Wireless Profile issue

Sohail Muhammad
Level 1

Hi all,

One of my clients was using an Autonomous Wireless setup in 2 of their offices, and user authentication was done through certificate-based authentication using AD. In one of their offices, say Office-1, they deployed a WLC 5508 and all the autonomous APs were replaced with LWAPP APs. The controller is integrated with AD using Microsoft IAS and users are successfully authenticating.

Now, there is a strange problem. Once a user creates a Wireless Profile at Office-1 and successfully connects to the network, and then moves to Office-2, he/she is not able to reconnect to the network; he/she has to delete the existing profile and create the same profile again, and then he/she is able to join the network. The Wireless Profile configuration is the same for both locations, except that Office-1 has a Wireless LAN Controller and Office-2 does not have a WLC. This issue is being faced only with Windows 7 machines; on Windows XP, it works fine without deleting/creating a new Wireless Profile. Looking forward to a valuable response.

Regards, Sohail

3 Replies

Scott Fella
Hall of Fame

It's probably how the WLAN is set up. Can you post the show run-config from the autonomous AP and the show WLAN from the WLC?

The SSID is using 802.1x, so it should either be using WPA/TKIP or WPA2/AES. These should not be used together or mixed up, like if you have WPA/AES or WPA2/TKIP on the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

Currently I have the show run-config of the autonomous AP, which is as follows:

=============================================================================

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname DIFC_NGN_1

!

enable secret 5 $1$lAVY$r6aQXsi6VmDXsbzDlw.tB.

!

aaa new-model

!

!

aaa group server radius rad_eap

server 172.30.1.236 auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

!

!

!

dot11 ssid NGN8021x

   authentication open eap eap_methods

   authentication network-eap eap_methods

   guest-mode

!

power inline negotiation prestandard source

!

!

username Cisco password 7 143A411F0F07232725

username Admin privilege 15 password 7 002940120758020A0E

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode wep mandatory

!

ssid NGN8021x

!

fragment-threshold 2300

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption mode wep mandatory

!

ssid NGN8021x

!

no dfs band block

channel dfs

fragment-threshold 2300

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

hold-queue 160 in

!

interface BVI1

ip address 172.30.200.6 255.255.240.0

no ip route-cache

!

ip default-gateway 172.30.200.1

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server attribute 32 include-in-access-req format %h

radius-server host 172.30.1.236 auth-port 1645 acct-port 1646 key 7 013E551058080F0320

radius-server vsa send accounting

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

!

end

=============================================================================

Based on the above AP config, can you please advise what configuration I should do on the WLC to make it work properly? In the meantime, I am trying to get the show wlan output from the customer.

Regards, Sohail

Hi Scott,

I have managed to get the show wlan output from the controller. Here it is:

(Cisco Controller) >show wlan 4

WLAN Identifier.................................. 4

Profile Name..................................... NGN8021x

Network Name (SSID).............................. NGN8021x

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 7

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ 300 seconds

--More-- or (q)uit

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... WLC-METLIFEACLICO-DIFC-01

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ 172.30.1.236 1645

   Accounting.................................... 172.30.1.236 1646

      Interim Update............................. Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

--More-- or (q)uit

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Enabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Enabled

      Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

         PMF-1X(802.11w)......................... Disabled

         PMF-PSK(802.11w)........................ Disabled

      FT Reassociation Timeout................... 20

--More-- or (q)uit

      FT Over-The-DS mode........................ Enabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Disabled

   flexconnect Central Dhcp Flag................. Disabled

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

--More-- or (q)uit

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

--More-- or (q)uit

MSAP Services.................................. Disabled

Regards, Sohail
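
Added example (not part of any post in this thread): a small Python check that applies the rule from the reply above (WPA/TKIP or WPA2/AES, not mixed) to the Security rows of the posted `show wlan 4` output, and compares the controller's WPA mode with the `encryption mode` line in the autonomous AP config. The function names and finding strings are assumptions made for this example.

```python
import re

# Constructed sample: Security rows copied from the `show wlan 4` output in the post.
SHOW_WLAN = """\
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Enabled
         AES Cipher.............................. Enabled
"""
# Constructed sample: radio encryption line from the autonomous AP config in the post.
AP_CONFIG = """\
interface Dot11Radio0
 encryption mode wep mandatory
"""

# "Key........ Value" rows as printed by the controller.
ROW = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(\S.*)$")

def wlc_ciphers(text):
    """Map each WPA version to the set of ciphers enabled under it."""
    result, current = {}, None
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:
            continue
        key, enabled = m.group(1), m.group(2).strip() == "Enabled"
        if key.startswith(("WPA (", "WPA2 (")):
            current = key.split()[0] if enabled else None
        elif key.endswith("Cipher") and current and enabled:
            result.setdefault(current, set()).add(key.split()[0])
    return result

def findings(wlan_text, ap_text):
    """Flag the mixed pairings named in the reply and a WEP/WPA split between sites."""
    ciphers, out = wlc_ciphers(wlan_text), []
    if "AES" in ciphers.get("WPA", ()):
        out.append("WLC: WPA with AES enabled")
    if "TKIP" in ciphers.get("WPA2", ()):
        out.append("WLC: WPA2 with TKIP enabled")
    ap_modes = set(re.findall(r"^\s*encryption mode (\S+)", ap_text, re.M))
    if "wep" in ap_modes and ciphers:
        out.append("AP uses WEP, WLC uses " + "/".join(sorted(ciphers)))
    return out

if __name__ == "__main__":
    print("\n".join(findings(SHOW_WLAN, AP_CONFIG)))
```

On the two posted configurations this reports both mixed pairings on the WLC and the WEP versus WPA/WPA2 difference between the two offices for the same SSID.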
