10-28-2011 01:46 PM - edited 07-03-2021 09:00 PM
Weird issue:
I have some handhelds using certificates to connect to the internet in my office.
The handhelds can connect everywhere in the complex except inside a warehouse. All the config for the APs is the same; we use 1242s and 1131s (yes, inside the warehouse we have both models), and the ports where we have the APs connected were configured as trunk; at the time we set them up as access ports for the wireless VLAN (in this case VLAN 7).
A little detail: if I take a laptop and try to connect inside the warehouse, I can with no problem at all, but the handhelds cannot connect.
On the WLC4400 I can see all the handhelds associated to the wireless network but under the Policy Manager State I get "8021X_REQD" for all those handhelds inside the warehouse.
Any clues?
---
Posted by WebUser Eridanny Aviña
10-28-2011 02:09 PM
Questions:
What security are you using?
Are the APs at the warehouse and the office area all on the same WLC or on different WLCs?
Both locations are controller based, correct?
10-28-2011 04:13 PM
In addition to George's post, try this little experiment:
1. Create a generic SSID for the sake of testing if the Symbol/Motorola handsets can connect;
2. OPEN authentication (or NO authentication);
3. Simple SSID: No funky characters. Just alpha-numeric ones;
4. Broadcast SSID.
Now roam. If you can roam between two or more APs with this SSID, then start cranking it up by enabling a non-broadcast (hidden) SSID, and so on and so forth.
My guess is you'll start getting issues when you disable broadcast SSID or if you go beyond WPA/PSK.
10-29-2011 09:43 AM
Have you examined any logs on the RADIUS server? How about a debug (debug client and debug dot1x aaa enable)? If there are separate controllers, are they in the same Mobility Group?
Sent from Cisco Technical Support iPad App
10-31-2011 03:31 PM
I appreciate your comments.
More status:
Same WLC for all APs; we tried connecting the APs to a Catalyst Express 500, a 2960 and a 3560-8PC, and none of them worked (inside the warehouse). Outside is different.
We can discard interference or low signal, as we are able to connect a laptop with no issue, and all the tests we tried used an AP in one hand and the handheld in the other.
We tried configuring the ports on the path to the WLC as trunk and as access ports in the wireless VLAN, and again it didn't work.
Nothing weird in the RADIUS logs, and there are no access lists on the APs or the switches.
Any more thoughts?
---
Posted by WebUser Eridanny Aviña
10-31-2011 04:05 PM
Did you try my suggestion/recommendation?
10-31-2011 06:20 PM
What about a client debug? Client detail on the GUI? My guess is you are seeing decrypt errors. Try Leo's suggestion to start with an open SSID and re-apply encryption later. How about after rebooting the APs?
10-31-2011 06:26 PM
11-01-2011 02:01 PM
Thanks for the doc!
Sent from Cisco Technical Support iPad App
11-01-2011 10:11 AM
leolaohoo, I saw your comments and we tried that to no avail.
What we are getting on the WLC is "802.x required", while on the handheld it says “Authentication successful, but we received an invalid key”. This would mean the certificate is invalid or wrong, but what we don't get is why the handheld is able to connect in the other part of the complex, using the same WLC (only one, no redundancy) with IOS 7.0.116.0.
No more clues in the RADIUS logs or the WLC debugs.
---
Posted by WebUser Eridanny Aviña
11-01-2011 01:49 PM
"we tried that to no avail. What we are getting on the WLC is "802.x required" while on the handheld it says “Authentication successful, but we received an invalid key”."
That's not OPEN authentication.
11-01-2011 02:00 PM
The devil's in the details. How about giving us a clue and attaching the controller client debug output?
Another thing to try: enable telnet on the AP where the handhelds are connecting, and after logging into the AP, issue the following commands:
sh controller d0 | beg ---Clients
sh controller d1 | beg ---Clients
Sent from Cisco Technical Support iPad App
11-03-2011 05:17 PM
Leo, we did try with open authentication and, as I said, it didn't work.
What I posted afterwards is the log we are getting with the regular setup.
According to Symbol, they released an upgrade for the application used to connect to wireless networks that might be related to our issues, and our corporate agrees on that upgrade. I'll let you know if this solves the issue.
Thanks for the comments though.
---
Posted by WebUser Eridanny Aviña
11-03-2011 08:15 PM
Your fastest ticket to the solution is to first identify why the client is stuck in dot1x. If you are doing EAP-PEAP or EAP-TLS it is most likely a cert issue.
Please run the following debugs and post the output.
>config session timeout 30
> debug client
followed by this command intermittently
>show client detail
If you have a RADIUS server, check the RADIUS logs after this.
Look out for Access-Reject or Access-Accept in the debugs.
Without these it's all guesswork and it will take a long time to get to a solution.
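The posts above ask for `show client detail` and `debug client` output and say what to look for in it: the Policy Manager State and any Access-Accept or Access-Reject. The script below, added here as an illustration and not code from the thread, from Cisco or from Symbol, does that triage mechanically. The two sample inputs are constructed to resemble WLC output; the exact field labels and debug wording are assumptions, so adjust the patterns to what your controller actually prints.

```python
"""
Triage helper for a WLC client stuck in 8021X_REQD.

Added example, not part of the original thread. It parses text shaped like
`show client detail` and `debug client` output. Both samples below are
constructed; real controller output differs in detail, so the labels and
message strings matched here are assumptions to be adapted.
"""
import re
from collections import Counter

# Constructed sample of `show client detail <mac>` (field layout assumed).
SAMPLE_CLIENT_DETAIL = """\
Client MAC Address............................... 00:11:22:33:44:55
AP MAC Address................................... 00:aa:bb:cc:dd:ee
AP Name.......................................... WH-AP-1242-03
Client State..................................... Associated
Wireless LAN Id.................................. 7
Policy Manager State............................. 8021X_REQD
Security Policy Completed........................ No
EAP Type......................................... EAP-TLS
"""

# Constructed sample of `debug client <mac>` lines (wording assumed).
SAMPLE_DEBUG_LINES = """\
*Nov 01 10:05:12.101: 00:11:22:33:44:55 Sending EAP Request from AAA to mobile
*Nov 01 10:05:12.340: 00:11:22:33:44:55 Received EAP Response from mobile
*Nov 01 10:05:12.880: 00:11:22:33:44:55 Processing Access-Accept for mobile
*Nov 01 10:05:12.881: 00:11:22:33:44:55 Sending EAPOL-Key Message to mobile
*Nov 01 10:05:13.882: 00:11:22:33:44:55 Retransmit EAPOL-Key M1 (1 of 3)
*Nov 01 10:05:14.883: 00:11:22:33:44:55 Retransmit EAPOL-Key M1 (2 of 3)
"""


def parse_client_detail(text):
    """Turn 'Label........ value' lines into a dict keyed by label."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\.{2,}\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def summarize_debug(text):
    """Count the RADIUS verdicts and EAPOL-Key events the thread says to look for."""
    counts = Counter()
    for line in text.splitlines():
        if "Access-Accept" in line:
            counts["access_accept"] += 1
        if "Access-Reject" in line:
            counts["access_reject"] += 1
        if "EAPOL-Key" in line:
            counts["eapol_key"] += 1
        if "Retransmit EAPOL-Key" in line:
            counts["eapol_key_retransmit"] += 1
    return counts


def triage(detail_text, debug_text):
    """Return (verdict, parsed fields, event counts) for one client."""
    fields = parse_client_detail(detail_text)
    ev = summarize_debug(debug_text)
    state = fields.get("Policy Manager State", "")
    if state != "8021X_REQD":
        return "not stuck in dot1x", fields, ev
    if ev["access_reject"] and not ev["access_accept"]:
        return "RADIUS rejected the client; check server logs and the client cert/EAP method", fields, ev
    if ev["access_accept"] and ev["eapol_key_retransmit"]:
        return "RADIUS accepted but the 4-way handshake is not completing", fields, ev
    if not ev["access_accept"] and not ev["access_reject"]:
        return "no RADIUS verdict seen; EAP exchange not finishing", fields, ev
    return "RADIUS accepted; check key exchange / WLAN security settings", fields, ev


if __name__ == "__main__":
    verdict, fields, ev = triage(SAMPLE_CLIENT_DETAIL, SAMPLE_DEBUG_LINES)
    print("AP:", fields.get("AP Name"), "| EAP:", fields.get("EAP Type"))
    print("Events:", dict(ev))
    print("Verdict:", verdict)
```

Paste the real `show client detail` output into `SAMPLE_CLIENT_DETAIL` and the captured `debug client` lines into `SAMPLE_DEBUG_LINES` (or read them from files) and run it; the verdict separates "RADIUS never answered", "RADIUS rejected" and "RADIUS accepted but the key exchange never finished", which are the three different places a client in 8021X_REQD can be stuck.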
11-06-2011 12:20 PM
I would highly suggest the debugs that the other members have requested. The proof will be in the pudding at that point, and any "changes" are a shot in the dark without it.
Another thing to consider, since you mention these devices work fine inside the office but not in the warehouse, is AP placement and antenna orientation. It is fairly common for APs to be deployed with poor RF consideration in large warehouses. Can you describe the mounting location of these APs? You mention you are using 1131s and 1242s, so please describe each.
Are the APs mounted to a high ceiling? Are there large racks or obstructions that can lead to attenuation or unwanted multipath, etc.? How high are the APs mounted? For the 1242s, what type of antenna and what orientation are the antennas (for instance, with a dipole, are the antennas pointed downwards/perpendicular to the ground, or are they horizontal/parallel to the ground?)
What power level do you see your APs in the warehouse transmitting at? How does this compare to inside?
Also, you mention your APs are configured for a trunk? Unless you are performing H-REAP local switching, which it doesn't sound like as the APs are local to the WLC at this campus, you should keep your AP on an access port. The AP will just need to be able to get back to the WLC on this single VLAN with its client CAPWAP data. Clients will egress the WLC on their respective VLANs through your dynamic interfaces; they do not require a trunk port at the AP itself. This should not have any effect on your problem, but I would suggest keeping the AP config clean and simple.