-loop-control
bridge-group 201 block-unknown-source
no bridge-group 201 source-learning
no bridge-group 201 unicast-flooding
bridge-group 201 spanning-disabled
!
interface Dot11Radio1.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
bridge-group 202 subscriber-loop-control
bridge-group 202 block-unknown-source
no bridge-group 202 source-learning
no bridge-group 202 unicast-flooding
bridge-group 202 spanning-disabled
!
interface Dot11Radio1.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
bridge-group 203 subscriber-loop-control
bridge-group 203 block-unknown-source
no bridge-group 203 source-learning
no bridge-group 203 unicast-flooding
bridge-group 203 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.200
encapsulation dot1Q 200 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.201
encapsulation dot1Q 201
no ip route-cache
bridge-group 201
no bridge-group 201 source-learning
bridge-group 201 spanning-disabled
!
interface FastEthernet0.202
encapsulation dot1Q 202
no ip route-cache
bridge-group 202
no bridge-group 202 source-learning
bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
encapsulation dot1Q 203
no ip route-cache
bridge-group 203
no bridge-group 203 source-learning
bridge-group 203 spanning-disabled
!
interface BVI1
ip address 10.128.1.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.128.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
IDFx-WL-AP002#$
02-15-2010 05:39 AM
Do you have a WLSM? I assume no, since you didn't mention it in the first place. If you don't, remove the mobility network-id 201 from faculty-1 and see if that helps.
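The points raised in the replies above (two `interface Dot11Radio1` stanzas, both TKIP and AES-CCM listed for VLAN 201, and `mobility network-id` on the WPA SSID) can be checked mechanically over a pasted config. This is an added example, not part of the original thread or any Cisco tool; the function names and the sample config are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the first config posted in the thread.
SAMPLE = """\
dot11 ssid faculty-1
vlan 201
authentication key-management wpa
mobility network-id 201
!
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
encryption vlan 202 mode wep mandatory
encryption vlan 201 mode ciphers aes-ccm
ssid faculty-1
!
interface Dot11Radio1
encryption vlan 201 mode ciphers tkip
ssid faculty-1
"""

def stanzas(text):
    """Yield (header, body) per 'dot11 ssid'/'interface' stanza; '!' lines are skipped."""
    header, body = None, []
    for raw in text.splitlines():
        line = raw.strip()  # pasted configs often lose indentation, so key on headers
        if re.match(r"(dot11 ssid|interface) \S+", line):
            if header:
                yield header, body
            header, body = line, []
        elif header and line and line != "!":
            body.append(line)
    if header:
        yield header, body

def lint(text):
    parsed = list(stanzas(text))
    counts = Counter(h for h, _ in parsed)  # same header twice = duplicated stanza
    findings = [f"duplicate stanza: {h} ({n} times)" for h, n in counts.items() if n > 1]
    for hdr, body in parsed:
        modes = defaultdict(set)  # vlan -> distinct 'encryption ... mode' settings
        for l in body:
            m = re.match(r"encryption vlan (\d+) mode (?:ciphers )?(.+)", l)
            if m and hdr.startswith("interface"):
                modes[m.group(1)].add(m.group(2))
        findings += [f"{hdr}: vlan {v} has several modes {sorted(s)}"
                     for v, s in sorted(modes.items()) if len(s) > 1]
        wpa = any(l.startswith("authentication key-management wpa") for l in body)
        if hdr.startswith("dot11 ssid") and wpa and any(l.startswith("mobility network-id") for l in body):
            findings.append(f"{hdr}: mobility network-id set on WPA SSID")
    return findings
```

Calling `lint()` on the output of `show running-config` saved to a string returns one finding per issue; an empty list means none of the three conditions is present.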