New Member

WAP personal Authentication of Cisco Aironet 1140 does not work for MACbooks.

I have a Cisco Aironet 1140 with SSID broadcasting ENABLED; encryption is WPA2 (personal).

Ubuntu 12.04 and Windows 7 are authenticated, but MacBooks are never authenticated.

Does anyone know of a special configuration for MacBooks?

With my best regards,

c1141-142#show version
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JY, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 28-Apr-10 10:20 by prod_rel_team
ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA1, RELEASE SOFTWARE (fc1)
c1141-142 uptime is 3 days, 22 hours, 43 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w7-mx.124-21a.JY/c1140-k9w7-mx.124-21a.JY"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco AIR-AP1142N-P-K9     (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.
Processor board ID FGL1532S7JJ
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from reload
1 Gigabit Ethernet interface
2 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 70:81:05:06:E1:3F
Part Number                          : 73-12836-03
PCA Assembly Number                  : 800-33767-03
PCA Revision Number                  : A0
PCB Serial Number                    : FOC15282H8M
Top Assembly Part Number             : 800-33775-02
Top Assembly Serial Number           : FGL1532S7JJ
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1142N-P-K9
Configuration register is 0xF
c1141-142#

c1141-142#show run
Building configuration...
Current configuration : 2192 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1141-142
!
logging buffered 8192 debugging
enable secret 5 $1$wN77$SjdD8e/zS2Ok9XGcB53TZ/
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid AirPort-Test-Cisco
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii ********************************
!
!
!
username Cisco privilege 15 password 7 13061E01080344
username view password 7 1058001C12
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid AirPort-Test-Cisco
 !
 antenna gain 0
 speed  basic-5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power local 2
 channel 2462
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid AirPort-Test-Cisco
 !
 antenna gain 0
 no dfs band block
 speed  basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power local 2
 channel 5300
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.20.142 255.255.254.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 password 7 047802150C2E
 logging synchronous
 login
!
end

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

WAP personal Authentication of Cisco Aironet 1140 does not work

Here is a config example with an AP that has an IP address for vlan 1 and is working with 2 SSIDs, one for vlan 1 and one for vlan 3, both using WPA version 2 with AES + PSK, and the PSK is cisco12345

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1142AG.246
!
enable secret 5 $1$ONOn$EFmsjtV4qtvRCbfAqDbIG1
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid test vlan 1
   vlan 1
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 14141B180F0B7B7977
!
dot11 ssid test vlan 30
   vlan 30
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 01100F175804575D72181B
!
!
!
username Cisco password 7 1531021F0725
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 30 mode ciphers aes-ccm 
 !
 ssid test vlan 1
 !
 ssid test vlan 30
 !
 antenna gain 0
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel 2412
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 encryption vlan 30 mode ciphers aes-ccm 
 !
 ssid test vlan 1
 !
 ssid test vlan 30
 !
 antenna gain 0
 dfs band 3 block
 mbssid
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
6 REPLIES
Bronze

WAP personal Authentication of Cisco Aironet 1140 does not work

Hi,

As you mention you have the AP configured to work with WPA 2, I checked the configuration you attached and you have configured WPA version 2 under the SSID but under the encryption method on the radio you are using TKIP.

As per the WiFi alliance when we are working with WPA version 1 we use the cipher known as TKIP and when working with WPA version 2 we use the cipher known as AES-CCM, so please change the encryption from TKIP to AES-CCM.

Let me know how it goes.
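
The pairing given in the reply above (WPA version 1 with TKIP, WPA version 2 with AES-CCM) can be checked mechanically against an autonomous-AP config before it is applied. The following Python check is an added example, not part of any post in this thread; the `parse` and `lint` helpers and both sample configs are constructed here from commands quoted on this page.

```python
import re
# Pairing stated in the thread's replies: WPA version 1 -> TKIP, WPA version 2 -> AES-CCM.
EXPECTED = {"1": "tkip", "2": "aes-ccm"}
# Constructed samples assembled from commands quoted in the thread (not full running-configs).
SAMPLE_BEFORE = """
dot11 ssid AirPort-Test-Cisco
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid AirPort-Test-Cisco
interface Dot11Radio1
 encryption mode ciphers aes-ccm tkip
 ssid AirPort-Test-Cisco"""
SAMPLE_AFTER = """
dot11 ssid test vlan 30
   vlan 30
   authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 30 mode ciphers aes-ccm
 ssid test vlan 30"""

def parse(config):
    """Collect each SSID's WPA version/VLAN and each interface's ciphers and SSIDs."""
    ssids, radios, kind, cur = {}, {}, None, None
    # Section tracking uses header lines, so pastes that lost their indentation still parse.
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"dot11 ssid (.+)", line):
            kind, cur = "ssid", ssids.setdefault(m[1], {"wpa": None, "vlan": None})
        elif m := re.fullmatch(r"interface (\S+)", line):
            kind, cur = "if", radios.setdefault(m[1], {"ciphers": {}, "ssids": []})
        elif kind == "ssid" and (m := re.fullmatch(r"vlan (\d+)", line)):
            cur["vlan"] = m[1]
        elif kind == "ssid" and (m := re.fullmatch(r"authentication key-management wpa version (\d)", line)):
            cur["wpa"] = m[1]
        elif kind == "if" and (m := re.fullmatch(r"encryption (?:vlan (\d+) )?mode ciphers (.+)", line)):
            cur["ciphers"][m[1]] = m[2].split()  # key None means no per-VLAN cipher line
        elif kind == "if" and (m := re.fullmatch(r"ssid (.+)", line)):
            cur["ssids"].append(m[1])
    return ssids, radios

def lint(config):
    """Return (interface, ssid, wpa_version, ciphers) for every SSID/cipher mismatch."""
    ssids, radios = parse(config)
    findings = []
    for ifname, radio in radios.items():
        for name in radio["ssids"]:
            ssid = ssids.get(name, {})
            want = EXPECTED.get(ssid.get("wpa"))
            have = radio["ciphers"].get(ssid.get("vlan"), [])
            if want and have != [want]:
                findings.append((ifname, name, ssid["wpa"], " ".join(have) or "none"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_BEFORE), lint(SAMPLE_AFTER), sep="\n")
```

SSIDs configured with `authentication key-management wpa` and no explicit version are not flagged, since the thread states no rule for that case.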

New Member

WAP personal Authentication of Cisco Aironet 1140 does not work

fbarboza:
I tried WPA version 2 with AES-CCM and WPA version 1 with TKIP.
MacBook Air does not work properly. Is the following configuration OK?

dot11 ssid AirPort-Test-Cisco
   authentication open
   authentication key-management wpa version 1
   guest-mode
   wpa-psk ascii 7 045702100A3249401A1C4845425B5A54787B7C
interface Dot11Radio0
  encryption mode ciphers tkip
interface Dot11Radio1
  encryption mode ciphers tkip

dot11 ssid AirPort-Test-Cisco
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 045702100A3249401A1C4845425B5A54787B7C
interface Dot11Radio0
  encryption mode ciphers aes-ccm tkip
interface Dot11Radio1
  encryption mode ciphers aes-ccm tkip

I tried to investigate debug messages.

When I connect Ubuntu machines, Cisco debug messages say

c1141-143#debug dot11 mgmt msg
IEEE 802.11 packets debugging is on
c1141-143#debug dot11 mgmt state-machine
dot11 state machine debugging is on
c1141-143#
c1141-143#
c1141-143#
*Mar  2 11:07:18.637: SM: ---Open Authentication 0x13B1F50: AuthReq (0)
*Mar  2 11:07:18.637: SM:    Init (0) --> Auth_not_Assoc (1)
*Mar  2 11:07:18.637: dot11_mgmt: [AEB4117] send auth=0, status[0] to dst=2477.035f.2630, src=a0cf.5b69.3280, bssid=a0cf.5b69.3280, seq=2, if=Dot11Radio0
*Mar  2 11:07:18.637:  Incoming bssid a0cf.5b69.3280 is valid , client 2477.035f.2630
*Mar  2 11:07:18.641: SM: ---Open Authentication 0x13B1F50: AssocReq (1)
*Mar  2 11:07:18.641: SM:    Auth_not_Assoc (1) --> DONT CHANGE STATE (255)
*Mar  2 11:07:18.641: SM: ---Open Authentication 0x13B1F50: IAPP-Resp (3)
*Mar  2 11:07:18.641: SM:    IAPP_get (5) --> DONT CHANGE STATE (255)
*Mar  2 11:07:18.641: dot11_mgmt: dot11_mgmt_smact_iapp_resp: bss clnt
*Mar  2 11:07:18.641: dot11_mgmt: [AEB5190] request driver to add client 2477.035f.2630
*Mar  2 11:07:18.642: SM: ---Open Authentication 0x13B1F50: Drv Add Resp (8)
*Mar  2 11:07:18.642: SM:    Drv_Add_InProg (8) --> DONT CHANGE STATE (255)
*Mar  2 11:07:18.642: dot11_mgmt: [AEB5321] response from driver for client 2477.035f.2630
*Mar  2 11:07:18.642: dot11_mgmt: [AEB5357] send reassoc resp, status[0] to dst=2477.035f.2630, aid[1] on Dot11Radio0
*Mar  2 11:07:18.661: SM: ---Open Authentication 0x13B1F50: AAA Auth OK (5)
*Mar  2 11:07:18.661: SM:    AAA_Auth (6) --> Assoc (2)
*Mar  2 11:07:18.661: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2477.035f.2630 Reassociated KEY_MGMT[WPAv2 PSK]
c1141-143#

I tried to investigate debug messages.

When I connect MacBooks, Cisco debug messages say

c1141-143#
*Mar  2 11:39:11.524: SM: ---Open Authentication 0x13B1A60: AuthReq (0)
*Mar  2 11:39:11.525: SM:    Init (0) --> Auth_not_Assoc (1)
*Mar  2 11:39:11.525: dot11_mgmt: [7CEF991E] send auth=0, status[0] to dst=b88d.1217.72bc, src=a0cf.5b74.8710, bssid=a0cf.5b74.8710, seq=2, if=Dot11Radio1
*Mar  2 11:39:11.525:  Incoming bssid a0cf.5b74.8710 is valid , client b88d.1217.72bc
*Mar  2 11:39:11.525: SM: ---Open Authentication 0x13B1A60: AssocReq (1)
*Mar  2 11:39:11.525: SM:    Auth_not_Assoc (1) --> DONT CHANGE STATE (255)
*Mar  2 11:39:11.525: SM: ---Open Authentication 0x13B1A60: IAPP-Resp (3)
*Mar  2 11:39:11.525: SM:    IAPP_get (5) --> DONT CHANGE STATE (255)
*Mar  2 11:39:11.525: dot11_mgmt: dot11_mgmt_smact_iapp_resp: bss clnt
*Mar  2 11:39:11.525: dot11_mgmt: [7CEF9CE7] request driver to add client b88d.1217.72bc
*Mar  2 11:39:11.526: SM: ---Open Authentication 0x13B1A60: Drv Add Resp (8)
*Mar  2 11:39:11.526: SM:    Drv_Add_InProg (8) --> DONT CHANGE STATE (255)
*Mar  2 11:39:11.526: dot11_mgmt: [7CEF9EDC] response from driver for client b88d.1217.72bc
*Mar  2 11:39:11.526: dot11_mgmt: [7CEF9F18] send assoc resp, status[0] to dst=b88d.1217.72bc, aid[1] on Dot11Radio1
*Mar  2 11:39:11.829: SM: ---Open Authentication 0x13B1A60: AAA Auth OK (5)
*Mar  2 11:39:11.829: SM:    AAA_Auth (6) --> Assoc (2)
c1141-143#
*Mar  2 11:39:11.829: %DOT11-6-ASSOC: Interface Dot11Radio1, Station   b88d.1217.72bc Associated KEY_MGMT[WPAv2 PSK]
c1141-143#
*Mar  2 11:39:19.819:  dot11_mgmt: de-auth msg sent with reason = 2
*Mar  2 11:39:19.819: SM: ---Open Authentication 0x13B1A60: Delete (2)
*Mar  2 11:39:19.819: SM:    Assoc (2) --> Init (0)
c1141-143#
*Mar  2 11:39:19.819: %DOT11-6-DISASSOC: Interface Dot11Radio1, Deauthenticating Station b88d.1217.72bc Reason: Sending station has left the BSS
c1141-143#

I think your comment makes sense and there are problems other than AES-CCM.

Bronze

WAP personal Authentication of Cisco Aironet 1140 does not work

Hi,

On the config you attached it shows that for one you use only WPA version 1 with TKIP as the encryption, but you still show the command "encryption mode ciphers aes-ccm tkip", and it should be "encryption mode ciphers aes-ccm" or "encryption mode ciphers tkip" if you enable WPA version 2 under the SSID or WPA version 1 under the SSID.

Also, if you want to broadcast 2 SSIDs, you first need to enable mbssid under the radio itself, and then under the SSID we use mbssid guest mode instead of guest mode.

Try to reset the AP to defaults and reconfigure it.

I will upload a config example.

New Member

WAP personal Authentication of Cisco Aironet 1140 does not work

fbarboza:

Your configuration does work! Thank you!


Bronze

WAP personal Authentication of Cisco Aironet 1140 does not work

Glad to know it is working.
